Skip to main content
Versa Networks

Configure Antivirus

  1. Last updated
  2. Save as PDF

Versa-logo-release-icon.png For supported software information, click here.

You enable unified threat management (UTM) capabilities on Versa Operating SystemTM (VOSTM) devices by configuring threat profiles in security access policy rules. VOS devices support the following threat profiles:

  • Antivirus
  • Vulnerability (IDS/IPS)

This article discusses how to configure antivirus threat profiles.

The VOS antivirus software scans files received or transmitted in live traffic. When the last byte of a file is transmitted, the antivirus software extracts the file and scans it for viruses.

You can scan the following types of traffic:

  • Web traffic sent using FTP and HTTP
  • Email traffic sent use IMAP, MAPI, POP3, and SMTP

The following table lists the types of files that the antivirus software can scan.

7zip cpp html mp3 ppt tif
android dll jar mpeg ppptx torrent
appleplist doc jpeg msi psd txt
avi docx lha msoffice rar wav
bat dwg lnk pdf reg wmf
bmp elf lzh pgp rm wmv
c exe mach_o php rtf xls
cab flv mdb pif sh xlsx
class gif

mdi

 pl tar xml
coff gzip mov png targa

zip

To enable VOS devices to scan files for viruses, you must configure at least one antivirus profile and then associate it with a rule in an NGFW policy. The antivirus profile is then applied to all traffic that matches the policy rule. The VOS software provides predefined antivirus profiles, and you can configure custom antivirus profiles. For predefined antivirus profiles, the maximum scannable file size is 512 KB. For custom antivirus profiles, you can configure the maximum scannable file size.

To scan files larger than 512 KB, you must create a custom antivirus profile and associate it with a storage profile created for that purpose. The files can be stored, or buffered, on either hard disk or RAM disk (if supported by the hardware) before they are processed, to provide for faster processing times.

When the antivirus software extracts a file from a live flow and buffers it, the file data is forwarded to the destination except for the last data packet, and then the antivirus software scans the file for viruses based on the configured antivirus profile. If the file contains a virus, the action in the antivirus profile is enforced on the packet or session. If no virus is detected, the last data packet held by the VOS device is forwarded to the destination. After the antivirus scans the file, the file is automatically deleted from the storage space.

The antivirus software follows these rules when scanning extracted files for viruses:

  • If the file type matches a file type in the antivirus profile, the entire file is extracted and buffered on the VOS device.
  • If the file type does not match any configured file type, the file extraction is aborted.
  • If the file is less than 512 KB, the file is buffered in memory.
  • If the file is more than 512 KB, or if not enough RAM is available, the file is stored on the hard disk or RAM disk depending on the configured storage profile.
  • If the storage is full and a file cannot be saved on the storage device, the file extraction is aborted. In such a scenario, the action specified for the antivirus profile for disk full is considered.

Configure Storage for Antivirus Files

For custom antivirus profiles that scan files larger than 512 KB, you must configure storage for the files. The files are then buffered on either hard disk or RAM disk before they are processed, to provide for faster processing times. Note that if you want to scan files larger than 512 KB, you must configure a custom antivirus profile, because predefined antivirus profiles scan files only up to 512 KB.

You can configure the antivirus file storage at the system and organization level:

  • System level—You configure the hard disk and RAM disk storage for the entire VOS device. All storage profiles that you create at the organization level are allocated hard disk and RAM disk from this single pool of hard disk and RAM disk on an as-needed basis. With system-level storage, if one organization is consuming a large amount of hard disk or RAM disk, storage space for other organizations might be limited or unavailable.
  • Organization level—You configure storage profiles for the hard disk and RAM disk storage for each organization. The amount of storage space that you allocate for an organization can be used only by that organization. This means that if the antivirus software is scanning large amounts of traffic such that the organization might temporarily need more hard disk or RAM disk storage, no additional storage is available to the organization even though the VOS device might have storage space that is not being used by other organizations.

The total amount of hard disk and RAM disk configured for all organizations on a VOS device must be less than or equal to the total hard disk and RAM disk space configured for the VOS devices at the system level.

Configure System-Level File Storage

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a device name in the main panel. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Others > System > Storage Configurations in the left menu bar.

    storage-configurations-menu.png
  4. Click the edit-icon.png Edit icon. The Edit Storage Configuration Setting popup window displays.

    edit-storage-config-setting-hard-disk-tab.png
  5. Select the Hard Disk tab and enter information for the following fields.
     
    Field Description
    Path Enter the path to the file storage directory.
    Default: /tmp
    Common Pool Size

    Enter the size of the common memory pool available for all tenants, in megabytes. The space for the common pool is taken from the maximum disk size.
    Maximum Size Enter the maximum size of the hard disk, in megabytes.
    Range: 256 through 131072 MB
    Default: 256 MB
  6. Select the RAM Disk tab and enter information for the following fields.

    edit-storage-config-setting-ram-disk-tab.png
     
    Field Description
    Common Pool Size Enter the size of the common RAM disk memory pool for all tenants, in megabytes.
    Maximum Size Enter the maximum size of the RAM disk, in megabytes.
    Range: 0 through 32768 MB
    Default: 0 MB
  7. Click OK.

Configure Organization-Level Storage

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a device name in the main panel. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Others > Organization > Profiles > Storage Profiles in the left menu bar.

    storage-profiles-menu.png
  4. Click the add.png Add icon. In the Add Storage Profile popup window, enter information for the following fields.

    add-storage-profile.png
     
    Field Description
    Name Enter a name for the storage profile.
    Description Enter a text description for the storage profile.
    Hard Disk Size

    Enter the size of the guaranteed hard disk, in megabytes.
    Range: 256 through 131072 MB
    Default: 256 MB
    RAM Disk Size Enter the size of the guaranteed RAM disk, in megabytes.
    Range: 0 through 32768 MB
    Default: 0
  5. Click OK.

View Predefined Antivirus Profiles

The antivirus software provides the following predefined antivirus profiles:

  • Scan web traffic
  • Scan email traffic
  • Scan web and email traffic

Note that for antivirus profiles, Versa does not provide a predefined profile called Versa Recommended profile.

To view predefined antivirus profiles:

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a device name in the main panel. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Objects and Connectors > Objects > Predefined > Antivirus Profile in the left menu bar. The table in the main pane lists the predefined antivirus profiles. The following table describes each profile.

    predefined-antivirus-profile-menu.png
     
    Field Description
    Scan Web Traffic Scan all web traffic sent using the HTTP and FTP protocols. The Action column shows the "deny" action, which is the default action for web traffic
    Scan Email Traffic Scan all email traffic sent using the IMAP, MAPI, POP3, and SMTP protocols. The Action column shows the "alert" action, which is the default action for email traffic.
    Scan Web and Email Traffic

    Scan all web and email traffic. The Action column shows the "recommended-action" action, which takes the default actions listed above for web traffic (deny) and email traffic (alert).

Note that if you want to scan files larger than 512 KB, you must configure a custom antivirus profile, because predefined antivirus profiles scan files only up to 512 KB. If you want to use a predefined profile and scan files larger than 512 KB, because you cannot associate a storage profile with a predefined antivirus profile, you must create a custom profile that clones the configuration of predefined profile with then storage profile associated with it and then use that customer profile in your security rule.

Configure Custom Antivirus Profiles

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a device name in the main panel. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Services > Next-Gen Firewall > Security > Profiles > Antivirus in the left menu bar, and select an organization in the horizontal menu bar.

    services-profiles-antivirus-menu.png
  4. Click the add.png Add icon. In the Add Antivirus Profile window, enter information for the following fields.

    add-antivirus-profile.png
     
    Field Description
    Name Enter a name for the antivirus profile.
    Description Enter a text description of the antivirus profile.
    Direction

    Select the direction of the traffic on which to perform the antivirus scan:

    • Both (download and upload)
    • Download
    • Upload
    LEF Profile Select a LEF profile to use to register logs for the antivirus profile. For information about configuring a LEF profile, see Configure Log Export Functionality. For information associating a LEF profile to the configuration of a feature or service, see Apply Log Export Functionality.
    Action

    Select an enforcement action to take when traffic matches the profile:

    • Alert—Allow the file to pass and, if a LEF profile is configured, log the action.
    • Allow—Allow the file to pass without logging the action.
    • Deny— Do not allow the file to pass and, if a LEF profile is configured, log the action
    • Reject—Reset the connection to the server and client and, if a LEF profile is configured, log the action.
    Storage Profile Select the storage profile to use to determine where to store files that are being scanned for viruses.
    Action on Disk Full

    Select an action to take if the file storage area is full:

    • Alert—Allow the file to pass and, if a LEF profile is configured, log the action.
    • Allow—Allow the file to pass without logging the action.
    • Deny—Do not allow the file to pass and, if a LEF profile is configured, log the action
    • Reject—Reset the connection to the server and client and, if a LEF profile is configured, log the action.
    File Type

    Select the type of file to scan for viruses. Click the add.png Add icon, and in the subsequent table row, select the file type from the drop-down list. To scan all file types, select the file type "any".
    Protocol Select the type protocol whose files you want to scan for viruses. Click the add.png Add icon, and in the subsequent table row, select the protocol from the drop-down list..
  5. Click OK.

Apply an Antivirus Profile to an Access Policy

  1. In Director view:
    1. Select the Administration tab in the top menu bar.
    2. Select Appliances in the left menu bar.
    3. Select a device name in the main panel. The view changes to Appliance view.
  2. Select the Configuration tab in the top menu bar.
  3. Select Services > Next-Gen Firewall > Security > Policies in the left menu bar.

    ngfw-security-policies-rules-menu.png
  4. Click the Rules tab to view the security policy access rules.
  5. Select an access policy rule. The Edit Rule popup window displays.
  6. Select the Enforce tab, and enter information for the following fields.

    ngfw-edit-rule-enforce-tab.png
     
    Field Description
    Actions (Group of Fields) Click Apply Security Profile.
    Profiles Click to select a single antivirus profile
    • Antivirus
    		 Click and then select the antivirus profile to use for the access policy rule. The list displays the predefined and custom antivirus profiles.
    Profile Groups Click to select a profile group.
    • Antivirus
    		 Click and then select the antivirus profile to use for the access policy rule. The list displays the predefined and custom antivirus profiles. For more information, see Configure Security Profile Groups.
  7. Click OK.

Monitor Antivirus Profile Statistics

You monitor antivirus profiles to view the antivirus scan reports when a profile is used. For more information, see Monitor Device Services.

To monitor antivirus profiles:

  1. Select the Administration tab in the top menu bar.
    1. Select Appliances in the left menu bar.
    2. Select a device name in the main panel. The view changes to Appliance view.
  2. Select the Monitor tab in the top menu bar.
  3. Select the Provider Organization > Services tab.
  4. Select NGFW > Antivirus, and then select Predefined Profile or User Defined Profile from the drop-down list. The antivirus profile statistics display.

monitor-antivirus-tab.png

The following screenshots provide examples of the antivirus statistics that are displayed.

When you select Predefined Profile from the left drop-down, the Scan Web and Email Traffic profile from the middle drop-down, and Predefined Protocol from the right drop-down, the following information displays. Similar information displays when you select the Scan Web Traffic or Scan Email Traffic profile.

monitor-av-predefined-protocol.png

Field Description
Protocol List of predefined protocols scanned for antivirus.
Flows Blocked Number of protocols flows blocked by the antivirus software.
Flows Allowed

Number of protocols flows allowed by the antivirus software.

When you select Predefined Profile from the left drop-down, the Scan Web and Email Traffic profile from the middle drop-down, and Predefined File Type from the right drop-down, the following information displays. Similar information displays when you select the Scan Web Traffic or Scan Email Traffic profile.

monitor-av-predefined-file-type.png

Field Description
File Type Type of file scanned by the antivirus software.
Scan Count Total number of antivirus scans for the file type.
Block Count

Total number of files blocked by the antivirus software.

When you select Predefined Profile from the left drop-down, the Scan Web and Email Traffic profile from the middle drop-down, and Predefined Statistics from the right drop-down, the following information displays. Similar information displays when you select the Scan Web Traffic or Scan Email Traffic profile.

monitor-av-predefined-statistics.png

Field Description
Name

Name of the statistics record:

  • Action alert count—Number of flows for which an alert was sent.
  • Action allow count—Number of flows allowed.
  • Action block count—Number of flows blocked.
  • Action on disk full count—Number of actions performed when the disk was full.
  • Action reject count—Number of flows rejected.
  • EOF received count—Number of end-of-file (EOF) markers received.
  • File in queue count—Number of files in the queue.
  • Filetype mismatch count—Number of flows with a file type mismatch.
  • Flow bypass count—Number of bypassed flows.
  • Profile hit count—Number of times an antivirus profile matched.
Value Statistics value for the record.

Display Antivirus Threat Logs

To monitor the antivirus threats that are occurring in your network, view malware threat monitoring reports:

  1. In Director view, select the Analytics tab from the top menu bar. The view changes to Analytics view.
  2. Select Home > Security > Threats in the left menu bar to view the security threats dashboard. For more information, see Security Dashboards.
  3. Select the Malware tab to display information about top antivirus malware and infected applications.

    analytics-antivirus-malware-tab.png
  4. Drill down to display detailed antivirus logs matching the drill key.

    analytics-av-drilldown.png
  5. Select Home > Logs > Threat Detection in the left menu bar to view logs. Select the Antivirus tab in the main pane.

    analytics-logs-antivirus-tab.png

Troubleshoot Antivirus

To troubleshoot antivirus-based security issues, such as disk full, run the show orgs org-services tenant-name security profiles av statistics CLI command.

To view storage details such as RAM disk and hard disk allocation, run the show orgs org-services tenant-name security profiles storage statistics CLI command.

Supported Software Information

Releases 20.2 and later support all content described in this article.