
CDOT 8.3.1 vscan only passing .exe files to McAfee AV Scanner

I have an 8040 Cluster running 8.3.1P1 and using McAfee VirusScan 8.8 with the current release of VSES for NetApp. NetApp VSCAN is configured as per NetApp best practice and the McAfee VSES is configured as 'we' believe to be correct.

 

When we place EICAR test pattern files in the CIFS shares, only the files with a .exe extension are detected and deleted by the AV. We have tested with .txt, .com and .vbs extensions and they are not even scanned. It looks like they are not even being passed to the AV server by VSCAN despite VSCAN being configured to scan all extensions.

 

Our 7-mode filer / McAfee AV detects all the test virus files.

 

Has anyone else experienced problems with AV scanning on CDOT 8.3.x and only .exe files being scanned?

Re: CDOT 8.3.1 vscan only passing .exe files to McAfee AV Scanner

Hi,

 

Can you share the vscan profile output for the specific vserver?

 

vserver vscan on-access-policy show -vserver xx-xxx-xx -policy-name xxxx_xxxx

 

Regards,

Mani

Re: CDOT 8.3.1 vscan only passing .exe files to McAfee AV Scanner

Hi Mani

 

This is the output:


Vserver: XXXX-template_test
Policy: template_test
Policy Status: on
Policy Config Owner: vserver
File-Access Protocol: CIFS
Filters: scan-execute-access
Max File Size Allowed for Scanning: 2GB
File Paths Not to Scan: -
File Extensions Not to Scan: -
File Extensions to Scan: *
Scan Files with No Extension: true

 

NetApp support have verified our config, the McAfee side only reports .exe files being passed to it.

 

Cheers

Matt

Re: CDOT 8.3.1 vscan only passing .exe files to McAfee AV Scanner

Hi,

 

Can you change the vscan on-access-policy to scan-mandatory?

 

vscan on-access-policy modify -vserver xxxxx_xxxxx -policy-name template_test -filters scan-mandatory 

 

You can control the vscan operation by modifying vscan-fileop-profile on the CIFS shares.

 

 

cifs share modify -vserver xxxxx_xxxx -share-name tst_share -vscan-fileop-profile {no-scan|standard|strict|writes-only}

 

 

I use writes-only in my environment.

 

cifs share show -share-name share-name$ -fields vscan-fileop-profile
vserver       share-name         vscan-fileop-profile
------------- ------------------ --------------------
cluster       share-name$        writes-only

 

Let me know if this makes any difference.

 

Regards,

Mani