Full Antivirus Application Protocol Scanning

Full Antivirus uses a scanning engine and virus signature databases to protect against virus-infected files, worms, trojans, spyware, and other malware over POP3, HTTP, SMTP, IMAP, and FTP protocols. For more information, see the following topics:

Understanding Full Antivirus Application Protocol Scanning

Full Antivirus Application Protocol Scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, you can turn antivirus scanning on and off on a per-protocol basis. If scanning for a protocol is disabled in an antivirus profile, there is no application intelligence for that protocol, so in most cases traffic using it is not scanned. However, if that protocol is carried over another protocol for which scanning is enabled in the antivirus profile, the traffic is scanned as the enabled protocol.

The internal antivirus scan engine supports scanning for specific Application Layer transactions allowing you to select the content (HTTP, FTP, SMTP, POP3, or IMAP traffic) to scan. For each content type that you are scanning, you have different configuration options.

Profile-based settings, including enable/disable, scan-mode, and scan result handling settings, may not be applicable to all supported protocols. The following table lists profile-based settings and their protocol support.

Table 1: Supported Profile-based Settings By Protocol

Profile Setting                                                                     Protocol Support
Enable or disable scanning on a per-protocol basis                                  All protocols
Understanding Full Antivirus Scan Mode Support, including file extension scanning   All protocols
Understanding Full Antivirus Content Size Limits                                    All protocols
Understanding Full Antivirus Decompression Layer Limits                             All protocols
Understanding Full Antivirus Scanning Timeouts                                      All protocols
Understanding HTTP Trickling                                                        HTTP only
Understanding Antivirus Scanning Fallback Options                                   All protocols
Protocol-specific messages                                                          All protocols
Understanding E-Mail Virus-Detected Notifications                                   SMTP, POP3, and IMAP only
Understanding Custom Message Virus-Detected Notifications                           All protocols

Understanding HTTP Scanning

HTTP antivirus scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, if antivirus scanning is enabled for Hypertext Transfer Protocol (HTTP) traffic in a content security profile, TCP traffic to the defined HTTP service ports (generally port 80) is monitored. For HTTP traffic, the security device scans both HTTP responses and requests (GET, POST, and PUT methods).

For HTTP antivirus scanning, both HTTP 1.0 and 1.1 are supported. If the protocol version is HTTP 0.x, the antivirus scanner attempts to scan the traffic. Unknown protocols are bypassed. For example, some application protocols use HTTP as a transport but do not comply with HTTP 1.0 or 1.1; these are treated as unknown protocols and are not scanned.

This is a general description of how HTTP traffic is intercepted, scanned, and acted upon by the antivirus scanner:

  1. An HTTP client sends an HTTP request to a webserver or a webserver responds to an HTTP request.

  2. The security device intercepts the request and passes the data to the antivirus scanner, which scans it for viruses.

  3. After completing the scan, the device follows one of two courses:

    • If there is no virus, the device forwards the request to the webserver.

    • If there is a virus, the device drops the request and sends an HTTP message reporting the infection to the client.

With script-only scanning, the input object is a script file: JavaScript, VBScript, mIRC script, DOS batch (.bat) files, and other text scripts. The engine matches the input content only against signatures for script files. Script scanning applies only to HTML content carried over HTTP, and two criteria must be met: the Content-Type of the document must be text or HTML, and the HTTP headers must carry no Content-Encoding. If both criteria are met, an HTML parser is used to parse the document.
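The following is an added example, not code from the Juniper page or from the scanner itself. It encodes the HTTP scan-eligibility rules stated above (HTTP 1.0 and 1.1 scanned, HTTP 0.x attempted, unknown protocols bypassed, and script-only scanning limited to text/HTML content without Content-Encoding) as a small decision function, so that the traffic the scanner leaves untouched is explicit and can be logged. Two readings are assumptions: any version token other than 1.0, 1.1 or 0.x is treated as unknown, and "text or HTML" is read as any text/* media type. The sample messages are constructed.

```python
"""Added example (not Juniper code): HTTP scan-eligibility rules as a decision function.

Assumptions: versions other than HTTP/1.0, HTTP/1.1 and HTTP/0.x are treated as
unknown protocols; the "text or HTML" criterion is read as any text/* media type.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SUPPORTED = ("HTTP/1.0", "HTTP/1.1")


@dataclass
class Decision:
    action: str        # "scan", "attempt" (HTTP/0.x) or "bypass" (unknown protocol)
    script_scan: bool  # True when the script-only scan criteria are both met
    reason: str


def parse_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP message head into its start line and a lower-cased header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def http_version(start_line: str) -> Optional[str]:
    """Return the HTTP-version token from a request line or status line, if present."""
    for token in start_line.split():
        if token.startswith("HTTP/"):
            return token
    return None


def script_scan_eligible(headers: Dict[str, str]) -> bool:
    """Both criteria from the text: text/HTML media type and no Content-Encoding header."""
    media = headers.get("content-type", "").split(";")[0].strip().lower()
    return media.startswith("text/") and "content-encoding" not in headers


def decide(raw: bytes) -> Decision:
    """Classify one HTTP request or response head according to the page's rules."""
    start, headers = parse_head(raw)
    version = http_version(start)
    if version is None:
        return Decision("bypass", False, "no HTTP version token: unknown protocol, not scanned")
    if version in SUPPORTED:
        return Decision("scan", script_scan_eligible(headers), f"{version} is supported")
    if version.startswith("HTTP/0."):
        return Decision("attempt", script_scan_eligible(headers), f"{version}: scanner attempts to scan")
    return Decision("bypass", False, f"{version} is not 1.0, 1.1 or 0.x (assumed unknown)")


# Constructed sample message heads (no real hosts or content).
SAMPLES = {
    "html_response": b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: 5\r\n\r\n<p>x",
    "gzip_html": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n\r\n",
    "post_request": b"POST /upload HTTP/1.0\r\nHost: www.example.test\r\nContent-Type: application/octet-stream\r\n\r\n",
    "legacy": b"GET /index.html HTTP/0.9\r\n\r\n",
    "non_http_on_port_80": b"ICY 200 OK\r\nicy-name: constructed stream\r\n\r\n",
}


def audit(samples: Dict[str, bytes]) -> Dict[str, Decision]:
    """Run the decision over every sample; bypassed entries are the scanner's blind spots."""
    return {name: decide(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, d in audit(SAMPLES).items():
        print(f"{name:22} {d.action:8} script_scan={d.script_scan!s:5} {d.reason}")
```

Entries that come back as "bypass" are exactly the traffic the text says is not scanned; a defender would log those rather than assume the profile covers everything on port 80.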

Enabling HTTP Scanning (CLI Procedure)

The HTTP antivirus scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, to enable antivirus scanning for HTTP traffic, enter the following CLI configuration statement:

Understanding FTP Antivirus Scanning

The FTP antivirus scanning is not supported from Junos OS Release 15.1X49-D10 onwards. For previous releases, if antivirus scanning is enabled for File Transfer Protocol (FTP) traffic in a content security profile, the security device monitors the control channel and, when it detects one of the FTP commands for transferring data, it scans the data sent over the data channel.

This is a general description of how FTP traffic is intercepted, scanned, and acted upon by the antivirus scanner:

  1. A local FTP client opens an FTP control channel to an FTP server and requests the transfer of some data.

  2. The FTP client and server negotiate a data channel over which the server sends the requested data. The security device intercepts the data and passes it to the antivirus scan engine, which scans it for viruses.

  3. After completing the scan, the device follows one of two courses:

    • If there is no virus, the device forwards the data to the client.

    • If there is a virus, the device replaces the data with a drop message in the data channel and sends a message reporting the infection in the control channel.

Enabling FTP Antivirus Scanning (CLI Procedure)

The FTP antivirus scanning is not supported from Junos OS Release 15.1X49-D10 onwards. For previous releases, to enable antivirus scanning for File Transfer Protocol (FTP) traffic, enter the following CLI configuration statement:

Note:

In order to scan FTP traffic, the FTP ALG must be enabled.

Understanding SMTP Antivirus Scanning

Starting from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1, only Sophos Antivirus supports the SMTP antivirus scanning. If SMTP (Simple Mail Transfer Protocol) antivirus scanning is enabled in a content security profile, the security device redirects traffic from local SMTP clients to the antivirus scanner before sending it to the local mail server.

Chunking is an alternative to the DATA command that transmits a large message in small chunks. Chunking is not supported: messages that use chunking are bypassed and are not scanned.

This is a general description of how SMTP traffic is intercepted, scanned, and acted upon by the antivirus scanner:

  1. An SMTP client sends an e-mail message to a local mail server or a remote mail server forwards an e-mail message via SMTP to the local mail server.

  2. The security device intercepts the e-mail message and passes the data to the antivirus scanner, which scans it for viruses.

  3. After completing the scan, the device follows one of two courses:

    • If there is no virus, the device forwards the message to the local server.

    • If there is a virus, the device sends a replacement message to the client.

This topic includes the following sections:

Understanding SMTP Antivirus Mail Message Replacement

If the antivirus scanner finds a virus in an e-mail message, the original message is dropped, the message body is truncated, and the content is replaced by a message that may appear as follows:

If a scan error is returned and the fail mode is set to drop, the original message is dropped and the entire message body is truncated. The content is replaced by a message that may appear as follows:

Understanding SMTP Antivirus Sender Notification

If notify-sender-on-virus is set and the message is dropped due to a detected virus, an e-mail is sent to the mail sender. The content of the notification may appear as follows:

If notify-sender-on-error-drop is set and the message is dropped due to a scan error, an e-mail is sent to the mail sender of the scanned message. The content of the e-mail may appear as follows:

Note:

For information on the ENVID parameter, refer to RFC 3461.

Understanding SMTP Antivirus Subject Tagging

If a scan error is returned and the fail mode is set to pass, the antivirus module passes the message through to the server. If notify-recipient-on-error-pass is set, the following string is appended to the end of the subject field:

Enabling SMTP Antivirus Scanning (CLI Procedure)

The SMTP antivirus scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, to enable antivirus scanning for SMTP traffic, enter the following CLI configuration statement:

Understanding POP3 Antivirus Scanning

POP3 antivirus scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, if Post Office Protocol 3 (POP3) antivirus scanning is enabled in a content security profile, the security device redirects traffic from a local mail server to the antivirus scanner before sending it to the local POP3 client.

This is a general description of how POP3 traffic is intercepted, scanned, and acted upon by the antivirus scanner:

  1. The POP3 client downloads an e-mail message from the local mail server.

  2. The security device intercepts the e-mail message and passes the data to the antivirus scanner, which scans it for viruses.

  3. After completing the scan, the security device follows one of two courses:

This topic includes the following sections:

Understanding POP3 Antivirus Mail Message Replacement

If the antivirus scanner finds a virus in an e-mail message, the original message is dropped, the message body is truncated, and the content is replaced by a message that may appear as follows:

Understanding POP3 Antivirus Sender Notification

If notify-sender-on-virus is set and the message is dropped due to a detected virus, an e-mail is sent to the mail sender.

If notify-sender-on-error-drop is set and the message is dropped due to a scan error, an e-mail is sent to the mail sender of the scanned message. The content of the e-mail may appear as follows:

Understanding POP3 Antivirus Subject Tagging

If a scan error is returned and the fail mode is set to pass, the antivirus module passes the message through to the server. If notify-recipient-on-error-pass is set, the following string is appended to the end of the subject field:

Enabling POP3 Antivirus Scanning (CLI Procedure)

The POP3 antivirus scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, to enable antivirus scanning for POP3 traffic, enter the following CLI configuration statement:

Understanding IMAP Antivirus Scanning

IMAP antivirus scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, if IMAP (Internet Message Access Protocol) antivirus scanning is enabled in a content security profile, the security device redirects traffic from a local mail server to the internal antivirus scanner before sending it to the local IMAP client.

This is a general description of how IMAP traffic is intercepted, scanned, and acted upon by the antivirus scanner:

  1. The IMAP client downloads an e-mail message from the local mail server.

  2. The security device intercepts the e-mail message and passes the data to the antivirus scanner, which scans it for viruses.

  3. After completing the scan, the security device follows one of two courses:

This topic includes the following sections:

Understanding IMAP Antivirus Mail Message Replacement

If the antivirus scanner finds a virus in an e-mail message, the original message is dropped, the message body is truncated, and the content is replaced by a message that may appear as follows:

Understanding IMAP Antivirus Sender Notification

If notify-sender-on-virus is set and the message is dropped due to a detected virus, an e-mail is sent to the mail sender.

If notify-sender-on-error-drop is set and the message is dropped due to a scan error, an e-mail is sent to the mail sender of the scanned message. The content of the e-mail may appear as follows:

Understanding IMAP Antivirus Subject Tagging

If a scan error is returned and the fail mode is set to pass, the antivirus module passes the message through to the server. If notify-recipient-on-error-pass is set, the following string is appended to the end of the subject field:

Understanding IMAP Antivirus Scanning Limitations

Mail Fragments — One e-mail can be chopped into multiple parts, each sent in a different response. This is called mail fragmenting, and most popular mail clients support it in order to send and receive large e-mails. The antivirus scanner does not support scanning of mail fragments; in such cases, the message body is not scanned.

Partial Content — Some mail clients handle e-mails differently depending on their size. For example, small e-mails (less than 10 KB) are downloaded as a whole, while large e-mails (for example, less than 1 MB) are chopped into 10 KB pieces upon request from the IMAP server. The antivirus scanner does not support scanning of partial content requests.

IMAP Uploads — Only antivirus scanning of IMAP downloads is supported. IMAP upload traffic is not scanned.
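The following added example (not code from the Juniper page or the scanner) covers two of the unscanned paths described on this page: SMTP chunking, from the SMTP section, and the IMAP limitations just listed (fragmented mail, partial-content fetches, and uploads). It audits constructed SMTP and IMAP session transcripts and reports each exchange the scanner would bypass, which is the list a defender needs to judge how much of the mail path is actually covered. The detection keys are assumptions about how these cases appear on the wire: the BDAT command for SMTP chunking (RFC 3030), the BODY[]<offset.count> FETCH form for IMAP partial content (RFC 3501), APPEND for IMAP uploads, and a message/partial Content-Type (RFC 2046) for fragmented mail.

```python
"""Added example (not Juniper code): find mail traffic the antivirus scanner bypasses.

Assumed wire markers: SMTP CHUNKING is used via BDAT (RFC 3030); IMAP partial
content is fetched as BODY[]<offset.count> (RFC 3501); IMAP uploads use APPEND;
fragmented mail carries Content-Type: message/partial (RFC 2046).
Transcript lines are prefixed "C: " (client) or "S: " (server).
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    protocol: str
    line_no: int
    reason: str


BDAT_RE = re.compile(r"^BDAT\s+\d+", re.I)
CHUNKING_ADVERT_RE = re.compile(r"^250[- ]CHUNKING\s*$", re.I)
IMAP_PARTIAL_RE = re.compile(r"\bFETCH\b.*BODY(?:\.PEEK)?\[[^\]]*\]<\d+\.\d+>", re.I)
IMAP_APPEND_RE = re.compile(r"^\S+\s+APPEND\b", re.I)
FRAGMENT_RE = re.compile(r"^Content-Type:\s*message/partial", re.I)


def _split(line: str):
    """Return (is_client, text) for a transcript line; unknown prefixes are ignored."""
    if line.startswith("C: "):
        return True, line[3:]
    if line.startswith("S: "):
        return False, line[3:]
    return None, line


def audit_smtp(lines: List[str]) -> List[Finding]:
    """Flag chunked message transfers, which the scanner bypasses without scanning."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        is_client, text = _split(line)
        if is_client is False and CHUNKING_ADVERT_RE.match(text):
            findings.append(Finding("smtp", n, "server advertises CHUNKING: clients may send via BDAT"))
        elif is_client and BDAT_RE.match(text):
            findings.append(Finding("smtp", n, "chunking (BDAT) in use: message bypassed, not scanned"))
    return findings


def audit_imap(lines: List[str]) -> List[Finding]:
    """Flag partial fetches, uploads and fragmented mail, none of which are scanned."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        is_client, text = _split(line)
        if is_client and IMAP_PARTIAL_RE.search(text):
            findings.append(Finding("imap", n, "partial content FETCH: not scanned"))
        elif is_client and IMAP_APPEND_RE.match(text):
            findings.append(Finding("imap", n, "IMAP upload (APPEND): not scanned"))
        elif is_client is False and FRAGMENT_RE.match(text):
            findings.append(Finding("imap", n, "fragmented mail (message/partial): body not scanned"))
    return findings


# Constructed transcripts; hosts and addresses are placeholders.
SMTP_SESSION = [
    "S: 220 mail.example.test ESMTP",
    "C: EHLO client.example.test",
    "S: 250-mail.example.test",
    "S: 250 CHUNKING",
    "C: MAIL FROM:<alice@example.test>",
    "S: 250 OK",
    "C: RCPT TO:<bob@example.test>",
    "S: 250 OK",
    "C: BDAT 4096 LAST",
    "S: 250 Message OK",
]

IMAP_SESSION = [
    "C: a01 SELECT INBOX",
    "S: a01 OK [READ-WRITE] SELECT completed",
    "C: a02 FETCH 1 BODY[]",
    "S: * 1 FETCH (BODY[] {80}",
    "S: Content-Type: text/plain",
    "S: a02 OK FETCH completed",
    "C: a03 FETCH 2 BODY.PEEK[]<0.10240>",
    "S: * 2 FETCH (BODY[]<0> {10240}",
    "S: a03 OK FETCH completed",
    "C: a04 FETCH 3 BODY[]",
    "S: * 3 FETCH (BODY[] {120}",
    'S: Content-Type: message/partial; id="abc@example.test"; number=1; total=3',
    "S: a04 OK FETCH completed",
    "C: a05 APPEND Sent (\\Seen) {310}",
    "S: + Ready for literal data",
]

if __name__ == "__main__":
    for f in audit_smtp(SMTP_SESSION) + audit_imap(IMAP_SESSION):
        print(f"{f.protocol} line {f.line_no}: {f.reason}")
```

The whole-message FETCH on line 3 of the IMAP transcript produces no finding, because a complete download is the one IMAP case the text says is scanned; everything else the audit reports is traffic that passes the device without a verdict.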

Enabling IMAP Antivirus Scanning (CLI Procedure)

The IMAP antivirus scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, to enable antivirus scanning for IMAP traffic, enter the following CLI configuration statement:

Release History Table

Release       Description
15.1X49-D10   The Full Antivirus Application Protocol Scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards.
15.1X49-D10   The HTTP antivirus scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards.
15.1X49-D10   The FTP antivirus scanning is not supported from Junos OS Release 15.1X49-D10 onwards.
15.1X49-D10   Starting from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1, only Sophos Antivirus supports the SMTP antivirus scanning.
15.1X49-D10   The SMTP antivirus scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards.
15.1X49-D10   The POP3 antivirus scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards.
15.1X49-D10   The IMAP antivirus scanning is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards.