Anti-virus commands
Non-default vSystems do not support some of the anti-virus commands. For information about vSystem support for a command, see the usage guidelines on that command. For information about vSystem, see Virtual Technologies Configuration Guide.
anti-virus apply policy
Use anti-virus apply policy to apply an anti-virus policy to a DPI application profile.
Use undo anti-virus apply policy to remove the application.
Syntax
anti-virus apply policy policy-name mode { alert | protect }
undo anti-virus apply policy
Default
No anti-virus policy is applied to a DPI application profile.
Views
DPI application profile view
Predefined user roles
network-admin
context-admin
vsys-admin
vsys-operator
Parameters
policy-name: Specifies an anti-virus policy by its name, a case-insensitive string of 1 to 63 characters.
mode: Specifies an anti-virus policy mode.
alert: Only logs matching packets.
protect: Takes the action specified in the anti-virus policy on matching packets.
Usage guidelines
An anti-virus policy takes effect only after it is applied to a DPI application profile. You can apply only one anti-virus policy to a DPI application profile. If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Apply anti-virus policy abc to DPI application profile sec. Set the anti-virus policy mode to protect.
[Sysname] app-profile sec
[Sysname-app-profile-sec] anti-virus apply policy abc mode protect
anti-virus cache min-time
Use anti-virus cache min-time to set the minimum cache period for an anti-virus MD5 entry.
Use undo anti-virus cache min-time to restore the default.
Syntax
anti-virus cache min-time value
undo anti-virus cache min-time
Default
The minimum cache period of an anti-virus MD5 entry is 10 minutes.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
value: Specifies the minimum cache period in minutes. The value range is 10 to 720.
Usage guidelines
Non-default vSystems do not support this command.
When anti-virus cloud query is required, the device performs the following tasks:
1. Creates an MD5 entry in the cache.
2. Submits the MD5 value to the cloud server.
3. Updates the cached MD5 entry with the returned cloud query result.
Setting the minimum cache period for anti-virus MD5 entries ensures that the cached entries will not be overwritten by new entries during the specified period of time.
When the anti-virus cache is full, the system identifies the cache period of the oldest MD5 entry to determine whether to overwrite it with a new entry that requires cloud query:
· If the cache period of the entry is equal to or shorter than the minimum cache period, the system does not delete the entry. The new entry is not cached and cloud query will not be performed.
· If the cache period of the entry is longer than the minimum cache period, the system overwrites it with the new entry and submits the new entry to the cloud server.
After the anti-virus cache size command sets a smaller cache size, the system will delete the exceeding oldest entries immediately without checking their minimum cache periods.
Examples
# Set the minimum cache period for an anti-virus MD5 entry to 36 minutes.
[Sysname] anti-virus cache min-time 36
Related commands
anti-virus cache size
anti-virus cache size
Use anti-virus cache size to set the anti-virus cache size.
Use undo anti-virus cache size to restore the default.
Syntax
anti-virus cache size cache-size
undo anti-virus cache size
Default
The anti-virus cache can cache a maximum of 100000 entries.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
cache-size: Specifies the cache size in the range of 100000 to 200000.
Usage guidelines
Non-default vSystems do not support this command.
The device caches the anti-virus query result returned from the cloud server for subsequent virus inspection. The query result identifies whether or not the MD5 value submitted for cloud query is a virus.
If you set a smaller anti-virus cache size, the system will delete the existing oldest entries without checking their minimum cache periods.
Examples
# Set the anti-virus cache size to 200000.
[Sysname] anti-virus cache size 200000
Related commands
anti-virus cache min-time
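The eviction rules described for anti-virus cache min-time (a full cache overwrites its oldest entry only when that entry has outlived the minimum cache period; otherwise the new entry is dropped and no cloud query is made) and the shrink rule described for anti-virus cache size (excess oldest entries are deleted at once, without a min-time check) can be walked through in a small model. The following Python is an added example written for this page, not H3C code or device output; the class and method names, the minute-based clock and the sample MD5 values are constructed assumptions, and only the documented value ranges come from the reference.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import Optional

# Documented value ranges (from the command reference):
#   anti-virus cache size      100000 to 200000 entries (default 100000)
#   anti-virus cache min-time  10 to 720 minutes (default 10)
CACHE_SIZE_RANGE = (100000, 200000)
MIN_TIME_RANGE = (10, 720)


def validate_config(cache_size: int, min_time: int) -> bool:
    """Return True if both values fall inside the documented ranges."""
    return (CACHE_SIZE_RANGE[0] <= cache_size <= CACHE_SIZE_RANGE[1]
            and MIN_TIME_RANGE[0] <= min_time <= MIN_TIME_RANGE[1])


@dataclass
class Entry:
    created_at: int            # minutes, on a constructed monotonic clock
    is_virus: Optional[bool]   # None until the cloud verdict has been recorded


class AntiVirusMd5Cache:
    """Hypothetical model (not H3C code) of the MD5 cache behaviour that the
    anti-virus cache min-time and anti-virus cache size commands describe.
    Entries are kept in creation order, so the first entry is the oldest.
    Range checks are left to validate_config() so that small demos are possible."""

    def __init__(self, size: int = 100000, min_time: int = 10) -> None:
        self.size = size
        self.min_time = min_time
        self._entries: "OrderedDict[str, Entry]" = OrderedDict()

    def lookup(self, md5: str) -> Optional[bool]:
        """Cached cloud verdict for an MD5 value, or None if not cached or not yet known."""
        entry = self._entries.get(md5)
        return entry.is_virus if entry else None

    def submit(self, md5: str, now: int) -> str:
        """A file missed the local signature library and needs a cloud query.
        Returns 'present' (already cached), 'submitted' (entry created and the
        MD5 sent to the cloud) or 'dropped' (cache full and its oldest entry is
        still within the minimum cache period, so nothing is cached or queried)."""
        if md5 in self._entries:
            return "present"
        if len(self._entries) >= self.size:
            oldest_md5, oldest = next(iter(self._entries.items()))
            # "Equal to or shorter than" the minimum period: keep the old entry.
            if now - oldest.created_at <= self.min_time:
                return "dropped"
            del self._entries[oldest_md5]
        self._entries[md5] = Entry(created_at=now, is_virus=None)
        return "submitted"

    def record_result(self, md5: str, is_virus: bool) -> None:
        """Update the cached entry with the verdict returned by the cloud server."""
        if md5 in self._entries:
            self._entries[md5].is_virus = is_virus

    def resize(self, new_size: int) -> int:
        """Model 'anti-virus cache size' being lowered: the oldest entries above
        the new size are deleted immediately, with no min-time check.
        Returns the number of entries evicted."""
        evicted = 0
        while len(self._entries) > new_size:
            self._entries.popitem(last=False)
            evicted += 1
        self.size = new_size
        return evicted

    def __len__(self) -> int:
        return len(self._entries)


if __name__ == "__main__":
    # Constructed sample values; a 2-entry cache keeps the walk-through short.
    cache = AntiVirusMd5Cache(size=2, min_time=10)
    print(validate_config(200000, 36))     # True: both inside the documented ranges
    print(cache.submit("a" * 32, now=0))   # submitted
    print(cache.submit("b" * 32, now=1))   # submitted
    print(cache.submit("c" * 32, now=10))  # dropped: oldest entry age 10 <= min-time 10
    print(cache.submit("c" * 32, now=11))  # submitted: oldest entry age 11 > 10, overwritten
    print(cache.resize(1))                 # 1: oldest entry removed, no min-time check
```

The boundary case at age 10 matters operationally: with the default min-time of 10 minutes, a burst of new files arriving while the cache is full and young is not queried at all, which is why the reference ties the two commands together.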
anti-virus logging
Use anti-virus logging to enable anti-virus logging.
Use undo anti-virus logging to disable anti-virus logging.
Syntax
anti-virus logging
undo anti-virus logging
Default
Anti-virus logging is enabled.
Views
Anti-virus policy view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
After this feature is enabled for an anti-virus policy, the system generates a syslog message when a packet matches the policy and sends the syslog message to a log host.
After this feature is disabled for an anti-virus policy, the system does not generate syslog messages for anti-virus packet matching in the policy.
Examples
# Disable logging for anti-virus policy policy1.
[Sysname] anti-virus policy policy1
[Sysname-anti-virus-policy-policy1] undo anti-virus logging
Related commands
display anti-virus policy
anti-virus parameter-profile
Use anti-virus parameter-profile to specify a parameter profile for an anti-virus action.
Use undo anti-virus parameter-profile to remove the parameter profile specified for an anti-virus action.
Syntax
anti-virus { email | logging | redirect } parameter-profile profile-name
undo anti-virus { email | logging | redirect } parameter-profile
Default
No parameter profile is specified for an anti-virus action.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
email: Specifies the email action.
logging: Specifies the logging action.
redirect: Specifies the redirect action.
parameter-profile profile-name: Specifies a parameter profile by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
Before you can specify a parameter profile for an anti-virus action, configure the parameter profile in the DPI engine. For more information, see DPI engine configuration in DPI Configuration Guide.
A parameter profile defines the parameters for executing an action. For example, you can configure parameters such as the email server address and email recipients in the email parameter profile, and then apply the profile to the email action.
If no parameter profile is specified for an anti-virus action, or if the specified parameter profile does not exist, the default parameter settings of the action are used.
Examples
# Create an email parameter profile named av1 and specify a plaintext login password (abc123) in the parameter profile.
[Sysname] inspect email parameter-profile av1
[Sysname-inspect-email-av1] password simple abc123
[Sysname-inspect-email-av1] quit
# Specify parameter profile av1 for the email action.
[Sysname] anti-virus email parameter-profile av1
Related commands
inspect email parameter-profile
inspect logging parameter-profile
inspect redirect parameter-profile
anti-virus policy
Use anti-virus policy to create an anti-virus policy and enter its view, or enter the view of an existing anti-virus policy.
Use undo anti-virus policy to delete an anti-virus policy.
Syntax
anti-virus policy policy-name
undo anti-virus policy policy-name
Default
An anti-virus policy named default exists.
Views
System view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
policy-name: Specifies the anti-virus policy name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
All virus signatures in the virus signature library are available for an anti-virus policy, whether the policy is the default policy or a user-defined policy.
The default anti-virus policy cannot be modified or deleted.
Examples
# Create anti-virus policy abc and enter its view.
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc]
anti-virus signature auto-update
Use anti-virus signature auto-update to enable automatic virus signature library update and enter automatic virus signature library update configuration view.
Use undo anti-virus signature auto-update to disable automatic virus signature library update.
Syntax
anti-virus signature auto-update
undo anti-virus signature auto-update
Default
Automatic virus signature library update is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
To automatically update the virus signature library, make sure the device can access the H3C website.
Examples
# Enable automatic virus signature library update and enter automatic virus signature library update configuration view.
[Sysname] anti-virus signature auto-update
[Sysname-anti-virus-autoupdate]
Related commands
update schedule
anti-virus signature auto-update-now
Use anti-virus signature auto-update-now to manually trigger an automatic signature library update.
Syntax
anti-virus signature auto-update-now
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
After you execute this command, the device immediately starts the automatic signature library update process whether automatic signature library update is enabled or not. The device automatically backs up the current signature library before overwriting it.
You can execute this command anytime you find a new version of signature library on the H3C website.
Examples
# Manually trigger an automatic signature library update.
[Sysname] anti-virus signature auto-update-now
anti-virus signature rollback
Use anti-virus signature rollback to roll back the virus signature library.
Syntax
anti-virus signature rollback { factory | last }
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
factory: Rolls back the virus signature library to the factory default version.
last: Rolls back the virus signature library to the previous version.
Usage guidelines
Non-default vSystems do not support this command.
If a virus signature library update causes abnormal situations or a high false alarm rate, you can roll back the virus signature library.
Before performing a virus signature library rollback, the device backs up the current virus signature library as the previous version. For example, the previous version is V1 and the current version is V2. If you perform a rollback to the previous version, version V1 becomes the current version and version V2 becomes the previous version. If you perform a rollback to the previous version again, version V2 becomes the current version and version V1 becomes the previous version.
Examples
# Roll back the virus signature library to the previous version.
[Sysname] anti-virus signature rollback last
anti-virus signature update
Use anti-virus signature update to manually update the virus signature library.
Syntax
anti-virus signature update file-path [ vpn-instance vpn-instance-name ] [ source { ip | ipv6 } { ip-address | interface interface-type interface-number } ]
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
file-path: Specifies the virus signature file path, a string of 1 to 255 characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the TFTP or FTP server belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the TFTP or FTP server belongs to the public network.
source: Specifies a source IP address for packets sent to the TFTP or FTP server. If you do not specify this keyword, the IP address of the outgoing interface for packets sent to the TFTP or FTP server is used.
ip ip-address: Specifies a source IPv4 address for packets sent to the TFTP or FTP server.
ipv6 ip-address: Specifies a source IPv6 address for packets sent to the TFTP or FTP server.
interface interface-type interface-number: Specifies an interface by its type and number. The interface's primary IP address or the lowest IPv6 address will be used as the source IP address for packets sent to the TFTP or FTP server.
Usage guidelines
CAUTION: The H3C website provides different signature libraries for devices with different memory sizes and software versions. You must obtain the signature library that is suitable for your device. If your device has a small memory (8 GB or less) but you choose a signature library that is for a large memory (more than 8 GB), the signature update might result in device anomaly.
Non-default vSystems do not support this command.
If the device cannot access the H3C website, use one of the following methods to manually update the virus signature library:
· Local update—Updates the virus signature library by using the locally stored virus signature file.
Store the update file on the master device for successful signature library update.
The following table describes the format of the file-path argument for different update scenarios.
Update scenario | Format of file-path | Remarks
The signature file is stored in the current working directory. | filename | To display the current working directory, use the pwd command. For information about the pwd command, see file system management in Fundamentals Command Reference.
The signature file is stored in a different directory on the same storage medium. | filename | Before updating the signature library, you must first use the cd command to open the directory where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.
The signature file is stored on a different storage medium. | path/filename | Before updating the signature library, you must first use the cd command to open the root directory of the storage medium where the file is stored. For information about the cd command, see file system management in Fundamentals Command Reference.
· FTP/TFTP update—Updates the virus signature library by using the virus signature file stored on an FTP or TFTP server.
The following table describes the format of the file-path argument for different update scenarios.
Update scenario | Format of file-path | Remarks
The signature file is stored on an FTP server. | ftp://username:password@server/filename | The username argument represents the FTP login username. The password argument represents the FTP login password. The server argument represents the IP address or host name of the FTP server. If a colon (:), at sign (@), or forward slash (/) exists in the username or password, you must convert it into its escape characters. The escape characters are %3A or %3a for a colon, %40 for an at sign, and %2F or %2f for a forward slash.
The signature file is stored on a TFTP server. | tftp://server/filename | The server argument represents the IP address or host name of the TFTP server.
NOTE: To update the signature library successfully, make sure the device and the FTP or TFTP server can reach each other. If you specify the FTP or TFTP server by its host name, you must also make sure the device can resolve the host name into an IP address through static or dynamic DNS. For more information about DNS, see DNS configuration in Layer 3—IP Services Configuration Guide.
In manual update of the virus signature library, you can configure the source keyword to specify the source IP address for packets sent to the TFTP or FTP server. For example, if the device-sent packets destined for the TFTP or FTP server must be translated by NAT, you must configure a source IP address that satisfies the NAT translation rules. If a separate NAT device is used in the network, make sure there is a route between the specified source IP address and the NAT device.
If you specify both the source and the vpn-instance keywords in the anti-virus signature update command, make sure the VPN instance to which the specified source IP address or interface belongs is the same as that specified by the vpn-instance keyword.
Examples
# Manually update the virus signature library by using a virus signature file stored on a TFTP server.
[Sysname] anti-virus signature update tftp://192.168.0.10/av-1.0.2-en.dat
# Manually update the virus signature library by using a virus signature file stored on an FTP server. The FTP login username and password are user:123 and user@abc/123, respectively.
[Sysname] anti-virus signature update ftp://user%3A123:user%40abc%2F123@192.168.0.10/av-1.0.2-en.dat
# Manually update the virus signature library by using a virus signature file stored on the device. The file is stored as cfa0:/av-1.0.23-en.dat. The current working directory is cfa0:.
[Sysname] anti-virus signature update av-1.0.23-en.dat
# Manually update the virus signature library by using a virus signature file stored on the device. The file is stored as cfa0:/dpi/av-1.0.23-en.dat. The current working directory is cfa0:.
[Sysname] anti-virus signature update av-1.0.23-en.dat
# Manually update the virus signature library by using a virus signature file stored on the device. The file is stored as cfb0:/dpi/av-1.0.23-en.dat. The current working directory is cfa0:.
[Sysname] anti-virus signature update dpi/av-1.0.23-en.dat
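The escaping rule in the FTP row of the file-path table (a colon, at sign or forward slash inside the username or password must become %3A, %40 or %2F) can be applied mechanically, and a mis-escaped path is easy to spot before it is typed into the device. The following Python is an added example written for this page, not H3C code; the function names are assumptions, the sample credentials are the ones used in the FTP example above, and the parser only accepts the documented ftp://username:password@server/filename form.

```python
import re

# Characters the command reference requires to be escaped when they appear in
# the FTP username or password of the file-path argument, and their escapes.
_ESCAPES = {":": "%3A", "@": "%40", "/": "%2F"}
# The reference accepts both hex cases for the colon and slash (%3a, %2f).
_UNESCAPE_RE = re.compile(r"%(3[aA]|40|2[fF])")
_UNESCAPES = {"3A": ":", "40": "@", "2F": "/"}


def escape_credential(value: str) -> str:
    """Escape ':', '@' and '/' in an FTP username or password; other characters
    pass through unchanged, since the reference names only these three."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_credential(value: str) -> str:
    """Inverse of escape_credential, accepting %3a/%2f as well as %3A/%2F."""
    return _UNESCAPE_RE.sub(lambda m: _UNESCAPES[m.group(1).upper()], value)


def build_ftp_file_path(username: str, password: str, server: str, filename: str) -> str:
    """file-path in the form ftp://username:password@server/filename."""
    return (f"ftp://{escape_credential(username)}:{escape_credential(password)}"
            f"@{server}/{filename}")


def build_tftp_file_path(server: str, filename: str) -> str:
    """file-path in the form tftp://server/filename (no credentials to escape)."""
    return f"tftp://{server}/{filename}"


def parse_ftp_file_path(file_path: str) -> dict:
    """Split an ftp:// file-path back into its parts, undoing the escapes.
    Raises ValueError if the string is not in the documented form."""
    prefix = "ftp://"
    if not file_path.startswith(prefix):
        raise ValueError("not an ftp:// file-path")
    rest = file_path[len(prefix):]
    if "@" not in rest:
        raise ValueError("missing '@' between credentials and server")
    # With correctly escaped credentials there is exactly one '@'; rsplit
    # also tolerates a raw '@' left in the password so the check below can flag it.
    creds, location = rest.rsplit("@", 1)
    if ":" not in creds or "/" not in location:
        raise ValueError("expected username:password@server/filename")
    user, password = creds.split(":", 1)
    server, filename = location.split("/", 1)
    return {
        "username": unescape_credential(user),
        "password": unescape_credential(password),
        "server": server,
        "filename": filename,
    }


def credentials_are_escaped(file_path: str) -> bool:
    """Check that the credential part of an ftp:// file-path contains no raw
    ':', '@' or '/' apart from the single separator colon. A raw ':' in the
    password would make the credentials split at the wrong place."""
    rest = file_path[len("ftp://"):]
    creds = rest.rsplit("@", 1)[0]
    return creds.count(":") == 1 and "@" not in creds and "/" not in creds


if __name__ == "__main__":
    # Same credentials as the FTP example in the command reference.
    path = build_ftp_file_path("user:123", "user@abc/123", "192.168.0.10", "av-1.0.2-en.dat")
    print(path)                    # ftp://user%3A123:user%40abc%2F123@192.168.0.10/av-1.0.2-en.dat
    print(parse_ftp_file_path(path))
    # An unescaped colon in the password fails the check.
    print(credentials_are_escaped("ftp://user:123:pw@192.168.0.10/av-1.0.2-en.dat"))  # False
```

Running the block reproduces the FTP example above from its plain-text username and password, which is a quick way to confirm an escaped path before the credentials leave the operator's terminal.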
cloud-query enable
Use cloud-query enable to enable MD5 value-based anti-virus cloud query.
Use undo cloud-query enable to disable MD5 value-based anti-virus cloud query.
Syntax
cloud-query enable
undo cloud-query enable
Default
MD5 value-based anti-virus cloud query is disabled.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
Usage guidelines
Non-default vSystems do not support this command.
You can enable cloud query in an anti-virus policy. If the file in a flow does not match any rule in the local virus signature library, the device will send the MD5 value of the file to the cloud server for cloud query. The cloud server determines whether the MD5 value is a virus and returns the result to the device so appropriate action can be taken.
Examples
# Enable MD5 value-based anti-virus cloud query in anti-virus policy news.
[Sysname] anti-virus policy news
[Sysname-anti-virus-policy-news] cloud-query enable
description
Use description to configure a description for an anti-virus policy.
Use undo description to restore the default.
Syntax
description text
undo description
Default
An anti-virus policy does not have a description.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 255 characters. The description can contain spaces.
Usage guidelines
A description can identify an anti-virus policy or provide details about an anti-virus policy. Policies with descriptions can be easily maintained.
Examples
# Configure "RD Department anti-virus policy" as the description of anti-virus policy abc.
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] description "RD Department anti-virus policy"
display anti-virus cache
Use display anti-virus cache to display anti-virus cache information.
Syntax
display anti-virus cache [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays information for all member devices.
Usage guidelines
Non-default vSystems do not support this command.
The anti-virus cache contains the anti-virus query results returned from the cloud server. For anti-virus to cache the cloud query results, cloud query must be enabled in a minimum of one anti-virus policy.
If the file in a flow does not match any rule in the local virus signature library, the device will send the MD5 value of the file to the cloud server for cloud query.
· If the MD5 value matches a virus rule, the result will be cached as an entry on the hit entry list.
· If the MD5 value does not match any virus rule or if it matches a non-virus rule, the result will be cached as an entry on the non-hit entry list.
Examples
# Display anti-virus cache information.
<Sysname> display anti-virus cache
Slot 1:
Anti-virus cache information:
Cloud-query state: Disabled
Total cached non-hit entries: 0
Total cached hit entries: 0
Non-hit list min update interval: 0 seconds
Non-hit list max update interval: 0 seconds
Hit list min update interval: 0 seconds
Hit list max update interval: 0 seconds
Last query message sent: 0 seconds ago
Last query result received: 0 seconds ago
Table 1 Command output
Field | Description
Cloud-query state | Enabling state of the cloud query.
Total cached non-hit entries | Number of entries on the non-hit entry list.
Total cached hit entries | Number of entries on the hit entry list.
Non-hit list min update interval | Time elapsed since the last update on the non-hit entry list, in seconds.
Non-hit list max update interval | Time elapsed since the first entry was created on the non-hit entry list, in seconds.
Hit list min update interval | Time elapsed since the last update on the hit entry list, in seconds.
Hit list max update interval | Time elapsed since the first entry was created on the hit entry list, in seconds.
Last query message sent | Time elapsed since the last query request was sent, in seconds.
Last query result received | Time elapsed since the last query result was received, in seconds.
Related commands
cloud-query enable
display anti-virus signature
Use display anti-virus signature to display virus signature information.
Syntax
display anti-virus signature [ [ signature-id ] | [ severity { critical | high | low | medium } ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
signature-id: Specifies a signature by its ID in the range of 1 to 4294967294. If you do not specify a signature ID, this command displays the total number of virus signatures in the virus signature library.
severity: Specifies a severity level of virus signatures.
critical: Specifies the critical severity level.
high: Specifies the high severity level.
low: Specifies the low severity level.
medium: Specifies the medium severity level.
Usage guidelines
You can use this command to display the severity level of virus signatures for a better use of the signature severity enable command.
Examples
# Display information about virus signature 10000001.
<Sysname> display anti-virus signature 10000001
Signature ID: 10000001
Name : Trojan [Downloader].VBS.Agent
Severity : Medium
Table 2 Command output
Field | Description
Signature ID | ID of the virus signature.
Name | Name of the virus signature.
Severity | Severity level of the virus signature: Low, Medium, High, or Critical.
# Display the total number of virus signatures and the number of virus signatures that failed to be deployed from the virus signature library to the DPI engine.
<Sysname> display anti-virus signature
Total count:9206
failed:0
display anti-virus signature family-info
Use display anti-virus signature family-info to display virus signature family information.
Syntax
display anti-virus signature family-info
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Examples
# Display virus signature family information.
<Sysname> display anti-virus signature family-info
Total count: 6373
Family ID Family name
1 Virus.Win32.Virut.ce
2 Trojan.Win32.SGeneric
3 Virus.Win32.Nimnul.a
4 Virus.Win32.Virlock.j
Table 3 Command output
Field | Description
Total count | Total number of virus signature families.
Family ID | ID of the virus signature family.
Family name | Name of the virus signature family.
display anti-virus signature library
Use display anti-virus signature library to display virus signature library information.
Syntax
display anti-virus signature library
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Examples
# Display virus signature library information.
<Sysname> display anti-virus signature library
Anti-Virus signature library information:
Type SigVersion ReleaseTime Size
Current 1.0.9 Wed Apr 22 09:51:13 2015 976432
Last - - -
Factory 1.0.0 Fri Dec 31 16:00:00 1999 20016
Table 4 Command output
Field | Description
Type | Version type of the virus signature library: · Current—Current version. · Last—Previous version. · Factory—Factory default version.
SigVersion | Version number of the virus signature library.
ReleaseTime | Release time of the virus signature library.
Size | Size of the virus signature library in bytes.
display anti-virus statistics
Use display anti-virus statistics to display anti-virus statistics.
Syntax
display anti-virus statistics [ policy policy-name ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
vsys-admin
vsys-operator
Parameters
policy policy-name: Specifies an anti-virus policy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify an anti-virus policy, this command displays anti-virus statistics for all anti-virus policies.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays anti-virus statistics for all member devices.
Examples
# Display anti-virus statistics for slot 4.
<Sysname> display anti-virus statistics slot 4
CPU 1 on slot 4:
Total Block: 0
Total Redirect: 0
Total Alert: 0
Type http ftp smtp pop3 imap
Block 0 0 0 0 0
Redirect 0 0 0 0 0
Alert+Permit 0 0 0 0 0
Table 5 Command output
Field | Description
Total Block | Total number of times that the block action is taken.
Total Redirect | Total number of times that the redirect action is taken.
Total Alert | Total number of times that the alert action is taken.
Type | Action type: · Block—Blocks and logs matching packets. · Redirect—Redirects matching HTTP connections to a URL and generates logs. · Alert+Permit—Permits and logs matching packets.
http | Number of times that the action is taken on HTTP packets.
ftp | Number of times that the action is taken on FTP packets.
smtp | Number of times that the action is taken on SMTP packets.
pop3 | Number of times that the action is taken on POP3 packets.
imap | Number of times that the action is taken on IMAP packets.
enhanced-inspect anti-virus cache-file-size
Use enhanced-inspect anti-virus cache-file-size to set the maximum size of a cache file to be inspected by anti-virus enhanced inspection.
Use undo enhanced-inspect anti-virus cache-file-size to restore the default.
Syntax
enhanced-inspect anti-virus cache-file-size file-size
undo enhanced-inspect anti-virus cache-file-size
The following compatibility matrix shows the support of hardware platforms for this command:
Series | Models | Command compatibility
F5000 series | F5000-AI-40, F5000-AI-20, F5000-AI-15 | Yes
F5000 series | F5000-AI160, F5000-CN160, F5000-CN-G85, F5000-CN-G65, F5000-CN-G55 | No
F1000 series | F1000-AI-25 | Yes
Default
The maximum size is 1 MB for a cache file to be inspected by anti-virus enhanced inspection.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
file-size: Specifies the maximum size of a cache file to be inspected by anti-virus enhanced inspection. The value range for this argument is 1 to 10 MB.
Usage guidelines
Non-default vSystems do not support this command.
For this command to take effect, first enable anti-virus enhanced inspection.
After enhanced anti-virus inspection is enabled, the device delivers cache files to the intelligent service platform module for enhanced anti-virus inspection and then clears the local cache files. If a cache file exceeds the size limit, it will not be delivered to the intelligent service platform module.
Examples
# Set the maximum size to 5 MB for a cache file to be inspected by anti-virus enhanced inspection.
[Sysname] enhanced-inspect anti-virus cache-file-size 5
Related commands
enhanced-inspect anti-virus enable
enhanced-inspect anti-virus enable
Use enhanced-inspect anti-virus enable to enable enhanced anti-virus inspection.
Use undo enhanced-inspect anti-virus enable to disable enhanced anti-virus inspection.
Syntax
enhanced-inspect anti-virus enable
undo enhanced-inspect anti-virus enable
The following compatibility matrix shows the support of hardware platforms for this command:
Series | Models | Command compatibility
F5000 series | F5000-AI-40, F5000-AI-20, F5000-AI-15 | Yes
F5000 series | F5000-AI160, F5000-CN160, F5000-CN-G85, F5000-CN-G65, F5000-CN-G55 | No
F1000 series | F1000-AI-25 | Yes
Default
Enhanced anti-virus inspection is disabled.
Views
System view
Predefined user roles
context-admin
Usage guidelines
Non-default vSystems do not support this command.
This feature enables the device to deliver files in which anti-virus does not detect any virus to the intelligent service platform module for enhanced inspection. Use this feature to increase the virus detection rate.
Examples
# Enable enhanced anti-virus inspection.
[Sysname] enhanced-inspect anti-virus enable
exception application
Use exception application to set an application as an application exception and specify an anti-virus action for the application exception.
Use undo exception application to remove an application exception or all application exceptions.
Syntax
exception application application-name action { alert | block | permit }
undo exception application { application-name | all }
Default
No application exceptions exist.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
application-name: Specifies the application name.
action: Specifies an action for the application exception.
all: Specifies all application exceptions.
alert: Permits and logs matching packets.
block: Blocks and logs matching packets.
permit: Permits matching packets.
Usage guidelines
By default, an anti-virus action is protocol specific and applies to all applications carried by the protocol. To take a different action on an application, you can set the application as an exception and specify a different anti-virus action for the application. Application exceptions use application-specific actions and the other applications use protocol-specific actions. For example, the anti-virus action for HTTP is alert. To block the games carried by HTTP, you can set the games as application exceptions and specify the block action for them.
Examples
# Set the 163Email application as an application exception. Specify alert as the anti-virus action for the application exception.
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] exception application 163Email action alert
exception md5
Use exception md5 to set an MD5 value as an MD5 exception.
Use undo exception md5 to remove an MD5 exception or all MD5 exceptions.
Syntax
exception md5 md5-value
undo exception md5 { md5-value | all }
Default
No MD5 exceptions exist.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
md5-value: Specifies an MD5 value.
all: Specifies all MD5 exceptions.
Usage guidelines
If false positives occur for a virus, you can set the MD5 value of the virus as an MD5 exception. The device will permit subsequent packets matching the MD5 exception to pass.
You can get the MD5 value of the virus through the threat log.
Examples
# In anti-virus policy abc, set MD5 value 2b9c5137769b613f0ea11bd51c324afe as an MD5 exception.
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] exception md5 2b9c5137769b613f0ea11bd51c324afe
exception signature
Useexception signatureto set a signature as a signature exception.
Useundo exception signatureto remove a signature exception or all signature exceptions.
Syntax
exception signature signature-id
undo exception signature { signature-id | all }
Default
No signature exceptions exist.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
signature-id: Specifies the signature ID in the range of 1 to 4294967292.
all: Specifies all signature exceptions.
Usage guidelines
If a virus proves to be a false alarm, you can set the virus signature as a signature exception. Packets matching the signature exception are permitted to pass.
Examples
# Set virus signature 101000 as a signature exception.
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] exception signature 101000
Related commands
display anti-virus signature
inspect
Use inspect to configure anti-virus for an application layer protocol.
Use undo inspect to cancel anti-virus for an application layer protocol.
Syntax
inspect { ftp | http | imap | nfs | pop3 | smb | smtp } direction { both | download | upload } [ cache-file-size file-size ] action { alert | block | redirect }
undo inspect { ftp | http | imap | nfs | pop3 | smb | smtp }
Default
The device performs virus detection on the following packets:
· Upload and download packets for FTP, HTTP, SMB, NFS, and IMAP.
· Download packets for POP3.
· Upload packets for SMTP.
The anti-virus action for FTP, HTTP, NFS, and SMB is block and for IMAP, SMTP, and POP3 is alert.
The maximum size for the file that can be cached for inspection is 1 MB.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
ftp: Specifies the FTP protocol.
http: Specifies the HTTP protocol.
imap: Specifies the IMAP protocol.
nfs: Specifies the NFS protocol. Only NFSv3 is supported.
pop3: Specifies the POP3 protocol.
smb: Specifies the SMB protocol. Only SMBv1 and SMBv2 are supported.
smtp: Specifies the SMTP protocol.
direction: Specifies the anti-virus detection direction. You cannot specify this keyword for POP3 and SMTP because POP3 supports only download and SMTP supports only upload.
both: Specifies the upload and download directions.
download: Specifies the download direction.
upload: Specifies the upload direction.
cache-file-size file-size: Specifies the size of a file that can be cached for inspection. The file size is in the range of 1 to 24 MB. Only the HTTP protocol supports this option. Non-default vSystems do not support this command.
action: Specifies an anti-virus action. The anti-virus action for IMAP can only be alert.
alert: Permits and logs matching packets.
block: Blocks and logs matching packets.
redirect: Redirects matching HTTP connections to a URL and generates logs. This keyword is applicable to only uploading connections.
Usage guidelines
After you configure this command, the device performs virus detection on packets from the specified direction for the specified protocol. If viruses are detected, the device takes the specified action on the virus packets.
The direction keyword is not available for the POP3 and SMTP protocols because the POP3 protocol supports only the download direction and the SMTP protocol supports only the upload direction.
With the HTTP protocol and the block action configured, in addition to blocking and logging matching packets, the device also supports displaying an alarm message on the client browser. A default message is predefined. To configure a user-defined alarm message, you can execute the import block warning-file command to import the message from a file. For more information about the warning file, see DPI engine configuration in DPI Configuration Guide.
Connections of the protocols that anti-virus supports are all initiated by clients. For connections to be established successfully and anti-virus to function correctly, make sure the security zone or the zone pair is correctly configured. The security zone that the clients reside in must be the source security zone and the security zone that the servers reside in must be the destination security zone.
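The parameter and usage constraints above (fixed direction for POP3 and SMTP, cache-file-size only for HTTP and only 1 to 24 MB, alert-only for IMAP, redirect only for HTTP uploads) can be checked offline before a policy is pushed. The following validator is an added example, not part of this command reference; the line format it parses is the inspect syntax shown above, and the sample lines are constructed.

```python
import re

PROTOCOLS = {"ftp", "http", "imap", "nfs", "pop3", "smb", "smtp"}
# Protocols with a fixed direction: the direction keyword must be omitted.
FIXED_DIRECTION = {"pop3": "download", "smtp": "upload"}

# One inspect line; direction and cache-file-size are parsed as optional so
# their presence can be checked against the protocol-specific rules below.
INSPECT_RE = re.compile(
    r"^inspect\s+(?P<proto>\S+)"
    r"(?:\s+direction\s+(?P<dir>both|download|upload))?"
    r"(?:\s+cache-file-size\s+(?P<size>\d+))?"
    r"\s+action\s+(?P<action>alert|block|redirect)\s*$"
)


def validate_inspect(line):
    """Return the list of constraint violations for one inspect line (empty if valid)."""
    m = INSPECT_RE.match(line.strip())
    if not m:
        return ["line does not match the inspect syntax"]
    proto, direction, size, action = m.group("proto", "dir", "size", "action")
    if proto not in PROTOCOLS:
        return [f"unsupported protocol {proto}"]
    errors = []
    if proto in FIXED_DIRECTION:
        if direction is not None:
            errors.append(f"direction keyword not allowed for {proto}; "
                          f"it supports only {FIXED_DIRECTION[proto]}")
        direction = FIXED_DIRECTION[proto]  # effective direction is fixed
    elif direction is None:
        errors.append(f"direction keyword is required for {proto}")
    if size is not None:
        if proto != "http":
            errors.append("cache-file-size is supported only for http")
        elif not 1 <= int(size) <= 24:
            errors.append("cache-file-size must be in the range 1 to 24 MB")
    if proto == "imap" and action != "alert":
        errors.append("action for imap can only be alert")
    if action == "redirect":
        if proto != "http":
            errors.append("redirect applies only to HTTP connections")
        elif direction == "download":
            errors.append("redirect applies only to uploading connections")
    return errors


if __name__ == "__main__":  # constructed sample lines
    for sample in ["inspect http direction download action alert",
                   "inspect smtp direction upload action block",
                   "inspect imap direction both action block"]:
        print(sample, "->", validate_inspect(sample) or "OK")
```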
Examples
# Configure anti-virus for HTTP. Specify the direction as download and the anti-virus action as alert.
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] inspect http direction download action alert
# Cancel anti-virus for HTTP.
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] undo inspect http
Related commands
import block warning-file
signature severity enable
Use signature severity enable to enable the virus signatures at and above a severity level.
Use undo signature severity enable to restore the default.
Syntax
signature severity { critical | high | medium } enable
undo signature severity enable
Default
Virus signatures of all severity levels are enabled.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
critical: Specifies the critical severity level.
high: Specifies the high severity level.
medium: Specifies the medium severity level.
Usage guidelines
After you configure this command, only the virus signatures at and above the specified severity level take effect.
Examples
# Enable the virus signatures at and above the high level.
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] signature severity high enable
update schedule
Use update schedule to schedule the automatic virus signature library update.
Use undo update schedule to restore the default.
Syntax
update schedule { daily | weekly { mon | tue | wed | thu | fri | sat | sun } } start-time time tingle minutes
undo update schedule
Default
The device starts updating the virus signature library at a random time between 02:01:00 and 04:01:00 every day.
Views
Automatic virus signature library update configuration view
Predefined user roles
network-admin
context-admin
Parameters
daily: Updates the virus signature library every day.
weekly: Updates the virus signature library every week.
mon: Updates the virus signature library every Monday.
tue: Updates the virus signature library every Tuesday.
wed: Updates the virus signature library every Wednesday.
thu: Updates the virus signature library every Thursday.
fri: Updates the virus signature library every Friday.
sat: Updates the virus signature library every Saturday.
sun: Updates the virus signature library every Sunday.
start-time time: Specifies the start time in the hh:mm:ss format. The value range is 00:00:00 to 23:59:59.
tingle minutes: Specifies the tolerance time in minutes. The value range is 0 to 120. An automatic library update will occur at a random time between the following time points:
· Start time minus half the tolerance time.
· Start time plus half the tolerance time.
Usage guidelines
Non-default vSystems do not support this command.
Examples
# Configure the device to automatically update the virus signature library every Monday at a random time between 20:25:00 and 20:35:00.
[Sysname] anti-virus signature auto-update
[Sysname-anti-virus-autoupdate] update schedule weekly mon start-time 20:30:00 tingle 10
Related commands
anti-virus signature auto-update
warning parameter-profile
Use warning parameter-profile to apply a warning parameter profile to an anti-virus policy, and enable sending the alarm message defined in the profile.
Use undo warning parameter-profile to restore the default.
Syntax
warning parameter-profile profile-name
undo warning parameter-profile
Default
No warning parameter profile is applied and the device does not support sending alarm messages.
Views
Anti-virus policy view
Predefined user roles
network-admin
context-admin
vsys-admin
Parameters
profile-name: Specifies a warning parameter profile by its name, a case-insensitive string of 1 to 63 characters. Valid characters are letters, digits, underscores (_).
Usage guidelines
Non-default vSystems do not support this command.
If an endpoint user visits a virus-infected website, the device will display an alarm message on the user's browser. The alarm message is stored in the warning parameter profile applied to the policy. For more information about configuring a warning parameter profile, see DPI engine configuration in DPI Configuration Guide.
In an RBM-based hot backup networking environment where asymmetric-path traffic exists, sending of alarm messages is not supported. This command will not take effect even if you have configured it. For more information about RBM-based hot backup, see High Availability Configuration Guide.
With this command configured, the device will proxy HTTP traffic matching the anti-virus policies, which will greatly affect device performance. Determine whether to configure this command based on the actual situation.
Examples
# Apply warning parameter profile av1 to anti-virus policy abc and enable the sending of the alarm message defined in the profile.
[Sysname] anti-virus policy abc
[Sysname-anti-virus-policy-abc] warning parameter-profile av1
Related commands
inspect warning parameter-profile
