Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Mechanism

This section describes how antivirus works on the Central AP and the order in which a detected virus is processed.

The Central AP uses the Intelligent Awareness Engine (IAE) together with a regularly updated virus signature database to detect and remove viruses. When file reputation detection is enabled, files that pass signature matching can additionally be sent to a sandbox for in-depth inspection. Figure 26-44 shows the antivirus mechanism.

Figure 26-44  Antivirus mechanism

Virus Detection by the IAE

The Central AP performs virus detection in the IAE. After traffic enters the IAE, the IAE:

  1. Analyzes the traffic and identifies its protocol type and file transfer direction.

  2. Checks whether antivirus applies to this protocol type and file transfer direction.

    The antivirus function of the Central AP applies to the following protocols:

    • File Transfer Protocol (FTP)
    • Hypertext Transfer Protocol (HTTP)
    • Post Office Protocol - Version 3 (POP3)
    • Simple Mail Transfer Protocol (SMTP)
    • Internet Message Access Protocol (IMAP)
    • Network File System (NFS)
    • Server Message Block (SMB)

    The Central AP supports antivirus in the upload and download directions:

    • Upload: Indicates file transfer from a client to a server.
    • Download: Indicates file transfer from a server to a client.
    NOTE:

    Connection requests are initiated by clients. Therefore, when configuring an attack defense profile, set the security zone where the client resides as the source zone and the zone where the server resides as the destination zone. The inspection direction follows the file, not the connection: a file that travels from the client to the server is an upload even though the client opened the connection.

    Example 1: A user in the trust zone needs to download files from an FTP server in the untrust zone. Set the trust zone as the source security zone and the untrust zone as the destination security zone on the attack defense profile configuration page, and set the FTP inspection direction to Download on the antivirus configuration page.

    Example 2: A user in the trust zone needs to send email through an SMTP server in the dmz. Set the trust zone as the source security zone and the dmz as the destination security zone on the attack defense profile configuration page, and set the SMTP inspection direction to Upload on the antivirus configuration page.

  3. Performs virus detection.

    The IAE extracts features from applicable files and compares them against the virus signature database. If a match is found, the file is considered infected and is processed according to the action specified in the profile. If no match is found, the file is permitted. If file reputation detection is enabled, files that do not match the virus signature database can be sent to the sandbox for in-depth detection.

    Huawei analyzes and summarizes common virus signatures to build the virus signature database. The database defines each signature and assigns it a unique virus ID. After the database is loaded, the device can identify only viruses whose signatures are defined in it, so to detect new viruses the virus signature database must be updated regularly from the security center (sec.huawei.com).

Antivirus Process

After a virus is identified in a file being transferred, the Central AP:

  1. Checks whether the virus is a virus exception. If it is, the file is permitted.

    To prevent file transfer failures caused by false positives, you can add the IDs of viruses that users have identified as false positives to the virus exception list. If the detected virus matches a virus exception, the response action on the file is permit.

  2. If the virus does not match any virus exception, checks whether the traffic matches an application exception. If it does, the file is processed according to the action (permit, alert, or block) configured for that application exception.

    The action of an application exception can differ from the action for the protocol the application uses. Multiple applications may share one protocol; for example, traffic of 163.com and yahoo.com is both carried over HTTP.

    Actions for applications and protocols have different priorities:

    • If the action for a protocol is defined but no action is defined for any application, the action for the protocol applies to all applications that use the protocol.
    • If the action for a protocol is defined and the action for an application that uses the protocol is defined, the action for the application takes precedence over that for the protocol.

    Using the same HTTP example:

    • If the response action for HTTP is Block, response actions for 163.com and yahoo.com are also Block.
    • If you have added 163.com to Application Exception List and set its response action to Alert, yahoo.com still inherits the response action of HTTP, which is Block, whereas 163.com uses the response action of Alert.
  3. If the virus matches neither a virus exception nor an application exception, applies the action specified in the profile for the protocol and transfer direction.

    The following table shows the actions available on the Central AP for each protocol and direction.

    Protocol   Transfer Direction   Action
    HTTP       Upload/Download      Alert/Block. The default action is Block.
    FTP        Upload/Download      Alert/Block. The default action is Block.
    NFS        Upload/Download      Alert.
    SMB        Upload/Download      Alert/Block. The default action is Block.
    SMTP       Upload               Alert.
    POP3       Download             Alert.
    IMAP       Upload/Download      Alert.

    Description of the actions:

    • Alert: The device permits the file and generates a virus log.
    • Block: The device blocks the file and generates a virus log.

    Note that for NFS and for the mail protocols (SMTP, POP3, IMAP) the only available action is Alert, so an infected file carried over these protocols is logged but still delivered; stopping it relies on the virus log being acted on elsewhere.
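The decision order above (virus exception, then application exception, then protocol/direction action) and the zone-and-direction rule from the NOTE in step 2 are easy to get wrong when writing a profile, so here is a small model of that logic. This is an added example, not Huawei code: the profile layout, the function names, the virus IDs and the sample detections are assumptions made for illustration, and the protocol table is transcribed from the one above.

```python
"""Model of the Central AP antivirus decision order, written as an added
example: this is not Huawei code, and the profile layout, function names and
sample detections below are assumptions made for illustration."""
from dataclasses import dataclass, field

# Protocol/direction pairs the guide lists, with the actions available for each.
# Where only "alert" is listed the device can log the file but cannot block it.
SUPPORTED_ACTIONS = {
    ("HTTP", "upload"): {"alert", "block"}, ("HTTP", "download"): {"alert", "block"},
    ("FTP", "upload"): {"alert", "block"}, ("FTP", "download"): {"alert", "block"},
    ("SMB", "upload"): {"alert", "block"}, ("SMB", "download"): {"alert", "block"},
    ("NFS", "upload"): {"alert"}, ("NFS", "download"): {"alert"},
    ("SMTP", "upload"): {"alert"},
    ("POP3", "download"): {"alert"},
    ("IMAP", "upload"): {"alert"}, ("IMAP", "download"): {"alert"},
}
# Default is Block wherever Block is available, otherwise Alert (per the table).
DEFAULT_ACTION = {k: "block" if "block" in v else "alert" for k, v in SUPPORTED_ACTIONS.items()}


def zones_and_direction(client_zone, server_zone, file_from_client):
    """Clients initiate the connection, so the client zone is the source zone
    of the attack defense profile and the server zone is the destination zone;
    the inspection direction follows the file, not the connection."""
    return client_zone, server_zone, "upload" if file_from_client else "download"


def action_is_supported(protocol, direction, action):
    """True if the guide lists `action` for this protocol and direction."""
    return action in SUPPORTED_ACTIONS.get((protocol.upper(), direction.lower()), set())


@dataclass
class AntivirusProfile:
    protocol_actions: dict = field(default_factory=dict)        # (proto, dir) -> alert|block
    application_exceptions: dict = field(default_factory=dict)  # app name -> permit|alert|block
    virus_exceptions: set = field(default_factory=set)          # virus IDs marked as false positives

    def set_protocol_action(self, protocol, direction, action):
        """Reject settings the device cannot honour, e.g. Block for NFS or SMTP."""
        if not action_is_supported(protocol, direction, action):
            raise ValueError(f"{action} is not available for {protocol} {direction}")
        self.protocol_actions[(protocol.upper(), direction.lower())] = action


@dataclass
class Detection:
    protocol: str
    direction: str
    application: str
    virus_id: int


def resolve_action(profile, det):
    """Apply the three checks in the order the guide gives them; return (action, reason)."""
    key = (det.protocol.upper(), det.direction.lower())
    if key not in SUPPORTED_ACTIONS:
        return "permit", "protocol/direction is not inspected"
    # 1. Virus exception: operator-declared false positive, always permitted.
    if det.virus_id in profile.virus_exceptions:
        return "permit", f"virus {det.virus_id} is a virus exception"
    # 2. Application exception overrides the protocol action for that application only.
    if det.application in profile.application_exceptions:
        return profile.application_exceptions[det.application], f"application exception for {det.application}"
    # 3. Protocol/direction action, falling back to the documented default.
    return profile.protocol_actions.get(key, DEFAULT_ACTION[key]), f"{key[0]} {key[1]} action"


if __name__ == "__main__":
    profile = AntivirusProfile()
    profile.set_protocol_action("HTTP", "download", "block")
    profile.application_exceptions["163.com"] = "alert"   # the text's own example
    profile.virus_exceptions.add(12345)                     # constructed virus ID
    samples = [  # constructed detections
        Detection("HTTP", "download", "yahoo.com", 777),   # inherits HTTP -> block
        Detection("HTTP", "download", "163.com", 777),     # application exception -> alert
        Detection("HTTP", "download", "163.com", 12345),   # virus exception wins -> permit
        Detection("SMTP", "upload", "mail", 777),          # SMTP can only alert
    ]
    for d in samples:
        print(d.application, d.protocol, d.direction, "->", resolve_action(profile, d))
```

Running the block shows yahoo.com blocked while 163.com is only alerted, the virus exception permitting the file regardless of the application setting, and the SMTP detection resolving to alert because the device has no Block action for mail. The `set_protocol_action` guard mirrors what the device itself will refuse: asking for Block on NFS or any mail protocol is not a valid profile.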

Updated: 2019-01-11

Document ID: EDOC1000176006