
Configuring Antivirus

This section describes how to configure antivirus.

Context

The FW has a default antivirus profile named default, which defines the default action in the upload or download direction of each protocol, as shown in Table 1. You cannot modify or delete the default profile.

You can run the display profile type av name default command on the CLI to view the configuration information about the default profile. If you use the CLI to reference the default profile in a security policy, you must enter the complete profile name (such as default); otherwise, the profile fails to be referenced. To view the configuration result, run the display current-configuration command. The output shows that the security policy references the default profile, but the configuration information about the default profile itself is not displayed.

Table 1 Default antivirus profile

Name      Protocol   Virus Detection: Upload   Virus Detection: Download   Default Action
default   HTTP       Enable                    Enable                      Block
          FTP        Enable                    Enable                      Block
          SMTP       Enable                    -                           Alert
          POP3       -                         Enable                      Alert
          IMAP       Enable                    Enable                      Alert
          NFS        Enable                    Enable                      Alert
          SMB        Enable                    Enable                      Block

Attack Evidence Collection: disabled
Application Exception List: not configured
Virus Exception List: not configured

The FW supports user-defined profiles. You can specify the action for each protocol.

Procedure

  1. Configure the antivirus scan mode.

    av scan-mode { full | quick }

    Antivirus supports two virus scan modes:
    • Full-text scanning: After this mode is enabled, in-depth content detection is performed on files. This mode features a high detection rate of virus files but a low detection speed and high performance consumption.

    • Quick scanning: After this mode is enabled, fast content detection is performed on files. This mode features a high detection speed and low performance consumption but a relatively low detection rate of virus files.

    By default, the antivirus scan mode is full-text scanning. To switch to the quick scanning mode, run the av scan-mode quick command in the system view to enable the quick scanning mode.

  2. If the antivirus scan mode is full-text scanning, you can set the maximum number of files that can be detected concurrently by the IAE on each CPU and the maximum size of a single file detected by the IAE.

    av full-scan-mode { max-file-number max-file-number | max-file-size max-file-size }

    By default, in full-text scanning mode, a maximum of 10 files can be detected concurrently by the IAE on each CPU, and the maximum size of a single file detected by the IAE is 2048 KB.

    When the antivirus scan mode is full-text scanning, you can run the av full-scan-mode max-file-number command to set the maximum number of files that can be detected concurrently by the IAE on each CPU. When the device supports IAE running on multiple CPUs, the maximum number of files detected concurrently by the device is equal to the value of max-file-number multiplied by the number of CPUs. If the number of files to be concurrently detected by the device exceeds the maximum value, the excess files will not be detected.

    You can run the av full-scan-mode max-file-size command to set the maximum size of a single file detected by the IAE in full-text scanning mode. If the size of a file to be detected exceeds the maximum size, the file will not be detected.

  3. Optional: Enable the function of sending virus files to the cloud sandbox in full scan mode.

    av submit-detected-file enable

    By default, this function is disabled, and the device does not send detected virus files to the cloud sandbox.

    In full scan mode, you can enable the function of sending virus files to the cloud sandbox so that the device can send detected virus files to the cloud sandbox for further analysis and source tracing.

    • The device supports this function only in full scan mode, not in quick scan mode.
    • This function requires the device to interwork with the cloud sandbox, and takes effect only when the cloud sandbox interworking function is available and the cloud sandbox interworking parameters are correctly configured. For details about how to configure cloud sandbox interworking, see Configuring Cloud Sandbox Inspection.
    • The types of files sent to the cloud sandbox configured in this function are not restricted by the types configured in APT defense, but subject to the types of files that can be detected in antivirus full scan mode.
    • The size of files sent to the cloud sandbox configured in this function is not limited by the size configured in APT defense.

  4. Create an antivirus profile in the system view.

    profile type av name name

  5. Optional: Configure a description for the antivirus profile.

    description description

  6. Optional: Configure the attack evidence collection function.

    collect-attack-evidence enable

    • The attack evidence collection function relies on hard disks and is available only when hard disks are installed.

    • Attack evidence collection does not apply to HTTPS traffic.

    • When the TCP proxy function is enabled on a device, the attack evidence collection function is unavailable.
    • By default, attack evidence collection has the following restrictions:
      • A maximum of five attack evidence collection sessions are supported for a single threat ID on a single CPU.
      • When the system memory space is less than 200 MB, the device does not collect attack evidence. When the system memory space is restored to 400 MB, the device restores attack evidence collection.
      • A single CPU can cache a maximum of 512 MB attack evidence data. When the data volume of attack evidence reaches the maximum, attack evidence collection is not performed.
      • By default, the maximum data volume of attack evidence that can be cached in a single session is as follows:
        • Versions earlier than V600R007C20SPC500: 100 KB. If the size of the file whose data needs to be collected exceeds 100 KB, the device does not perform attack evidence collection on the session.
        • Versions V600R007C20SPC500 to V600R007C20SPC601: 30 KB. If the size of the file whose data needs to be collected exceeds 30 KB, the device does not perform attack evidence collection on the session.
        • V600R007C20SPC602 and later versions: 10 KB. If the size of the file whose data needs to be collected exceeds 10 KB, the device does not perform attack evidence collection on the session.

        You are advised to run the debugging collect-attack-evidence max-session-size max-session-size command to increase the threshold for the maximum data volume of attack evidence that the device can collect for a single session. The recommended threshold is 2000 KB.

    • Attack evidence collection is for troubleshooting only. Because attack evidence collection compromises system performance, you must enable it only when necessary and disable it immediately after you finish attack evidence collection.

  7. Optional: Configure heuristic detection.

    heuristic-detect enable

    This command takes effect only in antivirus quick scanning mode. It does not take effect in full-text scanning mode.

    Heuristic detection reports a file as risky when it is a suspected virus file. Environments with high security requirements can enable this function.

    Antivirus heuristic detection improves network security and minimizes risks, but it compromises antivirus detection performance and may increase false positives. Therefore, antivirus heuristic detection is disabled by default.

  8. Configure the protocols and traffic directions requiring virus detection and the response action for detected viruses.

    Protocol   Command
    HTTP       http-detect direction { both | download | upload } [ action { alert | block } ]
    FTP        ftp-detect direction { both | download | upload } [ action { alert | block } ]
    SMTP       smtp-detect [ action { alert | declare | delete-attachment } ]
    POP3       pop3-detect [ action { alert | declare | delete-attachment } ]
    IMAP       imap-detect direction { both | download | upload } [ action { alert | declare | delete-attachment } ]
    NFS        nfs-detect direction { both | download | upload }
    SMB        smb-detect direction { both | download | upload } [ action { alert | block } ]

  9. Optional: Configure an application exception.

    exception application name name [ action { alert | allow | block } ]

  10. Optional: Configure a virus exception.

    exception av-signature-id av-signature-id [ action { allow | block-source-ip [ timeout timeout ] } ]

    The device supports two response actions for exception signatures: allow, and blacklist (directly adding the source or destination addresses of traffic that matches the exception signature to a blacklist). The timeout parameter sets the timeout period of the blacklist entry.

  11. Optional: Configure whitelist rules.

    whitelist { host host-text | url url-text | source-address { ip-address | range start-ip-address end-ip-address } | destination-address { ip-address | range start-ip-address end-ip-address } }

  12. Reference the antivirus profile in the security policy.

    For details on how to configure the security policy, see Configuring a Security Policy.

  13. Commit the configuration in the system view.

    engine configuration commit

    The created or modified antivirus profile does not take effect immediately. You need to commit the configuration to activate the configuration. To save time, commit the configuration after you complete all operations on the antivirus profile.

  14. Optional: Configure the antivirus log aggregation function in the system view.

    av log merge enable

    After the antivirus log aggregation function is enabled, the system aggregates multiple identical antivirus logs generated within a short period into one log.

  15. Optional: Enable the function of extracting the complete hash value from the PE file in the system view.

    av extract hash enable

    In antivirus quick scanning mode, if the complete hash value needs to be extracted from the PE file, you need to configure the av extract hash enable command. In full-text scanning mode, the complete hash value is extracted from the PE file by default. Therefore, you do not need to configure this command.

    In a scenario where the function of extracting the complete hash value from the PE file is enabled, if the FW detects viruses in a PE file, and the response action is alert or declare, the antivirus log displays the complete hash value.
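    The following CLI session walks through the procedure above in full-text scanning mode. It is an added example, not part of the original topic: the device name sysname, the profile name av_strict, the prompts and the addresses are constructed; lines starting with # are annotations rather than CLI input; the security-policy rule commands (security-policy, rule name, source-zone, destination-zone, action permit, profile av) are assumed from the separate topic Configuring a Security Policy, which this page only references; <signature-id> is a placeholder for an ID taken from your own antivirus logs.

```text
# Steps 1-3: global scan settings in the system view (full-text is the default;
# raise the per-CPU concurrency and single-file cap so fewer files skip scanning)
<sysname> system-view
[sysname] av scan-mode full
[sysname] av full-scan-mode max-file-number 20
[sysname] av full-scan-mode max-file-size 4096
[sysname] av submit-detected-file enable
# Steps 4-5: create the user-defined profile (name and description are constructed)
[sysname] profile type av name av_strict
[sysname-profile-av-av_strict] description Block on file transfer, clean mail attachments
# Step 8: protocols, directions and response actions
[sysname-profile-av-av_strict] http-detect direction both action block
[sysname-profile-av-av_strict] ftp-detect direction both action block
[sysname-profile-av-av_strict] smb-detect direction both action block
[sysname-profile-av-av_strict] nfs-detect direction both
[sysname-profile-av-av_strict] smtp-detect action declare
[sysname-profile-av-av_strict] pop3-detect action delete-attachment
[sysname-profile-av-av_strict] imap-detect direction both action delete-attachment
# Steps 10-11: virus exception (placeholder ID) and a whitelisted source range (constructed)
[sysname-profile-av-av_strict] exception av-signature-id <signature-id> action block-source-ip timeout 600
[sysname-profile-av-av_strict] whitelist source-address range 10.0.10.1 10.0.10.20
[sysname-profile-av-av_strict] quit
# Step 12: reference the profile in a security policy rule
# (rule-view commands assumed from Configuring a Security Policy, not this topic)
[sysname] security-policy
[sysname-policy-security] rule name av_trust_to_untrust
[sysname-policy-security-rule-av_trust_to_untrust] source-zone trust
[sysname-policy-security-rule-av_trust_to_untrust] destination-zone untrust
[sysname-policy-security-rule-av_trust_to_untrust] action permit
[sysname-policy-security-rule-av_trust_to_untrust] profile av av_strict
[sysname-policy-security-rule-av_trust_to_untrust] quit
[sysname-policy-security] quit
# Step 13: the profile is inactive until the engine configuration is committed
[sysname] engine configuration commit
# Step 14: aggregate identical antivirus logs generated in a short period
[sysname] av log merge enable
# Verify the resulting profile
[sysname] display profile type av name av_strict
```

    Step 15 (av extract hash enable) is omitted because the session uses full-text scanning, where the complete PE hash is already extracted by default.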

Follow-up Procedure

After configuring the antivirus profile, adjust it as follows:

  • Run the rename new-name command in the antivirus profile view to rename the profile.
  • In the system view, run the profile type av copy old-name [ new-name ] command to create a profile by copying an existing one.
Copyright © Huawei Technologies Co., Ltd.