
Web: Example for Configuring Antivirus

This section provides an example for configuring antivirus on the enterprise gateway device to protect intranet users and servers from viruses.

Networking Requirements

The FW is deployed at the network edge of the enterprise as the security gateway. To ensure that intranet users can securely download files and mails from the Web server and POP3 server and that the FTP server can securely receive the uploaded files of Internet users, configure the antivirus function on the FW to protect the intranet. Figure 1 shows the networking diagram.

Users need to receive mails from Ctdisk. Therefore, set the response action for Ctdisk to permit. An important file is blocked by the FW because of a false positive (the virus ID is 16424404). To ensure that users can receive this file, configure a virus exception for this virus.

Figure 1 Networking diagram of antivirus

Configuration Roadmap

  1. Set the IP address and security zone of the interface.
  2. Configure two antivirus profiles. In one profile, set the matching condition and action for HTTP and POP3 protocols and configure application exception for Ctdisk and virus exception for virus 16424404. In the other profile, set the matching condition and action for the FTP protocol.
  3. Configure security policies, and reference the antivirus profiles in the interzones from the trust zone to the untrust zone and from the untrust zone to the dmz zone respectively.

Procedure

  1. Set the IP address and security zone of the interface.
    1. Choose Network > Interface.
    2. Click GE0/0/1 and set the parameters as follows:

      Zone: untrust
      IPv4 > IP Address: 1.1.1.1/24

    3. Click OK.
    4. Repeat the previous steps to set the parameters of interface GE0/0/2.

      Zone: dmz
      IPv4 > IP Address: 10.2.0.1/24

    5. Repeat the previous steps to set the parameters of interface GE0/0/3.

      Zone: trust
      IPv4 > IP Address: 10.3.0.1/24

  2. Configure the antivirus profiles.
    1. Choose Object > Security Profiles > Antivirus.
    2. Click Add and set the parameters of the av_http_pop3 profile as follows:

    3. Click OK.
    4. Repeat the previous steps to set the parameters of the av_ftp profile.

  3. Click Commit in the upper right corner, and then click OK in the dialog box that is displayed.
  4. Configure a security policy for the direction from intranet users to the Internet (from the trust zone to the untrust zone).
    1. Choose Policy > Security Policy > Security Policy.
    2. Click Add Security Policy.
    3. Reference the antivirus profile in Add Security Policy, and set the parameters as follows:

      Name: policy_av_1
      Description: Intranet-User
      Source Zone: trust
      Destination Zone: untrust
      Action: permit
      Content Security > Antivirus: av_http_pop3

    4. Click OK.
  5. Configure a security policy for the direction from the Internet to the intranet server (from the untrust zone to the dmz zone).

    Repeat the previous step to configure the security policy, and set the parameters as follows:

    Name: policy_av_2
    Description: Intranet-Server
    Source Zone: untrust
    Destination Zone: dmz
    Action: permit
    Content Security > Antivirus: av_ftp

  6. Click Save on the upper right of the web interface, and click OK in the dialog box that is displayed.

Verification

  • When an intranet user attempts to download virus-infected files using HTTP, the download connection is interrupted.
  • When an intranet user attempts to download a virus-infected email using POP3, the attachments in the email are deleted.
  • When an extranet user attempts to upload virus-infected files, the upload connection is interrupted.
  • Intranet users can use the Ctdisk box to send and receive emails.
  • Intranet users can download important software infected with virus 16424404.

You can choose Monitor > Log > Threat Log to view threat logs whose threat type is virus. Click to view log details.

You can also verify the configuration using an EICAR test file.

The following describes how to construct an EICAR test file. Because the string is easy to mistype, you can also download an EICAR test file directly from https://www.eicar.org/.

  1. Construct an EICAR test file and compress it.
    1. Create a .txt file on the PC and enter the following information:

      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

      The preceding 68 characters are known characters in the EICAR test file. In addition, you can add combinations of such characters as the space, tab, LF, CR, and CTRL-Z. Note that the total length of the EICAR test file cannot exceed 128 characters. For simplicity, you are advised to include only the preceding 68 characters in the EICAR test file. Pay attention to the third character in the string. It is the upper-case letter O instead of the digit 0.

    2. When saving the file, select All Files and name it EICAR.COM.
    3. Compress the EICAR.COM file into an eicar.zip file.
  2. Before configuring the ID (16424404) of the EICAR test file as a virus exception, test whether antivirus takes effect in the HTTP download direction.

    Create an HTML page that contains the eicar.zip file download path on the web server. When an intranet user accesses the page using HTTP and downloads the eicar.zip file, the download fails.

    To test whether antivirus takes effect in the HTTP download direction, you can also access https://www.eicar.org/ to directly download an EICAR test file for verification.

  3. Before configuring the ID (16424404) of the EICAR test file as a virus exception, test whether antivirus takes effect in the POP3 download direction.

    Send the eicar.zip file to a mailbox as an attachment. After an intranet user logs in to the mailbox and downloads the email that contains the eicar.zip file using POP3, the attachment in the email is deleted, and the following information is displayed in the email body: eicar.zip is deleted from the mail because it contains virus.

  4. After configuring the ID (16424404) of the EICAR test file as a virus exception, test whether the file can be downloaded using HTTP and POP3.

    The EICAR test file can be downloaded using HTTP and POP3.

  5. Test whether antivirus takes effect in the FTP upload direction.

    When an intranet user attempts to upload the eicar.zip file after logging in to the FTP server, the FTP client displays a file upload failure.
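As an added example that is not part of Huawei's documentation, the following Python script builds the EICAR.COM file from steps 1.1 to 1.3 and packs it into eicar.zip. The validate_eicar check applies the rules stated above (the 68 known characters, only space, tab, LF, CR or CTRL-Z after them, 128 characters at most, and the letter O versus digit 0 trap), so a mistyped test file is caught before it is used; all function names are assumptions of this example.

```python
import io
import zipfile

# The 68 known characters of the EICAR test string, as given on the page.
# The third character is the upper-case letter O, not the digit 0.
EICAR_68 = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Characters the page allows after the 68-character string; total length is capped.
ALLOWED_TAIL = {" ", "\t", "\n", "\r", "\x1a"}  # space, tab, LF, CR, CTRL-Z
MAX_LEN = 128


def validate_eicar(data):
    """Check candidate EICAR.COM bytes against the page's rules; return (ok, reason)."""
    text = data.decode("ascii", errors="replace")
    if len(text) > MAX_LEN:
        return False, f"file is {len(text)} characters, the limit is {MAX_LEN}"
    if text[:68] != EICAR_68:
        hint = " (third character is the digit 0, expected letter O)" if text[2:3] == "0" else ""
        return False, "first 68 characters do not match the EICAR string" + hint
    bad = set(text[68:]) - ALLOWED_TAIL
    if bad:
        return False, f"disallowed characters after the EICAR string: {sorted(bad)}"
    return True, "ok"


def build_eicar_zip(path=None):
    """Pack EICAR.COM into a zip archive (steps 1.2 and 1.3); return the archive bytes."""
    ok, reason = validate_eicar(EICAR_68.encode("ascii"))
    if not ok:  # refuse to produce a mistyped test file
        raise ValueError(reason)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("EICAR.COM", EICAR_68)
    if path:  # e.g. "eicar.zip"; omitted by default so nothing is written to disk
        with open(path, "wb") as f:
            f.write(buf.getvalue())
    return buf.getvalue()


def zip_members(archive):
    """Return {member name: bytes} so the packed file can be re-validated."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


if __name__ == "__main__":
    for name, body in zip_members(build_eicar_zip("eicar.zip")).items():
        print(name, len(body), "bytes, valid:", validate_eicar(body))
```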

Configuration Scripts

The following lists the related scripts of this configuration example.

#
 sysname FW
#
interface GigabitEthernet0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2
 ip address 10.2.0.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 add interface GigabitEthernet0/0/1
#
firewall zone dmz
 add interface GigabitEthernet0/0/2
#
profile type av name av_http_pop3
 description http-pop3
 http-detect direction download
 undo ftp-detect
 undo smtp-detect
 pop3-detect action delete-attachment
 undo imap-detect
 undo nfs-detect
 undo smb-detect
 exception application name Ctdisk action allow
 exception av-signature-id 16424404
profile type av name av_ftp
 description ftp
 undo http-detect
 ftp-detect direction upload
 undo smtp-detect
 undo pop3-detect
 undo imap-detect
 undo nfs-detect
 undo smb-detect
#
security-policy
 rule name policy_av_1
  description Intranet-User
  source-zone trust
  destination-zone untrust
  profile av av_http_pop3
  action permit
 rule name policy_av_2
  description Intranet-Server
  source-zone untrust
  destination-zone dmz
  profile av av_ftp
  action permit
#
return
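As an added example that is not part of the page, the following Python check parses the av profile and security-policy sections of a script in the format above and flags permit rules that reference no antivirus profile, or a profile in which every protocol detection is disabled. The embedded input is an abridged copy of the script with the profile av av_ftp line of policy_av_2 deliberately removed so the check has something to report; the function names are assumptions.

```python
# Abridged copy of the page's configuration script, embedded here as sample input;
# rule policy_av_2 has its "profile av av_ftp" line deliberately left out.
CONFIG = """\
profile type av name av_http_pop3
 http-detect direction download
 undo ftp-detect
 pop3-detect action delete-attachment
profile type av name av_ftp
 ftp-detect direction upload
#
security-policy
 rule name policy_av_1
  profile av av_http_pop3
  action permit
 rule name policy_av_2
  action permit
#
"""

def parse_config(text):
    # profiles: av profile -> {protocol: setting, or None for "undo ...-detect"}
    # rules: rule name -> {first word of each line: rest of the line}
    profiles, rules, cur, kind = {}, {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(("profile type av name ", "rule name ")):
            kind = "profile" if line.startswith("profile") else "rule"
            cur = line.rsplit(" ", 1)[1]
            (profiles if kind == "profile" else rules)[cur] = {}
        elif line == "#":
            cur = kind = None
        elif kind == "profile" and line.startswith("undo ") and line.endswith("-detect"):
            profiles[cur][line[5:-7]] = None  # scanning disabled for this protocol
        elif kind == "profile" and "-detect " in line:
            proto, _, setting = line.partition("-detect ")
            profiles[cur][proto] = setting  # e.g. "http" -> "direction download"
        elif kind == "rule":
            key, _, value = line.partition(" ")
            rules[cur][key] = value  # e.g. "profile" -> "av av_http_pop3"
    return profiles, rules

def audit(text):
    # Flag permit rules with no antivirus profile, or whose profile scans no protocol.
    profiles, rules = parse_config(text)
    findings = []
    for name, rule in rules.items():
        prof = rule.get("profile", "").partition("av ")[2]  # "av X" -> "X", else ""
        if rule.get("action") == "permit" and not prof:
            findings.append(f"{name}: permit rule without an antivirus profile")
        elif prof and not any(profiles.get(prof, {}).values()):
            findings.append(f"{name}: av profile {prof} is missing or scans no protocol")
    return findings
```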
Copyright © Huawei Technologies Co., Ltd.