
Verification and Check

This section describes the verification and check operations after the antivirus feature is configured.

Verification

After configuring the antivirus feature, check the configuration result as follows:

  1. Check the antivirus profile.

    Choose Object > Security Profiles > Antivirus, click the name of the antivirus profile to be checked, and verify that the parameter settings in the profile are correct.

  2. Check the security policy configuration.

    Choose Policy > Security Policy > Security Policy, click the name of the security policy to be checked, and verify that the Antivirus field in the policy's content security settings references the intended antivirus profile. A profile that is defined but not referenced by any policy scans nothing.

Viewing Logs

After the security policy references the antivirus profile, the FW scans the traffic that matches the security policy for viruses. If a virus is detected, the FW applies the action configured in the profile (for example, blocks the file) and generates a threat log.

Choose Monitor > Log > Threat Log to view virus logs. The following figure shows a virus log for the EICAR test file (the harmless, industry-standard test string used to confirm that antivirus detection is working without using real malware).
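The check a practitioner wants at this point is an end-to-end one: serve the EICAR test file on the far side of the FW, request it through the FW, and confirm both that the download is stopped and that the virus log's Hash Value matches the file. The script below is an added example, not Huawei code and not from this page. It assumes a lab HTTP server at the documentation address 192.0.2.10 serving the file it writes; the URL, the file name and the lab layout are assumptions.

```python
"""Added example (not from the Huawei page): generate the EICAR test file, note
its hashes, and request it through the firewall to confirm the antivirus
profile acts on the flow and that the Threat Log carries the matching hash."""
import hashlib
import urllib.error
import urllib.request

# Standard 68-byte EICAR test string (no trailing newline). Split into two
# literals so this source file itself is not matched by an endpoint scanner.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def eicar_hashes(data=EICAR):
    """Hex digests to compare with the Hash Value field of a virus log."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def write_eicar_file(path):
    """Write the test file to serve from the far side of the firewall.
    A trailing newline changes the hash, so write the bytes exactly."""
    with open(path, "wb") as f:
        f.write(EICAR)
    return len(EICAR)


def fetch(url, timeout=5):
    """Download url. Returns the body, the body of an HTTP error page (a block
    page served with 403, for instance), or None if the connection was reset,
    dropped or timed out, which is what a blocked download usually looks like."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        return err.read()
    except OSError:          # URLError, timeouts and connection resets
        return None


def classify_download(body):
    """Interpret what came back through the firewall."""
    if not body:
        return "blocked"     # nothing arrived: expected with action Block
    if hashlib.sha256(body).hexdigest() == eicar_hashes()["sha256"]:
        return "delivered"   # file intact: the profile is not applied to this flow
    return "replaced"        # something else came back, e.g. a block page


def matches_log_hash(hash_value, data=EICAR):
    """True if a Threat Log Hash Value (any letter case) is a digest of the file."""
    return hash_value.lower() in eicar_hashes(data).values()


if __name__ == "__main__":
    # Assumed lab layout: an HTTP server on 192.0.2.10 (documentation address)
    # on the far side of the firewall serves the file written here.
    write_eicar_file("eicar.com")
    for name, digest in eicar_hashes().items():
        print(f"{name}: {digest}")
    print(classify_download(fetch("http://192.0.2.10/eicar.com")))
```

If the result is "delivered", the antivirus profile is not being applied to this flow: re-check that the security policy matching the flow references the profile and that the profile covers the protocol and direction used. If it is "blocked" or "replaced", open the Threat Log and compare the Hash Value field with the digests printed above; a mismatch usually means the file on the server carries extra bytes (a trailing newline) or a different file was served. Note that the scan works on cleartext content: the same file fetched over TLS will pass unless the FW decrypts the session.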

The following table describes the meanings of each field.

Field

Description

View

Click the view icon. In View Threat Log Details, the details of each field in the threat log are displayed.

In View Threat Log Details, you can also click the value of the Source Address, Destination Address, Application, Security Policy, Profile, Source Region, Destination Region, or Threat Name field.

When the threat log type is virus log, the Hash Value field is shown in View Threat Log Details. It gives the hash of the detected file as it was transmitted, which you can compare with the hash of a known sample or look up in a threat intelligence service.

When the threat log type is virus log, intrusion log, or botnet, Trojan horse, and worm log, the Accessed Content field is shown in View Threat Log Details. It gives the URL involved in the threat.

Attack Evidence Collection

Click the attack evidence collection icon to view and analyze the packets captured for the virus or intrusion.

NOTE:

Only the audit administrator has the permission of viewing the collected packets.

Time

Time when a threat log is generated.

Threat Type

Threat type:

  • Virus
  • Intrusion
  • Botnet, Trojan horse, and worm
  • Attack

Severity

Severity level:

  • Low
  • Medium
  • High
  • Mirror

The severity level is the one assigned in the signature database. Focus on high-risk threats first. If a high-risk threat was not blocked (its Action is not a blocking action), add the attack source to the blacklist to stop further traffic from it.

Threat ID

ID of a threat.

NOTE:

If Threat Type is virus or intrusion, click Threat ID to add the virus or intrusion to the running configuration file or to another configuration file as a virus or signature exception. If the configuration file corresponding to the log does not exist, add the virus or intrusion to another configuration file. Virus and signature exceptions cannot be added to the default configuration file.

Threat Name

Name of a threat.

Source Zone

Source security zone of traffic.

Destination Zone

Destination security zone of traffic.

Attacker

IP address/user of an attacker.

Victim

IP address/user of a victim.

Source Address/Source Port

Source IP address/Source port of traffic.

Destination Address/Destination Port

Destination IP address/Destination port of traffic.

Application

Application type of traffic.

Protocol

Protocol type of traffic.

Action

Actions against various threats:

  • Allow
  • Alert
  • Block
  • Declare
  • Delete-attachment

Security Policy

Security policy that traffic matches.

Profile

Security profile that traffic matches.

Source Region

Region of the attack source.

Destination Region

Region of the attack target.

Virtual System

Virtual system that generates the traffic.
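The table's guidance (focus on High severity; blacklist the attack source when a threat was not blocked) is easy to apply by hand to one log and tedious across many. The script below is an added example, not Huawei code and not an export format of the FW: it works on constructed records keyed by the field names from the table above, with documentation-range addresses and placeholder threat names. The assumption that Allow, Alert and Declare let traffic through (Declare only annotating a mail, as its name suggests) is the author's, not the page's.

```python
"""Added triage example (not Huawei code): apply the threat-log guidance above
to a batch of records: keep High severity, flag threats that were not blocked,
and separate external attack sources (blacklist candidates) from internal
hosts (which need cleanup rather than a blacklist entry)."""
from collections import Counter

# Actions that stop the threat. Delete-attachment strips the infected mail
# attachment; Allow, Alert and Declare let the traffic through (assumption:
# Declare only annotates the mail, as its name suggests).
BLOCKING_ACTIONS = {"Block", "Delete-attachment"}

# Constructed sample records using the field names from the table above.
# Addresses are documentation ranges; threat names are placeholders.
SAMPLE_LOGS = [
    {"Time": "2024-01-15 10:02:11", "Threat Type": "Virus", "Severity": "High",
     "Threat Name": "EICAR-Test-File", "Source Zone": "untrust",
     "Attacker": "198.51.100.7", "Victim": "192.0.2.25", "Action": "Block"},
    {"Time": "2024-01-15 10:05:40", "Threat Type": "Intrusion", "Severity": "High",
     "Threat Name": "placeholder-intrusion-signature", "Source Zone": "untrust",
     "Attacker": "203.0.113.9", "Victim": "192.0.2.30", "Action": "Alert"},
    {"Time": "2024-01-15 10:06:02", "Threat Type": "Botnet, Trojan horse, and worm",
     "Severity": "Medium", "Threat Name": "placeholder-c2-beacon",
     "Source Zone": "untrust", "Attacker": "203.0.113.9", "Victim": "192.0.2.30",
     "Action": "Alert"},
    {"Time": "2024-01-15 10:09:13", "Threat Type": "Virus", "Severity": "Low",
     "Threat Name": "placeholder-mail-virus", "Source Zone": "untrust",
     "Attacker": "198.51.100.22", "Victim": "192.0.2.50", "Action": "Declare"},
    {"Time": "2024-01-15 10:11:55", "Threat Type": "Virus", "Severity": "High",
     "Threat Name": "EICAR-Test-File", "Source Zone": "trust",
     "Attacker": "192.0.2.40", "Victim": "198.51.100.80", "Action": "Allow"},
]


def unblocked(records, severities=("High",)):
    """Records at the given severities whose action let the traffic through."""
    return [r for r in records
            if r["Severity"] in severities and r["Action"] not in BLOCKING_ACTIONS]


def triage(records, internal_zones=("trust",), severities=("High",)):
    """Split unblocked threats by where the attacker sits. An Attacker in an
    internal zone is an infected host to clean up, not an address to blacklist."""
    blacklist, internal = set(), set()
    for r in unblocked(records, severities):
        if r["Source Zone"] in internal_zones:
            internal.add(r["Attacker"])
        else:
            blacklist.add(r["Attacker"])
    return {"blacklist": sorted(blacklist), "internal": sorted(internal)}


def action_summary(records):
    """Count (threat type, action) pairs to spot profiles that only alert."""
    return Counter((r["Threat Type"], r["Action"]) for r in records)


if __name__ == "__main__":
    print(triage(SAMPLE_LOGS))
    for (ttype, action), n in sorted(action_summary(SAMPLE_LOGS).items()):
        print(f"{ttype:35} {action:18} {n}")
```

On the sample set the only blacklist candidate is 203.0.113.9 (an Alert-only intrusion), while 192.0.2.40 appears as an internal source: it is a host inside the trust zone that sent the test file outbound under a policy whose profile action is Allow, so the fix is on the host and in the profile, not in the blacklist. Widening severities to include Medium shows whether the same source keeps reappearing at lower severity.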

Copyright © Huawei Technologies Co., Ltd.