Antivirus detection on the USG6000


The antivirus function detects and processes virus files by using a professional intelligent detection engine based on a virus signature database that is updated constantly. Virus detection and processing are described as follows:
1. Virus detection
Virus detection is performed by the intelligent detection engine. After traffic flows into the intelligent detection engine, the engine:
(1) Performs in-depth analysis on the traffic and identifies the protocol type of the traffic and the file transmission direction.
(2) Determines whether virus detection is supported for the file transmission protocol and the file transmission direction.
The USG6000 supports virus detection for files transmitted through the following protocols: FTP, HTTP, POP3, SMTP, IMAP, NFS, and SMB.
The USG6000 supports virus detection for files transmitted in different directions.
a. Upload: The client sends files to the server.
b. Download: The server sends files to the client.
(3) Virus detection
The intelligent detection engine extracts the signature of a file meeting virus detection conditions, and matches the extracted signature with the signatures in the virus signature database. If the signature is matched, this file is a virus file and is processed based on the configuration file. If the signature is not matched, the file is transmitted.
The virus signature database contains common virus signatures collected by Huawei. The virus signature database defines common virus signatures and assigns a unique virus ID to each virus signature. After the virus signature database is loaded to the device, viruses defined in the signature database can be identified. The virus signature database must be updated from the security center ( constantly to ensure that latest viruses are identified in a timely manner.

2. Antivirus processing
When a virus file is detected:
(1) The intelligent detection engine determines whether the virus file is a virus exception. If so, the file is transmitted.
(2) If the virus file is not a virus exception, the intelligent detection engine determines whether the virus file is an application exception. If so, the specified action (transmitting the file, raising an alarm, or blocking the file) is taken.
(3) If the virus file is not a virus exception or an application exception, the action specified in the configuration file is taken.

Other related questions:
Packet detection protocols supported by the USG6000 series
TCP, ICMP, Hypertext Transfer Protocol (HTTP), Domain Name Service (DNS), and Remote Authentication Dial In User Service (RADIUS) are supported. If any service type provided by the server is not included in the five protocols, it is recommended that ICMP be used to verify the reachability of the server.

Whether the USG6000 supports the antivirus function
The antivirus function can be used only after a license is purchased and activated. The whole USG6000 series devices support the antivirus function.

Query of antivirus logs on the USG6000 series
By checking threat logs, you can view detection and defense records for network threats such as viruses, learn historical and ongoing threat events, and adjust security policies or implement active defense in a timely manner. You can view threat logs only when the current device model supports hard disks and has hard disks installed. For the USG6000 series, you can view antivirus log details on the web UI. 1. Choose Monitor > Log > Threat Log to view threat logs such as antivirus logs. 2. Choose Customize and select/deselect conditions for threat log display. The following items can be customized: time, threat type, threat ID, threat name, source zone, destination zone, attacker, target, source address:source port, destination address:destination port, application, protocol, action, security policy, profile, source region, destination region, and virtual system.

Methods used to prevent antivirus storms and improve antivirus efficiency
You are advised to deploy antivirus software that is optimized for virtualization platforms, such as Symantec SEP 12.1 and later. (1) Preventing antivirus storms. A control center provides unified scheduling for antivirus tasks. Set automatic virus removal and database update to be performed during low traffic hours. (2) Sharing scan results and improving system efficiency. The HASH value in a VM's scan result file is sent to the control center, which sends this value to other VMs. The antivirus software on other VMs stores a HASH value list locally.

What If the ISM installer is detected as a virus by antivirus software?
Antivirus software occasionally detects the ISM installer as a virus and then isolates it, resulting in the ISM installer unable to be started. However, the ISM installer is actually security-proven and exerts no impact on any other computerized applications. In this case, add the ISM installer to the trusted application list of antivirus software to resolve the problem.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top