There are two types of antivirus protection on the SRX:
a) Full Antivirus Protection
b) Express Antivirus Protection
A) Full Antivirus Protection
Files are scanned against a signature database. Data packets are received and the original application content, e.g. an email attachment, is reconstructed before it is scanned. Kaspersky Lab provides the scan engine. If the antivirus license expires, the scanning feature keeps working with the locally stored signatures, but no further updates are downloaded.
Pattern Updates
Patterns are downloaded with the pattern-update command. Unlike express antivirus, full antivirus detects all malicious code: viruses (including polymorphic and other advanced types), worms, trojans and other malware.
The pattern database server is reached over HTTP or HTTPS. By default the antivirus module checks for database updates automatically every 60 minutes, and a local copy of the pattern database is kept on the device.
Sample Pattern Update Config (Automatic)
[edit security]
root@host# show utm
feature-profile {
    anti-virus {
        type kaspersky-lab-engine;
        kaspersky-lab-engine {
            pattern-update {
                url https://kaskerskytest.net;
                interval 120;
            }
        }
    }
}
Manual Pattern Update
root@host> request security utm anti-virus kaspersky-lab-engine ?
Possible completions:
<[Enter]> Execute this command
pattern-delete Delete kaspersky-lab-engine pattern
pattern-reload Reload kaspersky-lab-engine pattern
pattern-update Update kaspersky-lab-engine pattern
| Pipe through a command
Full Antivirus Scan Engine
The scan engine works as follows:
1) A client establishes a TCP connection with a server and then starts a transaction
2) If the application protocol in question is marked for antivirus scanning, the traffic is forwarded to an application proxy for parsing
3) When the scan request is sent, the scan engine scans the data by querying a virus pattern database
4) The scan manager monitors antivirus scanning sessions, checking the properties of the data content against the existing antivirus settings
5) After scanning has occurred, the result is then handled by the scan manager
Scan Modes
* scan-all (scan-mode all): the scan engine scans all the data it receives, regardless of file name
* scan-by-extension (scan-mode by-extension): the scanning decision is based on the file extension, matched against a filename-extension custom object. Because the file name comes from the sender (the URL or the MIME headers), by-extension is a performance trade-off rather than a security control: a malicious file that arrives with an extension not on the list is passed through unscanned
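To see what the two modes do to the same traffic, here is an added simulation written for this page; it is not Junos or Kaspersky code. The "signature database" is the EICAR test string (the file you would actually push through the SRX to confirm scanning works), the extension rule (suffix after the last dot, case-insensitive) is an assumption to verify on your platform, and every transfer in the list is constructed. The counters it keeps are named after the Scan Mode and Scan Request fields of show security utm anti-virus statistic.

```python
"""Model of the SRX scan-mode decision: scan-all versus by-extension.

Added example for this page, not Junos or Kaspersky code. Signature lookup
is a substring match on the EICAR test string; the extension rule and the
transfers are constructed assumptions."""

# EICAR test string, split in two so this source file is not itself flagged.
EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         rb"ANTIVIRUS-TEST-FILE!$H+H*")
SIGNATURES = {"EICAR-Test-File": EICAR}

# Mirrors the extlist1 custom object from the page's by-extension config.
EXTLIST1 = ("exe", "vbs", "bat")


def extension_of(filename):
    """Suffix after the last '.' of the last path component, lower-cased.
    Assumption: the SRX compares only that suffix and ignores case."""
    name = filename.rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def needs_scan(mode, filename, extlist):
    """The scan-mode decision: 'all' always scans; 'by-extension' scans only
    when the sender-supplied filename carries a listed extension."""
    if mode == "all":
        return True
    if mode == "by-extension":
        return extension_of(filename) in extlist
    raise ValueError(f"unknown scan-mode {mode!r}")


def scan_engine(data):
    """Stand-in for the pattern-database query: the matching signature name,
    or None when the content is clean."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def process(mode, transfers, extlist=EXTLIST1):
    """Push each (filename, bytes) transfer through the gateway; return the
    per-file verdicts and counters named like the SRX statistics."""
    stats = {"scan-all": 0, "Scan-extension": 0,
             "Threat-found": 0, "Clean": 0, "passed-unscanned": 0}
    verdicts = []
    for filename, data in transfers:
        if not needs_scan(mode, filename, extlist):
            stats["passed-unscanned"] += 1
            verdicts.append((filename, "passed-unscanned"))
            continue
        stats["scan-all" if mode == "all" else "Scan-extension"] += 1
        hit = scan_engine(data)
        if hit:
            stats["Threat-found"] += 1
            verdicts.append((filename, f"blocked: {hit}"))
        else:
            stats["Clean"] += 1
            verdicts.append((filename, "clean"))
    return verdicts, stats


# Constructed transfers. The filename is whatever the sender put in the URL
# or Content-Disposition header, so the extension is attacker-controlled.
TRANSFERS = [
    ("invoice.exe", EICAR),           # listed extension: caught in both modes
    ("holiday.jpg", EICAR),           # payload renamed: only scan-all sees it
    ("SETUP.EXE", EICAR),             # upper-case suffix, assumed case-insensitive
    ("readme.txt", b"plain text, nothing to find"),
    ("backup.tar.gz", b"\x1f\x8b\x08" + b"\x00" * 16),  # only 'gz' is compared
]

if __name__ == "__main__":
    for mode in ("by-extension", "all"):
        verdicts, stats = process(mode, TRANSFERS)
        print(f"scan-mode {mode}: {stats}")
        for filename, verdict in verdicts:
            print(f"  {filename:16} {verdict}")
```

Run it and compare the two stats lines: under by-extension the renamed payload in holiday.jpg is counted as passed-unscanned, under scan-all it is a Threat-found. That is the difference the Scan Mode counters on the device let you see, and the reason scan-all is the safer default when the platform has the headroom.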
Sample config:
[edit security]
root@host# show utm
custom-objects {
    filename-extension {
        extlist1 {
            value [ exe vbs bat ];
        }
    }
}
feature-profile {
    anti-virus {
        kaspersky-lab-engine {
            profile avprof1 {
                scan-options {
                    scan-mode by-extension;
                    scan-extension extlist1;
                }
            }
        }
    }
}
Full Antivirus Intelligent Prescreening
Intelligent prescreening improves scanning performance. Normally the antivirus module begins scanning only after the gateway has received all packets of a file. With intelligent prescreening, the scan engine examines the first packet or first few packets to judge whether the file could contain malicious code; if that quick check finds an infection unlikely, the normal full-scan procedure is bypassed for that file.
*TIP: use only with non-encoded traffic. Not applicable to MIME-encoded traffic (SMTP, POP3, IMAP) or HTTP POST.
Content Size Limit
Due to resource constraints there is a default, device-dependent limit on the maximum content size that can be scanned.
FIXME: Needs to add more content in here
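The limit and the action taken when it is exceeded are both per-profile settings. Added example config, not from the page: the statement names (content-size-limit under scan-options, content-size under fallback-options) are those documented for the Junos kaspersky-lab-engine profile, so confirm them with ? on your release; the profile name avprof1 is reused from the config above and the 20000 KB value is an illustrative choice. The first fallback setting is the weaker one: oversized content is passed through unscanned and only logged, which is what the Maximum content size / Log-and-permit counter in the statistics records. The set command below switches it to block.

```text
[edit security utm feature-profile anti-virus kaspersky-lab-engine profile avprof1]
root@host# show
scan-options {
    /* in KB; the default depends on the platform */
    content-size-limit 20000;
}
fallback-options {
    /* weak: files over the limit are passed and only logged */
    content-size log-and-permit;
}

[edit security utm feature-profile anti-virus kaspersky-lab-engine profile avprof1]
root@host# set fallback-options content-size block
root@host# show fallback-options
content-size block;
```

After committing, watch the Maximum content size row of show security utm anti-virus statistic: with block configured, every oversized transfer moves from the Log-and-permit column to the Block column.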
Monitoring Antivirus Sessions and Scan Results
root@host> show security utm anti-virus status
AV Key Expire Date: 03/01/2010 00:00:00
Update Server: http://update.juniper-updates.net/AV/SRX210
interval: 60 minutes
auto update status: next update in 12 minutes
last result: new database loaded
AV signature version: 12/21/2008 00:35 GMT, virus records: 154018
Scan Engine Info: last action result: No error(0x00000000)
root@host> show security utm session
UTM session info:
Maximum sessions: 4000
Total allocated sessions: 0
Total freed sessions: 0
Active sessions: 0
root@host> show security utm anti-virus statistic
UTM Anti Virus statistics:
Intelligent-prescreening passed: 0
MIME-whitelist passed: 0
URL-whitelist passed: 0
Scan Mode:
scan-all: 0
Scan-extension: 0
Scan Request:
Total Clean Threat-found Fallback
0 0 0 0
Fallback:
Log-and-permit Block
Engine not ready: 0 0
Password file: 0 0
Decompress layer: 0 0
Corrupt files: 0 0
Out of resources: 0 0
Timeout: 0 0
Maximum content size: 0 0
Too many requests: 0 0
Others: 0 0
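The two outputs above are what you poll to know whether the full antivirus is actually protecting anything. The following is an added example written for this page, not a Juniper tool: it parses the text of show security utm anti-virus status and show security utm anti-virus statistic in the layout shown above (the regexes are assumptions tied to that layout) and raises the findings a SOC wants: an expired or expiring AV key, a stale signature database, a scan engine error, and fallback events that let content through unscanned under log-and-permit. Both sample outputs are constructed to resemble the page's, with made-up non-zero counters so that every check has something to report.

```python
"""Health check over the SRX antivirus status and statistics outputs.

Added example for this page, not a Juniper tool. The field regexes are
assumptions tied to the output layout shown on the page; both sample
outputs below are constructed."""
import re
from datetime import datetime, timedelta

SAMPLE_STATUS = """\
AV Key Expire Date: 03/01/2010 00:00:00
Update Server: http://update.juniper-updates.net/AV/SRX210
interval: 60 minutes
auto update status: next update in 12 minutes
last result: new database loaded
AV signature version: 12/21/2008 00:35 GMT, virus records: 154018
Scan Engine Info: last action result: No error(0x00000000)
"""

SAMPLE_STATISTIC = """\
UTM Anti Virus statistics:
Intelligent-prescreening passed: 40
MIME-whitelist passed: 0
URL-whitelist passed: 0
Scan Mode:
scan-all: 120
Scan-extension: 0
Scan Request:
Total Clean Threat-found Fallback
120 115 2 3
Fallback:
Log-and-permit Block
Engine not ready: 0 0
Password file: 2 0
Decompress layer: 0 0
Corrupt files: 0 0
Out of resources: 0 1
Timeout: 0 0
Maximum content size: 0 0
Too many requests: 0 0
Others: 0 0
"""

# Fixed clock so the demo is reproducible (naive UTC, like the GMT stamp).
SAMPLE_NOW = datetime(2009, 1, 15, 12, 0, 0)


def parse_status(text):
    """License expiry, signature timestamp, record count, engine result."""
    expire = re.search(r"AV Key Expire Date:\s*(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)", text)
    sig = re.search(r"AV signature version:\s*(\d\d/\d\d/\d{4} \d\d:\d\d) GMT,"
                    r"\s*virus records:\s*(\d+)", text)
    engine = re.search(r"last action result:\s*(.+)", text)
    if not (expire and sig and engine):
        raise ValueError("status output not in the expected layout")
    return {"key_expires": datetime.strptime(expire.group(1), "%m/%d/%Y %H:%M:%S"),
            "signature_time": datetime.strptime(sig.group(1), "%m/%d/%Y %H:%M"),
            "virus_records": int(sig.group(2)),
            "engine_result": engine.group(1).strip()}


def parse_statistic(text):
    """Scan-request totals plus per-reason fallback (log-and-permit, block) counts."""
    totals = re.search(r"Fallback\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)", text)
    if not totals:
        raise ValueError("statistics output not in the expected layout")
    # Only the fallback rows carry two integer columns; the single-valued
    # counters and the hyphenated names above them never match this pattern.
    rows = re.findall(r"^([A-Za-z][A-Za-z ]*?):\s+(\d+)\s+(\d+)\s*$", text, re.M)
    total, clean, threat, fallback = (int(g) for g in totals.groups())
    return {"total": total, "clean": clean, "threat_found": threat, "fallback": fallback,
            "fallback_rows": {name: (int(p), int(b)) for name, p, b in rows}}


def health_findings(status, stats, now, max_sig_age=timedelta(days=7),
                    expiry_warn=timedelta(days=30)):
    """Return (code, message) findings in check order."""
    f = []
    left = status["key_expires"] - now
    if left <= timedelta(0):
        f.append(("LICENSE_EXPIRED", f"AV key expired {status['key_expires']:%Y-%m-%d}; "
                  "scanning continues with the stored signatures but updates stop"))
    elif left <= expiry_warn:
        f.append(("LICENSE_EXPIRING", f"AV key expires in {left.days} days"))
    age = now - status["signature_time"]
    if age > max_sig_age:
        f.append(("STALE_SIGNATURES", f"signature database is {age.days} days old "
                  f"({status['virus_records']} records)"))
    if not status["engine_result"].startswith("No error"):
        f.append(("ENGINE_ERROR", f"scan engine reported: {status['engine_result']}"))
    permitted = {n: p for n, (p, _b) in stats["fallback_rows"].items() if p}
    if permitted:
        f.append(("UNSCANNED_PERMITTED", f"{sum(permitted.values())} requests passed "
                  f"unscanned via log-and-permit fallback: {permitted}"))
    if stats["threat_found"]:
        f.append(("THREATS_FOUND", f"{stats['threat_found']} of {stats['total']} "
                  "scan requests contained threats"))
    return f


def run_check(status_text, stats_text, now):
    return health_findings(parse_status(status_text), parse_statistic(stats_text), now)


if __name__ == "__main__":
    for code, message in run_check(SAMPLE_STATUS, SAMPLE_STATISTIC, SAMPLE_NOW):
        print(f"[{code}] {message}")
```

In production you would feed it the real command output (for example over NETCONF or a scheduled CLI capture) and the current time instead of SAMPLE_NOW. The UNSCANNED_PERMITTED finding is the one most often missed: a password-protected archive or an oversized file under a log-and-permit fallback reaches the client without being scanned, and only this counter tells you so.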
B) Express Antivirus Protection
FIXME