Login
- Table of Contents
-
- 04-DPI Command Reference
- 00-Preface
- 01-DPI engine commands
- 02-IPS commands
- 03-URL filtering commands
- 04-Data filtering commands
- 05-File filtering commands
- 06-Anti-virus commands
- 07-Data analysis center commands
- 08-WAF commands
- 09-Proxy policy commands
- 10-IP reputation commands
- 11-Domain reputation commands
- 12-APT defense commands
- 13-DLP commands
- 14-Content moderation commands
- 15-Network asset scan commands
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 06-Anti-virus commands | 194.42 KB |
Contents
anti-virus signature auto-update
anti-virus signature auto-update-now
display anti-virus signature family-info
display anti-virus signature library
Anti-virus commands
The following compatibility matrix shows the support of hardware platforms for anti-virus:
|
Hardware platform |
Module type |
Anti-virus compatibility |
|
M9006 M9010 M9014 |
Blade IV firewall module |
Yes |
|
Blade V firewall module |
Yes |
|
|
NAT module |
No |
|
|
M9010-GM |
Encryption module |
Yes |
|
M9016-V |
Blade V firewall module |
Yes |
|
M9008-S M9012-S |
Blade IV firewall module |
Yes |
|
Intrusion prevention service (IPS) module |
Yes |
|
|
Video network gateway module |
Yes |
|
|
M9008-S-V |
Blade IV firewall module |
Yes |
|
M9000-AI-E4 M9000-AI-E8 M9000-AI-E16 |
Blade V firewall module |
Yes |
|
M9000-AK001 |
Blade V firewall module |
Yes |
|
M9000-X06 M9000-X06-B M9000-X06-B-G M9000-X06-G M9000-X10 |
Blade VI firewall module |
Yes |
|
M9000-AI-X06 M9000-AI-X10 |
Blade VI firewall module |
Yes |
Non-default vSystems do not support some of the anti-virus commands. For information about vSystem support for a command, see the usage guidelines on that command. For information about vSystem, see Virtual Technologies Configuration Guide.
anti-virus apply policy
Use anti-virus apply policy to apply an anti-virus policy to a DPI application profile.
Use undo anti-virus apply policy to remove the application.
Syntax
anti-virus apply policy policy-name mode { alert | protect }
undo anti-virus apply policy
Default
No anti-virus policy is applied to a DPI application profile.
Views
DPI application profile view
Predefined user roles
network-admin
context-admin
vsys-admin
vsys-operator
Parameters
policy-name: Specifies an anti-virus policy by its name, a case-insensitive string of 1 to 63 characters.
mode: Specifies an anti-virus policy mode.
alert: Only logs matching packets.
protect: Takes the action specified in the anti-virus policy on matching packets.
Usage guidelines
An anti-virus policy takes effect only after it is applied to a DPI application profile. You can apply only one anti-virus policy to a DPI application profile. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Apply anti-virus policy abc to DPI application profile sec. Set the anti-virus policy mode to protect.
[Sysname] app-profile sec
[Sysname-app-profile-sec] anti-virus apply policy abc mode protect
anti-virus cache min-time
Use anti-virus cache min-time to set the minimum cache period for an anti-virus MD5 entry.
Use undo anti-virus cache min-time to restore the default.
Syntax
anti-virus cache min-time value
undo anti-virus cache min-time
Default
The minimum cache period of an anti-virus MD5 entry is 10 minutes.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
value: Specifies the minimum cache period in minutes. The value range is 10 to 720.
Usage guidelines
Non-default vSystems do not support this command.
When anti-virus cloud query is required, the device performs the following tasks:
1. Creates an MD5 entry in the cache.
2. Submits the MD5 value to the cloud server.
3. Updates the cached MD5 entry with the returned cloud query result.
Setting the minimum cache period for anti-virus MD5 entries ensures that the cached entries will not be overwritten by new entries during the specified period of time.
When the anti-virus cache is full, the system identifies the cache period of the oldest MD5 entry to determine whether to overwrite it with a new entry that requires cloud query:
· If the cache period of the entry is equal to or shorter than the minimum cache period, the system does not delete the entry. The new entry is not cached and cloud query will not be performed.
· If the cache period of the entry is longer than the minimum cache period, the system overwrites it with the new entry and submits the new entry to the cloud server.
After the anti-virus cache size command sets a smaller cache size, the system will delete the exceeding oldest entries immediately without checking their minimum cache periods.
Examples
# Set the minimum cache period for an anti-virus MD5 entry to 36 minutes.
<Sysname> system-view
[Sysname] anti-virus cache min-time 36
Related commands
anti-virus cache size
anti-virus cache size
Use anti-virus cache size to set the anti-virus cache size.
Use undo anti-virus cache size to restore the default.
Syntax
anti-virus cache size cache-size
undo anti-virus cache size
Default
The anti-virus cache can cache a maximum of 100000 entries.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
cache-size: Specifies the cache size in the range of 100000 to 200000.
Usage guidelines
Non-default vSystems do not support this command.
The device caches the anti-virus query result returned from the cloud server for subsequent virus inspection. The query result identifies whether or not the MD5 value submitted for cloud query is a virus.
If you set a smaller anti-virus cache size, the system will delete the existing oldest entries without checking their minimum cache periods.
Examples
# Set the anti-virus cache size to 20000.
<Sysname> system-view
[Sysname] anti-virus cache size 200000
Related commands
anti-virus cache min-time
anti-virus parameter-profile
Use anti-virus parameter-profile to specify a parameter profile for an anti-virus action.
Use undo anti-virus parameter-profile to remove the parameter profile specified for an anti-virus action.
Syntax
anti-virus { email | logging | redirect } parameter-profile profile-name
undo anti-virus { email | logging | redirect } parameter-profile
Default
No parameter profile is specified for an anti-virus action.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
email: Specifies the email action.
logging: Specifies the logging action.
redirect: Specifies the redirect action.
parameter-profile profile-name: Specifies a parameter profile by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
Before you can specify a parameter profile for an anti-virus action, configure the parameter profile in the DPI engine. For more information, see DPI engine configuration in DPI Configuration Guide.
A parameter profile defines the parameters for executing an action. For example, you can configure parameters such as the email server address and email recipients in the email parameter profile, and then apply the profile to the email action.
If no parameter profile is specified for an anti-virus action, or if the specified parameter profile does not exist, the default parameter settings of the action are used.
Examples
# Create an email parameter profile named av1 and specify a plaintext login password (abc123) in the parameter profile.
<Sysname> system-view
[Sysname] inspect email parameter-profile av1
[Sysname-inspect-email-av1] password simple abc123
[Sysname-inspect-logging-av1] quit
# Specify parameter profile av1 for the email action.
[Sysname] anti-virus email parameter-profile av1
Related commands
inspect email parameter-profile
inspect logging parameter-profile
inspect redirect parameter-profile
anti-virus policy
Use anti-virus policy to create an anti-virus policy and enter its view, or enter the view of an existing anti-virus policy.
Use undo anti-virus policy to delete an anti-virus policy.
Syntax
anti-virus policy policy-name
undo anti-virus policy policy-name
Default
An anti-virus policy named default exists.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
policy-name: Specifies the anti-virus policy name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
All virus signatures in the virus signature library are available for an anti-virus policy, whether the policy is the default policy or a user-defined policy.
The default anti-virus policy cannot be modified or deleted.
Examples
# Create anti-virus policy abc and enter its view.
<Sysname> system-view
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc]
anti-virus signature auto-update
Use anti-virus signature auto-update to enable automatic virus signature library update and enter automatic virus signature library update configuration view.
Use undo anti-virus signature auto-update to disable automatic virus signature library update.
Syntax
anti-virus signature auto-update
undo anti-virus signature auto-update
Default
Automatic virus signature library update is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
To automatically update the virus signature library, make sure the device can access the H3C website.
Examples
# Enable automatic virus signature library update and enter automatic virus signature library update configuration view.
<Sysname> system-view
[Sysname] anti-virus signature auto-update
[Sysname-anti-virus-autoupdate]
Related commands
update schedule
anti-virus signature auto-update-now
Use anti-virus signature auto-update-now to manually trigger an automatic signature library update.
Syntax
anti-virus signature auto-update-now
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
After you execute this command, the device immediately starts the automatic signature library update process whether automatic signature library update is enabled or not. The device automatically backs up the current signature library before overwriting it.
You can execute this command anytime you find a new version of signature library on the H3C website.
Examples
# Manually trigger an automatic signature library update.
[Sysname] anti-virus signature auto-update-now
anti-virus signature rollback
Use anti-virus signature rollback to roll back the virus signature library.
Syntax
anti-virus signature rollback { factory | last }
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
factory: Rolls back the virus signature library to the factory default version.
last: Rolls back the virus signature library to the previous version.
Usage guidelines
Non-default vSystems do not support this command.
If a virus signature library update causes abnormal situations or a high false alarm rate, you can roll back the virus signature library.
Before performing a virus signature library rollback, the device backs up the current virus signature library as the previous version. For example, the previous version is V1 and the current version is V2. If you perform a rollback to the previous version, version V1 becomes the current version and version V2 becomes the previous version. If you perform a rollback to the previous version again, version V2 becomes the current version and version V1 becomes the previous version.
Examples
# Roll back the virus signature library to the previous version.
[Sysname] anti-virus signature rollback last
anti-virus signature update
Use anti-virus signature update to manually update the virus signature library.
Syntax
anti-virus signature update file-path [ vpn-instance vpn-instance-name ] [ source { ip | ipv6 } { ip-address | interface interface-type interface-number } ]
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
file-path: Specifies the virus signature file path, a string of 1 to 255 characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the TFTP or FTP server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the TFTP or FTP server belongs to the public network.
source: Specifies a source IP address for packets sent to the TFTP or FTP server. If you do not specify this keyword, the IP address of the outgoing interface for packets sent to the TFTP or FTP server is used.
ip ip-address: Specifies a source IPv4 address for packets sent to the TFTP or FTP server.
ipv6 ip-address: Specifies a source IPv6 address for packets sent to the TFTP or FTP server.
interface interface-type interface-number: Specifies an interface by its type and number. The interface's primary IP address or the lowest IPv6 address will be used as the source IP address for packets sent to the TFTP or FTP server.
Usage guidelines
|
|
CAUTION: The H3C website provides different signature libraries for devices with different memory sizes and software versions. You must obtain the signature library that is suitable for your device. If your device has a small memory (8 GB or less) but you choose a signature library that is for a large memory (more than 8 GB), the signature update might result in device anomaly. |
Non-default vSystems do not support this command.
If the device cannot access the H3C website, use one of the following methods to manually update the virus signature library:
· Local update—Updates the virus signature library by using the locally stored virus signature file.
(In standalone mode.) Store the update file on the active MPU for successful signature library update.
(In IRF mode.) Store the update file on the global active MPU for successful signature library update.
The following table describes the format of the file-path argument for different update scenarios.
|
Update scenario |
Format of file-path |
Remarks |
|
The signature file is stored in the current working directory. |
filename |
To display the current working directory, use the pwd command. For information about the pwd command, see file system management in Fundamentals Command Reference. |
|
The signature file is stored in a different directory on the same storage medium. |
filename |
Before updating the signature library, you must first use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
|
The signature file is stored on a different storage medium. |
path/filename |
Before updating the signature library, you must first use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference. |
· FTP/TFTP update—Updates the virus signature library by using the virus signature file stored on an FTP or TFTP server.
The following table describes the format of the file-path argument for different update scenarios.
|
Update scenario |
Format of file-path |
Remarks |
|
The signature file is stored on an FTP server. |
ftp://username:password@server/filename |
The username argument represents the FTP login username. The password argument represents the FTP login password. The server argument represents the IP address or host name of the FTP server. If a colon (:), at sign (@), or forward slash (/) exists in the username or password, you must convert it into its escape characters. The escape characters are %3A or %3a for a colon, %40 for an at sign, and %2F or %2f for a forward slash. |
|
The signature file is stored on a TFTP server. |
tftp://server/filename |
The server argument represents the IP address or host name of the TFTP server. |
|
|
NOTE: To update the signature library successfully, make sure the device and the FTP or TFTP server can reach each other. If you specify the FTP or TFTP server by its host name, you must also make sure the device can resolve the host name into an IP address through static or dynamic DNS. For more information about DNS, see DNS configuration in Layer 3—IP Services Configuration Guide. |
In manual update of the virus signature library, you can configure the source keyword to specify the source IP address for packets sent to the TFTP or FTP server. For example, if the device-sent packets destined for the TFTP or FTP server must be translated by NAT, you must configure a source IP address that satisfies the NAT translation rules. If a separate NAT device is used in the network, make sure there is a route between the specified source IP address and the NAT device.
If you specify both the source and the vpn-instance keywords in the anti-virus signature update command, make sure the VPN instance to which the specified source IP address or interface belongs is the same as that specified by the vpn-instance keyword.
Examples
# Manually update the virus signature library by using a virus signature file stored on a TFTP server.
<Sysname> system-view
[Sysname] anti-virus signature update tftp://192.168.0.10/av-1.0.2-en.dat
# Manually update the virus signature library by using a virus signature file stored on an FTP server. The FTP login username and password are user:123 and user@abc/123, respectively.
<Sysname> system-view
[Sysname] anti-virus signature update ftp://user%3A123:user%40abc%[email protected]/av-1.0.2-en.dat
# Manually update the virus signature library by using a virus signature file stored on the device. The file is stored in directory cfa0:/av-1.0.23-en.dat. The current working directory is cfa0:.
<Sysname> system-view
[Sysname] anti-virus signature update av-1.0.23-en.dat
# Manually update the virus signature library by using a virus signature file stored on the device. The file is stored in directory cfa0:/dpi/av-1.0.23-en.dat. The current working directory is cfa0:.
<Sysname> cd dpi
<Sysname> system-view
[Sysname] anti-virus signature update av-1.0.23-en.dat
# Manually update the virus signature library by using a virus signature file stored on the device. The file is stored in directory cfb0:/dpi/av-1.0.23-en.dat. The current working directory is the cfa0:.
<Sysname> cd cfb0:/
<Sysname> system-view
[Sysname] anti-virus signature update dpi/av-1.0.23-en.dat
cloud-query enable
Use cloud-query enable to enable MD5 value-based anti-virus cloud query.
Use undo cloud-query enable to disable MD5 value-based anti-virus cloud query.
Syntax
cloud-query enable
undo cloud-query enable
Default
MD5 value-based anti-virus cloud query is disabled.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
You can enable cloud query in an anti-virus policy. If the file in a flow does not match any rule in the local virus signature library, the device will send the MD5 value of the file to the cloud server for cloud query. The cloud server determines whether the MD5 value is a virus and returns the result to the device so appropriate action can be taken.
Examples
# Enable MD5 value-based anti-virus cloud query in anti-virus policy news.
<Sysname> system-view
[Sysname] anti-virus policy news
[Sysname-anti-virus-policy-news] cloud-query enable
description
Use description to configure a description for an anti-virus policy.
Use undo description to restore the default.
Syntax
description text
undo description
Default
An anti-virus policy does not have a description.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 255 characters. The description can contain spaces.
Usage guidelines
A description can identify an anti-virus policy or provide details about an anti-virus policy. Policies with descriptions can be easily maintained.
Examples
# Configure "RD Department anti-virus policy" as the description of anti-virus policy abc.
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] description "RD Department anti-virus policy"
display anti-virus cache
Use display anti-virus cache to display anti-virus cache information.
Syntax
In standalone mode:
display anti-virus cache [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display anti-virus cache [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays information for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays information for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Usage guidelines
Non-default vSystems do not support this command.
The anti-virus cache contains the anti-virus query results returned from the cloud server. For anti-virus to cache the cloud query results, cloud query must be enabled in a minimum of one anti-virus policy.
If the file in a flow does not match any rule in the local virus signature library, the device will send the MD5 value of the file to the cloud server for cloud query.
· If the MD5 value matches a virus rule, the result will be cached as an entry on the hit entry list.
· If the MD5 value does not match any virus rule or if it matches a non-virus rule, the result will be cached as an entry on the non-hit entry list.
Examples
# Display anti-virus cache information.
<Sysname> display anti-virus cache
Slot 1:
Anti-virus cache information:
Cloud-query state: Disabled
Total cached non-hit entries: 0
Total cached hit entries: 0
Non-hit list min update interval: 0 seconds
Non-hit list max update interval: 0 seconds
Hit list min update interval: 0 seconds
Hit list max update interval: 0 seconds
Last query message sent: 0 seconds ago
Last query result received: 0 seconds ago
Table 1 Command output
|
Field |
Description |
|
Cloud-query state |
Enabling state of the cloud query. |
|
Total cached non-hit entries |
Number of entries on the non-hit entry list. |
|
Total cached hit entries |
Number of entries on the hit entry list. |
|
Non-hit list min update interval |
Time elapsed since the last update on the non-hit entry list, in seconds. |
|
Non-hit list max update interval |
Time elapsed since the first entry was created on the non-hit entry list, in seconds. |
|
Hit list min update interval |
Time elapsed since the last update on the hit entry list, in seconds. |
|
Hit list max update interval |
Time elapsed since the first entry was created on the hit entry list, in seconds. |
|
Last query message sent |
Time elapsed since the last query request was sent, in seconds. |
|
Last query result received |
Time elapsed since the last query result was received, in seconds. |
Related commands
cloud-query enable
display anti-virus signature
Use display anti-virus signature to display virus signature information.
Syntax
display anti-virus signature [ [ signature-id ] | [ severity { critical | high | low | medium } ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
signature-id: Specifies a signature by its ID in the range of 1 to 4294967294. If you do not specify a signature ID, this command displays the total number of virus signatures in the virus signature library.
severity: Specifies a severity level of virus signatures.
critical: Specifies the critical severity level.
high: Specifies the high severity level.
low: Specifies the low severity level.
medium: Specifies the medium severity level.
Usage guidelines
You can use this command to display the severity level of virus signatures for a better use of the signature severity enable command.
Examples
# Display information about virus signature 10000001.
<Sysname> display anti-virus signature 10000001
Signature ID: 10000001
Name : Trojan [Downloader].VBS.Agent
Severity : Medium
Table 2 Command output
|
Field |
Description |
|
Signature ID |
ID of the virus signature. |
|
Name |
Name of the virus signature. |
|
Severity |
Severity level of the virus signature: Low, Medium, High, or Critical. |
# Display the total number of virus signatures and the number of virus signatures failed to be deployed from the virus signature library to the DPI engine.
<Sysname> display anti-virus signature
Total count:9206
failed:0
display anti-virus signature family-info
Use display anti-virus signature family-info to display virus signature family information.
Syntax
display anti-virus signature family-info
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Examples
# Display virus signature family information.
<Sysname> display anti-virus signature family-info
Total count: 6373
Family ID Family name
1 Virus.Win32.Virut.ce
2 Trojan.Win32.SGeneric
3 Virus.Win32.Nimnul.a
4 Virus.Win32.Virlock.j
Table 3 Command output
|
Field |
Description |
|
Total count |
Total number of virus signature families. |
|
Family ID |
ID of the virus signature family. |
|
Family name |
Name of the virus signature family. |
display anti-virus signature library
Use display anti-virus signature library to display virus signature library information.
Syntax
display anti-virus signature library
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Examples
# Display virus signature library information.
<Sysname> display anti-virus signature library
Anti-Virus signature library information:
Type SigVersion ReleaseTime Size
Current 1.0.9 Wed Apr 22 09:51:13 2015 976432
Last - - -
Factory 1.0.0 Fri Dec 31 16:00:00 1999 20016
Table 4 Command output
|
Field |
Description |
|
Type |
Version type of the virus signature library: · Current—Current version. · Last—Previous version. · Factory—Factory default version. |
|
SigVersion |
Version number of the virus signature library. |
|
ReleaseTime |
Release time of the virus signature library. |
|
Size |
Size of the virus signature library in bytes. |
display anti-virus statistics
Use display anti-virus statistics to display anti-virus statistics.
Syntax
In standalone mode:
display anti-virus statistics [ policy policy-name ] [ slot slot-number [ cpu cpu-number ] ]
In IRF mode:
display anti-virus statistics [ policy policy-name ] [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
policy policy-name: Specifies an anti-virus policy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an anti-virus policy, this command displays anti-virus statistics for all anti-virus policies.
slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays anti-virus statistics for all cards. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays anti-virus statistics for all cards. (In IRF mode.)
cpu cpu-number: Specifies a CPU by its number. This option is available only if multiple CPUs are available on the specified slot.
Examples
# (In standalone mode.) Display anti-virus statistics for slot 4.
<Sysname> display anti-virus statistics slot 4 cpu 1
CPU 1 on slot 4:
Total Block: 0
Total Redirect: 0
Total Alert: 0
Type http ftp smtp pop3 imap
Block 0 0 0 0 0
Redirect 0 0 0 0 0
Alert+Permit 0 0 0 0 0
Table 5 Command output
|
Field |
Description |
|
Total Block |
Total number of times that the block action is taken. |
|
Total Redirect |
Total number of times that the redirect action is taken. |
|
Total Alert |
Total number of times that the alert action is taken. |
|
Type |
Action type: · Block—Blocks and logs matching packets. · Redirect—Redirects matching HTTP connections to a URL and generates logs. · Alert+Permit—Permits and logs matching packets. |
|
http |
Number of times that the action is taken on HTTP packets. |
|
ftp |
Number of times that the action is taken on FTP packets. |
|
smtp |
Number of times that the action is taken on SMTP packets. |
|
pop3 |
Number of times that the action is taken on POP3 packets. |
|
imap |
Number of times that the action is taken on IMAP packets. |
exception application
Use exception application to set an application as an application exception and specify an anti-virus action for the application exception.
Use undo exception application to remove an application exception or all application exceptions.
Syntax
exception application application-name action { alert | block | permit }
undo exception application { application-name | all }
Default
No application exceptions exist.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
application-name: Specifies the application name.
action: Specifies an action for the application exception.
all: Specifies all application exceptions.
alert: Permits and logs matching packets.
block: Blocks and logs matching packets.
permit: Permits matching packets.
Usage guidelines
By default, an anti-virus action is protocol specific and applies to all applications carried by the protocol. To take a different action on an application, you can set the application as an exception and specify a different anti-virus action for the application. Application exceptions use application-specific actions and the other applications use protocol-specific actions. For example, the anti-virus action for HTTP is alert. To block the games carried by HTTP, you can set the games as application exceptions and specify the block action for them.
Examples
# Set the 163Email application as an application exception. Specify alert as the anti-virus action for the application exception.
<Sysname> system-view
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] exception application 163Email action alert
exception md5
Use exception md5 to set an MD5 value as an MD5 exception.
Use undo exception md5 to remove an MD5 exception or all MD5 exceptions.
Syntax
exception md5 md5-value
undo exception md5 { md5-value | all }
Default
No MD5 exceptions exist.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
md5-value: Specifies an MD5 value.
all: Specifies all MD5 exceptions.
Usage guidelines
If false positives occur for a virus, you can set the MD5 value of the virus as an MD5 exception. The device will permit subsequent packets matching the MD5 exception to pass.
You can get the MD5 value of the virus through the threat log.
Examples
# In anti-virus policy abc, set MD5 value 2b9c5137769b613f0ea11bd51c324afc as an MD5 exception.
<Sysname> system-view
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] exception md5 2b9c5137769b613f0ea11bd51c324afe
exception signature
Use exception signature to set a signature as a signature exception.
Use undo exception signature to remove a signature exception or all signature exceptions.
Syntax
exception signature signature-id
undo exception signature { signature-id | all }
Default
No signature exceptions exist.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
signature-id: Specifies the signature ID in the range of 1 to 4294967292.
all: Specifies all signature exceptions.
Usage guidelines
If a virus proves to be a false alarm, you can set the virus signature as a signature exception. Packets matching the signature exception are permitted to pass.
Examples
# Set virus signature 101000 as a signature exception.
<Sysname> system-view
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] exception signature 101000
Related commands
display anti-virus signature
inspect
Use inspect to configure anti-virus for an application layer protocol.
Use undo inspect to cancel anti-virus for an application layer protocol.
Syntax
inspect { ftp | http | imap | nfs | pop3 | smb | smtp } direction { both | download | upload } [ cache-file-size file-size ] action { alert | block | redirect }
undo inspect { ftp | http | imap | nfs | pop3 | smb | smtp }
Default
The device performs virus detection on the following packets:
· Upload and download packets for FTP, HTTP, SMB, NFS, and IMAP.
· Download packets for POP3.
· Upload packets for SMTP.
The anti-virus action for FTP, HTTP, NFS, and SMB is block and for IMAP, SMTP, and POP3 is alert.
The maximum size for the file that can be cached for inspection is 1 MB.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ftp: Specifies the FTP protocol.
http: Specifies the HTTP protocol.
imap: Specifies the IMAP protocol.
nfs: Specifies the NFS protocol. Only NFSv3 is supported.
pop3: Specifies the POP3 protocol.
smb: Specifies the SMB protocol. Only SMBv1 and SMBv2 are supported.
smtp: Specifies the SMTP protocol.
direction: Specifies the anti-virus detection direction. You cannot specify this keyword for POP3 and SMTP because POP3 supports only download and SMTP supports only upload.
both: Specifies the upload and download directions.
download: Specifies the download direction.
upload: Specifies the upload direction.
cache-file-size file-size: Specifies the size of a file that can be cached for inspection. The file size is in the range of 1 to 24 MB. Only the HTTP protocol supports this option. Non-default vSystems do not support this parameter.
action: Specifies an anti-virus action. The anti-virus action for IMAP can only be alert.
alert: Permits and logs matching packets.
block: Blocks and logs matching packets.
redirect: Redirects matching HTTP connections to a URL and generates logs. This keyword is applicable to only uploading connections.
Usage guidelines
After you configure this command, the device performs virus detection on packets from the specified direction for the specified protocol. If viruses are detected, the device takes the specified action on the virus packets.
The direction keyword is not available for the POP3 and SMTP protocols because the POP3 protocol supports only the download direction and the SMTP protocol supports only the upload direction.
With the HTTP protocol and the block action configured, in addition to blocking and logging matching packets, the device also supports displaying an alarm message on the client browser. A default message is predefined. To configure a user-defined alarm message, you can execute the import block warning-file command to import the message from a file. For more information about the warning file, see DPI engine configuration in DPI Configuration Guide.
Connections of the protocols that anti-virus supports are all initiated by clients. For connections to be established successfully and anti-virus to function correctly, make sure the security zone or the zone pair is correctly configured. The security zone that the clients reside in must be the source security zone and the security zone that the servers reside in must be the destination security zone.
Examples
# Configure anti-virus for HTTP. Specify the direction as download and the anti-virus action as alert.
<Sysname> system-view
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] inspect http direction download action alert
# Cancel anti-virus for HTTP.
<Sysname> system-view
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] undo inspect ftp
Related commands
import block warning-file
signature severity enable
Use signature severity enable to enable the virus signatures at and above a severity level.
Use undo signature severity enable to restore the default.
Syntax
signature severity { critical | high | medium } enable
undo signature severity enable
Default
Virus signatures of all severity levels are enabled.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
critical: Specifies the critical severity level.
high: Specifies the high severity level.
medium: Specifies the medium severity level.
Usage guidelines
After you configure this command, only the virus signatures at and above the specified severity level take effect.
Examples
# Enable the virus signatures at and above the high level.
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] signature severity high enable
update schedule
Use update schedule to schedule the automatic virus signature library update.
Use undo update schedule to restore the default.
Syntax
update schedule { daily | weekly { mon | tue | wed | thu | fri | sat | sun } } start-time time tingle minutes
undo update schedule
Default
The device starts updating the virus signature library at a random time between 02:01:00 and 04:01:00 every day.
Views
Automatic virus signature library update configuration view
Predefined user roles
network-admin
context-admin
Parameters
daily: Updates the virus signature library every day.
weekly: Updates the virus signature library every week.
mon: Updates the virus signature library every Monday.
tue: Updates the virus signature library every Tuesday.
wed: Updates the virus signature library every Wednesday.
thu: Updates the virus signature library every Thursday.
fri: Updates the virus signature library every Friday.
sat: Updates the virus signature library every Saturday.
sun: Updates the virus signature library every Sunday.
start-time time: Specifies the start time in the hh:mm:ss format. The value range is 00:00:00 to 23:59:59.
tingle minutes: Specifies the tolerance time in minutes. The value range is 0 to 120. An automatic library update will occur at a random time between the following time points:
· Start time minus half the tolerance time.
· Start time plus half the tolerance time.
Usage guidelines
Non-default vSystems do not support this command.
Examples
# Configure the device to automatically update the virus signature library every Monday at a random time between 20:25:00 and 20:35:00.
<Sysname> system-view
[Sysname] anti-virus signature auto-update
[Sysname-anti-virus-autoupdate] update schedule weekly mon start-time 20:30:00 tingle 10
Related commands
anti-virus signature auto-update
warning parameter-profile
Use warning parameter-profile to apply a warning parameter profile to an anti-virus policy, and enable sending the alarm message defined in the profile.
Use undo warning parameter-profile to restore the default.
Syntax
warning parameter-profile profile-name
undo warning parameter-profile
Default
No warning parameter profile is applied and the device does not support sending alarm messages.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
profile-name: Specifies a warning parameter profile by its name, a case-insensitive string of 1 to 63 characters. Valid characters are letters, digits, underscores (_).
Usage guidelines
Non-default vSystems do not support this command.
If an endpoint user visits a virus-infected website, the device will display an alarm message on the user's browser. The alarm message is stored in the warning parameter profile applied to the policy. For more information about configuring a warning parameter profile, see DPI engine configuration in DPI Configuration Guide.
In an RBM-based hot backup networking environment where asymmetric-path traffic exists, sending of alarm messages is not supported. This command will not take effect even if you have configured it. For more information about RBM-based hot backup, see High Availability Configuration Guide.
With this command configured, the device will proxy HTTP traffic matching the anti-virus policies, which will greatly affect device performance. Determine whether to configure this command based on the actual situation.
Examples
# Apply warning parameter profile av1 to anti-virus policy abc and enable the sending of alarm message defined in the profile.
<Sysname> system-view
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] warning parameter-profile av1
Related commands
inspect warning parameter-profile
