SRX UTM: Antivirus - Sophos

Here is a quick overview of getting Sophos AV working on an SRX

Sophos is a cloud-based solution and so needs an active Internet connection to work. This means the AV database is not stored locally on the SRX as it is with Kaspersky. The SRX uses DNS queries to the Sophos cloud to perform AV lookups. We'll see later how these work.

Sophos can also perform URI content checking over HTTP to detect malware. This is essentially a reputation check and can be disabled if you wish.

The Sophos solution should put less load on the SRX, processor and memory wise, as it does not have to download a giant AV database and run checks against it, though it does cache responses to improve lookup performance.

1) THE LICENSE

You need the av_key_sophos_engine line..

user@SRX220> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  anti_spam_key_sbl                     0            1           0    2014-02-12 11:00:00 EST
  idp-sig                               1            1           0    2014-02-12 11:00:00 EST
  dynamic-vpn                           0            2           0    permanent
  ax411-wlan-ap                         0            2           0    permanent
  appid-sig                             0            1           0    2014-02-12 11:00:00 EST
  av_key_sophos_engine                  0            1           0    2014-02-12 11:00:00 EST
  wf_key_websense_ewf                   1            1           0    2014-02-12 11:00:00 EST


2) PICK THE AV ENGINE

Prior to selecting Sophos AV we can check the AV status..

user@SRX220> show security utm anti-virus status
 UTM anti-virus status:

    Anti-virus key expire date: license not installed
    Update server: http://update.juniper-updates.net/AV/SRX220/
           Interval: 60 minutes
           Pattern update status: update disabled due to no license
           Last result: N/A
    Anti-virus signature version: not loaded
    Anti-virus signature compiler version: N/A
    Scan engine type: kaspersky-lab-engine
    Scan engine information: last action result: Engine not ready


Note: by default it shows the Kaspersky engine even though we don't have a license for it and never configured it.

Trying to update with no AV configured even though we have the Sophos licence..

user@SRX220> request security utm anti-virus sophos-engine pattern-update
Anti-virus update request results: engine type mismatch!


Now we configure Sophos..

user@SRX220# set security utm feature-profile anti-virus type sophos-engine

If we do a commit at this stage and then check the AV status again..

user@SRX220# run show security utm anti-virus status   
 UTM anti-virus status:

    Anti-virus key expire date: 2014-02-12 11:00:00
    Update server: http://update.juniper-updates.net/SAV/
           Interval: 1440 minutes
           Pattern update status: next update in 1439 minutes
           Last result: new database downloaded
    Anti-virus signature version: 1.02.0 (1.02)
    Scan engine type: sophos-engine
    Scan engine information: last action result: No error


Looks better! 

Let's change the update interval to 12 hours..

user@SRX220# run show security utm anti-virus status                                       
         
 UTM anti-virus status:

    Anti-virus key expire date: 2014-02-12 11:00:00
    Update server: http://update.juniper-updates.net/SAV/
           Interval: 720 minutes
           Pattern update status: next update in 719 minutes
           Last result: already have latest database
    Anti-virus signature version: 1.02.0 (1.02)
    Scan engine type: sophos-engine
    Scan engine information: last action result: No error


It's actually interesting to consider exactly what the update interval does, as we know that when running Sophos we are not actually downloading the AV signature set.
I believe this is the best description of what's happening with these updates..

Sophos antivirus uses a set of data files that need to be updated on a regular basis. These are not typical virus pattern files; they are a set of small files that help guide virus scanning logic. You can manually download the data files or set up automatic download.  
http://www.juniper.net/techpubs/en_US/junos12.1/topics/concept/utm-antivirus-sophos-comparison-to-kaspersky.html 

3) Bind AV to the UTM Policy

In my case I already have a UTM policy which has Enhanced Web Filtering in it so we will use that.

Here is the UTM policy config before changes..

user@SRX220# run show configuration security utm utm-policy utm_testa
web-filtering {
    http-profile wf_e_profile;
}


Now we add AV to the UTM policy. You need to define which protocols you want AV to protect with individual profiles. This time we will apply it to all possible choices.


[edit]
user@SRX220# set security utm utm-policy utm_testa anti-virus http-profile junos-sophos-av-defaults

[edit]
user@SRX220# set security utm utm-policy utm_testa anti-virus smtp-profile junos-sophos-av-defaults   

[edit]
user@SRX220# set security utm utm-policy utm_testa anti-virus pop3-profile junos-sophos-av-defaults            

[edit]
user@SRX220# set security utm utm-policy utm_testa anti-virus imap-profile junos-sophos-av-defaults          

[edit]
user@SRX220# set security utm utm-policy utm_testa anti-virus ftp upload-profile junos-sophos-av-defaults                             

[edit]
user@SRX220# set security utm utm-policy utm_testa anti-virus ftp download-profile junos-sophos-av-defaults    


4) OTHER OPTIONS

If you are happy to use the junos-sophos-av-defaults profile that's it. There is no more to configure in the AV section.

However when we look at the default profile settings..


user@SRX220# show groups junos-defaults security utm feature-profile anti-virus sophos-engine
pattern-update {
    url http://update.juniper-updates.net/SAV/;
    interval 1440;
}
profile junos-sophos-av-defaults {
    fallback-options {
        default log-and-permit;
        content-size log-and-permit;
        engine-not-ready log-and-permit;
        timeout log-and-permit;
        out-of-resources log-and-permit;
        too-many-requests log-and-permit;
    }
    scan-options {
        uri-check;
        content-size-limit 10000;
        timeout 180;
    }
    notification-options {
        virus-detection {
            type message;
            no-notify-mail-sender;
            custom-message "VIRUS WARNING";
        }
        fallback-block {
            type message;
            no-notify-mail-sender;
        }
    }
}
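Every fallback in the default profile above is log-and-permit, so when a scan cannot complete (cloud timeout, engine not ready, oversized content) the traffic is allowed through and only logged. Here is an added example, not from the post, that parses that brace-format output and lists which fallback conditions fail open, so the same check can be run against any profile you define:

```python
# Profile text copied from the "show groups junos-defaults" output above.
DEFAULT_PROFILE = """\
profile junos-sophos-av-defaults {
    fallback-options {
        default log-and-permit;
        content-size log-and-permit;
        engine-not-ready log-and-permit;
        timeout log-and-permit;
        out-of-resources log-and-permit;
        too-many-requests log-and-permit;
    }
    scan-options {
        uri-check;
        content-size-limit 10000;
        timeout 180;
    }
}
"""

def parse_junos_braces(text):
    """Turn Junos curly-brace config into nested dicts.
    'key value;' becomes {key: value}; a bare 'flag;' becomes {flag: True}."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):                 # open a new container
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        elif line == "}":                       # close the current container
            stack.pop()
        elif line.endswith(";"):                # leaf statement
            key, _, val = line[:-1].partition(" ")
            stack[-1][key] = val if val else True
    return root

def fail_open_fallbacks(config):
    """Map each 'profile <name>' to the sorted fallback conditions that permit traffic."""
    result = {}
    for name, prof in config.items():
        if name.startswith("profile "):
            fb = prof.get("fallback-options", {})
            result[name.split(" ", 1)[1]] = sorted(
                k for k, v in fb.items() if v in ("log-and-permit", "permit"))
    return result
```

For the default profile this reports all six conditions; a profile that uses block for timeout and engine-not-ready would report only the rest.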

We don't see any settings for the sxl-retry and sxl-timeout options shown below, so I'm not sure what their defaults are. SXL is Sophos Extensible List: the SXL servers hold the virus and malware database used for scanning lookups.

user@SRX220# set security utm feature-profile anti-virus sophos-engine ? 
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> pattern-update       Anti-virus sophos-engine pattern update
> profile              Anti-virus sophos-engine profile
  sxl-retry            Sxl sophos anti-virus engine query retry (number of times) (0..5)
  sxl-timeout          Sxl sophos anti-virus engine timeout (1..5 seconds)

So you may want to set them explicitly so you know what those settings are..

user@SRX220# set security utm feature-profile anti-virus sophos-engine sxl-retry ?
Possible completions:
  <sxl-retry>          Sxl sophos anti-virus engine query retry (number of times) (0..5)
[edit]
user@SRX220# set security utm feature-profile anti-virus sophos-engine sxl-retry 5 

[edit]
user@SRX220# set security utm feature-profile anti-virus sophos-engine sxl-timeout ? 
Possible completions:
  <sxl-timeout>        Sxl sophos anti-virus engine timeout (1..5 seconds)
[edit]
user@SRX220# set security utm feature-profile anti-virus sophos-engine sxl-timeout 5   


5) AV CONFIG

Here is the resulting AV config in full..

user@SRX220> show configuration security utm feature-profile anti-virus               
type sophos-engine;
sophos-engine {
    sxl-timeout 5;
    sxl-retry 5;
    pattern-update {
        interval 720;
    }
}

user@SRX220> show configuration security utm utm-policy utm_testa
anti-virus {
    http-profile junos-sophos-av-defaults;
    ftp {
        upload-profile junos-sophos-av-defaults;
        download-profile junos-sophos-av-defaults;
    }
    smtp-profile junos-sophos-av-defaults;
    pop3-profile junos-sophos-av-defaults;
    imap-profile junos-sophos-av-defaults;
}
web-filtering {
    http-profile wf_e_profile;
}


To make it work you attach the UTM policy to the security policy on which you want to enforce AV checking; note that policy will then also do web filtering.

Finally, I have set up the same syslog files as in the Kaspersky blog (AV_OPS and AV_VIRUS).

To see the config for the syslog setup and the enforcing policy please check the Kaspersky lab blog; they are exactly the same.

6) TESTING

All test results are the same as per the Kaspersky blog so I won't bore you by repeating them here.

We'll just quickly verify the stats..

user@SRX220> show security utm anti-virus statistics 
 UTM Anti Virus statistics:
 MIME-whitelist passed:                0
 URL-whitelist passed:                 0
 Scan Request:

  Total           Clean         Threat-found    Fallback
      24              21              3               0

 Fallback:
                              Log-and-Permit    Block             Permit
 Engine not ready:                0                 0                 0
 Out of resources:                0                 0                 0
 Timeout:                         0                 0                 0
 Maximum content size:            0                 0                 0
 Too many requests:               0                 0                 0
 Others:                          0                 0                 0


For something a little different, let's dig a bit deeper into its workings..

AV Traceoptions..

To do traceoptions for AV it doesn't appear you can set the traceoptions file under either security > utm > feature-profile > anti-virus or even under security > utm. You have to set the file directly under security for this type of traceoptions, though that isn't necessarily the case for all the hierarchies under security.

Here is the full AV traceoptions settings I used based on..
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21781&smlogin=true#UTMAntiVirus

user@SRX220# run show configuration | match traceoptions | display set
set security utm traceoptions flag all
set security utm application-proxy traceoptions flag all
set security utm feature-profile anti-virus traceoptions flag all
set security traceoptions file SEC-UTM
set security traceoptions file size 1m
set security traceoptions file files 3
set security traceoptions file world-readable
set security traceoptions flag all


Be aware of the phenomenal amount of data these traceoptions generate. The caveats in the above link are important...

Below is some selected output from the traceoptions that is understandable/meaningful.
Naturally with traceoptions you get way more than you need, so you need to know what to look for. Surely only a Junos programmer could understand all of the output!

Looks like the event of trying to download the eicar file is assigned a unique app_obj which you can follow through the log entries to see what's happening with said event.

Starting the download..
Nov 21 13:46:26 13:46:26.386915:CID-0:RT:HTTP: 10.222.222.10(54767)->188.40.238.250(80) server header /download/eicar_com.zip is received.
 

app_obj assigned..
Nov 21 13:46:26 13:46:26.386915:CID-0:RT:: HTTP http_post_event_handler 245 app_obj 0x4ac767b8 event_id 11.



Checks if it is in the whitelist..
Nov 21 13:46:26 13:46:26.386915:CID-0:RT:check url whitelist: (0) url:www.eicar.org/download/eicar_com.zip


Not in whitelist..
Nov 21 13:46:26 13:46:26.386915:CID-0:RT:not found


We need to scan it..
Nov 21 13:46:26 13:46:26.386915:CID-0:RT:SAV: sav_is_scan_required 720 app_obj 0x4ac767b8 sav_ctx 0x4ac76650

Nov 21 13:46:26 13:46:26.386915:CID-0:RT:SAV: check_sav_configuration 584 app_obj 0x4ac767b8 sav_info 0x4db94bf0 filename www.eicar.org/download/eicar_com.zip.

Size confirms its our file..
Nov 21 13:46:26 13:46:26.386915:CID-0:RT:AV: current content size:184, config maximum content size:10000K

Nov 21 13:46:26 13:46:26.386915:CID-0:RT:check_sav_configuration: need scan


We send the scan request to the cloud..
Nov 21 13:46:26 13:46:26.386915:CID-0:RT:SAV: sav_send_sxl_request 814 app_obj 0x4ac767b8 sav_ctx 0x4ac76650 send dns to a3d093b len 142 (0)

Nov 21 13:46:26 13:46:26.390513:CID-0:RT:: APPPXY HANDLER EVENT utm_apppxy_event_scheduler 234 app_obj 0x4ac767b8 event_handler=222e50b4.

Nov 21 13:46:26 13:46:26.390513:CID-0:RT:Release APPPXY:0x4E44B050 app object 0x4ac767b8 for flow 10.222.222.10(54767)->188.40.238.250(80).


Response back from the cloud..
Nov 21 13:46:26 13:46:26.705882:CID-0:RT:SAV: sav_sxl_response_callback 1918 context 0x4ac75010 request 0x4e44be20 app_obj 0x4ac767b8 rtn 11

Nov 21 13:46:26 13:46:26.705882:CID-0:RT:APPPXY: HTTP on_http_mod_sav_recv_scan_result 563 app_obj 0x4ac767b8 http_session 0x4ac76a28

Nov 21 13:46:26 13:46:26.705882:CID-0:RT:APPPXY: HTTP http_sav_process_scan_result 899 app_obj 0x4ac767b8 http_session 0x4ac76a28 flow_orig 1


We drop the request..

Nov 21 13:46:26 13:46:26.705882:CID-0:RT: drop_pak_queue 658 q AV-CTX(0x4ac766f0) total 2 bytes 400


The drop message is sent to the browser..
Nov 21 13:46:26 13:46:26.705882:CID-0:RT:APPPXY: HTTP http_create_drop_msg 222 protocol_only 0, plain_msg 0


I can't be certain all my descriptions of the log events are correct, but they make sense in light of what we know about how it works and what happened. Comments welcome..
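Following the app_obj by hand works for one download but not for a trace file with many. Here is an added example, not from the post, that groups the trace lines above by app_obj, records the filename and flow each one touched, and measures the gap between sav_send_sxl_request and sav_sxl_response_callback, which is the cloud lookup round trip you would compare against sxl-timeout. Lines that carry no app_obj (the whitelist check, the drop) cannot be attributed automatically and are skipped:

```python
import re
from collections import defaultdict
from datetime import datetime

# Trace lines copied from the post above (a subset, in their original order).
TRACE = """\
Nov 21 13:46:26 13:46:26.386915:CID-0:RT:: HTTP http_post_event_handler 245 app_obj 0x4ac767b8 event_id 11.
Nov 21 13:46:26 13:46:26.386915:CID-0:RT:check url whitelist: (0) url:www.eicar.org/download/eicar_com.zip
Nov 21 13:46:26 13:46:26.386915:CID-0:RT:SAV: check_sav_configuration 584 app_obj 0x4ac767b8 sav_info 0x4db94bf0 filename www.eicar.org/download/eicar_com.zip.
Nov 21 13:46:26 13:46:26.386915:CID-0:RT:SAV: sav_send_sxl_request 814 app_obj 0x4ac767b8 sav_ctx 0x4ac76650 send dns to a3d093b len 142 (0)
Nov 21 13:46:26 13:46:26.390513:CID-0:RT:Release APPPXY:0x4E44B050 app object 0x4ac767b8 for flow 10.222.222.10(54767)->188.40.238.250(80).
Nov 21 13:46:26 13:46:26.705882:CID-0:RT:SAV: sav_sxl_response_callback 1918 context 0x4ac75010 request 0x4e44be20 app_obj 0x4ac767b8 rtn 11
Nov 21 13:46:26 13:46:26.705882:CID-0:RT: drop_pak_queue 658 q AV-CTX(0x4ac766f0) total 2 bytes 400
"""

LINE_RE = re.compile(r"^\w{3} \d+ \S+ (?P<ts>\d\d:\d\d:\d\d\.\d{6}):CID-\d+:RT:(?P<msg>.*)$")
OBJ_RE = re.compile(r"app[_ ]obj(?:ect)? (?P<obj>0x[0-9a-fA-F]+)")   # "app_obj 0x.." or "app object 0x.."
FUNC_RE = re.compile(r"\b([a-z]+(?:_[a-z]+)+) \d+\b")                # "function_name <source line>"
FILE_RE = re.compile(r"filename (?P<f>\S+?)\.?$")
FLOW_RE = re.compile(r"for flow (?P<flow>\S+?)\.?$")

def follow_app_objs(text, sxl_timeout_s=5.0):
    """Group trace lines by app_obj and summarise the SXL lookup for each one."""
    tracks = defaultdict(lambda: {"events": [], "filename": None, "flow": None, "sent": None, "answered": None})
    for line in text.splitlines():
        m, o = LINE_RE.match(line), OBJ_RE.search(line)
        if not (m and o):
            continue                                   # no app_obj on this line, cannot attribute it
        t, msg = tracks[o.group("obj")], m.group("msg")
        ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
        for rx, key in ((FILE_RE, "filename"), (FLOW_RE, "flow")):
            hit = rx.search(msg)
            if hit:
                t[key] = hit.group(1)
        fn = FUNC_RE.search(msg)
        if fn:
            t["events"].append(fn.group(1))
            if fn.group(1) == "sav_send_sxl_request":
                t["sent"] = ts
            elif fn.group(1) == "sav_sxl_response_callback":
                t["answered"] = ts
    out = {}
    for obj, t in tracks.items():
        rtt = (t["answered"] - t["sent"]).total_seconds() if t["sent"] and t["answered"] else None
        out[obj] = {"flow": t["flow"], "filename": t["filename"], "events": t["events"],
                    "sxl_rtt_s": rtt, "within_sxl_timeout": rtt is not None and rtt <= sxl_timeout_s}
    return out
```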

Here is the corresponding log entry to the above event..

user@SRX220> show log AV_VIRUS 
Nov 21 13:46:26  SRX RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: from 188.40.238.250:80 to 10.222.222.10:54767 source-zone untrust www.eicar.org/download/eicar_com.zip file www.eicar.org/download/eicar_com.zip virus EICAR-AV-Test URL:HTTP://SXL2-01.P.LINK.SOPHOS.COM/T/en/EICAR-AV-Test username N/A roles N/A
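That one line packs in the client, the server, the zone, the file, the verdict and a Sophos reference link, and note that "from" is the remote server that served the file while "to" is the internal client. Here is an added example, not from the post, that parses the AV_VIRUS_DETECTED_MT line into a structured record a SIEM or script can act on, mapping N/A fields to None and flagging the EICAR test signature so test downloads can be filtered from real alerts:

```python
import re

# Syslog line copied from the AV_VIRUS output above.
SAMPLE = ("Nov 21 13:46:26  SRX RT_UTM: AV_VIRUS_DETECTED_MT: AntiVirus: Virus detected: "
          "from 188.40.238.250:80 to 10.222.222.10:54767 source-zone untrust "
          "www.eicar.org/download/eicar_com.zip file www.eicar.org/download/eicar_com.zip "
          "virus EICAR-AV-Test URL:HTTP://SXL2-01.P.LINK.SOPHOS.COM/T/en/EICAR-AV-Test "
          "username N/A roles N/A")

AV_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) +(?P<host>\S+) RT_UTM: (?P<event>\w+): "
    r"AntiVirus: Virus detected: from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+) source-zone (?P<zone>\S+) (?P<url>\S+) "
    r"file (?P<file>\S+) virus (?P<virus>\S+) URL:(?P<ref>\S+) "
    r"username (?P<user>\S+) roles (?P<roles>\S+)$")

def parse_av_virus(line):
    """Return a structured record for an AV_VIRUS_DETECTED_MT line, or None if it is not one."""
    m = AV_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    na = lambda v: None if v == "N/A" else v          # Junos prints N/A for unknown identity fields
    return {
        "timestamp": d["ts"], "host": d["host"], "event": d["event"],
        # "from" is the remote server that served the file, "to" is the internal client
        "server": f'{d["src"]}:{d["sport"]}',
        "client": f'{d["dst"]}:{d["dport"]}',
        "source_zone": d["zone"],
        "url": d["url"], "file": d["file"], "virus": d["virus"],
        # the URL: field is the Sophos threat information link, not the download location
        "threat_info": d["ref"],
        "username": na(d["user"]), "roles": na(d["roles"]),
        "is_eicar_test": d["virus"].startswith("EICAR"),
    }
```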


Model: srx220h
JUNOS Software Release [12.1X44-D25.5]

