advanced-anti-malware policy

Syntax

Hierarchy Level

Description

The connection to the Juniper Advanced Threat Prevention Cloud is launched on demand. It is established only when a condition is met and a file or URL must be sent to the cloud. The cloud inspects the file and returns a verdict number (1 through 10). A verdict number is a score or threat level: the higher the number, the higher the malware threat. The SRX Series Firewall compares this verdict number to the Juniper Advanced Threat Prevention Cloud policy settings and either permits or denies the session. If the session is denied, a reset packet is sent to the client and the packets from the server are dropped.

Juniper Advanced Threat Prevention Cloud policies append to the Junos OS security policies by defining the actions to take when a file is considered malware or when an attempt is made to download a file from a location that’s on a custom blocklist or allowlist.

Use this command to configure the Juniper Advanced Threat Prevention Cloud policy.

Options

policy-name

Name of the Juniper Advanced Threat Prevention Cloud policy.

Note:

Starting in Junos OS Release 18.2R1, for unified policies, a default-policy can be used for anti-malware and security-intelligence policies. The commands are: set services security-intelligence default-policy and set services advanced-anti-malware default-policy. During the initial policy lookup phase, which occurs before a dynamic application is identified, if the potential policy list contains multiple policies that reference different security-intelligence or anti-malware policies, the SRX Series Firewall applies the default policy until a more explicit match occurs. See the Juniper ATP Cloud Administration Guide and your SRX Series documentation for more details on unified policies.

blacklist-notification

(Optional) Create a system log entry when an attempt to access a website listed in the blocklist file is made. Use blacklist-notification log to create a log entry. If you do not want to create a log entry, do not specify the blacklist-notification option.

default-notification

Create a system log entry if the cloud returns a verdict number less than the verdict-threshold. Use default-notification log to create a log entry. If you do not want to create a log entry, do not specify the default-notification option.

fallback-options (action block | action permit)

The action to take when the SRX Series Firewall runs out of resources or the connection to the cloud is lost. The default is action permit.

fallback-options notification

(Optional) Create a system log entry when fallback occurs. Use fallback-options notification log to create a log entry. If you do not want to create a log entry, do not specify the fallback-options notification option.

http

This command allows you to inspect advanced anti-malware (AAMW) files downloaded by hosts through the Hypertext Transfer Protocol (HTTP). The AAMW files are then submitted to Juniper ATP Cloud for malware screening.

http action (permit | block)

This command allows you to permit or block the file when malware is detected.

Starting in Junos OS Release 21.3R1, when the http action is set to block, the detected malware file is blocked immediately after a signature match. Juniper ATP Cloud does not receive the full file for analysis; instead, it receives a notification of the malware hit event. You can view the malware information in the Juniper ATP Cloud Portal. The Partial file tab displays the malware hit event information for all blocked signature-match detections.

http(s) client-notify (message | file | redirect-url)

(Starting in Junos OS release 19.3R1) This command allows you to configure HTTP URL redirection for a customized client notification based on detected malware with the block action.

http(s) file-verdict-unknown (permit | block)

(Starting in Junos 19.3R1) This command allows you to permit or block a file for which the cloud returns a verdict of “unknown.” By default, files with an “unknown” verdict are permitted.

smb

(Starting in Junos 21.1R1) This command allows you to inspect advanced anti-malware (AAMW) files downloaded by hosts through Server Message Block (SMB) protocol. The AAMW files are then submitted to Juniper ATP Cloud for malware screening.

Note:
  • Starting in Junos OS Release 21.3R1, SMB supports block mode in addition to permit mode.

  • SMBv3 encryption is not supported.

  • SMB multichannel is not supported.

inspection-profile

Name of the Juniper Advanced Threat Prevention Cloud profile. This profile defines what file types or file categories are to be sent to the cloud for inspection.

match verdict-threshold

The verdict-threshold defines the number at which you want to label a file as malware. For example, if you set verdict-threshold to 7 and the cloud returns a verdict number of 7 or greater, then that file is considered malware. verdict-threshold can be any number between 1 and 10, inclusive.

then notification

(Optional) Create a system log entry if the cloud returns a verdict number equal to or greater than the verdict-threshold. Use then notification log to create a log entry. If you do not want to create a log entry, do not specify the then notification option.

whitelist-notification

(Optional) Create a system log entry when an attempt to access a website listed in the allowlist file is made. Use whitelist-notification log to create a log entry. If you do not want to create a log entry, do not specify the whitelist-notification option.

Table 1 shows examples of using the Juniper Advanced Threat Prevention Cloud policy options.

Table 1: Juniper Advanced Threat Prevention Cloud Security Policy Additions

Addition

Description

Action and notification based on the verdict number and threshold

Defines the threshold value and what to do when the verdict number is greater than or equal to the threshold. For example, if the threshold is 7 and Juniper Advanced Threat Prevention Cloud returns a verdict number of 9 for a file, then that file is blocked from being downloaded and a log entry is created.

set services advanced-anti-malware policy aamwpol1 match verdict-threshold 7
set services advanced-anti-malware policy aamwpol1 then action block
set services advanced-anti-malware policy aamwpol1 then notification log

Default action and notification

Defines what to do when the verdict number is less than the threshold. For example, if the threshold is 7 and Juniper Advanced Threat Prevention Cloud returns a verdict number of 3 for a file, then that file is allowed to be downloaded and a log entry is created.

set services advanced-anti-malware policy aamwpol1 default-notification log

Name of the inspection profile

Name of the Juniper Advanced Threat Prevention Cloud profile that defines the types of file to scan.

set services advanced-anti-malware policy aamwpol1 inspection-profile profile1

Fallback options

Defines what to do when error conditions occur or when there is a lack of resources. The following fallback options are available:

  • action—Permit or block the file regardless of its threat level.

  • notification—Add or do not add this event to the log file.

set services advanced-anti-malware policy aamwpol1 fallback-options action block
set services advanced-anti-malware policy aamwpol1 fallback-options notification log

The following fallback conditions can trigger these options:

  • invalid-content-size—Content size exceeds the supported range

  • out-of-resources—Service is out of resources

  • service-not-ready—Service is not yet ready

  • submission-timeout—Submission timed out

  • unknown-file—File type is unknown

  • verdict-timeout—Verdict timed out

If none of the listed fallback conditions is hit, the default fallback option is applied.

Blocklist notification

Defines whether to create a log entry when attempting to download a file from a site listed in the blocklist file.

set services advanced-anti-malware policy aamwpol1 blacklist-notification log

Allowlist notification

Defines whether to create a log entry when attempting to download a file from a site listed in the allowlist file.

set services advanced-anti-malware policy aamwpol1 whitelist-notification log

User notification of malware on block action

(Starting in Junos 19.3R1) This command allows you to configure HTTP and HTTPS URL redirection for a customized client notification based on detected malware with the block action. A block message can only be sent when a block action is configured.

Note:

See request services advanced-anti-malware redirect-file for details on adding a custom file.

set services advanced-anti-malware policy p1 http client-notify message
set services advanced-anti-malware policy p1 http client-notify file
set services advanced-anti-malware policy p1 http client-notify redirect-url <enter URL>

Block or permit malware when file verdict is “unknown”

(Starting in Junos 19.3R1) This command allows you to permit or block malware based on the detected file having a verdict of “unknown.” By default, an “unknown” file verdict is permitted. (Note this only applies to HTTP and HTTPS traffic.)

set services advanced-anti-malware policy p1 http file-verdict-unknown <block|permit>
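The decision rules above (verdict-threshold comparison, then/default notification, fallback-options, and http file-verdict-unknown) can be modelled as a small evaluator to check how a policy will behave before it is committed. This is an added illustration written for this page, not Junos code; the policy fields, the evaluate() function and the sample policy are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Fallback conditions listed in Table 1 (constructed set for the model).
FALLBACK_CONDITIONS = {
    "invalid-content-size", "out-of-resources", "service-not-ready",
    "submission-timeout", "unknown-file", "verdict-timeout",
}


@dataclass
class AamwPolicy:
    """Hypothetical model of one 'advanced-anti-malware policy' stanza."""
    verdict_threshold: int                  # match verdict-threshold, 1..10
    then_action: str = "block"              # then action (permit | block)
    then_notification: bool = False         # then notification log
    default_notification: bool = False      # default-notification log
    fallback_action: str = "permit"         # fallback-options action; default permit
    fallback_notification: bool = False     # fallback-options notification log
    http_file_verdict_unknown: str = "permit"  # http file-verdict-unknown; default permit

    def __post_init__(self) -> None:
        if not 1 <= self.verdict_threshold <= 10:
            raise ValueError("verdict-threshold must be between 1 and 10")


def evaluate(policy: AamwPolicy, verdict: Optional[int] = None,
             fallback_condition: Optional[str] = None,
             protocol: str = "http") -> Tuple[str, bool]:
    """Return (action, log_entry_created) for one cloud response.

    verdict is the cloud's 1..10 score, or None when the cloud returned
    'unknown'; fallback_condition is set when the lookup could not complete.
    """
    if fallback_condition is not None:
        if fallback_condition not in FALLBACK_CONDITIONS:
            raise ValueError(f"unsupported fallback condition: {fallback_condition}")
        return policy.fallback_action, policy.fallback_notification
    if verdict is None:
        # file-verdict-unknown applies only to HTTP/HTTPS (page); logging of
        # unknown verdicts is not described on the page, modelled as no log.
        if protocol not in ("http", "https"):
            raise ValueError("file-verdict-unknown applies only to HTTP/HTTPS")
        return policy.http_file_verdict_unknown, False
    if not 1 <= verdict <= 10:
        raise ValueError("verdict number must be between 1 and 10")
    if verdict >= policy.verdict_threshold:     # at or above threshold: malware
        return policy.then_action, policy.then_notification
    return "permit", policy.default_notification  # below threshold: allowed
```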

Required Privilege Level

View

Release Information

Command introduced in Junos OS Release 15.1X49-D33.

The SMB option is introduced in Junos OS Release 21.1R1.