H3C SecPath Security Products FAQ(V7)-6W100


09-Anti-virus FAQ

Anti-virus FAQ

Q.     How does anti-virus work?

A.     Anti-virus uses the deep packet inspection (DPI) technology to perform protocol analysis, signature search, and content extraction on the payloads of incoming packets. It then takes alert, block, or redirect action on matching packets according to the configured anti-virus policy. Anti-virus collaborates with the DPI engine. To use anti-virus, you need to create a DPI application profile that uses an anti-virus policy and apply the application profile to an interzone policy. You can create a custom anti-virus policy or use the predefined anti-virus policy named default.

Q.     What types of packets can anti-virus detect?

A.     The anti-virus feature provided by H3C currently supports detecting packets transmitted by protocols such as FTP, HTTP, IMAP, POP3, SMTP, and NFS. Anti-virus inspects the following content:

·     The body part of an HTTP packet.

·     The content of a file transmitted through FTP.

·     The body and attachment parts of an email transmitted through IMAP, POP3, or SMTP.

·     NFSv3 packets.

Q.     Why does an anti-virus policy applied to an interzone policy not match any packets?

A.     The possible causes are as follows:

·     The device does not have the required license. Devices without licenses cannot match virus packets.

·     The packet matching rules in the anti-virus policy have not been deployed to the DPI engine kernel. If no packet matching rules exist when the device receives virus packets, no virus packets will be matched.

Q.     What's the matching order of virus exceptions and application exceptions in an anti-virus policy?

A.     The device performs virus exception matching before application exception matching for a packet. If the packet matches a virus exception, the device takes the corresponding virus exception action. If no matching virus exception is found, the device matches the packet against application exceptions. If the packet matches an application exception, the device takes the corresponding application exception action. If no matching application exception is found, the device takes the action configured for the anti-virus policy.

Q.     Why are anti-virus matching statistics found on the DPI engine even if the interzone policy has no anti-virus policy?

A.     If the interzone policy applies no application profile, no matching statistics will be found in the anti-virus service statistics. However, as long as an application profile that applies an anti-virus policy exists in the configuration, the anti-virus policy rules will take effect on the DPI engine. Thus, anti-virus matching statistics will be found on the DPI engine.

Q.     Why is the detection direction (download or upload) in the anti-virus matching statistics different from that in the DPI engine matching statistics?

A.     If you specify only one detection direction (download or upload) for anti-virus, the device performs virus detection only on packets from the specified direction. However, the DPI engine performs detection on packets from both directions and collects statistics globally. Thus, the detection directions in the two types of statistics are different.
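The following is an added illustrative model, not H3C code, of the two rules described above: the matching order (virus exception, then application exception, then the policy action) and the detection direction filter. Signature IDs, application names, the "permit" exception action, and the sample policy are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AntiVirusPolicy:
    """Constructed model of an anti-virus policy (not the device's data model)."""
    default_action: str                  # alert, block, or redirect
    direction: str = "both"              # "download", "upload", or "both"
    virus_exceptions: dict = field(default_factory=dict)  # signature ID -> action
    app_exceptions: dict = field(default_factory=dict)    # application -> action


@dataclass
class Packet:
    direction: str            # "download" or "upload"
    app: str                  # protocol/application, e.g. "HTTP"
    virus_id: Optional[int]   # matched virus signature ID, None if clean


def evaluate(policy: AntiVirusPolicy, pkt: Packet):
    """Return (action, reason) in the FAQ's matching order.

    A packet in a direction the policy does not inspect is never examined,
    which is why anti-virus statistics count only one direction while the
    DPI engine counts both.
    """
    if pkt.virus_id is None:
        return ("permit", "clean")
    if policy.direction != "both" and pkt.direction != policy.direction:
        return ("permit", "direction-not-inspected")
    # 1. Virus exceptions are checked first.
    if pkt.virus_id in policy.virus_exceptions:
        return (policy.virus_exceptions[pkt.virus_id], "virus-exception")
    # 2. Application exceptions are checked only if no virus exception matched.
    if pkt.app in policy.app_exceptions:
        return (policy.app_exceptions[pkt.app], "application-exception")
    # 3. Otherwise the policy's own action applies.
    return (policy.default_action, "policy-action")


# Constructed sample policy: block by default, inspect downloads only,
# permit signature 1001, and only alert on FTP.
SAMPLE_POLICY = AntiVirusPolicy(
    default_action="block",
    direction="download",
    virus_exceptions={1001: "permit"},
    app_exceptions={"FTP": "alert"},
)
```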

Q.     Why are no traffic logs or threat logs generated even if the device receives a large number of packets?

A.     Possible causes are as follows:

·     The ntopd process is abnormal.

·     The log storage space of the device is full.

·     The memory threshold of the device is reached.

Q.     Can anti-virus recognize packets in a dual-active network?

A.     Anti-virus can recognize packets if you enable support for dual-active mode and configure the corresponding RBM settings on both the uplink and downlink switches of the devices. In dual-active mode, asymmetric traffic is sent to the same device through the RBM tunnel. This ensures that DPI processing for a flow is performed on the same device and therefore preserves the recognition rate. However, because the traffic is sent through the RBM tunnel, traffic forwarding is limited by the bandwidth of the RBM tunnel interfaces.

Q.     Why does a device that supports MD5 inspection fail to block packets after the MD5 virus signature library is updated?

A.     The causes are as follows:

·     You have not enabled MD5 hash-based virus inspection for all files. Before the device performs MD5 inspection, you must execute the inspect md5-verify all-files command to enable MD5 hash-based virus inspection for all files.

·     Currently, the device supports performing MD5 hashing only on executable files, Microsoft Office files, and compressed files.

Q.     When should I enable MD5 value-based anti-virus cloud query? How do I know whether the cloud query feature is enabled and working?

A.     When the signature library on the device is small or cannot identify viruses, you can enable MD5 value-based anti-virus cloud query. To view whether cloud query is enabled, execute the display anti-virus cache command and check the Cloud-query state field in the output. If matching records are displayed in the display anti-virus cache command output, the cloud server has processed packets.
