Scan Manager Configuration

Note: This feature is supported on devices that support embedded antivirus (AV) scanning.

AV scanning requires that you load a database of AV patterns onto the security device and periodically update the pattern file. To do so, you must register the device and purchase an AV pattern license key, which includes a subscription for the AV signature service. For the life of the subscription, you can load the current version of the database and update it as newer versions become available.

Edit the following options to configure the Scan Manager:

Antivirus Pattern File: Displays the current database of AV patterns.

Pattern Update Server: Enter the path of the pattern update URL.

Send Admin E-mail after Pattern Update: Notifies the administrator via e-mail that an updated pattern file is available.

Auto Pattern Update: Select this checkbox to automatically update the AV pattern file from the Pattern Update Server at user-defined intervals.

Interval: Enter a value in minutes between 10 and 10080 (10080 minutes = 168 hours = 7 days = 1 week).

Update Now: Enter the URL for the Pattern Update Server in the Pattern Update Server field and click Update Now to manually update the AV pattern file immediately.

The URL to update the AV pattern file is device-dependent, because a smaller database is downloaded to the lower-end devices.

Traffic Options On Scan Engine Limitation

Options

Description

Exceed Decompression Layer

Select Permit if you want the scan engine to allow traffic to pass when it reaches the configured value set in the profile. See Security > Antivirus > Profile > Edit > Decompress Layer. The value specifies how many layers of nested compressed files the internal AV scanner can decompress before it executes the virus scan. The default setting varies for each protocol.

For example, if a message contains a compressed .zip file that contains another compressed .zip file, there are two compression layers, and decompressing both files requires a decompress-layer setting of 2.

Select Drop if you want the scan engine to drop traffic when it reaches the configured value set in the profile.

Password File

Select Permit if you want the scan engine to allow password-protected files to pass.

Select Drop if you want the scan engine to drop password-protected files.

Corrupt File

Select Permit if you want the scan engine to allow corrupted files to pass.

Select Drop if you want the scan engine to drop corrupted files.

Out of Resource

Select Permit if you want the scan engine to allow traffic to pass when the device runs out of resources. This value is platform-dependent.  

Select Drop if you want the scan engine to drop traffic when the device runs out of resources.

Engine not Ready

Select Permit if you want the device to allow traffic to pass if the scan engine is not ready to scan traffic.

Select Drop if you want the device to drop traffic if the scan engine is not ready to scan traffic.

Timeout

Select Permit if you want the scan engine to allow traffic to pass if the protocol-based profile times out. The timeout value is configured for each protocol in a profile. See Security > Antivirus > Profile > Edit.

Select Drop if you want the scan engine to drop traffic if the protocol-based profile times out.

Exceed Content Size Limit: Enter a value greater than 20 KB to configure the Maximum Content Size for a single message that the internal AV scanner scans for virus patterns. Refer to the Release Notes for device-specific values.

Select Permit to pass traffic without examining it if the total content of an incoming message exceeds the configured Maximum Content Size.

Select Drop to drop the message content without checking for viruses if the total content of an incoming message exceeds the configured Maximum Content Size.

Note: The default 10 megabytes of decompressed file content is per message and not the total number of concurrent messages being examined. If the Deep Inspection (DI) feature is also enabled, Juniper Networks recommends configuring a Maximum Content Size value of 6 MB.

Too many requests: Select Permit to pass traffic without examining it if the total number of concurrent messages exceeds the maximum number of messages supported on the device. Refer to the Release Notes for device-specific values.

Select Drop to drop the message content without checking for viruses if the total number of concurrent messages exceeds the maximum messages supported on the device. For example, on some devices, traffic is fed to the scan engine in 16 queues with 16 messages in each queue. If Messages Overflow is set to drop, then the 257th message is dropped.
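
Each Permit/Drop pair above decides whether content the engine cannot inspect is passed unscanned or blocked. The following Python code is an added example, not Juniper code or device syntax: it models the Exceed Decompression Layer, Password File, Corrupt File and Exceed Content Size Limit decisions for zip attachments. The policy keys, function names and sample data are hypothetical.

```python
import io
import zipfile
import zlib

# Hypothetical names for the Permit/Drop options above; not device syntax.
FAIL_CLOSED = {"exceed_decompress_layer": "drop", "password_file": "drop",
               "corrupt_file": "drop", "exceed_content_size": "drop"}

def classify(data, max_layers, budget, layer=0):
    """Return the limitation hit while unpacking data, or None if all of it can be scanned.

    budget is a one-item list holding the decompressed bytes still allowed
    for the whole message (the Maximum Content Size)."""
    if data[:4] != b"PK\x03\x04":              # not a zip: leaf content to scan
        budget[0] -= len(data)
        return "exceed_content_size" if budget[0] < 0 else None
    if layer >= max_layers:                    # one more layer than the profile allows
        return "exceed_decompress_layer"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:       # encrypted entry, cannot be inspected
                    return "password_file"
                if info.file_size > budget[0]: # check declared size before inflating
                    return "exceed_content_size"
                hit = classify(zf.read(info), max_layers, budget, layer + 1)
                if hit:
                    return hit
    except (zipfile.BadZipFile, zlib.error):
        return "corrupt_file"
    return None

def verdict(data, policy=FAIL_CLOSED, max_layers=2, max_content=10 * 1024 * 1024):
    """Map the limitation (if any) to the configured action; 'scan' means no limit was hit."""
    hit = classify(data, max_layers, [max_content])
    return ("scan", None) if hit is None else (policy[hit], hit)

def nest(payload, depth):
    """Constructed sample input: wrap payload in `depth` zip layers."""
    for _ in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("inner.bin", payload)
        payload = buf.getvalue()
    return payload

if __name__ == "__main__":
    for depth in (1, 2, 3):                    # a layer setting of 2 covers zip-in-zip only
        print(depth, verdict(nest(b"sample attachment body", depth)))
```

With every option set to Drop, anything the engine cannot fully unpack is blocked; changing an entry to "permit" shows which content would then pass without being examined.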