[ScreenOS] How to edit the email notification to the end user when the firewall detects a virus in the email (supported from ScreenOS 6.2 or later)

Article ID: KB16045 | KB Last Updated: 25 Feb 2013 | Version: 4.0
Summary:
This article provides information on how to edit the email notification that is sent to the end user, when the firewall detects a virus in an e-mail.
Symptoms:
Starting with ScreenOS 6.2, the AV implementation scans SMTP mail attachments for viruses. If a virus is found, the firewall sends a mail notification to the end user who was supposed to receive that mail.

The issue is that when the firewall scans the mail attachment and finds a virus, it drops the attachment and the content of the mail, keeps the same header information with the original sender and receiver addresses, adds the content of the event log message to the body of the mail, and sends it to the end user.

So, technically the original content is deleted and the extract of the event log message from the firewall is attached to the body of the mail. The message is similar to the following excerpt:
Your mail 1.1.1.1:4721->2.2.2.2:25  contains contaminated file _From_support___test_test.com___Date_support___test_test.com___SubjA_new_settings_file_for_the_test_test.com_has_just_be_/_install.zip_/install.exe with virus Packed.Win32.Krap.ah, so it is dropped.
Based on this message, it is very difficult to identify who actually sent it, because the mail header still carries the original sender and receiver addresses. This can cause the end user to contact the administrator every time such a message is received, to find out who sent it.
Cause:

Solution:
As part of the solution, the administrator can configure the firewall to add a text or notification message stating that the mail is from the Juniper firewall and that it was sent to the end user because the AV on the firewall found a virus.

This way, the end user will know, even though the header has the original sender and receiver address, that the content of the mail was actually sent by the firewall, which notified that a virus was found and the mail content was dropped.

To do so, set the following configuration on the firewall:
set av warning-message "This message is generated by Juniper firewall from Administrator"
After the above configuration is set, the next time the end user receives the virus found mail notification, the message will be as follows:
Your mail 1.1.1.1:4721->2.2.2.2:25  contains contaminated file _From_support___test_test.com___Date_support___test_test.com___SubjA_new_settings_file_for_the_test_test.com_has_just_be_/_install.zip_/install.exe with virus Packed.Win32.Krap.ah, so it is dropped.
This message is generated by the Juniper firewall and is from the Administrator.

Note:  There is a known limitation for this command; for more information, refer to KB17414 - Limitation of multi-lined string configured in "set av warning-message" for FTP application.
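
For mail or helpdesk tooling that needs to recognise these firewall-generated notices, the following added example (not Juniper code) parses the body format shown in the excerpts above and reports whether the configured warning message is present. The function name, the pattern and the sample headers are assumptions built from that one excerpt.

```python
import re
from email import message_from_string

# Body pattern taken from the one excerpt in this article (assumption: other
# ScreenOS releases word the notice the same way).
NOTICE_RE = re.compile(
    r"Your mail (?P<src_ip>[\d.]+):(?P<src_port>\d+)->"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"contains contaminated file (?P<path>.+?) "
    r"with virus (?P<virus>[^\s,]+), so it is dropped\.")

def parse_av_notice(raw_message, warning_message=None):
    """Return the fields of a firewall AV notice, or None for ordinary mail.

    Only the body is inspected: the firewall reuses the original From/To
    headers, so they say nothing about who generated the message."""
    msg = message_from_string(raw_message)
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    body = " ".join(" ".join(chunks).split())  # collapse wraps and double spaces
    m = NOTICE_RE.search(body)
    if m is None:
        return None
    banner = " ".join(warning_message.split()) if warning_message else None
    return {
        "src": (m["src_ip"], int(m["src_port"])),   # connection the firewall scanned
        "dst": (m["dst_ip"], int(m["dst_port"])),
        "path": m["path"],
        "inner_file": m["path"].rsplit("/", 1)[-1],  # innermost flagged file
        "virus": m["virus"],
        "has_admin_banner": bool(banner) and banner in body,
    }

# Constructed sample: headers are invented, body is the excerpt shown above.
BANNER = "This message is generated by Juniper firewall from Administrator"
SAMPLE = (
    "From: sender@example.com\nTo: user@example.net\nSubject: settings\n\n"
    "Your mail 1.1.1.1:4721->2.2.2.2:25  contains contaminated file "
    "_From_support___test_test.com___Date_support___test_test.com___SubjA_new_"
    "settings_file_for_the_test_test.com_has_just_be_/_install.zip_/install.exe "
    "with virus Packed.Win32.Krap.ah, so it is dropped.\n" + BANNER + "\n")

if __name__ == "__main__":
    print(parse_av_notice(SAMPLE, BANNER))
```

The source address and port in the result can be matched against the firewall's AV event log to find the connection that carried the infected attachment.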