SRX UTM Sophos Antivirus
In the previous post I wrote about UTM web filtering. This post gives a basic configuration example for Sophos antivirus on the SRX. Below is the simple topology used in this lab.
[edit]
root@srx# show security utm feature-profile
anti-virus {
    type sophos-engine;
    sophos-engine {
        profile sophos-prof {
            fallback-options {
                content-size log-and-permit;
                engine-not-ready permit;
                out-of-resources permit;
                too-many-requests permit;
            }
            scan-options {
                content-size-limit 15000;
                timeout 600;
            }
            notification-options {
                virus-detection {
                    custom-message "Juniper Sophos has detected a virus";
                }
            }
        }
    }
}
As with the web filtering configuration, we must configure an antivirus feature profile and, under sophos-engine, a named profile. Again, do not forget the "type sophos-engine" statement; without it Junos is never told which engine (Sophos or Kaspersky) you want to use. Note also what the fallback-options do: every failure case listed in this profile (content over the size limit, engine not ready, out of resources, too many requests) is set to permit or log-and-permit, so in those cases the content is handed to the client without having been scanned. That is a fail-open profile; if you would rather fail closed, set the relevant fallback to block instead.
In scan-options, content-size-limit is given in kilobytes, so 15000 tells the Sophos engine not to scan content larger than roughly 15 MB (anything larger takes the content-size fallback above), and timeout 600 allows a single scan 600 seconds before it is treated as timed out.
After configuring the feature profile, we must reference it from a UTM policy.
[edit]
root@srx# show security utm utm-policy utm-pol1
anti-virus {
    http-profile sophos-prof;
}
Now we must apply this UTM policy in our security policy. Only the protocols that have a profile in the UTM policy are inspected; utm-pol1 only carries an http-profile, so of the applications matched below only HTTP is scanned, while the DNS applications are simply permitted.
[edit]
root@srx# show security policies
from-zone TRUST to-zone INTERNET {
    policy allow-utm-clients {
        match {
            source-address any;
            destination-address any;
            application [ junos-http junos-dns-udp junos-dns-tcp ];
        }
        then {
            permit {
                application-services {
                    utm-policy utm-pol1;
                }
            }
        }
    }
}
I then committed and checked the Sophos status twice in quick succession.
root@srx> show security utm anti-virus status
UTM anti-virus status:
    Anti-virus key expire date: 2014-07-19 13:13:08
    Update server: http://update.juniper-updates.net/SAV/
        Interval: 1440 minutes
        Pattern update status: N/A
        Last result: N/A
    Anti-virus signature version: Not loaded
    Scan engine type: sophos-engine
    Scan engine information: Load failure (general error)

root@srx> show security utm anti-virus status
UTM anti-virus status:
    Anti-virus key expire date: 2014-07-19 13:13:14
    Update server: http://update.juniper-updates.net/SAV/
        Interval: 1440 minutes
        Pattern update status: next update in 1439 minutes
        Last result: new database downloaded
    Anti-virus signature version: 1.13 (1.02)
    Scan engine type: sophos-engine
    Scan engine information: last action result: No error
As you can see, on the first check the antivirus signatures are not loaded yet, but a short time later the engine becomes ready. Until it does, the engine-not-ready permit fallback configured above lets HTTP traffic through unscanned, so check the status before relying on the policy. Make sure the SRX has a name server configured and can reach the update server, otherwise the signature download will never succeed.
I would also like to emphasise the "type sophos-engine" option once more. If you do not set it, you get output like the one below, as if nothing had been configured at all. So do not forget it.
root@srx> show security utm anti-virus status
UTM anti-virus status:
    Scan engine type: no-config
To test the antivirus, I downloaded the EICAR test file (a harmless string that antivirus engines are built to recognise) and got the message "Juniper Sophos has detected a virus" as configured. The statistics also show that a virus has been found.
root@srx> show security utm anti-virus statistics
UTM Anti Virus statistics:
    MIME-whitelist passed: 0
    URL-whitelist passed: 0
    Scan Request:
        Total   Clean   Threat-found   Fallback
            1       0              1          0
    Fallback:
                               Log-and-Permit   Block   Permit
        Engine not ready:                   0       0        0
        Out of resources:                   0       0        0
        Timeout:                            0       0        0
        Maximum content size:               0       0        0
        Too many requests:                  0       0        0
        Others:                             0       0        0
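The two show commands above are the ones worth automating, since a freshly committed profile can sit in "Not loaded" or "no-config" while traffic flows through the permit fallbacks. The following Python script is an added example, not code from the original post or from Juniper: it parses the status output to decide whether the engine is really scanning, and parses the statistics table to count requests that were permitted without a completed scan. The sample outputs are constructed from the lab output quoted in this post, and the "key: value" and column layout the parser relies on is an assumption about that output, not a documented format.

```python
"""Added example (not from the post): check whether the SRX Sophos engine is
really scanning, from 'show security utm anti-virus status|statistics' output.
Sample outputs are constructed from the lab output in the post; the parser
assumes the 'key: value' and column layout seen there."""
import re

STATUS_NOT_READY = """\
UTM anti-virus status:
    Anti-virus key expire date: 2014-07-19 13:13:08
    Update server: http://update.juniper-updates.net/SAV/
    Anti-virus signature version: Not loaded
    Scan engine type: sophos-engine
    Scan engine information: Load failure (general error)
"""

STATUS_READY = """\
UTM anti-virus status:
    Anti-virus key expire date: 2014-07-19 13:13:14
    Update server: http://update.juniper-updates.net/SAV/
    Anti-virus signature version: 1.13 (1.02)
    Scan engine type: sophos-engine
    Scan engine information: last action result: No error
"""

STATUS_NO_CONFIG = """\
UTM anti-virus status:
    Scan engine type: no-config
"""

STATISTICS = """\
UTM Anti Virus statistics:
    Scan Request:
        Total   Clean   Threat-found   Fallback
            1       0              1          0
    Fallback:
                               Log-and-Permit   Block   Permit
        Engine not ready:                   0       0        0
        Out of resources:                   0       0        0
        Timeout:                            0       0        0
        Maximum content size:               0       0        0
        Too many requests:                  0       0        0
        Others:                             0       0        0
"""

FALLBACK_ROWS = ("Engine not ready", "Out of resources", "Timeout",
                 "Maximum content size", "Too many requests", "Others")


def parse_status(text):
    """Map each 'key: value' line to a dict. Splitting on the first ':' keeps
    timestamps, URLs and 'last action result: No error' intact."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line or line.endswith(":"):
            continue  # blank line or a section header such as 'UTM anti-virus status:'
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def engine_ready(fields):
    """Return (ready, reason). Only the sophos engine with a loaded signature
    set and no engine error counts as ready; anything else means requests
    are taking the fallback path (permit in the post's profile)."""
    engine = fields.get("Scan engine type", "")
    if engine != "sophos-engine":
        return False, "scan engine type is %r (missing 'type sophos-engine'?)" % engine
    version = fields.get("Anti-virus signature version", "Not loaded")
    if version == "Not loaded":
        return False, "signature database not loaded yet"
    info = fields.get("Scan engine information", "")
    if "No error" not in info:
        return False, "engine error: " + info
    return True, "engine loaded, signatures " + version


def parse_statistics(text):
    """Extract the Scan Request counters and, per fallback reason, the
    Log-and-Permit / Block / Permit counters."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    stats = {"scan_request": None, "fallback": {}}
    for i, line in enumerate(lines):
        if line.startswith("Scan Request:"):
            # the first all-numeric row after the header carries the counters
            row = next(l for l in lines[i + 1:] if re.fullmatch(r"(\d+\s+){3}\d+", l))
            stats["scan_request"] = dict(zip(
                ("total", "clean", "threat_found", "fallback"), map(int, row.split())))
            continue
        m = re.fullmatch(r"(%s):\s+(\d+)\s+(\d+)\s+(\d+)" % "|".join(FALLBACK_ROWS), line)
        if m:
            stats["fallback"][m.group(1)] = dict(zip(
                ("log_and_permit", "block", "permit"), map(int, m.group(2, 3, 4))))
    return stats


def unscanned_permits(stats):
    """Requests let through without a completed scan: the Log-and-Permit and
    Permit columns of every fallback row. A zero threat_found says nothing
    about these."""
    return sum(r["log_and_permit"] + r["permit"] for r in stats["fallback"].values())


if __name__ == "__main__":
    for text in (STATUS_NOT_READY, STATUS_READY, STATUS_NO_CONFIG):
        print(engine_ready(parse_status(text)))
    print(unscanned_permits(parse_statistics(STATISTICS)))
```

In practice you would feed the script the live output (for example over NETCONF or an SSH session) rather than the embedded samples; the point of unscanned_permits is that with a fail-open profile the Threat-found counter alone never tells you how much content bypassed the engine.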