2016-07-22 08:46 AM
I have an 8040 Cluster running 8.3.1P1 and using McAfee VirusScan 8.8 with the current release of VSES for NetApp, NetApp VSCAN is configured as per NetApp best practice and the McAfee VSES is configured as 'we' beleve to be correct.
When we place eicar test pattern files in the CIFS shares only the files with a .exe extension are detected and deleted by the AV, we have tested with .txt .com and .vbs extension and they are not even scanned. It looks likes they are not even being passed to AV server by VSCAN despite VSCAN being configured to scan all extensions.
Our 7-mode filer / McAfee AV detects all the test virus files,
Has anyone else experienced problems with AV scanning on CDOT 8.3.x and only .exe files being scanned.
2016-07-25 11:31 PM
Can you share the vscan profile output for teh specific vserver?
vserver vscan on-access-policy show -vserver xx-xxx-xx -policy-name xxxx_xxxx
2016-07-26 01:27 AM
This is the output :
Policy Status: on
Policy Config Owner: vserver
File-Access Protocol: CIFS
Max File Size Allowed for Scanning: 2GB
File Paths Not to Scan: -
File Extensions Not to Scan: -
File Extensions to Scan: *
Scan Files with No Extension: true
NetApp support have verified our config, the McAfee side only reports .exe files being passed to it.
2016-07-26 06:32 AM
can you change the vscan on-access -policy to scan-mandatory
vscan on-access-policy modify -vserver xxxxx_xxxxx -policy-name template_test -filters scan-mandatory
you can control the vscan operation by modifying vscan-fileop-profile on the CIFS shares.
cifs share modify -vserver xxxxx_xxxx -share-name tst_share -vscan-fileop-profile no-scan standard strict writes-only
i use writes-only in my environment.
cifs share show -share-name share-name$ -fields vscan-fileop-profile
vserver share-name vscan-fileop-profile
------------- ------------------ --------------------
cluster share-name$ writes-only
let me know if this makes any difference.