06-Anti-virus commands
Use anti-virus apply policy to apply an anti-virus policy to a DPI application profile.
Use undo anti-virus apply policy to remove the application.
Syntax
anti-virus apply policy policy-name mode { alert | protect }
undo anti-virus apply policy
Default
No anti-virus policy is applied to a DPI application profile.
Views
DPI application profile view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies an anti-virus policy by its name, a case-insensitive string of 1 to 63 characters.
mode: Specifies an anti-virus policy mode.
alert: Only logs matching packets.
protect: Takes the action specified in the anti-virus policy on matching packets.
Usage guidelines
An anti-virus policy takes effect only after it is applied to a DPI application profile. You can apply only one anti-virus policy to a DPI application profile. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Apply anti-virus policy abc to DPI application profile sec. Set the anti-virus policy mode to protect.
[Sysname] app-profile sec
[Sysname-app-profile-sec] anti-virus apply policy abc mode protect
Use anti-virus policy to create an anti-virus policy and enter its view, or enter the view of an existing anti-virus policy.
Use undo anti-virus policy to delete an anti-virus policy.
Syntax
anti-virus policy policy-name
undo anti-virus policy policy-name
Default
An anti-virus policy named default exists.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies the anti-virus policy name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
All virus signatures in the virus signature library are available for an anti-virus policy, whether the policy is the default policy or a user-defined policy.
The default anti-virus policy cannot be modified or deleted.
Examples
# Create anti-virus policy abc and enter its view.
<Sysname> system-view
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc]
Use anti-virus parameter-profile to specify a parameter profile for an anti-virus action.
Use undo anti-virus parameter-profile to remove the parameter profile specified for an anti-virus action.
Syntax
anti-virus { email | logging | redirect } parameter-profile profile-name
undo anti-virus { email | logging | redirect } parameter-profile
Default
No parameter profile is specified for an anti-virus action.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
email: Specifies the email action.
logging: Specifies the logging action.
redirect: Specifies the redirect action.
parameter-profile profile-name: Specifies a parameter profile by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
Before you can specify a parameter profile for an anti-virus action, configure the parameter profile in the DPI engine. For more information, see DPI engine configuration in DPI Configuration Guide.
A parameter profile defines the parameters for executing an action. For example, you can configure parameters such as the email server address and email recipients in the email parameter profile, and then apply the profile to the email action.
If no parameter profile is specified for an anti-virus action, or if the specified parameter profile does not exist, the default parameter settings of the action are used.
Examples
# Create an email parameter profile named av1 and specify a plaintext login password (abc123) in the parameter profile.
<Sysname> system-view
[Sysname] inspect email parameter-profile av1
[Sysname-inspect-email-av1] password simple abc123
[Sysname-inspect-email-av1] quit
# Specify parameter profile av1 for the email action.
[Sysname] anti-virus email parameter-profile av1
Related commands
inspect email parameter-profile
inspect logging parameter-profile
inspect redirect parameter-profile
Use anti-virus signature auto-update to enable automatic virus signature library update and enter automatic virus signature library update configuration view.
Use undo anti-virus signature auto-update to disable automatic virus signature library update.
Syntax
anti-virus signature auto-update
undo anti-virus signature auto-update
Default
Automatic virus signature library update is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
To automatically update the virus signature library, make sure the device can access the H3C website.
Examples
# Enable automatic virus signature library update and enter automatic virus signature library update configuration view.
<Sysname> system-view
[Sysname] anti-virus signature auto-update
[Sysname-anti-virus-autoupdate]
Related commands
update schedule
Use anti-virus signature auto-update-now to manually trigger an automatic signature library update.
Syntax
anti-virus signature auto-update-now
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
After you execute this command, the device immediately starts the automatic signature library update process whether automatic signature library update is enabled or not. The device automatically backs up the current signature library before overwriting it.
You can execute this command anytime you find a new version of signature library on the H3C website.
Examples
# Manually trigger an automatic signature library update.
[Sysname] anti-virus signature auto-update-now
Use anti-virus signature rollback to roll back the virus signature library.
Syntax
anti-virus signature rollback { factory | last }
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
factory: Rolls back the virus signature library to the factory default version.
last: Rolls back the virus signature library to the previous version.
Usage guidelines
If a virus signature library update causes abnormal situations or a high false alarm rate, you can roll back the virus signature library.
Before performing a virus signature library rollback, the device backs up the current virus signature library as the previous version. For example, the previous version is V1 and the current version is V2. If you perform a rollback to the previous version, version V1 becomes the current version and version V2 becomes the previous version. If you perform a rollback to the previous version again, version V2 becomes the current version and version V1 becomes the previous version.
Examples
# Roll back the virus signature library to the previous version.
[Sysname] anti-virus signature rollback last
Use anti-virus signature update to manually update the virus signature library.
Syntax
anti-virus signature update file-path
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
file-path: Specifies the virus signature file path, a string of 1 to 255 characters.
Usage guidelines
If the device cannot access the H3C website, use one of the following methods to manually update the virus signature library:
· Local update—Updates the virus signature library by using the locally stored virus signature file.
Store the update file on the global active MPU for successful signature library update.
The following table describes the format of the file-path argument for different update scenarios.
Update scenario | Format of file-path | Remarks
The signature file is stored in the current working directory. | filename | To display the current working directory, use the pwd command. For information about the pwd command, see file system management in Fundamentals Command Reference.
The signature file is stored in a different directory on the same storage medium. | filename | Before updating the signature library, you must first use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.
The signature file is stored on a different storage medium. | path/filename | Before updating the signature library, you must first use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.
· FTP/TFTP update—Updates the virus signature library by using the virus signature file stored on an FTP or TFTP server.
The following table describes the format of the file-path argument for different update scenarios.
Update scenario | Format of file-path | Remarks
The signature file is stored on an FTP server. | ftp://username:password@server/filename | The username argument represents the FTP login username. The password argument represents the FTP login password. The server argument represents the IP address or host name of the FTP server. If a colon (:), at sign (@), or forward slash (/) exists in the username or password, you must convert it into its escape characters. The escape characters are %3A or %3a for a colon, %40 for an at sign, and %2F or %2f for a forward slash.
The signature file is stored on a TFTP server. | tftp://server/filename | The server argument represents the IP address or host name of the TFTP server.
NOTE: To update the signature library successfully, make sure the device and the FTP or TFTP server can reach each other. If you specify the FTP or TFTP server by its host name, you must also make sure the device can resolve the host name into an IP address through static or dynamic DNS. For more information about DNS, see Layer 3—IP Services Configuration Guide.
Examples
# Manually update the virus signature library by using a virus signature file stored on a TFTP server.
<Sysname> system-view
[Sysname] anti-virus signature update tftp://192.168.0.10/av-1.0.2-en.dat
# Manually update the virus signature library by using a virus signature file stored on an FTP server. The FTP login username and password are user:123 and user@abc/123, respectively.
<Sysname> system-view
[Sysname] anti-virus signature update ftp://user%3A123:user%40abc%2F123@192.168.0.10/av-1.0.2-en.dat
# Manually update the virus signature library by using a virus signature file stored on the device. The file path is cfa0:/av-1.0.23-en.dat. The current working directory is cfa0:.
<Sysname> system-view
[Sysname] anti-virus signature update av-1.0.23-en.dat
# Manually update the virus signature library by using a virus signature file stored on the device. The file path is cfa0:/dpi/av-1.0.23-en.dat. The current working directory is cfa0:.
<Sysname> cd dpi
<Sysname> system-view
[Sysname] anti-virus signature update av-1.0.23-en.dat
# Manually update the virus signature library by using a virus signature file stored on the device. The file path is cfb0:/dpi/av-1.0.23-en.dat. The current working directory is cfa0:.
<Sysname> cd cfb0:/
<Sysname> system-view
[Sysname] anti-virus signature update dpi/av-1.0.23-en.dat
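The following session is an added example and is not part of the original command reference. It strings the library maintenance commands described above into one workflow: inspect the installed versions, update from an FTP server with escaped credentials, verify the result, and roll back if the new library misbehaves. The FTP username "av:ops", password "p@ss/word" and file name are assumed values; the server address 192.168.0.10 is reused from the examples above, and the "#" lines are explanatory, as elsewhere on this page.

```comware
# Record which versions the device holds before touching anything (Current, Last, Factory).
<Sysname> display anti-virus signature information
# Update from an FTP server. The assumed username "av:ops" and password "p@ss/word"
# contain ":", "@" and "/", so they must be written as %3A, %40 and %2F in the URL.
<Sysname> system-view
[Sysname] anti-virus signature update ftp://av%3Aops:p%40ss%2Fword@192.168.0.10/av-1.0.2-en.dat
# Confirm that the Current version changed, that the outgoing version is now listed as Last,
# and that no signatures failed to deploy to the DPI engine ("failed:" should be 0).
[Sysname] display anti-virus signature information
[Sysname] display anti-virus signature
# If the new library causes a high false alarm rate, return to the previous version.
# The device saves the outgoing library as Last, so running "rollback last" a second time
# re-applies the update rather than going further back.
[Sysname] anti-virus signature rollback last
[Sysname] display anti-virus signature information
# Last resort when both Current and Last are unusable: the factory default library.
[Sysname] anti-virus signature rollback factory
```

Check the displayed SigVersion and ReleaseTime after each step rather than trusting the command's exit: the rollback commands swap versions silently, and a second "rollback last" undoes the first.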
Use description to configure a description for an anti-virus policy.
Use undo description to restore the default.
Syntax
description text
undo description
Default
An anti-virus policy does not have a description.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 255 characters. The description can contain spaces.
Usage guidelines
A description can identify an anti-virus policy or provide details about an anti-virus policy. Policies with descriptions can be easily maintained.
Examples
# Configure "RD Department anti-virus policy" as the description of anti-virus policy abc.
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] description "RD Department anti-virus policy"
Use display anti-virus signature to display virus signature information.
Syntax
display anti-virus signature [ [ signature-id ] [ severity { critical | high | low | medium } ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
signature-id: Specifies a signature by its ID in the range of 1 to 4294967294. If you do not specify a signature ID, this command displays the total number of virus signatures in the virus signature library.
severity: Specifies a severity level of virus signatures.
critical: Specifies the critical severity level.
high: Specifies the high severity level.
low: Specifies the low severity level.
medium: Specifies the medium severity level.
Usage guidelines
You can use this command to display the severity level of virus signatures, which helps you choose the level to configure with the signature severity enable command.
Examples
# Display information about virus signature 10000001.
<Sysname> display anti-virus signature 10000001
Signature ID: 10000001
Name : Trojan [Downloader].VBS.Agent
Severity : Medium
Table 1 Command output
Field | Description
Signature ID | ID of the virus signature.
Name | Name of the virus signature.
Severity | Severity level of the virus signature: Low, Medium, High, or Critical.
# Display the total number of virus signatures and the number of virus signatures that failed to be deployed from the virus signature library to the DPI engine.
<Sysname> display anti-virus signature
Total count:9206
failed:0
Use display anti-virus signature family-info to display virus signature family information.
Syntax
display anti-virus signature family-info
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Examples
# Display virus signature family information.
<Sysname> display anti-virus signature family-info
Total count: 6373
Family ID Family name
1 Virus.Win32.Virut.ce
2 Trojan.Win32.SGeneric
3 Virus.Win32.Nimnul.a
4 Virus.Win32.Virlock.j
Table 2 Command output
Field | Description
Total count | Total number of virus signature families.
Family ID | ID of the virus signature family.
Family name | Name of the virus signature family.
Use display anti-virus signature information to display virus signature library information.
Syntax
display anti-virus signature information
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Examples
# Display virus signature library information.
<Sysname> display anti-virus signature information
Anti-Virus signature library information:
Type SigVersion ReleaseTime Size
Current 1.0.9 Wed Apr 22 09:51:13 2015 976432
Last - - -
Factory 1.0.0 Fri Dec 31 16:00:00 1999 20016
Table 3 Command output
Field | Description
Type | Version type of the virus signature library: · Current—Current version. · Last—Previous version. · Factory—Factory default version.
SigVersion | Version number of the virus signature library.
ReleaseTime | Release time of the virus signature library.
Size | Size of the virus signature library in bytes.
Use display anti-virus statistics to display anti-virus statistics.
Syntax
display anti-virus statistics [ policy policy-name ] [ chassis chassis-number slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
policy policy-name: Specifies an anti-virus policy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an anti-virus policy, this command displays anti-virus statistics for all anti-virus policies.
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays anti-virus statistics for all cards.
Examples
# Display anti-virus statistics.
<Sysname> display anti-virus statistics
Slot 2 in chassis 1:
Total Block: 0
Total Redirect: 0
Total Alert: 0
Type http ftp smtp pop3 imap smb nfs
Block 0 0 0 0 0 0 0
Redirect 0 0 0 0 0 0 0
Alert+Permit 0 0 0 0 0 0 0
Table 4 Command output
Field | Description
Total Block | Total number of times that the block action is taken.
Total Redirect | Total number of times that the redirect action is taken.
Total Alert | Total number of times that the alert action is taken.
Type | Action type: · Block—Blocks and logs matching packets. · Redirect—Redirects matching HTTP connections to a URL and generates logs. · Alert+Permit—Permits and logs matching packets.
http | Number of times that the action is taken on HTTP packets.
ftp | Number of times that the action is taken on FTP packets.
smtp | Number of times that the action is taken on SMTP packets.
pop3 | Number of times that the action is taken on POP3 packets.
imap | Number of times that the action is taken on IMAP packets.
smb | Number of times that the action is taken on SMB packets.
nfs | Number of times that the action is taken on NFS packets.
Use exception application to set an application as an application exception and specify an anti-virus action for the application exception.
Use undo exception application to remove an application exception or all application exceptions.
Syntax
exception application application-name action { alert | block | permit }
undo exception application { application-name | all }
Default
No application exceptions exist.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
Parameters
application-name: Specifies the application name.
action: Specifies an action for the application exception.
all: Specifies all application exceptions.
alert: Permits and logs matching packets.
block: Blocks and logs matching packets.
permit: Permits matching packets.
Usage guidelines
By default, an anti-virus action is protocol specific and applies to all applications carried by the protocol. To take a different action on an application, you can set the application as an exception and specify a different anti-virus action for the application. Application exceptions use application-specific actions and the other applications use protocol-specific actions. For example, the anti-virus action for HTTP is alert. To block the games carried by HTTP, you can set the games as application exceptions and specify the block action for them.
Examples
# Set the 163Email application as an application exception. Specify alert as the anti-virus action for the application exception.
<Sysname> system-view
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] exception application 163Email action alert
Use exception signature to set a signature as a signature exception.
Use undo exception signature to remove a signature exception or all signature exceptions.
Syntax
exception signature signature-id
undo exception signature { signature-id | all }
Default
No signature exceptions exist.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
Parameters
signature-id: Specifies the signature ID in the range of 1 to 4294967294.
all: Specifies all signature exceptions.
Usage guidelines
If a virus proves to be a false alarm, you can set the virus signature as a signature exception. Packets matching the signature exception are permitted to pass.
Examples
# Set virus signature 101000 as a signature exception.
<Sysname> system-view
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] exception signature 101000
Related commands
display anti-virus signature
Use inspect to configure anti-virus for an application layer protocol.
Use undo inspect to cancel anti-virus for an application layer protocol.
Syntax
inspect { ftp | http | imap | nfs | pop3 | smb | smtp } [ direction { both | download | upload } ] [ action { alert | block | redirect } ]
undo inspect { ftp | http | imap | nfs | pop3 | smb | smtp }
Default
The device performs virus detection on the following packets:
· Upload and download packets for FTP, HTTP, SMB, NFS, and IMAP.
· Download packets for POP3.
· Upload packets for SMTP.
The anti-virus action for FTP, HTTP, NFS, and SMB is block and for IMAP, SMTP, and POP3 is alert.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
Parameters
ftp: Specifies the FTP protocol.
http: Specifies the HTTP protocol.
imap: Specifies the IMAP protocol.
nfs: Specifies the NFS protocol. Only NFSv3 is supported.
pop3: Specifies the POP3 protocol.
smb: Specifies the SMB protocol. Only SMBv1 and SMBv2 are supported.
smtp: Specifies the SMTP protocol.
direction: Specifies the anti-virus detection direction.
both: Specifies the upload and download directions.
download: Specifies the download direction.
upload: Specifies the upload direction.
action: Specifies an anti-virus action.
alert: Permits and logs matching packets.
block: Blocks and logs matching packets.
redirect: Redirects matching HTTP connections to a URL and generates logs. This keyword applies only to upload connections.
Usage guidelines
After you configure this command, the device performs virus detection on packets from the specified direction for the specified protocol. If viruses are detected, the device takes the specified action on the virus packets.
Connections of the protocols that anti-virus supports are all initiated by clients. For connections to be established successfully and anti-virus to function correctly, make sure the security zone or the zone pair is correctly configured. The security zone that the clients reside in must be the source security zone and the security zone that the servers reside in must be the destination security zone.
POP3 only supports download and SMTP only supports upload. You cannot specify the direction for POP3 and SMTP.
The anti-virus action for IMAP can only be alert.
Examples
# Configure anti-virus for HTTP. Specify the direction as download and the anti-virus action as alert.
<Sysname> system-view
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] inspect http direction download action alert
# Cancel anti-virus for HTTP.
<Sysname> system-view
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] undo inspect http
Use signature severity enable to enable the virus signatures at and above a severity level.
Use undo signature severity enable to restore the default.
Syntax
signature severity { critical | high | medium } enable
undo signature severity enable
Default
Virus signatures of all severity levels are enabled.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
Parameters
critical: Specifies the critical severity level.
high: Specifies the high severity level.
medium: Specifies the medium severity level.
Usage guidelines
After you configure this command, only the virus signatures at and above the specified severity level take effect.
Examples
# Enable the virus signatures at and above the high level.
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] signature severity high enable
Use update schedule to schedule the automatic virus signature library update.
Use undo update schedule to restore the default.
Syntax
update schedule { daily | weekly { mon | tue | wed | thu | fri | sat | sun } } start-time time tingle minutes
undo update schedule
Default
The device starts updating the virus signature library at a random time between 02:01:00 and 04:01:00 every day.
Views
Automatic virus signature library update configuration view
Predefined user roles
network-admin
context-admin
Parameters
daily: Updates the virus signature library every day.
weekly: Updates the virus signature library every week.
mon: Updates the virus signature library every Monday.
tue: Updates the virus signature library every Tuesday.
wed: Updates the virus signature library every Wednesday.
thu: Updates the virus signature library every Thursday.
fri: Updates the virus signature library every Friday.
sat: Updates the virus signature library every Saturday.
sun: Updates the virus signature library every Sunday.
start-time time: Specifies the start time in the hh:mm:ss format. The value range is 00:00:00 to 23:59:59.
tingle minutes: Specifies the tolerance time in minutes. The value range is 0 to 120. An automatic library update will occur at a random time between the following time points:
· Start time minus half the tolerance time.
· Start time plus half the tolerance time.
Examples
# Configure the device to automatically update the virus signature library every Monday at a random time between 20:25:00 and 20:35:00.
<Sysname> system-view
[Sysname] anti-virus signature auto-update
[Sysname-anti-virus-autoupdate] update schedule weekly mon start-time 20:30:00 tingle 10
Related commands
anti-virus signature auto-update
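The following session is an added end-to-end example and is not part of the original command reference. It combines the policy, exception, application-profile and scheduling commands documented on this page into one deployment: a user-defined policy with per-protocol inspection, severity filtering and exceptions, applied to a DPI application profile first in alert mode and then in protect mode, plus a scheduled library update and a verification command. The policy name av-rd, the profile name sec, the application 163Email, the signature ID 101000 and the schedule values are assumed; the "#" lines are explanatory, as elsewhere on this page.

```comware
<Sysname> system-view
# 1. Create a user-defined policy (the default policy cannot be modified).
[Sysname] anti-virus policy av-rd
[Sysname-anti-virus-policy-av-rd] description "RD Department anti-virus policy"
# 2. Block infected transfers in both directions over HTTP and FTP. Mail protocols stay on
#    alert: IMAP supports only alert, and POP3/SMTP accept no direction keyword.
[Sysname-anti-virus-policy-av-rd] inspect http direction both action block
[Sysname-anti-virus-policy-av-rd] inspect ftp direction both action block
[Sysname-anti-virus-policy-av-rd] inspect smtp action alert
[Sysname-anti-virus-policy-av-rd] inspect pop3 action alert
[Sysname-anti-virus-policy-av-rd] inspect imap action alert
# 3. Only medium, high and critical signatures take effect; low-severity ones are ignored.
[Sysname-anti-virus-policy-av-rd] signature severity medium enable
# 4. Exceptions: one application that overrides the protocol-level HTTP block with alert,
#    and one signature (assumed ID) confirmed as a false alarm, whose matches are permitted.
[Sysname-anti-virus-policy-av-rd] exception application 163Email action alert
[Sysname-anti-virus-policy-av-rd] exception signature 101000
[Sysname-anti-virus-policy-av-rd] quit
# 5. Apply the policy in alert mode first so that matches are only logged. Once the logs show
#    no unexpected matches, re-run the command with protect; the later command replaces the
#    earlier mode because a profile holds only one anti-virus policy.
[Sysname] app-profile sec
[Sysname-app-profile-sec] anti-virus apply policy av-rd mode alert
[Sysname-app-profile-sec] anti-virus apply policy av-rd mode protect
[Sysname-app-profile-sec] quit
# 6. Keep the library current: daily update at a random time between 02:45:00 and 03:15:00
#    (start time 03:00:00 plus or minus half of the 30-minute tolerance).
[Sysname] anti-virus signature auto-update
[Sysname-anti-virus-autoupdate] update schedule daily start-time 03:00:00 tingle 30
[Sysname-anti-virus-autoupdate] quit
# 7. Verify: the per-policy counters show which protocols trigger block, redirect or alert.
[Sysname] display anti-virus statistics policy av-rd
```

Staging the policy in alert mode before protect mode is the safest way to find exceptions that are still missing: the Alert+Permit counters in the statistics output grow without any traffic being dropped, and each unexpected hit can be handled with exception application or exception signature before the mode is switched.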