[Dr. WoW Season 2] [No 3] Traffic Permitted, Virus Blocked---Antivirus Mechanism

Latest reply: May 19, 2018 01:27:13 809 1 2 0

In the last two posts, we looked at NGFW functions and the differences between NGFW and UTM devices. In this post, we'll be looking at NGFW content security functions. Content security includes a series of functions and distinguishes NGFWs from other firewalls. First, let's look at the antivirus function.


About Viruses

The first thing that comes to mind when we talk about viruses is the type that infects humans. Some of them can cause disease and some of them are deadly. Similarly, cyberspace is plagued with viruses, albeit a digital kind rather than organic. In cyberspace, viruses are malicious code that infects or attaches to application programs or files. They are destructive, evasive, and infectious, seriously threatening host systems and network security. As such, viruses must be prevented, both the human and cyberspace types.

While medicine is used to prevent viruses that infect humans, a host's antivirus software or a firewall's antivirus functions are used to prevent viruses in cyberspace. Antivirus software and antivirus functions work hand in hand with different detection mechanisms and in different positions.



Virus Vector Identification

Legacy firewalls filter packets based on network-layer information, such as IP address, port number, and protocol. This information provides little help in detecting whether a packet contains a virus. To detect viruses, rather than simply filter packets, NGFWs inspect application-layer information – NGFWs look at what the packets contain.

One of the most common vectors for viruses to spread is through file transfer protocols. Let's take a look at some of these protocols:

l  FTP

FTP is the most common file transfer protocol. It involves two roles: FTP client and FTP server. The FTP client can both upload and download files to and from the FTP server, which means that file (virus) spreading directions can be either upload or download.


The Hypertext Transfer Protocol (HTTP) is a common Web browsing protocol that can also be used to transfer files. It also has two file-transfer directions. The client (browser) can both upload and download files to and from the server.


The Simple Mail Transfer Protocol (SMTP) is the most common mail transfer protocol, which is used for email transmission from a client to a mail server and from one mail server to another. Sending email through SMTP is a "push" process. Therefore, the file transfer direction is only upload (sending email).

l  POP3

Post Office Protocol 3 (POP3) is used by clients to read email from a mail server. Reading email through POP3 is a "pull" process. Therefore, the file transfer direction is only download (receiving email).


The Interactive Mail Access Protocol (IMAP) is used by clients to send and receive emails to and from a mail server and supports direct client operation to email on the mail server. Therefore, the file transfer directions of IMAP include both upload (sending email) and download (receiving email).

l  NFS

The Network File System (NFS) protocol is a file sharing protocol that provides access to files over a network. The file transfer direction includes upload and download.

l  SMB

The Server Message Block (SMB) protocol is a file sharing protocol that provides access to files over a network. Its file transfer directions are also upload and download.

Virus Detection

The NGFW compares file signatures in packets to virus signatures stored in an antivirus signature database. To ensure effective detection and network security, the database must contain a comprehensive and accurate list of signatures. Because new viruses and variants emerge so frequently, the list of signatures must be kept up-to-date. Let's see how the antivirus function works. The antivirus process is not a simple detect-and-block process because there are always exceptions. Sometimes, you may not need to detect viruses for a specific traffic flow, and sometimes an identified file does not contain a virus and needs to be permitted. NGFWs also need to consider these exceptions as we do.



The antivirus process is described as follows:

1. After protocol identification, check whether the identified protocol is one of the seven protocols described earlier. If yes, the traffic is delivered to the next step. Otherwise, virus detection is not performed.

2. Check whether the traffic matches the whitelist (including the domain name, URL, source/destination IP address, and IP address segment rules). If no match is found, the traffic is delivered to the next step. If a match is found, virus detection is not performed. To exempt the traffic of an IP address from virus detection, add the IP address to the whitelist.

3. Scan the files for viruses and compare the file signatures with the virus signatures in the antivirus signature database. The NGFW also supports high-risk signature (heuristic) detection. That is, if the NGFW discovers that a file has potential risks, it considers the file virus-infected. In this detection mode, the NGFW errs on the side of caution and, rather than risk permitting a potentially infected file may block some legitimate files. Therefore, this detection mode is usually disabled.

4. After detecting a virus, the NGFW determines whether the virus file is a virus exception. If it is not a virus exception, the traffic is delivered to the next step. If it is a virus exception, the NGFW permits the file.

5. The NGFW checks whether the virus file application is an exception. The application refers to the application (such as online storage applications) that is encapsulated in HTTP. An application exception can be used to configure an action that is different from that for the HTTP protocol. If the application is an exception, the NGFW takes the action specified in the application exception. If the application is not an exception, the NGFW takes the action that is defined for the protocol.

The protocols and actions are listed in the following table.


Transfer Direction






Alert: The NGFW permits the virus file.

Block: The NGFW blocks the virus file.

Declare: The NGFW permits the virus file but adds a warning about the virus to the email body.

Delete Attachment: The NGFW permits the email, deletes the attachment from the email, and adds a warning about the virus to the email body.






Alert/Declare/Delete Attachment



Alert/Declare/Delete Attachment











The NGFW provides different actions for each protocol. These are described as follows:

1. For the NFS protocol, the NGFW provides only the Alert action, because if a file is blocked, user experience is affected.

2. For the SMTP and POP3 protocols, the NGFW does not provide the Block action, because users' right to read mail content should not be impinged and virus detection should be limited only to email attachments. Instead, the NGFW provides the Declare and Delete Attachment actions.

3. For the IMAP protocol, the NGFW does not provide the Block action, because the IMAP protocol is designed to continuously receive email in addition to not impinging on users' right to read mail content. If one email message is detected to be virus-infected, subsequent email messages may also be blocked. Because it is difficult to modify email content that uses the IMAP protocol (the NGFW can use a proxy to prevent email content tampering for the SMTP and POP3 protocols), the NGFW also does not provide the Declare or Delete Attachment action.

Antivirus Configuration Logic

Now that you are familiar with the antivirus mechanism, let's look at how to configure the antivirus function. The antivirus function involves multiple functional modules to coordinate.



The main configuration of the antivirus function involves configuring antivirus profiles and security policies. An antivirus profile defines the protocol, transfer direction, action, virus exception, and application exception. A security policy references an antivirus profile and defines the matching condition (on which traffic virus detection is implemented) and action (must be set to Permit). The functional modules provide the following functions:

20180426202813746004.pngUpdating the signature database improves the virus detection capability and efficiency. We'll describe how to update the signature database in subsequent posts.

20180426202814400005.pngPush message settings determine the notification information added to the body of emails. The NGFW provides default notification information. You can also customize the notification.

20180426202814630006.pngGlobal file-blocking parameters include the maximum layers of decompression and maximum file size for decompression. Properly setting these parameters will improve virus detection efficiency. File blocking is an important feature in content security, which we'll describe in later posts.

20180426202815223007.pngView threat logs. If a file is falsely reported as a virus file, you can add the virus ID as a virus exception. Then, after detecting this file, the NGFW will directly permit it.

20180426202816083008.pngAfter enabling the packet capture function in the antivirus profile, you can download virus data packets from the threat logs and then analyze virus signatures.

Now, let's look at the antivirus profile configuration page (using the USG6000 V100R001C30SPC100 as an example). Usually, we use the web UI to configure content security functions so that you do not need to remember a huge number of commands. However, some functions cannot be configured using the web UI and so are configured on the CLI.



The antivirus profile configuration page is divided into three areas. Area 1 is the basic configuration area. In this area, you can set the protocol, transmission direction, and actions. Area 2 is the virus exception configuration area. In this area, you can add virus IDs. Area 3 is the application exception configuration area. In this area, you can configure application exceptions and actions. Note that the antivirus whitelist must be configured using the CLI. 


In the next post, we will introduce how to configure Antivirus. See you next time.


To view the list of all Dr. WoW technical posts, click here.


This post was last edited by dr.wow at 2018-05-08 09:29.
  • x
  • convention:

Created May 19, 2018 01:27:13 Helpful(0) Helpful(0)

  • x
  • convention:


You need to log in to reply to the post Login | Register

Notice Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."
If the attachment button is not available, update the Adobe Flash Player to the latest version!
Login and enjoy all the member benefits

Login and enjoy all the member benefits