Saturday, 24 November 2012

SRX UTM - Antivirus

The antivirus UTM module monitors traffic on all supported UTM protocols (SMTP, POP3, IMAP, HTTP and FTP) and will detect/block malicious code. In this post  'Full Antivirus (Kaspersky)' will be configured. I'm unable to demonstrate 'Express Antivirus' as this is not supported on the hardware I am using for this lab (SRX100). I will also not demonstrate Sophos Protection, however the Sophos Protection will follow the same configuration structure as the Full Antivirus Protection. This post builds on UTM knowledge discussed in the UTM Overview Post, please feel free to reference this post first. The diagram below outlines the basic lab setup for this exercise.

Configure Full Antivirus Protection (Kaspersky)
1. Confirm Licensing 
A license is required to use the antivirus UTM module. The command 'show system license' displays the installed licenses. The license 'av_key_kaspersky_engine' is needed for this exercise.

2. Create Custom Objects
Custom objects can be created and used as various black and whitelists. The antivirus module supports multiple black and whitelists, one for MIME patterns and another for URL patterns. The screenshot below outlines some examples of custom objects.

3. Create Antivirus Feature-Profile
The antivirus feature profile contains settings for the whole antivirus UTM module as well as profile specific information. Black and whitelist are defined for the whole antivirus module. Also the type of scanning engine is defined (in this case we are using 'kaspersky-lab-engine'). After these settings are complete a profile is created by the name of 'KASP-AV' and profile specific parameters are set. In this option we set a specific notification option in the profile. Many other options exists in the profile such as default action in certain conditions (file size, too many compression levels, etc.).

4. Create UTM Policy
In this step a UTM policy is created. Protocol-profiles are specified within the utm policy for the respective module (in this example anti-virus). The screenshot below outlines the commands used to configure a UTM policy for antivirus on all supported protocols.

5. Attach UTM Policy to Security Policy
This step is referencing the UTM policy on the desired security policy. In the example below the UTM policy created in step#3 is configured under the existing security policy 'OUTBOUND-INTERNET-ACCESS'



Verify Full Antivirus Protection (Kaspersky)
1. Browse to AV test site eicar.org
The website www.eicar.org is a well-known antivirus test site. The site itself does not contain any viruses, however it is present in all antivirus databases. The website has a section where files can be downloaded, I downloaded eicar_com.zip file and was promted with the message "VIRUS FOUND!". This was the custom string we configured under the antivirus profile.

2. Show UTM stats via CLI
The command 'show security utm anti-virus status' outlines the antivirus signature version, update interval and when the next update will occur.

The command 'show security utm anti-virus statistics' outlines high level antivirus statistics such as number of screened files, clean files, and threats found.

3. View Antivirus Logs
Antivirus logs can also be written to a syslog file or sent to an external syslog server. Matching on 'AV_' seemed to do the trick however, this might cause some other non-antivirus events to be captured. To be absolutely sure only UTM Antivirus events are captured you could alternatively set the match statement to be 'RT_UTM: AV_'. The screenshot below outlines the commands to create a syslog file and log antivirus events.

The screenshot below is an example of an antivirus event. This event is generated when a virus is detected, this includes the source and destination clients involved, URL, and infected object details.




Conclusion
The configuration of Kaspersky vs. Sophos Protection is very similar, however they are different scan engines and do have different profile related settings. For detailed options please reference the Junos 11.1 documentation. This post concludes the UTM topic.


No comments:

Post a Comment