[Dr. WoW Season 2] [No 4] Traffic Permitted, Virus Blocked---Antivirus Configuration Highlighted

Latest reply: May 8, 2018 17:10:35

Now that you are familiar with the antivirus mechanism, let's look at how to configure the antivirus function. The antivirus function requires multiple functional modules to work together.

 

[Figure: 20180508171529065001.png]

The main configuration of the antivirus function involves configuring antivirus profiles and security policies. An antivirus profile defines the protocol, transfer direction, action, virus exception, and application exception. A security policy references an antivirus profile and defines the matching condition (on which traffic virus detection is implemented) and action (must be set to Permit). The functional modules provide the following functions:

1. Updating the signature database improves the virus detection capability and efficiency. We'll describe how to update the signature database in subsequent posts.

2. Push message settings determine the notification information added to the body of emails. The NGFW provides default notification information. You can also customize the notification.

3. Global file-blocking parameters include the maximum layers of decompression and the maximum file size for decompression. Setting these parameters properly improves virus detection efficiency. File blocking is an important feature in content security, which we'll describe in later posts.

4. View threat logs. If a file is falsely reported as a virus file, you can add its virus ID as a virus exception. The NGFW will then permit this file directly when it detects it again.

5. After enabling the packet capture function in the antivirus profile, you can download virus data packets from the threat logs and then analyze virus signatures.

Now, let's look at the antivirus profile configuration page (using the USG6000 V100R001C30SPC100 as an example). Usually, we use the web UI to configure content security functions so that you do not need to remember a huge number of commands. However, some functions cannot be configured using the web UI and so are configured on the CLI.

[Figure: fig04.png]

The antivirus profile configuration page is divided into three areas. Area 1 is the basic configuration area. In this area, you can set the protocol, transmission direction, and actions. Area 2 is the virus exception configuration area. In this area, you can add virus IDs. Area 3 is the application exception configuration area. In this area, you can configure application exceptions and actions. Note that the antivirus whitelist must be configured using the CLI.

 

Example for Configuring Antivirus

Now let's get hands-on and look at several specific configuration examples. But, before we start, make sure that the antivirus signature database has loaded successfully and is running the latest version.

 

1. Blocking virus files transmitted using FTP

In the following figure, the NGFW is deployed between the FTP client and FTP server. Configure antivirus on the NGFW to scan the files uploaded from the FTP client to the FTP server and block viruses upon detection.

[Figure: 20180508171534715008.png]

Configure an antivirus profile as shown below (set the protocol, direction, and action), then reference the profile in a security policy.

[Figure: 20180508171534956009.jpg]

After the configuration is complete, use the EICAR file to simulate a virus file and verify the antivirus function. The EICAR file is provided by the European Institute for Computer Antivirus Research for testing antivirus functions without using a real virus. Before verifying the antivirus function, confirm whether the current version supports the EICAR file detection. Here USG6000 V100R001C30SPC100 is used as an example, and this version supports EICAR file detection.

First, open a file editor program such as Notepad and input the following string: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Then, save the file as eicar.com. On the FTP client, upload the eicar.com file to the FTP server. You will find that the eicar.com file cannot be uploaded. Check the threat logs on the NGFW: there will be a log indicating that the eicar.com file was blocked.

To permit the eicar.com file, note down the virus ID (16424404) contained in the threat log and add it to the virus exception list, as shown in the following figure.

[Figure: 20180508171535848010.png]

On the FTP client, upload the eicar.com file again. This time, the eicar.com file can be uploaded. This indicates that the virus exception settings have taken effect.

The configuration script is as follows:

#
profile type av name profile_av_ftp
 ftp-detect direction upload
 exception av-signature-id 16424404
#
security-policy
 rule name policy_av
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.255.0
  profile av profile_av_ftp
  action permit
#

2. Blocking virus files transmitted using SMTP

In the following figure, the NGFW is deployed between the email client and email server. Configure the antivirus function on the NGFW to scan the email sent from client A to client B for viruses. If an email attachment contains viruses, the NGFW permits the virus file but adds a warning to the email body indicating that a virus is detected.

[Figure: 20180508171536426011.png]

Configure an antivirus profile as shown below (set the protocol, direction, and action), then reference the profile in a security policy.

[Figure: 20180508171536784012.jpg]

After the configuration is complete, client A sends to client B an email message containing the eicar.com file as an attachment. The email that client B receives still contains the eicar.com file, but a warning is displayed in the email body.

 

The configuration script is as follows:

#
profile type av name profile_av_smtp
 smtp-detect action declare
#
security-policy
 rule name policy_av
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.255.0
  profile av profile_av_smtp
  action permit
#

If client B receives an email message that contains two warnings in the email body, it is probably because the email message passed through two NGFWs that both have the antivirus function enabled. For example, if the Declare action is configured on one NGFW for the SMTP protocol, and the Delete Attachment action is configured on the other NGFW for the POP3 protocol, two warnings will be displayed in the email body.

 

3. Blocking virus files transmitted using SMB

In the following figure, the NGFW is deployed between the PC and file server. Configure the antivirus function on the NGFW to scan the files uploaded from the PC to the file server for viruses.

[Figure: 20180508171537504013.png]

In this example, we will also verify how the maximum layers of decompression influences virus detection. In the global file-blocking parameters, set the maximum layers of decompression to 3 and set the action for files that exceed the maximum layers to Allow, as shown in the following figure.

[Figure: 20180508171538507014.png]

Configure an antivirus profile as shown below (set the protocol, direction, and action), then reference the profile in a security policy.

[Figure: 20180508171538948015.png]

Compress the eicar.com file four times (a zip nested inside a zip, four layers deep) and save it as eicar.zip. Copy the eicar.zip file from the PC to the file server. The eicar.zip file is copied successfully: the NGFW does not block it, which shows that when a file's nesting exceeds the maximum decompression layers and the exceeding action is Allow, the NGFW permits the file without scanning its contents.

Now, set the maximum layers of decompression to 5 and copy the eicar.zip file again. This time the eicar.zip file cannot be copied; it is blocked by the NGFW. This result shows that when the number of compression layers is within the configured maximum, the NGFW decompresses the file and performs virus detection on its contents.
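The decompression-depth behaviour verified in this example, and the plain eicar.com block from example 1, can be modelled offline. The following Python script is an added example written for this page; it is not Huawei code and not output from the USG6000. It builds eicar.com from the test string given above, nests it in four zip layers the way the post does, and applies a toy version of the NGFW decision: scan up to max_depth layers, and beyond that apply the "exceeding action", which the post sets to Allow. The function names, the verdict strings, and the "block" alternative for the exceeding action are assumptions of the example; only the depth logic is modelled, and the real device also handles other archive formats and file-size limits that are not shown here.

```python
import io
import zipfile

# EICAR test string as given in the post: a standard antivirus test file, not a real virus.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_nested_zip(payload: bytes, inner_name: str, layers: int) -> bytes:
    """Wrap payload in `layers` nested zip archives ("compress eicar.com four times")."""
    data, name = payload, inner_name
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data = buf.getvalue()
        name = f"layer{i + 1}.zip"  # the archive just built becomes the next layer's member
    return data


def nesting_depth(data: bytes) -> int:
    """Number of zip containers that must be opened to reach the innermost plain file."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return 1 + max((nesting_depth(zf.read(info)) for info in zf.infolist()), default=0)


def inspect(data: bytes, max_depth: int, exceed_action: str = "allow", depth: int = 0) -> str:
    """Toy model of the NGFW decision (assumed names/verdicts, not the device's own API).

    - A plain file is "blocked" if it carries the EICAR signature, else "permitted".
    - An archive is opened only while depth < max_depth; once opening it would exceed
      max_depth, the exceeding action decides: "allow" -> "permitted-unscanned",
      "block" -> "blocked".
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "blocked" if EICAR in data else "permitted"
    if depth + 1 > max_depth:
        return "permitted-unscanned" if exceed_action == "allow" else "blocked"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            verdict = inspect(zf.read(info), max_depth, exceed_action, depth + 1)
            if verdict != "permitted":
                return verdict  # first non-clean member decides, like a scanner would
    return "permitted"


def run_example_3() -> dict:
    """Reproduce the post's SMB test: four-layer eicar.zip against max depth 3 and 5."""
    eicar_zip = build_nested_zip(EICAR, "eicar.com", 4)
    return {
        "layers": nesting_depth(eicar_zip),
        "max_depth_3_allow": inspect(eicar_zip, 3, "allow"),
        "max_depth_5_allow": inspect(eicar_zip, 5, "allow"),
        "max_depth_3_block": inspect(eicar_zip, 3, "block"),  # assumed alternative setting
        "plain_eicar_com": inspect(EICAR, 3),  # example 1: no archive involved
    }


if __name__ == "__main__":
    for key, value in run_example_3().items():
        print(f"{key}: {value}")
```

The model makes the trade-off visible: with the exceeding action set to Allow, anything nested deeper than the configured limit passes unscanned, so the depth limit should be chosen against the nesting levels that legitimately occur on the network, and the exceeding action should be reviewed with that gap in mind.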

The configuration script is as follows:

#
 file-detect decompress depth 5
#
profile type av name profile_av_smb
 smb-detect direction upload
#
security-policy
 rule name policy_av
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 mask 255.255.255.0
  profile av profile_av_smb
  action permit
#

So far, we have verified the antivirus function on the NGFW for FTP, SMTP, and SMB using the EICAR file. If the NGFW can be connected to the Internet, we can visit the EICAR website (http://www.eicar.org/85-0-Download.html) on an intranet PC to download EICAR files in many formats to verify the NGFW antivirus detection function for HTTP.

After learning about the NGFW antivirus function, I hope that you now have a sound understanding of the antivirus mechanism and configuration methods. Besides viruses, cyberspace is also prone to various other threats, such as attacks, botnets, Trojan horses, and worms, all of which threaten network security. Since the Internet has become an indispensable part of daily life, we have to equip ourselves. Huawei NGFW has made sufficient preparations for you.

 

 In the next post, we will introduce intrusion prevention. See you next time.

 

To view the list of all Dr. WoW technical posts, click here.

 

This post was last edited by dr.wow at 2018-05-08 09:22.

w1
Created May 8, 2018 17:10:35

:) Good case