SRX UTM: Antivirus - Kaspersky Full


Today we are going to take a little look at Antivirus on the SRX and test it to make sure it's actually working.

There are currently 3 Antivirus solutions for the SRX, each of which requires a different license to activate:
* Kaspersky
* Sophos
* Juniper Express

Briefly, some differences between the 3 options are:
Kaspersky
* Full file-based AV
* Local signature database lookups. AV signatures downloaded as a package.
* Largest CPU performance impact
* Supports Intelligent Prescreening

Sophos
* Cloud-based signature database, which therefore requires constant Internet access for AV lookups.
* Moderate CPU performance impact
* No Prescreening

Juniper Express
* Less protection than the other 2 options
* Only protects against critical threats. Modified Kaspersky database.
* Does not reconstruct content prior to scanning
* Pattern matching based solution. No heuristics.
* No protection against polymorphic or metamorphic viruses
* Supports Intelligent Prescreening
* Least CPU performance impact and highest throughput.

As our test today is on an SRX100H, we only have 2 of those options available. Juniper Express is not available on the 100 as it doesn't have Content Security Accelerator hardware.

1) THE LICENSE

a) Download the trial license.
   a. Log in to this site with your Juniper ID: https://www.juniper.net/lcrs/mylic.do?methodToCall=setUpTrial&family_id=1
   b. Select your version of Junos, enter your serial number and click "Get Available Trials"
   c. Select "Juniper-Kaspersky AV updates (Trial Period : 30 Days )" and click the "Generate" button to get your license key


b) Install the license

blogger@LEFTY> request system license add terminal
[Type ^D at a new line to end input,
 enter blank line between each license key]
JUNOS175342 aeaaea qmifkt eobrgf auxmbu gm3aqb qczg7e
            7ptna4 udt2r4 hhattv 7vmyyw 75jw7j pmn2gn
            bsobrw i4ugb3 dpaibx fe3y2e a5gpmr vngw4p
            nny
JUNOS172342: successfully added
add license complete (no errors)

blogger@LEFTY> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  av_key_kaspersky_engine               0            1           0    2013-10-03 10:00:00 EST
  wf_key_surfcontrol_cpa                1            0           1    9 days
  dynamic-vpn                           0            2           0    permanent
  ax411-wlan-ap                         0            2           0    permanent
  mem-upg                               0            1           0    permanent
  wf_key_websense_ewf                   1            0           1    18 days 


2) DOWNLOAD AND CHECK THE SIGNATURES

The SRX, even with no AV features configured other than installing the license, will try to get the signature updates. If the SRX has to go through another firewall to get the updates, you need to permit DNS and HTTP for it to do so.

Here it is auto-downloading the signature updates after being granted access to the net.

blogger@LEFTY> show security utm anti-virus status   
 UTM anti-virus status:

    Anti-virus key expire date: 2013-10-03 10:00:00
    Update server: http://update.juniper-updates.net/AV/SRX100/
           Interval: 60 minutes
           Pattern update status: in process
           Last result: downloading signature files
    Anti-virus signature version: not loaded
    Anti-virus signature compiler version: N/A
    Scan engine type: kaspersky-lab-engine
    Scan engine information: last action result: Engine not ready 


And just a few minutes later all done...

blogger@LEFTY> show security utm anti-virus status   
 UTM anti-virus status:

    Anti-virus key expire date: 2013-10-03 10:00:00
    Update server: http://update.juniper-updates.net/AV/SRX100/
           Interval: 60 minutes
           Pattern update status: next update in 56 minutes
           Last result: new database loaded
    Anti-virus signature version: 09/13/2013 23:18 GMT, virus records: 567708
    Anti-virus signature compiler version: N/A
    Scan engine type: kaspersky-lab-engine
    Scan engine information: last action result: No error(0x00000000)


At any time you can always try a manual update..

blogger@LEFTY> request security utm anti-virus kaspersky-lab-engine pattern-update
Anti-virus update request results: av_mgr: pattern updater 13423 is started, downloading from http://update.juniper-updates.net/AV/SRX100/.


Check the results..

blogger@LEFTY> show security utm anti-virus status | match "last result"
           Last result: already have latest database
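The status output above is what you would poll from a monitoring script to catch the "Engine not ready" state and stale or expiring signatures before users notice. As an added example (my code, not part of the original post or of Junos), here is a small Python health check over that output: it parses the "Key: value" lines, then flags an engine result other than "No error", an updater result other than a successful load, signatures that are unloaded or older than a threshold, and a license key close to expiry. The two sample outputs are copied from the status commands shown earlier in this post; the 7-day signature age and 14-day expiry warning thresholds are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed samples: the two "show security utm anti-virus status" outputs shown
# above in this post, first while the engine was still downloading, then after the
# database had loaded.
STATUS_NOT_READY = """\
 UTM anti-virus status:

    Anti-virus key expire date: 2013-10-03 10:00:00
    Update server: http://update.juniper-updates.net/AV/SRX100/
           Interval: 60 minutes
           Pattern update status: in process
           Last result: downloading signature files
    Anti-virus signature version: not loaded
    Anti-virus signature compiler version: N/A
    Scan engine type: kaspersky-lab-engine
    Scan engine information: last action result: Engine not ready
"""

STATUS_LOADED = """\
 UTM anti-virus status:

    Anti-virus key expire date: 2013-10-03 10:00:00
    Update server: http://update.juniper-updates.net/AV/SRX100/
           Interval: 60 minutes
           Pattern update status: next update in 56 minutes
           Last result: new database loaded
    Anti-virus signature version: 09/13/2013 23:18 GMT, virus records: 567708
    Anti-virus signature compiler version: N/A
    Scan engine type: kaspersky-lab-engine
    Scan engine information: last action result: No error(0x00000000)
"""

# "Last result" values that appear in this post when the updater is healthy.
HEALTHY_RESULTS = {"new database loaded", "already have latest database"}


def parse_status(text):
    """Split each 'Key: value' line of the status output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_av_health(text, now, max_signature_age_days=7, expiry_warning_days=14):
    """Return a list of problem strings; an empty list means the engine looks healthy.

    `now` is a "YYYY-MM-DD HH:MM" string so the check can be replayed against old
    output. Signature time is GMT and key expiry is device local time; the few
    hours of offset do not matter at the day granularity used here (assumption).
    """
    f = parse_status(text)
    now_dt = datetime.strptime(now, "%Y-%m-%d %H:%M")
    problems = []

    # 1. Scan engine state: anything other than "No error" means traffic is hitting
    #    the engine-not-ready fallback (log-and-permit in the default profile).
    engine = f.get("Scan engine information", "missing")
    if "No error" not in engine:
        problems.append("engine: " + engine)

    # 2. Updater result.
    result = f.get("Last result", "missing")
    if result not in HEALTHY_RESULTS:
        problems.append("updater: " + result)

    # 3. Signature database loaded and reasonably fresh.
    sig = f.get("Anti-virus signature version", "missing")
    m = re.match(r"(\d\d/\d\d/\d{4} \d\d:\d\d) GMT, virus records: (\d+)", sig)
    if not m:
        problems.append("signatures: " + sig)
    elif now_dt - datetime.strptime(m.group(1), "%m/%d/%Y %H:%M") > timedelta(days=max_signature_age_days):
        problems.append("signatures: older than %d days" % max_signature_age_days)

    # 4. License key expiry: once it lapses, pattern updates stop (AV_PATTERN_KEY_EXPIRED).
    expiry = f.get("Anti-virus key expire date")
    if expiry is None:
        problems.append("license: no expiry date in output")
    elif datetime.strptime(expiry, "%Y-%m-%d %H:%M:%S") - now_dt < timedelta(days=expiry_warning_days):
        problems.append("license: expires " + expiry)

    return problems


if __name__ == "__main__":
    print(check_av_health(STATUS_NOT_READY, "2013-09-14 12:00"))
    print(check_av_health(STATUS_LOADED, "2013-09-14 12:00"))
```

In practice you would feed `check_av_health` the text returned by running the show command over SSH or NETCONF and page on a non-empty list; the first sample returns three problems (engine, updater, signatures) and the second returns none.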


3) CONFIGURE ANTIVIRUS
 
a) Pick the AV engine

blogger@LEFTY# set security utm feature-profile anti-virus type kaspersky-lab-engine  

b) Change the AV signature update interval according to your policy. Here I change it from the default 60 minutes to 45 minutes.

blogger@LEFTY# set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update ?           
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> email-notify         Virus pattern file updated notification
  interval             Interval to check the update (10..10080)
  no-autoupdate        Don't automatically update anti-virus pattern
> proxy                Pattern update proxy server.
  url                  Server URL
  |                    Pipe through a command
[edit]
blogger@LEFTY# set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update interval ?
Possible completions:
  <interval>           Interval to check the update (10..10080)
[edit]
blogger@LEFTY# set security utm feature-profile anti-virus kaspersky-lab-engine pattern-update interval 45


Note: the other options here let you send an update status notification via email, disable automatic updates, or go through a proxy.

If you are happy to use the Junos default AV profile, that's it. There is no more to configure in the AV section.

c) Bind Antivirus to the UTM policy

In my case I already have a UTM policy which has Enhanced Web Filtering in it so we will use that.

Here is the UTM policy config before changes..

blogger@LEFTY> show configuration security utm utm-policy utm-testa
web-filtering {
    http-profile wf-e-profile;
}

Now we add AV to it. You need to define which protocols you want AV to protect, each with its own profile. Below are the choices. We will use HTTP and FTP for testing.

blogger@LEFTY# set security utm utm-policy utm-testa anti-virus ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> ftp                  FTP profile
  http-profile         Anti-virus profile
  imap-profile         Anti-virus profile
  pop3-profile         Anti-virus profile
  smtp-profile         Anti-virus profile
[edit]    


blogger@LEFTY# set security utm utm-policy utm-testa anti-virus http-profile junos-av-defaults          

[edit]
blogger@LEFTY# set security utm utm-policy utm-testa anti-virus ftp upload-profile junos-av-defaults                     

[edit]
blogger@LEFTY# set security utm utm-policy utm-testa anti-virus ftp download-profile junos-av-defaults                       

[edit]
blogger@LEFTY# commit
commit complete

[edit]
blogger@LEFTY# run show configuration security utm utm-policy utm-testa
anti-virus {
    http-profile junos-av-defaults;
    ftp {
        upload-profile junos-av-defaults;
        download-profile junos-av-defaults;
    }
}
web-filtering {
    http-profile wf-e-profile;
}

Note the ability to have different profiles for FTP upload and download.


Since we took the easy way to start and used the junos-av-defaults profile, we had better actually have a look at what settings it uses..

blogger@LEFTY# show groups junos-defaults security utm feature-profile anti-virus kaspersky-lab-engine profile junos-av-defaults
fallback-options {
    default log-and-permit;
    corrupt-file log-and-permit;
    password-file log-and-permit;
    decompress-layer log-and-permit;
    content-size log-and-permit;
    engine-not-ready log-and-permit;
    timeout log-and-permit;
    out-of-resources log-and-permit;
    too-many-requests log-and-permit;
}
scan-options {
    intelligent-prescreening;
    scan-mode all;
    content-size-limit 10000;
    timeout 180;
    decompress-layer-limit 2;
}
notification-options {
    virus-detection {
        type message;
        no-notify-mail-sender;
        custom-message "VIRUS WARNING";
    }
    fallback-block {
        type message;
        no-notify-mail-sender;
    }
}


Also note that even though the settings above are the ones we are using, they don't actually show in the config. You can of course change any of those settings with a custom profile.

The URL for the pattern update and the update interval are also defaults; however, since we changed the default interval, that does show in the config.

blogger@LEFTY> show configuration security utm feature-profile anti-virus
type kaspersky-lab-engine;
kaspersky-lab-engine {
    pattern-update {
        interval 45;
    }
}


blogger@LEFTY> show security utm anti-virus status
 UTM anti-virus status:

    Anti-virus key expire date: 2013-10-03 10:00:00
    Update server: http://update.juniper-updates.net/AV/SRX100/
           Interval: 45 minutes
           Pattern update status: next update in 20 minutes
           Last result: already have latest database
    Anti-virus signature version: 09/13/2013 23:18 GMT, virus records: 567708
    Anti-virus signature compiler version: N/A
    Scan engine type: kaspersky-lab-engine
    Scan engine information: last action result: No error(0x00000000)


d) Apply the UTM policy to a security policy

blogger@LEFTY> show configuration security policies from-zone trust to-zone untrust
policy trust-to-untrust {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            application-services {
                utm-policy utm-testa;
            }
        }
        log {
            session-init;
        }
    }
}


e) Syslog setup

Before we test, let's get some logging set up.
Here is a list of all possible AV messages..

AV_HUGE_FILE_DROPPED_MT  LOG_PFE,Skip antivirus scanning and drop the received traffic due to huge file
AV_HUGE_FILE_NOT_SCANNED_MT  LOG_PFE,Skip antivirus scanning and pass the received traffic due to huge file
AV_MANY_MSGS_DROPPED_MT  LOG_PFE,Drop the received file due to excessive traffic
AV_MANY_MSGS_NOT_SCANNED_MT  LOG_PFE,Skip antivirus scanning due to excessive traffic
AV_PATTERN_GET_FAILED  LOG_FIREWALL,The device was unable to retrieve an antivirus pattern file from the server
AV_PATTERN_KEY_EXPIRED  LOG_FIREWALL,Unable to download the antivirus pattern file, because the antivirus license key has been expired
AV_PATTERN_KL_CHECK_FAILED  LOG_FIREWALL,The device is unable to use Kaspersky's pattern file
AV_PATTERN_TOO_BIG   LOG_FIREWALL,The pattern file size specified in the server initialization file exceeds the limit
AV_PATTERN_UPDATED   LOG_FIREWALL,The internal antivirus scanner successfully updated the antivirus pattern file
AV_PATTERN_WRITE_FS_FAILED  LOG_FIREWALL,The device is unable to save contents of an antivirus pattern file
AV_SCANNER_DROP_FILE_MT  LOG_PFE,Drop the received traffic due to an internal error of antivirus scanner
AV_SCANNER_ERROR_SKIPPED_MT  LOG_PFE,Skip antivirus scanning due to an internal error
AV_SCANNER_READY     LOG_FIREWALL,The antivirus scan engine is ready
AV_VIRUS_DETECTED_MT  LOG_PFE,The antivirus scanner detected a virus


So we will set up one log file to catch virus detections (AV_VIRUS) and another (AV_OPS) to catch all the other operational messages. Both go under [edit system syslog].

file AV_VIRUS {
    any any;
    match AV_VIRUS_DETECTED_MT;
    archive size 1m files 3;
}
file AV_OPS {
    any any;
    match "(AV_HUGE|AV_MANY|AV_PATTERN|AV_SCANNER)";
    archive size 1m files 3;
}

4) TEST ANTIVIRUS

We will of course start testing with the EICAR test file, which we know is not a real virus but a signature that all AV products should pick up, i.e. a completely safe way to test AV.

We are using the above trust-to-untrust policy.

You can run the EICAR test from here..
http://www.eicar.org/85-0-Download.html

On this page there are a variety of tests you can run over HTTP and HTTPS.


a) HTTP tests.
Result > Success. Each virus was caught. As it's being done through a browser, we get the following message pop up when we access any of the tests over HTTP.


The wording "VIRUS WARNING" is from the default junos-av-defaults profile.

Here is the syslog message in our custom log for each of the 4 EICAR HTTP tests..

blogger@LEFTY> show log AV_VIRUS                                                     
Sep 14 15:31:26 LEFTY clear-log[2223]: logfile cleared
Sep 14 15:31:35  LEFTY RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: from 188.40.238.250:80 to 10.10.10.40:49293 source-zone untrust www.eicar.org/download/eicar.com file www.eicar.org/download/eicar.com virus EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File username N/A roles N/A
Sep 14 15:31:38  LEFTY RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: from 188.40.238.250:80 to 10.10.10.40:49293 source-zone untrust www.eicar.org/download/eicar.com.txt file www.eicar.org/download/eicar.com.txt virus EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File username N/A roles N/A
Sep 14 15:31:40  LEFTY RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: from 188.40.238.250:80 to 10.10.10.40:49293 source-zone untrust www.eicar.org/download/eicar_com.zip file www.eicar.org/download/eicar_com.zip/eicar.com virus EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File username N/A roles N/A
Sep 14 15:31:44  LEFTY RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: from 188.40.238.250:80 to 10.10.10.40:49293 source-zone untrust www.eicar.org/download/eicarcom2.zip file www.eicar.org/download/eicarcom2.zip/eicar_com.zip/eicar.com virus EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File username N/A roles N/A


Note: eicarcom2.zip is a zipped file containing another zipped file. We catch it as we have decompress-layer-limit 2 in the junos-av-defaults profile.

b) HTTPS tests
Result > FAIL.
Completely expected for obvious reasons, as it can't see into the encrypted stream.

I just mention it to make the point so you're not disappointed or surprised if you choose to run SRX AV and you expect it to work its magic over HTTPS.

c) FTP tests.

Below is an FTP session captured on the client side through the same security policy.

c:\temp>ftp 172.30.116.40
Connected to 172.30.116.40.
220-FileZilla Server version 0.9.41 beta
220-written by Tim Kosse (Tim.Kosse@gmx.de)
220 Please visit http://sourceforge.net/projects/filezilla/
User (172.30.116.40:(none)): XXXX
331 Password required for XXXX
Password:
230 Logged on
ftp> bin
200 Type set to I
ftp> hash
Hash mark printing On  ftp: (2048 bytes/hash mark) .
ftp> get eicar.com.txt
200 Port command successful
150 Opening data channel for file transfer.
550 172.30.116.40:21->10.10.10.40:49327 VIRUS WARNING For eicar.com.txt with virus EICAR-Test-File.
ftp: 95 bytes received in 0.00Seconds 95000.00Kbytes/sec.
ftp> bye
221 Goodbye

c:\temp>dir
 Volume in drive C has no label.
 Volume Serial Number is 0ED6-FF4D

 Directory of c:\temp

09/14/2013  04:29 PM    <DIR>          .
09/14/2013  04:29 PM    <DIR>          ..
09/14/2013  04:29 PM                95 eicar.com.txt
               1 File(s)             95 bytes
               2 Dir(s)  38,075,416,576 bytes free



RESULT > Success.
We see that we got the VIRUS WARNING in the actual FTP session, which is useful. However, it did seem to actually download a file of 95 bytes, whereas the eicar.com.txt file is only 68 bytes.

Looking into the file it downloaded we see..



So it replaced the contents of the file with the warning. Nice one Juniper.

Here is the SRX log for the above incident. My only complaint is there is no mention of FTP in the log message.

Sep 14 16:51:17  LEFTY RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: from 172.30.116.40:20 to 10.10.10.40:49332 source-zone untrust eicar.com.txt file eicar.com.txt virus EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File username N/A roles N/A

Checking the UTM AV stats after the testing..

blogger@LEFTY> show security utm anti-virus statistics
 UTM Anti Virus statistics:

 Intelligent-prescreening passed:      115
 MIME-whitelist passed:                0
 URL-whitelist passed:                 0

 Scan Mode:
     scan-all:                         65
     Scan-extension:                   0
 Scan Request:

  Total           Clean         Threat-found    Fallback
      65             166             14               0
 Fallback:

                           Log-and-permit         Block         
  Engine not ready:                0                      0
  Password file:                   0                      0
  Decompress layer:                0                      0
  Corrupt files:                   0                      0
  Out of resources:                0                      0
  Timeout:                         0                      0
  Maximum content size:            0                      0
  Too many requests:               0                      0
  Others:                          0                      0


5) BYPASSING THE AV ENGINE

You may not want certain sites or MIME types to be inspected with the AV engine. That can be done with URL and MIME whitelists. URL whitelists are checked before MIME whitelists.

You define these whitelists as UTM custom objects.

A good test for this would be to put the eicar site into a whitelist and then try and download the test files again over HTTP.

Here is the config..

blogger@LEFTY> show configuration security utm   
custom-objects {
    url-pattern {

        pattern2 {
            value http://www.eicar.org;
        }
    }
    custom-url-category {

        antivirus_whitelist {
            value pattern2;
        }
    }
}
feature-profile {
    anti-virus {
        url-whitelist antivirus_whitelist;
        type kaspersky-lab-engine;
        kaspersky-lab-engine {
            pattern-update {
                interval 45;
            }
        }
    }
}


Let's check the stats to see if we had whitelist hits..

blogger@LEFTY> show security utm anti-virus statistics   
 UTM Anti Virus statistics:

 Intelligent-prescreening passed:      131
 MIME-whitelist passed:                0
 URL-whitelist passed:                 7

 Scan Mode:
     scan-all:                         218
     Scan-extension:                   0
 Scan Request:

  Total           Clean         Threat-found    Fallback
     218             335             14               2
 Fallback:

                           Log-and-permit         Block         
  Engine not ready:                0                      0
  Password file:                   0                      0
  Decompress layer:                0                      0
  Corrupt files:                   0                      0
  Out of resources:                0                      0
  Timeout:                         0                      0
  Maximum content size:            2                      0
  Too many requests:               0                      0
  Others:                          0                      0


Whitelist worked. I was able to download the eicar test files without triggering any alerts.

Finally, let's just make sure the other log (AV_OPS) is working, as I see there are hits on "Maximum content size":

blogger@LEFTY> show log AV_OPS   
Sep 14 17:48:19  LEFTY RT_UTM: AV_HUGE_FILE_NOT_SCANNED_MT: AntiVirus: Content from 98.126.237.66:80 to 10.10.10.40:49575 download18.gamershell.com/filehell/17f15d865d683159245c3d297af99dd4523d4ed3019333/demo/gunner-fsd-setup.zip was not scanned because maximum content size was exceeded username N/A roles N/A.

Sep 14 18:14:21  LEFTY RT_UTM: AV_SCANNER_ERROR_SKIPPED_MT: AntiVirus: Content from 10.10.10.40:49576 to 74.125.237.168:80 safebrowsing.clients.google.com/safebrowsing/downloads?client=navclient-auto-ffox&appver=23.0.1&pver=2.2&wrkey=akegnis4uoqmwydtr79qsql1pc0hyxpt6dbs8jny8k8-_jpayxru98xh_wwjl3wlqnv7s2upkkrgzl1nhge8dtxanvrlqg== was not scanned because scan-engine error or constraint with code 14 for scan engine is not ready username N/A roles N/A. 

The AV_OPS log is working, as seen by capturing 2 of the different types of messages we wanted.
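The two logs above are what a SOC would actually ingest, so here, as an added example (my code, not part of the original post or of Junos), is a Python parser for the RT_UTM lines in both the AV_VIRUS and AV_OPS logs. It extracts the flow, zone, URL, file and virus name from AV_VIRUS_DETECTED_MT, and the URL and reason from the "was not scanned" messages; it also works around the post's complaint that the log never names the protocol by inferring it from the well-known port on either side, and it derives how many archive layers the scanner unpacked from the "file" field (the eicarcom2.zip line shows two, matching decompress-layer-limit 2). The sample lines are copied from this post, with the long Google safebrowsing URL shortened; the port-to-protocol table is my assumption.

```python
import re
from collections import Counter

# Constructed sample: RT_UTM lines copied from the AV_VIRUS and AV_OPS logs shown in
# this post (the long Google safebrowsing URL is shortened here).
SAMPLE_LOG = """\
Sep 14 15:31:35  LEFTY RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: from 188.40.238.250:80 to 10.10.10.40:49293 source-zone untrust www.eicar.org/download/eicar.com file www.eicar.org/download/eicar.com virus EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File username N/A roles N/A
Sep 14 15:31:44  LEFTY RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: from 188.40.238.250:80 to 10.10.10.40:49293 source-zone untrust www.eicar.org/download/eicarcom2.zip file www.eicar.org/download/eicarcom2.zip/eicar_com.zip/eicar.com virus EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File username N/A roles N/A
Sep 14 16:51:17  LEFTY RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: from 172.30.116.40:20 to 10.10.10.40:49332 source-zone untrust eicar.com.txt file eicar.com.txt virus EICAR-Test-File URL:http://www.viruslist.com/en/search?VN=EICAR-Test-File username N/A roles N/A
Sep 14 17:48:19  LEFTY RT_UTM: AV_HUGE_FILE_NOT_SCANNED_MT: AntiVirus: Content from 98.126.237.66:80 to 10.10.10.40:49575 download18.gamershell.com/filehell/17f15d865d683159245c3d297af99dd4523d4ed3019333/demo/gunner-fsd-setup.zip was not scanned because maximum content size was exceeded username N/A roles N/A.
Sep 14 18:14:21  LEFTY RT_UTM: AV_SCANNER_ERROR_SKIPPED_MT: AntiVirus: Content from 10.10.10.40:49576 to 74.125.237.168:80 safebrowsing.clients.google.com/safebrowsing/downloads?client=navclient-auto-ffox was not scanned because scan-engine error or constraint with code 14 for scan engine is not ready username N/A roles N/A.
"""

# Virus detections (the AV_VIRUS log).
DETECT_RE = re.compile(
    r"RT_UTM: (?P<msg>AV_VIRUS_DETECTED_MT): AntiVirus: Virus detected: "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"source-zone (?P<zone>\S+) (?P<url>\S+) file (?P<file>\S+) virus (?P<virus>\S+)"
)

# Content that bypassed scanning (the AV_HUGE_* / AV_SCANNER_* messages in the AV_OPS log).
SKIP_RE = re.compile(
    r"RT_UTM: (?P<msg>AV_\w+_MT): AntiVirus: Content "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<url>\S+) was not scanned because (?P<reason>.+?) username"
)

# The log line never names the protocol (the post's complaint about the FTP case),
# so infer it from the well-known port on either side of the flow (assumed table).
PORT_PROTOCOLS = {20: "ftp", 21: "ftp", 25: "smtp", 80: "http", 110: "pop3",
                  143: "imap", 8080: "http"}


def guess_protocol(sport, dport):
    return PORT_PROTOCOLS.get(sport) or PORT_PROTOCOLS.get(dport) or "unknown"


def archive_layers(url, file):
    """Number of archive layers the scanner unpacked to reach the detected file.

    The 'file' field extends the 'url' field with one path component per nested
    archive, e.g. eicarcom2.zip/eicar_com.zip/eicar.com is two layers deep.
    """
    if not file.startswith(url):
        return None
    return file[len(url):].count("/")


def parse_rt_utm(text):
    """Turn RT_UTM syslog lines into a list of event dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DETECT_RE.search(line)
        kind = "detected"
        if m is None:
            m = SKIP_RE.search(line)
            kind = "not_scanned"
        if m is None:
            continue
        e = m.groupdict()
        e["kind"] = kind
        e["protocol"] = guess_protocol(int(e["sport"]), int(e["dport"]))
        if kind == "detected":
            e["archive_layers"] = archive_layers(e["url"], e["file"])
        events.append(e)
    return events


def summarize(events):
    """Counts a dashboard would want: what was caught, what slipped past, and over which protocols."""
    return {
        "detected": Counter(e["virus"] for e in events if e["kind"] == "detected"),
        "not_scanned": Counter(e["reason"] for e in events if e["kind"] == "not_scanned"),
        "protocols": Counter(e["protocol"] for e in events),
    }


if __name__ == "__main__":
    for e in parse_rt_utm(SAMPLE_LOG):
        print(e["kind"], e["protocol"], e.get("virus") or e["reason"], e.get("archive_layers"))
    print(summarize(parse_rt_utm(SAMPLE_LOG)))
```

The "not_scanned" counter is the one worth alerting on: a burst of "scan engine is not ready" reasons is exactly the silent-bypass condition described later in this post, and with the default log-and-permit fallbacks the only evidence of it is in the AV_OPS log.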

That's a 38MB game demo that got through (AV_HUGE_FILE_NOT_SCANNED_MT) as the junos-av-defaults profile has content-size-limit 10000.

Though the documentation doesn't exactly say so (http://www.juniper.net/techpubs/en_US/junos-srx/topics/reference/configuration-statement/security-edit-content-size-limit.html), it's 10000 KB.

Regarding the second message (AV_SCANNER_ERROR_SKIPPED_MT), at one point I got a huge number of these; the AV engine just stopped checking anything. It wasn't due for an update (which could be a possible cause for this message) for another 15 minutes. I deleted the signature database and it auto-downloaded again, which resolved the issue. Nasty stuff.

blogger@LEFTY> request security utm anti-virus kaspersky-lab-engine pattern-delete  
Anti-virus update request results: Virus db on disk will be deleted.


So that's Kaspersky AV on the SRX using the default profile.
Again, I must remind you to understand what all the options in the default profile mean and adjust them to suit your needs, or create a new profile from scratch.

Finally, remember this is just lab testing and you very likely wouldn't run Kaspersky Full AV on an SRX100H because of the performance impact.
Model: srx100h
JUNOS Software Release [12.1R7.9]
