
On-Device Avira Antivirus

28-Nov-23

Read this topic to learn how to use Avira Antivirus to scan application traffic and prevent viruses from entering your network.

You can also watch the video Avira Antivirus Solution on SRX Series Firewalls to learn how to install and use Avira antivirus on your security device.

Avira Antivirus Overview

Junos OS Content Security integrates with Avira’s Antivirus functionality and provides a full file-based scan engine. This antivirus protection secures your device by scanning application layer traffic and blocking harmful content such as infected files, trojans, worms, spyware, and other malicious data.

Avira Antivirus scans network traffic against the virus pattern database to identify viruses. When it finds a virus, Avira Antivirus drops the infected file and notifies the user.

Table 1 lists the components and license details for Avira Antivirus.

Table 1: Components and License Details for Avira Antivirus

Components

Detailed Information

Virus pattern database

Avira Antivirus checks the virus signature database to identify and then remove signatures.

The virus pattern database is available at the following locations:

By default, SRX Series Firewalls download the updates for the pattern database. See Configure Avira Antivirus Scanning Options to schedule the automatic download option.

Avira Antivirus scan engine

Avira Antivirus provides the scan engine that examines a file for known viruses in real time. You must install and activate the Avira Antivirus scan engine on your SRX Series Firewall. See Example: Configure Avira Antivirus for steps to install and activate the Avira Antivirus scan engine.

Avira Antivirus scan engine decompresses files before scanning for virus detection. For more information, see decompress-layer-limit.

In the following scenarios, Avira Antivirus scan engine on the SRX Series Firewall does not scan the application traffic:

  • The scan engine is not ready.

  • There are too many scanning requests.

  • The scanned file size is larger than a configured limit.

  • The scanned file has too many nested layers of compression.

  • The memory file system is full.

License details

Avira Antivirus scan engine is a licensed subscription service.

With this license, you can use a full file-based and real-time Avira Antivirus scanning function. The antivirus functionality uses the latest updated virus signature database.

When the license expires, you can continue to use the locally stored antivirus signatures without any updates. If you delete the local database, you cannot run antivirus scanning.

For more information about licenses, see Licenses for SRX Series.

Benefits

  • Secures your device and protects your network from viruses, trojans, rootkits, and other types of malicious code.

  • Provides improved scanning performance as the virus signature database and Avira Antivirus scan engine reside locally on the device.

Example: Configure Avira Antivirus

In this example, you’ll learn how to configure Avira antivirus on your security device. This topic covers using the default antivirus profile and a customized antivirus profile to secure your device from harmful content such as infected files, trojans, worms, spyware, and other malicious data.

Requirements

Before you begin:

  • Verify that you have an Avira antivirus license. For more information on how to verify licenses on your device, see Understanding Licenses for SRX Series Firewalls.

  • SRX Series Firewall with Junos OS Release 18.4R1 or later.

  • For vSRX Virtual Firewall, the minimum requirement is 4 CPU cores and 4 GB memory.

We’ve tested this example using an SRX1500 device with Junos OS Release 18.4R1.

Overview

Let’s take a look at a typical enterprise network. An end user unknowingly visits a compromised website and downloads malicious content. This action results in compromise of the endpoint. The harmful content on the endpoint also becomes a threat to other hosts within the network. It is important to prevent the download of the malicious content.

You can use an SRX Series Firewall with Avira antivirus to protect users from virus attacks and to prevent viruses from spreading in your system. Avira antivirus scans network traffic for viruses, trojans, rootkits, and other types of malicious code and blocks the malicious content immediately when detected.

Figure 1 shows an example of Avira antivirus on SRX Series Firewall usage.

Figure 1: Avira Antivirus on SRX Series

In this example, you’ll learn how to configure Avira antivirus on your security device. You have the following options.

Configuration

You can enable the Juniper Networks pre-configured antivirus profile. When you use the default antivirus feature profile option, you don't have to configure additional parameters. In this procedure, you create a Content Security policy with default antivirus profiles for all protocols and apply the Content Security policy in a security policy for the permitted traffic.

Use Default Antivirus Profile to Start Antivirus Scanning

Step-by-Step Procedure

To use default antivirus profile, complete the following steps:

  1. Enable Avira antivirus scan on your security device.

    user@host# set security utm default-configuration anti-virus type avira-engine
    

    After configuring Avira as the antivirus type, reboot the device for the new scan engine to take effect.

  2. Select default antivirus profile for HTTP, FTP, SMTP, POP3, and IMAP protocols.

    [edit]
    user@host# set security utm default-configuration anti-virus type avira-engine
    user@host# set security utm utm-policy P1 anti-virus http-profile junos-av-defaults
    user@host# set security utm utm-policy P1 anti-virus ftp upload-profile junos-av-defaults
    user@host# set security utm utm-policy P1 anti-virus ftp download-profile junos-av-defaults
    user@host# set security utm utm-policy P1 anti-virus smtp-profile junos-av-defaults
    user@host# set security utm utm-policy P1 anti-virus pop3-profile junos-av-defaults
    user@host# set security utm utm-policy P1 anti-virus imap-profile junos-av-defaults
    
  3. Apply the Content Security policy to the security policy.

    [edit]
    user@host# set security policies from-zone trust to-zone untrust policy POLICY-1 match source-address any
    user@host# set security policies from-zone trust to-zone untrust policy POLICY-1 match destination-address any
    user@host# set security policies from-zone trust to-zone untrust policy POLICY-1 match application any
    user@host# set security policies from-zone trust to-zone untrust policy POLICY-1 then permit application-services utm-policy P1
    
  4. Commit the configuration.

    [edit]
    user@host# commit
    


Configure Avira Antivirus Scanning Options

Step-by-Step Procedure

In this procedure, you’ll perform optional steps to prepare your security device to use Avira antivirus.

  1. To manually update the virus signature database, specify the URL of the database server. If you do not specify a URL, the default URL, https://update.juniper-updates.net/avira, is used; by default, your security device downloads the pattern updates from that location. The location of the virus pattern database depends on your SRX Series mode. See Table 1 for more details.

    [edit]
    user@host# set security utm default-configuration anti-virus avira-engine pattern-update url http://www.example.net/
    

    This step downloads the pattern and engine files from the specified URL.

  2. Set an interval for regular download of antivirus pattern update.

    [edit]
    user@host# set security utm default-configuration anti-virus avira-engine pattern-update interval 2880
    

    In this step, you are changing the default from every 24 hours to every 48 hours. The default antivirus pattern-update interval is 1440 minutes (every 24 hours).

  3. Send an e-mail notification once pattern update completes.

    [edit]
    user@host# set security utm default-configuration anti-virus avira-engine pattern-update email-notify admin-email admin@email.net custom-message "Avira antivirus data file was updated" custom-message-subject "AV data file updated"
    
  4. (Optional) Configure pattern update from a proxy profile.

    [edit]
    user@host# set security utm default-configuration anti-virus avira-engine pattern-update proxy-profile <proxy-profile>


    Use this option if your internal network device does not have direct access to the Internet and can reach the Internet only through a proxy server.

  5. (Optional) Configure on-box antivirus to heavy mode.

    [edit]
    user@host# set chassis onbox-av-load-flavor heavy
    

    This step allocates additional resources for improved performance.

    To use the antivirus scan in light mode, use the delete chassis onbox-av-load-flavor heavy command. Reboot the device once you change the modes.

  6. (Optional) Change the operating mode from the default continuous delivery function (CDF) to hold mode. When you change to hold mode, the system withholds all the packets until the final result is available.

    [edit]
    user@host# set security utm default-configuration anti-virus forwarding-mode hold
    

    For more details on CDF mode and Inline Tap mode, see forwarding-mode.

Configure Avira Antivirus Scanning with Custom Profile

You must complete the steps in Table 2 to configure Avira antivirus with custom options on your security device.

Table 2: Steps for Avira Antivirus Scanning Using Custom Profile

Step

Details

Step 1: Define custom objects

In this step, you will define antivirus scanning options:

  • MIME allowlist—Include the types of traffic that you want to bypass antivirus scanning.

  • MIME exception list—Specify MIME types to exclude from the MIME allowlist.

  • Custom URL categories—Define URLs that you want to bypass antivirus scanning.

Alternatively, you can use the default list junos-default-bypass-mime.

Step 2: Create antivirus feature profile

  • Apply MIME list, exception list, and custom URL category created in step 1 to the antivirus feature profile.

  • Configure antivirus scanning settings such as data file update interval, notification options for administrators, fallback options, and file size limits.

Step 3: Create Content Security policy

Associate the antivirus profile created in Step 2 for FTP, HTTP, POP3, SMTP, and IMAP traffic. Content Security policies control which protocol traffic is sent to the antivirus scanning engine.

Step 4: Apply Content Security policy to a security policy

Specify Content Security policy as application services in the security policy. The Content Security antivirus settings are applied for the traffic that matches the security policy rules.

See scan-options and trickling to learn about the scanning configuration parameters available for the antivirus feature.

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security utm default-configuration anti-virus type avira-engine
set security utm custom-objects mime-pattern Mime_1 value video/
set security utm custom-objects mime-pattern Mime_exception value video/x-shockwave-flash
set security utm custom-objects url-pattern Pattern_List_1 value www.juniper.net
set security utm custom-objects custom-url-category Cust_URL_Cat value Pattern_List_1
set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options default log-and-permit
set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options content-size block
set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options engine-not-ready log-and-permit
set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options timeout log-and-permit
set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options out-of-resources log-and-permit
set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options too-many-requests log-and-permit
set security utm feature-profile anti-virus profile Avira-AV-Profile notification-options fallback-block type protocol-only
set security utm feature-profile anti-virus profile Avira-AV-Profile notification-options fallback-block notify-mail-sender
set security utm feature-profile anti-virus profile Avira-AV-Profile notification-options fallback-block custom-message " fallback block action occured "
set security utm feature-profile anti-virus profile Avira-AV-Profile notification-options fallback-block custom-message-subject " Antivirus Fallback Alert "
set security utm feature-profile anti-virus profile Avira-AV-Profile mime-whitelist list Mime_exception
set security utm feature-profile anti-virus profile Avira-AV-Profile mime-whitelist list Mime_1
set security utm feature-profile anti-virus profile Avira-AV-Profile url-whitelist Cust_URL_Cat
set security utm utm-policy UTM-AV-Policy anti-virus http-profile Avira-AV-Profile
set security utm utm-policy UTM-AV-Policy anti-virus ftp upload-profile Avira-AV-Profile
set security utm utm-policy UTM-AV-Policy anti-virus ftp download-profile Avira-AV-Profile
set security utm utm-policy UTM-AV-Policy anti-virus smtp-profile Avira-AV-Profile
set security utm utm-policy UTM-AV-Policy anti-virus pop3-profile Avira-AV-Profile
set security utm utm-policy UTM-AV-Policy anti-virus imap-profile Avira-AV-Profile
set security policies from-zone trust to-zone untrust policy POLICY-1 match source-address any
set security policies from-zone trust to-zone untrust policy POLICY-1 match destination-address any
set security policies from-zone trust to-zone untrust policy POLICY-1 match application any
set security policies from-zone trust to-zone untrust policy POLICY-1 then permit application-services utm-policy UTM-AV-Policy

Note:

The [edit security utm feature-profile] hierarchy level is deprecated in Junos OS Release 18.2R1. For more information, see Content Security Overview.

Step-by-Step Procedure

To configure the on-device antivirus feature profile using the CLI:

  1. Enable Avira antivirus scan on your security device if you have not already enabled it.

    [edit]
    user@host# set security utm default-configuration anti-virus type avira-engine
    

    After configuring Avira as the antivirus type, reboot the device for the new scan engine to take effect.

  2. Create custom objects.

    [edit]
    user@host# set security utm custom-objects mime-pattern Mime_1 value video/
    user@host# set security utm custom-objects mime-pattern Mime_exception value video/x-shockwave-flash
    user@host# set security utm custom-objects url-pattern Pattern_List_1 value www.juniper.net
    user@host# set security utm custom-objects custom-url-category Cust_URL_Cat value Pattern_List_1
    
  3. Create the antivirus profile.

    [edit]
    user@host# set security utm feature-profile anti-virus profile Avira-AV-Profile
    
  4. Configure a list of fallback options.

    [edit]
    user@host# set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options default log-and-permit
    user@host# set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options content-size block
    user@host# set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options engine-not-ready log-and-permit
    user@host# set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options timeout log-and-permit
    user@host# set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options out-of-resources log-and-permit
    user@host# set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options too-many-requests log-and-permit
    

    Fallback options specify the actions to take when traffic cannot be scanned.

  5. Configure notification options for fallback blocking actions.

    [edit]
    user@host# set security utm feature-profile anti-virus profile Avira-AV-Profile notification-options fallback-block type protocol-only
    user@host# set security utm feature-profile anti-virus profile Avira-AV-Profile notification-options fallback-block notify-mail-sender
    user@host# set security utm feature-profile anti-virus profile Avira-AV-Profile notification-options fallback-block custom-message " fallback block action occured "
    user@host# set security utm feature-profile anti-virus profile Avira-AV-Profile notification-options fallback-block custom-message-subject " Antivirus Fallback Alert "
    
  6. Configure the antivirus module to use MIME bypass lists and exception lists.

    [edit]
    user@host# set security utm feature-profile anti-virus profile Avira-AV-Profile mime-whitelist list Mime_exception
    
  7. Configure the antivirus module to use URL bypass lists. URL allowlists are valid only for HTTP traffic. In this example you use the lists that you set up earlier.

    [edit]
    user@host# set security utm feature-profile anti-virus profile Avira-AV-Profile mime-whitelist list Mime_1
    user@host# set security utm feature-profile anti-virus profile Avira-AV-Profile url-whitelist Cust_URL_Cat
    
  8. Configure a Content Security policy and attach the antivirus feature profile Avira-AV-Profile.

    [edit]
    user@host# set security utm utm-policy UTM-AV-Policy anti-virus http-profile Avira-AV-Profile
    user@host# set security utm utm-policy UTM-AV-Policy anti-virus ftp upload-profile Avira-AV-Profile
    user@host# set security utm utm-policy UTM-AV-Policy anti-virus ftp download-profile Avira-AV-Profile
    user@host# set security utm utm-policy UTM-AV-Policy anti-virus smtp-profile Avira-AV-Profile
    user@host# set security utm utm-policy UTM-AV-Policy anti-virus pop3-profile Avira-AV-Profile
    user@host# set security utm utm-policy UTM-AV-Policy anti-virus imap-profile Avira-AV-Profile
    
  9. Configure a security policy and apply the Content Security policy UTM-AV-Policy as application services for the permitted traffic.

    [edit]
    user@host# set security policies from-zone trust to-zone untrust policy POLICY-1 match source-address any
    user@host# set security policies from-zone trust to-zone untrust policy POLICY-1 match destination-address any
    user@host# set security policies from-zone trust to-zone untrust policy POLICY-1 match application any
    user@host# set security policies from-zone trust to-zone untrust policy POLICY-1 then permit application-services utm-policy UTM-AV-Policy
    

Results

From configuration mode, confirm your configuration by entering the show security utm, show services, and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@host# show security utm 
custom-objects {
    mime-pattern {
        Mime_1 {
            value video/;
        }
        Mime_exception {
            value video/x-shockwave-flash;
        }
    }
    url-pattern {
        Pattern_List_1 {
            value www.juniper.net;
        }
    }
    custom-url-category {
        Cust_URL_Cat {
            value Pattern_List_1;
        }
    }
}
feature-profile {
    anti-virus {
        profile Avira-AV-Profile {
            fallback-options {
                default log-and-permit;
                content-size block;
                engine-not-ready log-and-permit;
                timeout log-and-permit;
                out-of-resources log-and-permit;
                too-many-requests log-and-permit;
            }
            notification-options {
                fallback-block {
                    type protocol-only;
                    notify-mail-sender;
                    custom-message " fallback block action occured ";
                    custom-message-subject " Antivirus Fallback Alert ";
                }
            }
            mime-whitelist {
                list Mime_1;
            }
            url-whitelist Cust_URL_Cat;
        }
    }
}
utm-policy P1 {
    anti-virus {
        http-profile junos-av-defaults;
        ftp {
            upload-profile junos-av-defaults;
            download-profile junos-av-defaults;
        }
        smtp-profile junos-av-defaults;
        pop3-profile junos-av-defaults;
        imap-profile junos-av-defaults;
    }
}
utm-policy UTM-AV-Policy {
    anti-virus {
        http-profile Avira-AV-Profile;
        ftp {
            upload-profile Avira-AV-Profile;
            download-profile Avira-AV-Profile;
        }
        smtp-profile Avira-AV-Profile;
        pop3-profile Avira-AV-Profile;
        imap-profile Avira-AV-Profile;
    }
}
[edit]
user@host# show security policies
    from-zone trust to-zone untrust {
        policy  POLICY-1 {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        utm-policy UTM-AV-Policy;
                    }
                }
            }
        }
    }

If you are done configuring the device, enter commit from configuration mode.
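
The fallback options, allowlists, and policy bindings above decide which traffic passes without a scan. The following audit script is an added example, not Juniper code: it reads the set-format commands for the custom profile used on this page and lists fail-open fallback actions, scan bypasses, protocol slots without an antivirus profile, and Content Security policies that no security policy references. The function name, finding labels, and the rule that any action other than block counts as fail-open are assumptions of this example, and it handles only the feature-profile form shown here.

```python
import re
from collections import defaultdict

# Constructed sample: the custom-profile commands from this page, in set form.
SAMPLE = """\
set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options default log-and-permit
set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options content-size block
set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options engine-not-ready log-and-permit
set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options timeout log-and-permit
set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options out-of-resources log-and-permit
set security utm feature-profile anti-virus profile Avira-AV-Profile fallback-options too-many-requests log-and-permit
set security utm feature-profile anti-virus profile Avira-AV-Profile mime-whitelist list Mime_1
set security utm feature-profile anti-virus profile Avira-AV-Profile url-whitelist Cust_URL_Cat
set security utm utm-policy UTM-AV-Policy anti-virus http-profile Avira-AV-Profile
set security utm utm-policy UTM-AV-Policy anti-virus ftp upload-profile Avira-AV-Profile
set security utm utm-policy UTM-AV-Policy anti-virus ftp download-profile Avira-AV-Profile
set security utm utm-policy UTM-AV-Policy anti-virus smtp-profile Avira-AV-Profile
set security utm utm-policy UTM-AV-Policy anti-virus pop3-profile Avira-AV-Profile
set security utm utm-policy UTM-AV-Policy anti-virus imap-profile Avira-AV-Profile
set security policies from-zone trust to-zone untrust policy POLICY-1 then permit application-services utm-policy UTM-AV-Policy
"""

PROFILE_RE = re.compile(r"set security utm feature-profile anti-virus profile (\S+) (.+)")
POLICY_RE = re.compile(r"set security utm utm-policy (\S+) anti-virus (.+) (\S+)$")
APPLY_RE = re.compile(r"set security policies .* then permit application-services utm-policy (\S+)$")
# The six protocol slots this page assigns an antivirus profile to.
SLOTS = ("http-profile", "ftp upload-profile", "ftp download-profile",
         "smtp-profile", "pop3-profile", "imap-profile")


def audit(config_text):
    """Return sorted (kind, object, detail) findings for a set-format config."""
    fallback = defaultdict(dict)   # profile -> {condition: action}
    bypass = defaultdict(list)     # profile -> allowlist statements
    slots = defaultdict(dict)      # utm-policy -> {slot: profile}
    applied = set()                # utm-policies referenced by a security policy
    for line in map(str.strip, config_text.splitlines()):
        if m := PROFILE_RE.match(line):
            words = m.group(2).split()
            if words[0] == "fallback-options" and len(words) == 3:
                fallback[m.group(1)][words[1]] = words[2]
            elif words[0] in ("mime-whitelist", "url-whitelist"):
                bypass[m.group(1)].append(" ".join(words))
        elif m := POLICY_RE.match(line):
            slots[m.group(1)][m.group(2)] = m.group(3)
        elif m := APPLY_RE.match(line):
            applied.add(m.group(1))
    findings = []
    for profile, actions in fallback.items():
        # Assumption: anything other than "block" lets unscanned traffic through.
        findings += [("fail-open", profile, f"{cond} {act}")
                     for cond, act in actions.items() if act != "block"]
    for profile, statements in bypass.items():
        findings += [("scan-bypass", profile, s) for s in statements]
    for policy, mapping in slots.items():
        findings += [("unscanned-protocol", policy, s) for s in SLOTS if s not in mapping]
        if policy not in applied:
            findings.append(("not-applied", policy, "no security policy references it"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, obj, detail in audit(SAMPLE):
        print(f"{kind:20} {obj:18} {detail}")
```

On the page's configuration, only content-size blocks; the other five fallback conditions are reported as fail-open.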

Verification

To verify the configuration is working properly, use the following steps:

Obtaining Information About the Current Antivirus Status

Purpose
Action

From operational mode, enter the show security utm anti-virus status command to view the antivirus status.

Sample Output
user@host> show security utm anti-virus status
UTM anti-virus status:
  Update server: https://update.example-juniper.net/avira
           Interval: 360 minutes
           Pattern update status: next update in 236 minutes
           Last result: Downloading certs failed
    Scan engine type: avira-engine
    Scan engine information: 8.3.52.102
    Anti-virus signature version: 8.15.11.42
    Onbox AV load flavor: running heavy, configure heavy 
Meaning
  • Antivirus key expire date—The license key expiration date.

  • Update server—URL for the data file update server.

    • Interval—The time period, in minutes, when the device will update the data file from the update server.

    • Pattern update status—When the data file will be updated next, displayed in minutes.

    • Last result—Result of the last update.

  • Antivirus signature version—Version of the current data file.

  • Scan engine type—The antivirus engine type that is currently running.

  • Scan engine information—Version of the scan engine.
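
The status fields above can be checked automatically. The following script is an added example, not Juniper code: it parses the sample output from this page and reports a failed pattern update, an unexpected engine type, or a load flavor that differs between running and configured, the last two being states the page ties to a pending reboot. The function names are hypothetical, and matching the word "failed" in Last result is an assumption based on the sample.

```python
import re

# Constructed sample: the "show security utm anti-virus status" output from this page.
SAMPLE_STATUS = """\
UTM anti-virus status:
  Update server: https://update.example-juniper.net/avira
           Interval: 360 minutes
           Pattern update status: next update in 236 minutes
           Last result: Downloading certs failed
    Scan engine type: avira-engine
    Scan engine information: 8.3.52.102
    Anti-virus signature version: 8.15.11.42
    Onbox AV load flavor: running heavy, configure heavy
"""


def parse_status(text):
    """Turn the 'Key: value' lines of the status output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and value.strip():
            fields[key] = value.strip()
    return fields


def check_status(fields, expected_engine="avira-engine"):
    """Return a list of problems a monitoring job should alert on."""
    problems = []
    for key in ("Last result", "Scan engine type", "Anti-virus signature version"):
        if key not in fields:
            problems.append(f"missing field: {key}")
    last = fields.get("Last result", "")
    # Assumption: a failed update is reported with the word "failed", as in the sample.
    if "failed" in last.lower():
        problems.append(f"pattern update failed: {last}")
    engine = fields.get("Scan engine type")
    if engine and engine != expected_engine:
        problems.append(f"engine is {engine}, expected {expected_engine} (reboot pending?)")
    flavor = re.fullmatch(r"running (\S+), configure (\S+)",
                          fields.get("Onbox AV load flavor", ""))
    if flavor and flavor.group(1) != flavor.group(2):
        problems.append(f"load flavor: running {flavor.group(1)}, "
                        f"configured {flavor.group(2)} (reboot pending)")
    return problems


if __name__ == "__main__":
    for problem in check_status(parse_status(SAMPLE_STATUS)):
        print(problem)
```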

Validate Avira Antivirus on Your Security Device

Purpose

Validate whether the Avira Antivirus solution is working on SRX Series Firewalls.

Action

Test the antivirus capability safely by using the Eicar.org website. Your security device displays an error message as shown when you try to download an unsafe file.

Figure 2: Validating Antivirus Solution
Meaning

The message indicates that your security device has blocked malicious content.
