Overview

This article covers how to configure antivirus on Versa devices and the related CLI commands to validate and troubleshoot AV issues.


Section 1 — Configuration

To configure antivirus on Versa devices, refer to:


Section 2 — Troubleshooting

Step 1 — Validate the Configuration from CLI

admin@CPE01-cli> show configuration orgs org-services Provider security profiles av Block_Compressed_Files | display set

set orgs org-services Provider security profiles av Block_Compressed_Files lef-profile-default true
set orgs org-services Provider security profiles av Block_Compressed_Files file-type [ 7zip tar zip ]
set orgs org-services Provider security profiles av Block_Compressed_Files action deny
set orgs org-services Provider security profiles av Block_Compressed_Files protocol [ FTP HTTP ]

Verify the following:

  • The protocol, file extension, and direction of the traffic match the AV profile configuration.
  • The correct AV profile is called in the rule.
  • For SSL traffic, an SSL decryption profile must be configured on the device.
  • For FTP traffic, FTP ALG should be enabled.

Step 2 — Check Session Details

Confirm which policy the session matches and check for dropped packets and the module that dropped them:

show orgs org org-name sessions extensive | select source-ip x.x.x.x | select destination-ip y.y.y.y | match-all

Step 3 — Validate Malware Logs on Analytics

Check whether any Antivirus events appear in the Malware logs. A LEF profile must be configured on the AV profile for logs to be sent to Analytics.

Step 4 — Check AV Profile Statistics

show orgs org-services org-name security profiles av statistics predefined-profile name
show orgs org-services org-name security profiles av statistics user-defined-profile name

Example output:

admin@CPE01-cli> show orgs org-services Provider security profiles av statistics predefined-profile "Scan Email Traffic"

 av-profile-hit-cnt         3
 av-action-allow-cnt        1
 av-action-alert-cnt        0
 av-action-reject-cnt       0
 av-action-block-cnt        2
 av-action-on-disk-full-cnt 0
 av-file-in-queue-cnt       0
 av-eof-rcvd-cnt            0
 av-flow-bypass-cnt         0
 av-filetype-mismatch-cnt   0

            Flows      Flows      Num ctx
 Protocol   Blocked    Allowed    switches
 ---------  -------    -------    --------
 http           2           1           0
 ftp            0           0           0
 smtp           0           0           0
 imap           0           0           0
 pop3           0           0           0
 mapi           0           0           0
 smb            0           0           0

Look for the flows blocked under the respective protocol as well as the block count for the relevant file type.
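The checks in Step 1 (does the profile cover the protocol and file type of the flow, and are the SSL decryption and FTP ALG prerequisites met?) and Step 4 (which protocols show blocked flows, and which counters point elsewhere?) can be made repeatable offline. The Python below is an added example, not a Versa tool: it parses the `display set` lines and the `av statistics` output exactly as the article prints them (both samples are copied into the script as constructed input), then reports why a profile would not act on a given flow and what the statistics say. The extension-to-file-type table and the interpretation of the bypass, mismatch and disk-full counters are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the `display set` lines shown in Step 1.
SAMPLE_CONFIG = """\
set orgs org-services Provider security profiles av Block_Compressed_Files lef-profile-default true
set orgs org-services Provider security profiles av Block_Compressed_Files file-type [ 7zip tar zip ]
set orgs org-services Provider security profiles av Block_Compressed_Files action deny
set orgs org-services Provider security profiles av Block_Compressed_Files protocol [ FTP HTTP ]
"""

# Constructed sample: a shortened copy of the statistics output shown in Step 4.
SAMPLE_STATS = """\
 av-profile-hit-cnt         3
 av-action-allow-cnt        1
 av-action-block-cnt        2
 av-action-on-disk-full-cnt 0
 av-flow-bypass-cnt         0
 av-filetype-mismatch-cnt   0

            Flows      Flows      Num ctx
 Protocol   Blocked    Allowed    switches
 ---------  -------    -------    --------
 http           2           1           0
 ftp            0           0           0
 smtp           0           0           0
"""


@dataclass
class AvProfile:
    name: str
    file_types: set = field(default_factory=set)
    protocols: set = field(default_factory=set)
    action: str = ""
    lef_logging: bool = False  # lef-profile-default true: events are sent to Analytics


SET_LINE = re.compile(r"^set orgs org-services \S+ security profiles av (\S+) (\S+) (.+)$")


def parse_profile(text):
    """Build an AvProfile from `display set` output; None if no av profile lines are present."""
    profile = None
    for line in text.splitlines():
        m = SET_LINE.match(line.strip())
        if not m:
            continue
        name, key, value = m.groups()
        if profile is None:
            profile = AvProfile(name)
        # List values print as "[ a b c ]"; scalars print bare.
        values = value.strip("[] ").split() if value.startswith("[") else [value]
        if key == "file-type":
            profile.file_types.update(v.lower() for v in values)
        elif key == "protocol":
            profile.protocols.update(v.lower() for v in values)
        elif key == "action":
            profile.action = value
        elif key == "lef-profile-default":
            profile.lef_logging = value == "true"
    return profile


# Assumption for this example: on-the-wire extension -> file-type name used in the profile.
EXTENSION_TO_FILETYPE = {"7z": "7zip", "tar": "tar", "zip": "zip"}


def mismatch_reasons(profile, protocol, extension, ssl=False, ssl_decrypt=False, ftp_alg=True):
    """Return the reasons the profile would NOT act on a flow; an empty list means it should."""
    reasons = []
    proto = protocol.lower()
    ext = extension.lower().lstrip(".")
    ftype = EXTENSION_TO_FILETYPE.get(ext, ext)
    if proto not in profile.protocols:
        reasons.append(f"protocol {proto} not in profile protocols {sorted(profile.protocols)}")
    if ftype not in profile.file_types:
        reasons.append(f"file type {ftype} not in profile file-types {sorted(profile.file_types)}")
    if ssl and not ssl_decrypt:
        reasons.append("SSL traffic but no SSL decryption profile on the device")
    if proto == "ftp" and not ftp_alg:
        reasons.append("FTP traffic but FTP ALG is disabled")
    return reasons


COUNTER_LINE = re.compile(r"^\s*(av-[\w-]+)\s+(\d+)\s*$")
PROTO_LINE = re.compile(r"^\s*([a-z0-9]+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_stats(text):
    """Split `av statistics` output into {counter: value} and {protocol: row}."""
    counters, per_proto = {}, {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
            continue
        m = PROTO_LINE.match(line)
        if m:
            per_proto[m.group(1)] = {"blocked": int(m.group(2)), "allowed": int(m.group(3)),
                                     "ctx_switches": int(m.group(4))}
    return counters, per_proto


def triage(counters, per_proto):
    """Turn parsed statistics into the findings Step 4 tells you to look for."""
    findings = []
    if counters.get("av-profile-hit-cnt", 0) == 0:
        findings.append("profile never hit: traffic is not reaching this AV profile (recheck Steps 1 and 2)")
    for proto, row in per_proto.items():
        if row["blocked"]:
            findings.append(f"{proto}: {row['blocked']} flow(s) blocked")
    if counters.get("av-filetype-mismatch-cnt", 0):
        findings.append("file-type mismatches counted: compare the actual file type with the profile's file-type list")
    if counters.get("av-flow-bypass-cnt", 0):
        findings.append("flows bypassed scanning")
    if counters.get("av-action-on-disk-full-cnt", 0):
        findings.append("actions taken while the disk was full (see Step 6)")
    return findings


if __name__ == "__main__":
    prof = parse_profile(SAMPLE_CONFIG)
    print(prof.name, "HTTP/.zip ->", mismatch_reasons(prof, "HTTP", ".zip") or "profile applies")
    print(prof.name, "SMTP/.exe ->", mismatch_reasons(prof, "SMTP", ".exe"))
    for finding in triage(*parse_stats(SAMPLE_STATS)):
        print("-", finding)
```

Paste the real `display set` and statistics output from the device into `SAMPLE_CONFIG` and `SAMPLE_STATS` (or read them from files) and call `mismatch_reasons` with the protocol and extension seen in the session from Step 2; an empty list with a zero hit count means the traffic is not reaching the rule at all, which points back at the policy rather than the profile.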

Step 5 — Clear AV Cache (False Positives)

If a file that is not malicious is being flagged (a false positive), check the cache hit count and clear the AV cache:

vsh connect vsmd
show av cache-db statistics
clear av cache-db entries

Step 6 — Check Disk Space and Memory

shell
df -kh

If there are high memory alarms, refer to: How to Troubleshoot High Memory Issues on VOS Device

Step 7 — Check SPACK and AV Version

show security security-package information
show security av information

Example output:

admin@CPE01-cli> show security av information
                      REF      APPLIED
VERSION       FLAVOR  VERSION  VERSIONS
-----------------------------------------
201305081923  Full    -        -

Step 8 — Enable AV Debug Logs

configure
set debug av all-flags level all send to file name /var/log/versa/av.log
commit

Caution: Run this only in the presence of TAC and for a brief period. Delete the debug configuration immediately after to avoid CPU/memory issues.