Antivirus Scanning Profile for HTTP Traffic

Note: Juniper Networks supports external or internal antivirus (AV) on select devices. Your security device communicates with the external AV scan engine using Internet Content Adaptation Protocol (ICAP).

Edit the following options to configure an AV profile for scanning HTTP traffic:

Profile name: Displays the AV profile name.

Enable: Click the check box to enable scanning of HTTP traffic. By default, scanning is enabled.

Scan Mode: This option applies for internal AV scanning only. Select the appropriate scan mode:

Decompress Layer: This option applies for internal AV scanning only. Enter a value between 1 and 8. The upper limit value is device-dependent. The value specifies how many layers of nested compressed files the internal AV scanner can decompress before it executes the virus scan. The default setting for HTTP is 2. See the following example.

If a message contains a compressed .zip file that contains another compressed .zip file, there are two compression layers, and decompressing both files requires a decompress-layer setting of 2. Valid settings are between 1 and 4, so the AV scanner can decompress up to 4 layers of compressed files.

Note: Some protocols use content encoding when transmitting data. The AV scan engine needs to decode this layer, which is considered a decompression level, before it scans for viruses.
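The layer counting described above, as an added example that is not part of the original page or of any Juniper tool: it counts how many decompression layers an HTTP entity needs and compares that with a decompress-layer setting. The function names, the constructed sample archives, and the choice of gzip as the content encoding are assumptions.

```python
import gzip
import io
import zipfile

HTTP_DEFAULT = 2   # default decompress-layer for HTTP, as stated on this page
MAX_SETTING = 8    # highest value the page allows (device-dependent)


def zip_layers(data, cap=MAX_SETTING + 1):
    """Count nested .zip layers around the deepest member, stopping at cap."""
    if cap == 0 or not zipfile.is_zipfile(io.BytesIO(data)):
        return 0
    deepest = 0
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for member in archive.infolist():
            if not member.is_dir():
                inner = archive.read(member)
                deepest = max(deepest, zip_layers(inner, cap - 1))
    return 1 + deepest


def layers_required(body, content_encoding=""):
    """Layers for one HTTP entity; a gzip content encoding counts as one layer."""
    extra = 0
    if content_encoding.lower() in ("gzip", "x-gzip"):  # assumption: gzip encoding
        body = gzip.decompress(body)
        extra = 1
    return extra + zip_layers(body)


def covered(body, content_encoding="", decompress_layer=HTTP_DEFAULT):
    """True if the setting is enough to reach the innermost file."""
    return layers_required(body, content_encoding) <= decompress_layer


def make_zip(name, payload):
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    one = make_zip("report.txt", b"constructed sample text")
    two = make_zip("inner.zip", one)          # the .zip-in-.zip case from the page
    for label, body, enc in [("zip in zip", two, ""),
                             ("zip in zip, gzip-encoded", gzip.compress(two), "gzip")]:
        print(label, layers_required(body, enc), covered(body, enc))
```

The helper reads each archive member fully into memory, so it suits checking sample files against a planned setting rather than inspecting untrusted traffic.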

Include Extension List: This option applies for internal AV scanning only. Select an extension list to include for AV scanning. This option instructs the security device to only scan files with extensions specified in the file extension list. Make sure the above scan-mode option is set to scan-ext. To create a file extension list, see File Extension Configuration.

Exclude Extension List: This option applies for internal AV scanning only. Select an extension list to exclude from AV scanning. This option instructs the security device to not scan files with extensions specified in the list. Make sure the above scan-mode option is set to scan-ext. To create a file extension list, see File Extension Configuration.

Skip Scanning for Selected MIME types: Select the check box to disable scanning of a set of Multipurpose Internet Mail Extensions (MIME) content types and subtypes of HTTP entities. By default the Skip Scanning option is selected.

Mime List: Select a configured MIME list. If the above Skipmime Enable option is checked, the security device does not scan the MIME content types specified in the selected MIME list. Default MIME list: ns-skip-mime-list. The default MIME list, ns-skip-mime-list, includes the following predefined MIME types:

application/x-director; application/pdf; image/; video/; audio/; text/css; text/html

Because most HTTP entities are composed of the above content types, HTTP scanning only applies to a small subset of HTTP entities, such as /zip and application/exe content types, where viruses are most likely to be hiding.

Timeout: Enter a value between 1 and 1800 seconds to specify the timeout value for AV scanning. The default is 180 seconds.

Virus Detection Notify with Protocol Code: Click this check box to enable the AV scanner to drop the infected packet and send a warning message to the HTTP client.