Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Sophos Antivirus Protection

The Sophos antivirus scanner uses a local internal cache to maintain query responses from the external list server to improve lookup performance. The Sophos antivirus scanning is offered as a less CPU-intensive alternative to the full file-based antivirus feature. For more information, see the following topics:

Sophos Antivirus Protection Overview

Sophos antivirus is as an in-the-cloud antivirus solution. The virus pattern and malware database is located on external servers that are maintained by Sophos (Sophos Extensible List) servers, thus there is no need to download and maintain large pattern databases on the Juniper device. Prior to Junos OS Release 23.1R1, the Sophos antivirus scanner also used a local internal cache to maintain query responses from the external list server to improve lookup performance.

Because a significant amount of traffic processed by Juniper Content Security is HTTP based, Uniform Resource Identifier (URI) checking is used to effectively prevent malicious content from reaching the endpoint client or server. The following checks are performed for HTTP traffic: URI lookup, true file type detection, and file checksum lookup. The following application layer protocols are supported: HTTP, FTP, SMTP, POP3 and IMAP.

The full file-based antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, Sophos antivirus scanning is offered as a less CPU-intensive alternative to the full file-based antivirus feature. Sophos supports the same protocols as full antivirus and functions in much the same manner; however, it has a smaller memory footprint and is compatible with lower end devices that have less memory.

Starting with Junos OS Release 15.1X49-D100, IPv6 pass-through traffic for HTTP, HTTPS, FTP, SMTP, POP3, IMAP protocols is supported for Sophos antivirus, Web filtering and Content filtering security features of Content Security.

Starting with Junos OS Release 12.3X48-D35 and Junos OS Release 17.3R1, the Content Security Sophos antivirus (SAV) single session throughput is increased for optimizing tcp-proxy forwarding.

Starting from Junos OS Release 19.4R1, the antivirus feature supports implicit and explicit SMTPS, IMAPS, and POP3S protocol, and supports only explicit passive mode FTPS.

Implicit mode—Connect to SSL/TLS encrypted port using secure channel.

Explicit mode—First connect to unsecured channel, then secure the communication by issuing STARTTLS command. For POP3S, use STLS command.

Starting in Junos OS Release 23.1R1, Content Security supports the new antivirus Sophos Live Protection version 2.0. The new version of Sophos antivirus uses an HTTPS connection for the device-to-server communication. For the HTTPS connection, you must create an SSL initiation profile and add the profile to the default configuration of the Sophos engine.

Starting in Junos OS Release 24.4R1, we introduce Web proxy support for Content Security Sophos 2.0 antivirus. In addition, we introduce the file reputation groups based on the file reputation value to control the traffic and provide more control over security.

Sophos Antivirus Features

Sophos antivirus has the following main features:

  • Sophos antivirus expanded MIME decoding support—Sophos antivirus offers decoding support for HTTP, POP3, SMTP, and IMAP. MIME decoding support includes the following for each supported protocol:

    • Multipart and nested header decoding

    • Base64 decoding, printed quote decoding, and encoded word decoding in the subject field

  • Sophos antivirus supports HTTPS traffic—Starting with Junos OS Release 12.3X48-D25 and Junos OS Release 17.3R1, Sophos antivirus over SSL forward proxy supports HTTPS traffic. Sophos antivirus over SSL forward proxy does so by intercepting HTTPS traffic passing through the SRX Series Firewall. The security channel from the SRX Series Firewall is divided as one SSL channel between the client and the SRX Series Firewall and another SSL channel between the SRX Series Firewall and the HTTPS server. SSL forward proxy acts as the terminal for both channels and forwards the cleartext traffic to Content Security. Content Security extracts the URL and the file checksum information from cleartext traffic. The Sophos antivirus scanner determines whether to block or permit the requests.

    SSL forward proxy does not support client authentication. If client authentication is required by the server, Content Security bypasses the traffic. Content Security bypasses the HTTPS traffic under the following conditions:

    • If SSL proxy does not parse the first handshake packet from the client, SSL forward proxy bypasses the traffic.

    • If the SSL proxy handshake with the client and server is incomplete because of compatibility issues, connection drops.

    • If the system resource is low, SSL forward proxy cannot handle the new connection and Sophos antivirus bypasses the traffic.

    • If HTTPS traffic hits the allowlist of SSL forward proxy, SSL forward proxy and Sophos antivirus bypass the traffic.

  • Sophos antivirus scan result handling—With Sophos antivirus, the TCP, traffic is closed gracefully when a virus is found and the data content is dropped.

    The following fail mode options are supported: content-size, default, engine-not-ready, out-of-resource, timeout, and too-many-requests. You can set the following actions: block, log-and-permit, and permit. Fail mode handling of supported options with Sophos is much the same as with full antivirus.

  • Sophos Uniform Resource Identifier checking—Sophos provides Uniform Resource Identifier (URI) checking, which is similar to antispam realtime null route list (RBL) lookups. URI checking is a way of analyzing URI content in HTTP traffic against the Sophos database to identify malware or malicious content. Because malware is predominantly static, a checksum mechanism is used to identify malware to improve performance. Files that are capable of using a checksum include .exe, .zip, .rar, .swf, .pdf, and .ole2 (doc and xls).

    If you have a Juniper Networks device protecting an internal network that has no HTTP traffic, or has webservers that are not accessible to the outside world, you might want to turn off URI checking. If the webservers are not accessible to the outside world, it is unlikely that they contain URI information that is in the Sophos URI database. URI checking is on by default.

    Starting from Junos OS Release 18.4R1 onwards, the URI checking is off by default.

Understanding Sophos Antivirus Data File Update

Sophos antivirus uses a small set of data files that need to be updated periodically. These data files only contain information on guiding scanning logic and do not contain the full pattern database. The main pattern database, which includes protection against critical viruses, URI checks, malware, worms, Trojans, and spyware, is located on remote Sophos Extensible List servers maintained by Sophos.

The Sophos data files are updated over HTTP or HTTPS and can be updated manually or scheduled to update automatically. With Sophos antivirus:

  • The signature database auto-update interval is once a day by default. This interval can be changed.

  • There is no interruption in virus scanning capability during the data file update. If the update fails, the existing data files will continue to be used.

  • By default, the URL for Sophos antivirus data file update is http://update.juniper-updates.net/SAV/.

Note:

The Sophos antivirus scanning feature is a separately licensed subscription service. When your antivirus license key expires, functionality will no longer work because the pattern lookup database is located on remote Sophos servers. You have a 30-day grace period in which to update your license.

Comparison of Sophos Antivirus to Kaspersky Antivirus

The Kaspersky and Express Antivirus feature is not supported from Junos OS Release 15.1x49-D10 and Junos OS Release 17.3R1 onwards. For previous releases, Sophos Antivirus is much like Juniper Express Antivirus and also has similarities to the Full Antivirus feature:

  • Unlike the Juniper Express and Full Antivirus solutions, the antivirus and malware database for Sophos is stored on a group of remote Sophos Extensible List servers. Queries are performed using the DNS protocol. Sophos maintains these servers, so there is no need to download and maintain large pattern databases on the Juniper device. Because the database is remote, and there is a quicker response to new virus outbreaks. The Antivirus database has no size limitation, but there is a limitation with the scan file size.

    Note:

    Sophos antivirus uses a set of data files that need to be updated on a regular basis. These are not typical virus pattern files; they are a set of small files that help guide virus scanning logic. You can manually download the data files or set up automatic download.

  • Sophos does not provide the same prescreening detection as Kaspersky Antivirus. Sophos does provide a similar solution that is part of the Sophos engine and cannot be turned on and off.

  • The Sophos antivirus scanning feature is a separately licensed subscription service. Also, the pattern lookup database is located on remote servers maintained by Sophos, so when your antivirus license key expires, functionality will no longer work. You have a 30-day grace period in which to update your license.

Sophos Antivirus Configuration Overview

Sophos antivirus is part of the Content Security feature set, so you first configure Content Security options (custom objects), configure the Sophos Feature, then create a Content Security policy and a security policy. The security policy controls all traffic that is forwarded by the device, and the Content Security policy specifies which parameters to use to scan traffic. The Content Security policy is also used to bind a set of protocols to one or more Content Security feature profiles, including Sophos antivirus in this case.

You must complete the following tasks to configure Sophos antivirus:

  1. Configure Content Security custom objects and MIME lists. See Example: Configuring Sophos Antivirus Custom Objects,
  2. Configure the Sophos antivirus feature profile. See Example: Configuring Sophos Antivirus Feature Profile.
  3. Configure a Content Security policy. See Example: Configuring Sophos Antivirus Content Security Policies
  4. Configure a security policy. See Example: Configuring Sophos Antivirus Firewall Security Policies.

To configure Sophos antivirus live protection version 2.0, see Example: Configure Sophos Antivirus Live Protection Version 2.0.

To configure Sophos antivirus over SSL forward proxy to support HTTPS traffic, see Configure SSL Proxy with Content Security.

Example: Configuring Sophos Antivirus Custom Objects

This example shows you how to create Content Security global custom objects to be used with Sophos antivirus.

Requirements

Before you begin, read about Content Security custom objects. See Content Security Overview.

Overview

Configure MIME lists. This includes creating a MIME allowlist and a MIME exception list for antivirus scanning. In this example, you bypass scanning of QuickTime videos, unless if they contain the MIME type quicktime-inappropriate.

Configuration

Procedure

GUI Quick Configuration
Step-by-Step Procedure

To configure a MIME list:

  1. Click the Configure tab from the taskbar, and then select Security>UTM>Custom Objects.

  2. Click the MIME Pattern List tab and then click Add.

  3. In the MIME Pattern Name box, type avmime2.

  4. In the MIME Pattern Value box, type video/quicktime, and click Add.

  5. In the MIME Pattern Value box, type image/x-portable-anympa, and click Add.

  6. In the MIME Pattern Value box, type x-world/x-vrml, and click Add.

Step-by-Step Procedure

To configure a MIME exception list:

  1. Click the Configure tab from the taskbar, and then select Security>UTM>Custom Objects.

  2. Click the MIME Pattern List tab and then select Add.

  3. In the MIME Pattern Name box, type exception-avmime2.

  4. In the MIME Pattern Value box, type video/quicktime-inappropriate and click Add.

Step-by-Step Procedure

Configure a URL pattern list (allowlist) of URLs or addresses that will be bypassed by antivirus scanning. After you create the URL pattern list, you will create a custom URL category list and add the pattern list to it.

Note:

Because you use URL pattern lists to create custom URL category lists, you must configure URL pattern list custom objects before you configure custom URL category lists.

To configure a URL pattern allowlist:

  1. Click the Configure tab from the taskbar, and then select Security>UTM>Custom Objects.

  2. Click the URL Pattern List tab, and then click Add.

  3. In the URL Pattern Name box, enter urlist2.

  4. In the URL Pattern Value box, enter http://example.net. (You can also us the IP address of the server instead of the URL.)

Step-by-Step Procedure

Save your configuration:

  1. Click OK to check your configuration and save it as a candidate configuration.

  2. If you are done configuring the device, click Actions>Commit.

Note:

URL pattern wildcard support—The wildcard rule is as follows: \*\.[]\?* and you must precede all wildcard URLs with http://. You can use “*” only if it is at the beginning of the URL and is followed by a “.”. You can only use “?” at the end of the URL.

The following wildcard syntax is supported: http://*.example.net, http://www.example.ne?, http://www.example.n??. The following wildcard syntax is not supported: *.example.net , www.example.ne?, http://*example.net, http://*.

Step-by-Step Procedure

To configure antivirus protection using the CLI, you must create your custom objects in the following order:

  1. Create the MIME allowlist.

    Create the MIME exception list.

  2. Configure a URL pattern list (allowlist) of URLs or addresses that you want to bypass. After you create the URL pattern list, you create a custom URL category list and add the pattern list to it. Configure a URL pattern list custom object by creating the list name and adding values to it as follows. As you use URL pattern lists to create custom URL category lists, you must configure URL pattern list custom objects before you configure custom URL category lists.

    Note:

    URL pattern wildcard support—The wildcard rule is as follows: \*\.[]\?* and you must precede all wildcard URLs with http://. You can only use “*” if it is at the beginning of the URL and is followed by a “.”. You can only use “?” at the end of the URL.

    The following wildcard syntax is supported: http://*.example.net, http://www.example.ne?, http://www.example.n??. The following wildcard syntax is not supported: *.example.net , www.example.ne?, http://*example.net, http://*.

  3. Configure a custom URL category list custom object by using the URL pattern list urllist2 that you created earlier:

Verification

Verify the Sophos Antivirus Custom Objects Configuration

Purpose

To verify the Sophos Antivirus custom objects configuration., enter the show security utm custom-objects command.

Action

From the operational mode, enter the show security utm custom-objects command to verify the Sophos Antivirus custom objects configuration.

Example: Configuring Sophos Antivirus Feature Profile

This example shows you how to configure a Sophos antivirus profile that defines the parameters that will be used for virus scanning.

Requirements

Before you begin:

Overview

The following configuration defines Sophos as the antivirus engine and sets parameters, such as the data file update interval, notification options for administrators, fallback options, and file size limits.

Note:

The [edit security utm feature-profile] hierarchy level is deprecated in Junos OS Release 18.2R1. For more information, see Content Security Overview.

Configuration

Procedure

GUI Quick Configuration
Step-by-Step Procedure

The following example shows you how to create a custom Sophos profile. If you want to use the Juniper Networks preconfigured profile, use the profile named junos-sophos-av-defaults in your Content Security policy. See Example: Configuring Sophos Antivirus Content Security Policies.

  1. Select and configure the engine type. Because you are configuring Sophos antivirus, you configure sophos-engine:

    Step-by-Step Procedure
    1. Click the Configure tab from the taskbar, and then select Security>UTM>Anti-Virus.

    2. Click the Global Options tab and then click Sophos.

    3. Click OK and commit your changes.

  2. Return to the antivirus Global Options screen as you did in step 1, and set the following parameters:

    Step-by-Step Procedure
    1. In the MIME allowlist list, select exception-avmime2.

    2. In the URL allowlist list, select custurl2.

    3. In the Pattern update interval (sec) box, type 2880.

    4. In the box, type the e-mail address that will receive SophosAdmin e-mail data file update notifications. For example - admin@ example.net.

    5. In the Custom message subject box, type Sophos Data File Updated.

    6. Click OK to check your configuration and save it as a candidate configuration.

  3. Configure a profile for the sophos-engine and set parameters.

    Step-by-Step Procedure
    1. Click the Configure tab from the taskbar and then select Security>UTM>Anti-Virus. Click Add.

    2. In the Add profile box, click the Main tab.

    3. In the Profile name box, type sophos-prof1.

    4. In the Trickling timeout box, type 180.

      When enabling the trickling option, it is important to understand that trickling might send part of the file to the client during the antivirus scan. It is possible that some of the content could be received by the client and the client might become infected before the file is fully scanned.

    5. URI checking is on by default. To turn it off, clear yes in the URI check box.

    6. In the Content size Limit box, type 20000.

    7. In the Scan engine timeout box, type 1800.

  4. Configure fallback settings by clicking the Fallback settings tab. In this example, all fallback options are set to log and permit. Click Log and permit for the following items: Default action, Content size, Engine not ready, Timeout, Out of resource, Too many requests.

  5. Configure notification options by clicking the Notification options tab. You can configure notifications for both fallback blocking and fallback nonblocking actions and for virus detection.

    Step-by-Step Procedure

    To configure notifications for Fallback settings:

    1. For Notification type, click Protocol.

    2. For Notify mail sender, click yes.

    3. In the Custom message box, type Fallback block action occurred.

    4. In the Custom message subject box, type ***Antivirus fallback Alert***.

  6. To configure notification options for virus detection, click the Notification options cont... tab.

    Step-by-Step Procedure
    1. For the Notification type option button, select Protocol.

    2. For the Notify mail sender option button, select yes.

    3. In the Custom message box, type Virus has been detected.

    4. In the Custom message subject box, type ***Virus detected***.

  7. Click OK to check your configuration and save it as a candidate configuration.

  8. If you are done configuring the device, click Actions>Commit.

Step-by-Step Procedure

To configure the Sophos antivirus feature profile using the CLI:

The following example shows you how to create a custom Sophos profile. If you want to use the Juniper Networks preconfigured profile, use the profile named junos-sophos-av-defaults in your Content Security policy. See Example: Configuring Sophos Antivirus Content Security Policies.

  1. Select and configure the engine type. Because you are configuring Sophos antivirus, you configure sophos-engine.

  2. Commit the configuration.

  3. Select a time interval for updating the data files. The default antivirus pattern-update interval is 1440 minutes (every 24 hours). You can choose to leave this default, or you can change it. You can also force a manual update, if needed. To change the default from every 24 hours to every 48 hours:

  4. Configure the network device with the proxy server details, to download the pattern update from a remote server:

  5. In most circumstances, you will not need to change the URL to update the pattern database. If you do need to change this option, use the following command:

  6. You can configure the device to notify a specified administrator when data files are updated. This is an e-mail notification with a custom message and a custom subject line.

  7. Configure a list of fallback options as block, log and permit, or permit. The default setting is log-and-permit. You can use the default settings, or you can change them.

    Configure the content size action. In this example, if the content size is exceeded, the action taken is block.

    First create the profile named sophos-prof1.

    Configure the content size fallback-option to block.

    Configure the default fallback option to log-and-permit.

    Configure log-and-permit if the antivirus engine is not ready.

    Configure log-and-permit if the device is out of resources.

    Configure log-and-permit if a virus scan timeout occurs.

    Configure log-and-permit if there are too many requests for the virus engine to handle.

  8. Configure notification options. You can configure notifications for fallback blocking, fallback nonblocking actions, and virus detection.

    In this step, configure a custom message for the fallback blocking action and send a notification for protocol-only actions to the administrator and the sender.

  9. Configure a notification for protocol-only virus detection, and send a notification.

  10. Configure content size parameters.

    When you configure the content-size value, keep in mind that in certain cases, content size is available in the protocol headers, so the max-content-size fallback is applied before a scan request is sent. However, in many cases, content size is not provided in the protocol headers. In these cases, the TCP payload is sent to the antivirus scanner and accumulates until the end of the payload. If the accumulated payload exceeds the maximum content size value, then max-content-size fallback is applied. The default fallback action is log and permit, so you may want to change this option to block, in which case such a packet is dropped and a block message is sent to the client.

    In this example, if the content size exceeds 20 MB, the packet is dropped.

  11. URI checking is on by default. To turn off URI checking:

  12. Configure the timeout setting for the scanning operation to 1800 seconds.

  13. The Sophos Extensible List servers contain the virus and malware database for scanning operations. Set the response timeout for these servers to 3 seconds (the default is 2 seconds).

  14. Configure the Sophos Extensible List server retry option to 2 retries (the default is 1).

  15. Configure the trickling setting to 180 seconds. If you use trickling, you can also set timeout parameters. Trickling applies only to HTTP. HTTP trickling is a mechanism used to prevent the HTTP client or server from timing out during a file transfer or during antivirus scanning.

    When you enable the trickling option, keep in mind that trickling might send part of a file to the client during its antivirus scan. It is therefore possible that some of the content could be received by the client before the file has been fully scanned.

  16. Configure the antivirus module to use MIME bypass lists and exception lists. You can use your own custom object lists, or you can use the default list that ships with the device called junos-default-bypass-mime. In this example, you use the lists that you set up earlier.

  17. Configure the antivirus module to use URL bypass lists. If you are using a URL allowlist, this is a custom URL category you have previously configured as a custom object. URL allowlists are valid only for HTTP traffic. In this example you use the lists that you set up earlier.

Verification

Obtaining Information About the Current Antivirus Status

Purpose
Action

From operational mode, enter the show security utm anti-virus status command to view the antivirus status.

Meaning
  • Antivirus key expire date—The license key expiration date.

  • Update server—URL for the data file update server.

    • Interval—The time period, in minutes, when the device will update the data file from the update server.

    • Pattern update status—When the data file will be updated next, displayed in minutes.

    • Last result—Result of the last update. If you already have the latest version, this will display already have latest database.

  • Antivirus signature version—Version of the current data file.

  • Scan engine type—The antivirus engine type that is currently running.

  • Scan engine information—Result of the last action that occurred with the current scan engine.

Example: Configuring Sophos Antivirus Content Security Policies

This example shows how to create a Content Security policy for Sophos antivirus.

Requirements

Before you create the Content Security policy, create custom objects and the Sophos feature profile.

  1. Configure Content Security custom objects and MIME lists. See Example: Configuring Sophos Antivirus Custom Objects.

  2. Configure the Sophos antivirus feature profile. See Example: Configuring Sophos Antivirus Feature Profile.

Overview

After you have created an antivirus feature profile, you configure a Content Security policy for an antivirus scanning protocol and attach this policy to a feature profile. In this example, HTTP will be scanned for viruses, as indicated by the http-profile statement. You can scan other protocols as well by creating different profiles or adding other protocols to the profile, such as: imap-profile, pop3-profile, and smtp-profile.

Configuration

Procedure

GUI Quick Configuration
Step-by-Step Procedure

To configure a Content Security policy for Sophos antivirus:

  1. Click the Configure tab from the taskbar, and then select Security>Policy>UTM Policies. Then click Add.

  2. Click the Main tab. In the Policy name box, type utmp3.

  3. Click the Anti-Virus profiles tab. In the HTTP profile list, select sophos-prof1.

  4. Click OK to check your configuration and save it as a candidate configuration.

  5. If you are done configuring the device, select Actions>Commit.

Step-by-Step Procedure

To configure a Content Security policy for Sophos antivirus:

  1. Go to the edit security Content Security hierarchy.

  2. Create the Content Security policy utmp3 and attach it to the http-profile sophos-prof1. You can use the default Sophos feature profile settings by replacing sophos-prof1 in the above statement with junos-sophos-av-defaults.

Verification

Verify the Content Security Policy Configuration

Purpose

To verify the Content Security policy configuration.

Action

From the operational mode, enter the show security utm utm-policy utmp3 command.

Example: Configuring Sophos Antivirus Firewall Security Policies

This example shows how to create a security policy for Sophos antivirus.

Requirements

Before you create the security policy, create custom objects, the Sophos feature profile, and the Content Security policy.

  1. Configure Content Security custom objects and MIME lists. See Example: Configuring Sophos Antivirus Custom Objects.

  2. Configure the Sophos antivirus feature profile. See Example: Configuring Sophos Antivirus Feature Profile.

  3. Configure a Content Security policy. See Example: Configuring Sophos Antivirus Content Security Policies.

Overview

Create a firewall security policy that will cause traffic from the untrust zone to the trust zone to be scanned by Sophos antivirus using the feature profile settings defined in Example: Configuring Sophos Antivirus Feature Profile. Because the match application configuration is set to any, all application types will be scanned.

Configuration

Procedure

GUI Quick Configuration
Step-by-Step Procedure

To configure a security policy for Sophos antivirus:

  1. Configure the untrust to trust policy to match any source address or destination address, and select the applications to be scanned to any.

    Step-by-Step Procedure
    1. Click the Configure tab from the taskbar, and then select Security>Policy>FW Policies. Then select Add.

    2. In the Policy Name box, type p3.

    3. In the Policy Action box, select permit.

    4. In the From Zone list, select untrust.

    5. In the To Zone list, select trust.

    6. In the Source Address and Destination Address boxes, make sure that Matched is set to any.

    7. In the Applications boxes, select any from the Application/Sets list, and move it to the Matched list.

  2. Attach the Content Security policy named utmp3 to the firewall security policy. This will cause matched traffic to be scanned by the Sophos antivirus feature.

    Step-by-Step Procedure
    1. From the Edit Policy box, click the Application Services tab.

    2. In the Content Security Policy list, select utmp3.

  3. Click OK to check your configuration and save it as a candidate configuration.

  4. If you are done configuring the device, select Actions>Commit.

Step-by-Step Procedure

To configure a security policy for Sophos antivirus:

  1. Configure the untrust to trust policy to match any source-address.

  2. Configure the untrust to trust policy to match any destination-address.

  3. Configure the untrust to trust policy to match any application type.

  4. Attach the Content Security policy named utmp3 to the firewall security policy. This will cause matched traffic to be scanned by the Sophos antivirus feature.

Verification

To verify the configuration, enter the show security policies command.

Verify the Security Policy Configuration

Purpose

To verify the security policy configuration, enter the show security policies command.

Action

From the operational mode, enter the show security policies command.

Example: Configure Sophos Antivirus Live Protection Version 2.0

Use this configuration example to configure and to verify the Sophos antivirus live protection version 2.0 on your device. Sophos antivirus is an in-the-cloud antivirus solution. The virus pattern and malware database on the external servers maintained by Sophos (Sophos Extensible List) servers isolate and protect your device. Starting in Junos OS Release 23.1R1, content security supports Sophos antivirus live protection version 2.0. The new antivirus version uses the HTTPS protocol to communicate between the SRX Series Firewall and Sophos server.

Tip:
Table 1: Estimated Timers

Readability Score

  • Flesch reading ease: 34

  • Flesch-Kincaid reading grade level: 11.9

Reading Time

Less than 15 minutes.

Configuration Time

Less than an hour.

Example Prerequisites

Hardware requirements SRX Series Firewall and vSRX Virtual Firewall
Software requirements Junos OS Release 23.1R1 or later
Licensing requirements

Sophos antivirus live protection version 2.0 license

Use the show system license command to make sure you have a valid Sophos antivirus license installed on your device. When your antivirus license key expires, functionality will no longer work because the pattern lookup database is on the remote Sophos servers.

Before You Begin

Benefits

The virus pattern and malware database on the external servers maintained by Sophos (Sophos Extensible List) servers isolate and protect your device.

Provides HTTPS based secure connection between the SRX Series Firewall and Sophos server.

Useful resources:

Know more

Sophos Antivirus Protection

Hands-on experience

vLab Sandbox: Zones / Policies

Learn more

Content Security Antivirus

Functional Overview

Table 2 provides a quick summary of the configuration components deployed in this example.

Table 2: Sophos Antivirus Functional Overview

Profiles

Initiation profile

The Sophos server configuration on the SRX Series Firewall includes the SSL initiation profile (ssl_init_prof).

The initiation profile is mandatory to enable the SRX Series Firewall to initiate an HTTPS session with the Sophos server for checking the packets. The SSL initiation profile also encrypts and decrypts packets to and from the Sophos server.

Proxy profile

The SSL proxy profile, ssl_pr1, enables the SRX Series Firewall to decrypt the packets for further application service processing when the client initiates the HTTPS session to the Web server.

Feature profile

The feature profile, content_security_sav_fp, applies to the firewall security policy (p1) using different content security policies and match criteria.

You can have more than one feature profiles for different content security policies.

Policies

Content security policy

The content security policy, content_security_p1, defines the antivirus protocols (HTTP, FTP, SMTP, POP3, and IMAP) and attaches this policy to a security feature profile, content_security_sav_fp, to implement it.

Security policies

Two security policies (p1 and trust_to_internet) have a simple match criteria to apply on the traffic between the security zones.

We attach the content_security_p1 content security policy and the ssl_pr1 proxy profile to the application services of the p1 security policy.

Security zones

trust

Network segment at the host (Client) zone.

untrust

Network segment at the destination server (Web service) zone.

internet

Network segment through which the SRX Series Firewall interacts with the Sophos server.

Protocols

HTTPS

HTTPS sessions establish between the client and the Web server, and the SRX Series Firewall and the Sophos server.
Primary verification tasks
  • Verify the type of antivirus scan engine installed on your device.

  • Confirm the Sophos antivirus engine operation.

Topology Overview

In this example, the client initiates a request to Web service through the SRX Series Firewall. When the SRX Series Firewall receives the request, it contacts the Sophos server for checking the authenticity of the Web service. The Sophos antivirus version 2.0 uses HTTPS connection for the SRX Series Firewall to Sophos server communication. Based on the response received from the Sophos server, the SRX Series Firewall permits or blocks the traffic as defined in the content security policy.

Topology Components Role Function
Client Requests Web service Initiates HTTPS session with the Web server through the SRX Series Firewall.
SRX Series Firewall Juniper Network's Firewall Initiates HTTPS session with the Sophos antivirus server. It also encrypts and decrypts the packets for the client.
Sophos server Antivirus server Authenticates the content received from the SRX Series Firewall.
Web server Web service provider Responds to the client's request.

Topology Illustration

Figure 1: Sophos Antivirus Live Protection TopologySophos Antivirus Live Protection Topology

Step-by-step Configuration on Device-Under-Test (DUT)

Note:

For complete sample configurations on the DUT, see:

  1. Configure the device interfaces.

  2. Enable Sophos antivirus on the device. Configure the forwarding mode and type of traffic the Sophos antivirus should check.

  3. Define an SSL initiation profile for adding to the Sophos server configuration on the SRX Series Firewall.

  4. Include the SSL initiation profile into the Sophos server configuration. This configuration is mandatory to enable the SRX Series Firewall to initiate an HTTPS session with the Sophos server for checking the packets. The initiation profile also encrypts and decrypts packets to and from the Sophos server.

  5. Define an SSL proxy profile for applying to the security policies. The SLL proxy profile enables the SRX Series Firewall to decrypt the packets for further application processing.

  6. Define the feature profile to indicate the type of traffic the Sophos antivirus should check by attaching the profile to the content security policies. You can define more than one feature profiles for different content security policies.

  7. Define security zones.

  8. Define a content security policy and attach a feature profile to it to indicate the type of traffic the Sophos server should check.

  9. Define security policies and configure match criteria to apply to traffic between the different security zones.

Verification

Provide a list of show commands used to verify the feature in this example.

Command Verification Task
show security utm anti-virus status

Displays the type and status of the antivirus installed on your device.

show security utm anti-virus statistics

Displays the performance statistics of the antivirus on your device.

Antivirus Scan Engine Type Verification

Purpose

Verify the antivirus scan engine type installed on your device.

Action

From operational mode, enter the show security utm anti-virus status to view the status of the antivirus installed.

Meaning

The sample output confirms the Sophos antivirus is available on your device.

Antivirus Scan Engine Performance Verification

Purpose

Verify the antivirus scan engine performance on your device.

Action

From operational mode, enter the show security utm anti-virus statistics to view the performance statistics of the antivirus on your device.

Meaning

The sample output Threat-found value shows that the antivirus detected 1 threat. The other statistics values are safe.

Appendix 1: Set Commands on All Devices

Set command output on all devices.

Appendix 2: Show Configuration Output on DUT

Show command output on the DUT.

From configuration mode, confirm your configuration by entering the show security utm, show interfaces, show security zones, show security policies, and show services ssl commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Configure Sophos Antivirus File Reputation Groups

The Sophos antivirus classifies the incoming traffic into four file reputation groups, which enable you to control the traffic and provide more control over security. Table 3 lists the four file reputation groups.

Table 3: File Reputation Groups

File Reputation Group

File Reputation Value

File Reputation Action

Malware

≤19

Block

Potentially Unwanted Applications

20 thru 29

You can configure to permit, log and permit, or block the traffic as per your requirement.

Unknown

30 thru 69

You can configure to permit, log and permit, or block the traffic as per your requirement.

Known good/Clean

≥70

Permit

To configure the file reputation action, use the following commands:

  1. Configure file reputation action for potentially unwanted appplications traffic:

  2. Configure file reputation action for unknown traffic:

You can view the status of the file reputation action using the show security utm anti-virus statistics command.

Configure Sophos Antivirus Live Protection Version 2.0 with Web Proxy

You can use a proxy server to establish a secure connection between your security device and the Sophos server. When you configure a proxy server, your device establishes a connection with proxy server and then the proxy server initiates a new connection with the Sophos server.

To configure the proxy server:

  1. Create an SSL initiation profile, see Configure SSL Proxy with Content Security.

  2. Attach the SSL initiation profile to Sophos default configuration:

  3. Configure the proxy profile:

  4. Attach the Web proxy profile to the Sophos default configuration:

You can view the status of the proxy server using the show security utm anti-virus status command.

Managing Sophos Antivirus Data Files

Before you begin:

  • Install a Sophos antivirus license. See the Installation and Upgrade Guide.

  • Configure Sophos as the antivirus feature for the device. See Example: Configuring Sophos Antivirus Feature Profile. To set the antivirus engine type, you run the set security utm feature-profile anti-virus type sophos-engine statement.

In this example, you configure the security device to update the data files automatically every 4320 minutes (every 3 days). The default data file update interval is 1440 minutes (every 24 hours).

To automatically update Sophos data files:

Note:

The following commands are performed from CLI operational mode.

To manually update data files:

To manually reload data files:

To manually delete data files:

To check the status of antivirus, which also shows the data files version:

To check the status of the proxy server:

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
24.4R1
Starting in Junos OS Release 24.4R1, we introduce Web proxy support for Content Security Sophos 2.0 antivirus. In addition, we introduce the file reputation groups based on the file reputation value to control the traffic and provide more control over security.
23.1R1
Starting in Junos OS Release 23.1R1, content security supports the new antivirus Sophos Live Protection version 2.0. The new version of Sophos antivirus uses an HTTPS connection for the device-to-server communication. For the HTTPS connection, you must create an SSL initiation profile and add the profile to the default configuration of the Sophos engine.
15.1X49-D100
Starting with Junos OS Release 15.1X49-D100, IPv6 pass-through traffic for HTTP, HTTPS, FTP, SMTP, POP3, IMAP protocols is supported for Sophos antivirus, Web filtering and Content filtering security features of Content Security.
15.1X49-D10
The full file-based antivirus feature is not supported from Junos OS Release 15.1X49-D10 and Junos OS Release 17.3R1 onwards.
15.1X49-D10
The Kaspersky and Express Antivirus feature is not supported from Junos OS Release 15.1x49-D10 and Junos OS Release 17.3R1 onwards.
12.3X48-D35
Starting with Junos OS Release 12.3X48-D35 and Junos OS Release 17.3R1, the Content Security Sophos antivirus (SAV) single session throughput is increased for optimizing tcp-proxy forwarding.
12.3X48-D25
Starting with Junos OS Release 12.3X48-D25 and Junos OS Release 17.3R1, Sophos antivirus over SSL forward proxy supports HTTPS traffic.