
Verification and Check

This section describes the verification and check operations after the antivirus feature is configured.

Verification

After configuring the antivirus feature, run the following commands to check the configuration result.

Operation: View the current antivirus scan mode.
Command: display av scan-mode

Operation: View the maximum number of files that can be detected concurrently by the IAE on each CPU and the maximum size of a single file detected by the IAE in full-text scanning mode.
Command: display av full-scan-mode { max-file-number | max-file-size }

Operation: View the antivirus profile.
Command: display profile type av [ name name [ protocol | exception { application | av-signature-id } | whitelist [ host | url | source-address | destination-address ] ] ]

Operation: View a specific virus signature or a virus family in the antivirus signature database.
Command: display av-signature { av-signature-id | database }

After configuring the antivirus feature, run the following commands to view or clear statistics:

Operation: View antivirus statistics.
Commands:
  • Quick scanning mode: display av statistics [ slot slot-id cpu cpu-id ]
  • Full-text scanning mode: display av full-scan-mode statistics [ slot slot-id cpu cpu-id ]

Operation: Clear antivirus statistics.
Commands:
  • Quick scanning mode: reset av statistics [ slot slot-id cpu cpu-id ]
  • Full-text scanning mode: reset av full-scan-mode statistics [ slot slot-id cpu cpu-id ]

Viewing Logs

After the security policy references the antivirus profile, the FW checks whether the traffic that matches the security policy is virus-infected. If a virus is detected, the FW blocks the virus and generates a log. The following is a virus log generated for the EICAR test file.

AV/4/VIRUS(l)[0]:A virus was detected. (SyslogId=1, VSys="public", Policy="policy1",
 SrcIp=192.168.1.2, DstIp=192.168.0.2, SrcPort=21, DstPort=53038, SrcZone=untrust, DstZone=trust,
 User="unknown", Protocol=TCP, Application="FTP", Profile="profile_av", EventNum=1, SignatureId=16424404,
 VirusName="EICAR.Test.FILE.1", DetectionType="virus detect", Direction=download, FileName="eicar.com",
 FileType="com", Action=Block, Hash=267D772D8ED87333)

The following table describes the meanings of each field.

Field: Description

SyslogId: Log ID
VSys: Name of the virtual system
Policy: Name of the security policy
SrcIp: Source IP address
DstIp: Destination IP address
SrcPort: Source port
DstPort: Destination port
SrcZone: Source zone
DstZone: Destination zone
User: User name
Protocol: Protocol of the traffic
Application: Application identified in the traffic
Profile: Profile name
EventNum: Number of events
SignatureId: Signature ID
VirusName: Name of the virus
DetectionType: Detection type:
  • virus detect: virus detection in quick scanning mode
  • heuristic detect: heuristic detection
  • full-scan virus detect: virus detection in full-text scanning mode
Direction: Direction of the packet transfer
FileName: Name of the file
FileType: Type of the file
Action: Action taken by the FW
Hash: File hash value
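The log format described above can be parsed mechanically so that an analyst reviewing a suspected false positive gets the SignatureId, virus name and file hash in one place. This is an added example, not part of the Huawei documentation; the sample line is constructed from the EICAR log shown above, and the field names and DetectionType values come from the table.

```python
import re

# Constructed sample, modelled on the EICAR log line shown above (values as on the page).
SAMPLE_LOG = (
    'AV/4/VIRUS(l)[0]:A virus was detected. (SyslogId=1, VSys="public", Policy="policy1", '
    'SrcIp=192.168.1.2, DstIp=192.168.0.2, SrcPort=21, DstPort=53038, SrcZone=untrust, DstZone=trust, '
    'User="unknown", Protocol=TCP, Application="FTP", Profile="profile_av", EventNum=1, '
    'SignatureId=16424404, VirusName="EICAR.Test.FILE.1", DetectionType="virus detect", '
    'Direction=download, FileName="eicar.com", FileType="com", Action=Block, Hash=267D772D8ED87333)'
)

# Header layout: MODULE/SEVERITY/MNEMONIC(l)[N]:message (key=value, key="value", ...)
HEADER_RE = re.compile(
    r'^(?P<module>\w+)/(?P<severity>\d)/(?P<mnemonic>\w+)\(l\)\[\d+\]:'
    r'(?P<message>[^(]*)\((?P<fields>.*)\)\s*$'
)
# One field: a quoted value may contain spaces; an unquoted value runs to the next comma.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]*))')
INT_FIELDS = {"SyslogId", "SrcPort", "DstPort", "EventNum", "SignatureId"}
# DetectionType values from the field table, mapped to the scan mode that produced them.
SCAN_MODE = {"virus detect": "quick", "full-scan virus detect": "full-text",
             "heuristic detect": "heuristic"}

def parse_av_log(line):
    """Split an AV/4/VIRUS line into its header parts and a dict of its fields."""
    m = HEADER_RE.match(line)
    if not m or m.group("module") != "AV":
        raise ValueError("not an antivirus log line")
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(m.group("fields")):
        value = quoted if quoted else bare.strip()
        fields[key] = int(value) if key in INT_FIELDS else value
    return {"module": m.group("module"), "severity": int(m.group("severity")),
            "mnemonic": m.group("mnemonic"), "message": m.group("message").strip(),
            "fields": fields}

def scan_mode(record):
    return SCAN_MODE.get(record["fields"].get("DetectionType"), "unknown")

def exception_candidate(record):
    """Collect what a reviewer needs before deciding on an av-signature-id exception:
    the signature ID itself plus the context needed to judge whether it is a false positive."""
    f = record["fields"]
    return {"SignatureId": f["SignatureId"], "VirusName": f["VirusName"], "Hash": f["Hash"],
            "FileName": f["FileName"], "Action": f["Action"], "scan_mode": scan_mode(record)}

if __name__ == "__main__":
    print(exception_candidate(parse_av_log(SAMPLE_LOG)))
```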

If you consider a detected virus to be a false positive, obtain the signature ID (SignatureId) from the log and configure the virus as an exception in the antivirus profile view. The FW will then permit files infected by this virus.

Copyright © Huawei Technologies Co., Ltd.