Create an Anti-Malware Profile

SRX Series Firewalls use the threat intelligence of Juniper Advanced Threat Prevention Cloud (Juniper ATP Cloud) to act on malicious content through security policies. The anti-malware profile defines which content is inspected for malware and what action is taken when malware is found. Juniper ATP Cloud analyzes files in a staged pipeline so that malware is detected as efficiently as possible: as soon as one stage identifies a file as malware, the remaining stages are skipped. Depending on the configured action, the security policy then prevents the malicious content from being delivered to the intended recipient.

  1. Select SRX > Security Subscriptions > Anti-malware.
    The Anti-malware page is displayed.
  2. Click +.
    The Create Anti-malware Profile page is displayed.
  3. Complete the configuration according to the guidelines provided in Table 1.
  4. Click OK to save the changes.
    Table 1: Fields on the Create Anti-malware Profile Page (each field name is followed by its description)

    Name

    Enter a name for the anti-malware profile.

    The name must be a unique string of up to 64 alphanumeric and special characters. The special characters & ( ) ] ? " # are not allowed.

    Verdict threshold

    Select a threshold value from the list.

    The threshold value determines when a file is considered malware. If the cloud service returns a file verdict equal to or higher than the configured threshold, the file is treated as malware.

    Protocols

    HTTP

    Enable this option to inspect advanced anti-malware (AAMW) files downloaded by hosts through the HTTP protocol. The AAMW files are then submitted to Juniper ATP Cloud for malware screening.

    Once you enable this option, configure the following:

    • Action (known verdict)—Select Permit or Block from the list as the action to take when a file receives a known malware verdict.

    • Action (unknown verdict)—Select Permit or Block from the list as the action to take when a file receives a verdict of “unknown.”

    • Notification—Select one of the following options to configure how the client is notified when a file is blocked:

      • Redirect URL—Enter the HTTP URL to which the client is redirected as a customized notification when a file is blocked.

      • Redirect message—Enter the message for a customized client notification based on detected malware with the block action.

        Range: 1 through 1023

      • File name—Click Browse to upload a customized file to which users will be directed. The file must be in .php, .html, or .py format; uploaded files are stored in /jail/var/tmp.

    • Inspection profile—Select a Juniper ATP Cloud profile name from the list. The Juniper ATP Cloud profile defines the types of files to scan.

      To view the default and other inspection profiles on the SRX device, your device must be enrolled with Juniper ATP Cloud.

    • Logs—Enable this option to add the event to the log file.

    IMAP

    Enable this option to inspect and manage email attachments sent over the IMAP email protocol.

    Once you enable this option, configure the following:

    • Inspection profile—Select a Juniper Advanced Threat Prevention (ATP) Cloud profile name from the list. The ATP Cloud profile defines the types of files to scan.

      To view the default and other inspection profiles on the SRX device, your device must be enrolled with Juniper ATP Cloud.

    • Logs—Enable this option to add the event to the log file.

    SMB

    Enable this option to inspect files downloaded by hosts through Server Message Block (SMB) protocol. SMB protocol enables applications or users to access files and other resources on a remote server.

    Once you enable this option, configure the following:

    • Action—Select Permit or Block from the list as the action to take on files downloaded over SMB.

    • Inspection profile—Select a Juniper Advanced Threat Prevention (ATP) Cloud profile name from the list. The ATP Cloud profile defines the types of files to scan.

      To view the default and other inspection profiles on the SRX device, your device must be enrolled with Juniper ATP Cloud.

    • Logs—Enable this option to add the event to the log file.

    SMTP

    Enable this option to inspect and manage email attachments sent over the SMTP email protocol.

    Once you enable this option, configure the following:

    • Inspection profile—Select a Juniper Advanced Threat Prevention (ATP) Cloud profile name from the list. The ATP Cloud profile defines the types of files to scan.

      To view the default and other inspection profiles on the SRX device, your device must be enrolled with Juniper ATP Cloud.

    • Logs—Enable this option to add the event to the log file.

    Fallback Actions

    Global fallback action

    Select None, Permit, or Block from the list as the fallback action. The selected action is applied to the file regardless of its threat level.

    Logs

    Enable this option to add the event to the log file.

    Specific Fallback Configurations

    • Invalid content size:

      • Select None, Permit, or Block action from the list if the content size exceeds the supported range (32 MB).

      • Logs—Enable this option to add the event to the log file.

    • Out of resource action

      • Select None, Permit, or Block action from the list if the service is out of resources.

      • Logs—Enable this option to add the event to the log file.

    • Service not ready action

      • Select None, Permit, or Block action from the list if the service is not yet ready.

      • Logs—Enable this option to add the event to the log file.

    • Submission timeout action

      • Select None, Permit, or Block action from the list if the submission is timed out.

      • Logs—Enable this option to add the event to the log file.

    • Unknown file action:

      • Select None, Permit, or Block action from the list if the file type is unknown.

      • Logs—Enable this option to add the event to the log file.

    • Verdict timeout action

      • Select None, Permit, or Block action from the list if the verdict response is timed out.

      • Logs—Enable this option to add the event to the log file.

    Additional Logging

    Files under verdict threshold

    Enable this option to create a system log entry when the file verdict number is less than the threshold.

    Blocklist

    Enable this option to create a system log entry when an attempt is made to access an entry that is listed in the blocklist.

    Allowlist

    Enable this option to create a system log entry when an attempt is made to access an entry that is listed in the allowlist.
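The following is an added worked example, not Juniper code and not part of the original page. It models the decision logic that Table 1 describes for an HTTP download: the profile-name rule, the verdict threshold ("equal to or higher" counts as malware), the separate actions for known and unknown verdicts, the specific and global fallback actions, and when a log entry is produced. Everything not stated on the page is an assumption and is marked as such in the code: the numeric verdict values, the interpretation that a specific fallback action of None defers to the global fallback action, and the fail-open result when no fallback action is configured at all. The profile values are constructed for illustration.

```python
# Added example (not Juniper code): a model of the anti-malware profile
# decision logic described in Table 1. Verdict values, the meaning of "None"
# for a specific fallback action, and the fail-open default are assumptions.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple

FORBIDDEN_NAME_CHARS = set('&()]?"#')   # page: these characters are not allowed
MAX_NAME_LEN = 64                       # page: 64 characters maximum
MAX_CONTENT_BYTES = 32 * 1024 * 1024    # page: supported content size is 32 MB


def validate_name(name: str) -> bool:
    """Profile-name rule from the page: 1-64 characters, none of & ( ) ] ? " #."""
    return 0 < len(name) <= MAX_NAME_LEN and not (set(name) & FORBIDDEN_NAME_CHARS)


class Action(str, Enum):
    PERMIT = "permit"
    BLOCK = "block"


class Fallback(str, Enum):
    """The six specific fallback conditions listed on the page."""
    INVALID_CONTENT_SIZE = "invalid-content-size"
    OUT_OF_RESOURCE = "out-of-resource"
    SERVICE_NOT_READY = "service-not-ready"
    SUBMISSION_TIMEOUT = "submission-timeout"
    UNKNOWN_FILE = "unknown-file"
    VERDICT_TIMEOUT = "verdict-timeout"


@dataclass
class Decision:
    action: Action
    reason: str
    log: bool


@dataclass
class Profile:
    name: str
    verdict_threshold: int                     # verdict >= threshold => malware
    action_known: Action = Action.BLOCK        # HTTP "Action (known verdict)"
    action_unknown: Action = Action.PERMIT     # HTTP "Action (unknown verdict)"
    log_detections: bool = True                # HTTP "Logs"
    global_fallback: Optional[Action] = None   # "Global fallback action"; None = not set
    global_fallback_log: bool = False
    # Fallback -> (action or None, log). Assumption: None defers to the global action.
    specific_fallback: Dict[Fallback, Tuple[Optional[Action], bool]] = field(default_factory=dict)
    log_under_threshold: bool = False          # "Files under verdict threshold"


def fallback_decision(profile: Profile, fb: Fallback) -> Decision:
    """Resolve a pipeline failure: the specific setting wins, then the global one."""
    action, log = profile.specific_fallback.get(fb, (None, False))
    if action is not None:
        return Decision(action, f"fallback:{fb.value}", log)
    if profile.global_fallback is not None:
        return Decision(profile.global_fallback, f"global-fallback:{fb.value}",
                        profile.global_fallback_log)
    # Assumption: with no fallback action configured the file passes unhandled (fail-open).
    return Decision(Action.PERMIT, f"unhandled-fallback:{fb.value}", False)


def evaluate(profile: Profile, verdict: Optional[int], content_bytes: int = 0,
             fallback: Optional[Fallback] = None) -> Decision:
    """Decide what happens to one HTTP download.

    verdict: the cloud's verdict number, or None when the cloud returned "unknown".
    fallback: a pipeline failure that occurred before a verdict was available, if any.
    """
    if content_bytes > MAX_CONTENT_BYTES:          # page: 32 MB supported range
        return fallback_decision(profile, Fallback.INVALID_CONTENT_SIZE)
    if fallback is not None:
        return fallback_decision(profile, fallback)
    if verdict is None:
        return Decision(profile.action_unknown, "unknown-verdict", profile.log_detections)
    if verdict >= profile.verdict_threshold:       # "equal to or higher" is malware
        return Decision(profile.action_known, f"malware:verdict={verdict}", profile.log_detections)
    # Under the threshold: logged only when "Files under verdict threshold" is enabled.
    return Decision(Action.PERMIT, f"clean:verdict={verdict}", profile.log_under_threshold)


# Constructed sample profile; the name and values are illustrative, not from a real device.
SAMPLE = Profile(
    name="aamw-http-block",
    verdict_threshold=7,
    global_fallback=Action.PERMIT,
    global_fallback_log=True,
    specific_fallback={Fallback.INVALID_CONTENT_SIZE: (Action.BLOCK, True)},
    log_under_threshold=True,
)

if __name__ == "__main__":
    for v in (3, 7, 9, None):
        print(v, evaluate(SAMPLE, v))
    print(evaluate(SAMPLE, None, content_bytes=40 * 1024 * 1024))
    print(evaluate(SAMPLE, None, fallback=Fallback.VERDICT_TIMEOUT))
```

The ordering in `evaluate` reflects the page's pipeline description: a size or service failure is resolved by the fallback settings before any verdict is consulted, an "unknown" verdict has its own action, and only then is the numeric verdict compared against the threshold. Running the script prints one decision per case so the effect of each field in Table 1 can be seen directly.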