Antivirus Protection for NetApp Clustered Data ONTAP

By Saurabh Singh, Technical Marketing Engineer, NetApp

 

The off-box antivirus feature provides virus-scanning support for the NetApp® clustered Data ONTAP® operating system. In this architecture, virus scanning is performed by external servers that host antivirus software from third-party vendors. The feature offers antivirus functionality that is similar to the functionality available in Data ONTAP operating in 7-Mode.

 

Prior to ONTAP 9.0 only On-access scanning was supported by ONTAP. Starting from ONTAP 9.0, the off-box antivirus feature provides virus-scanning support in two modes:

 

On-Access Scanning

This type of scanning is triggered by in-band notifications to the external virus-scanning servers during various file operations, such as open, close, rename, and write. Because of the in-band nature of these notifications, the client’s file operation is suspended until the file scan status is reported back by the virus-scanning server. This server is a Windows Server instance that is referred to as the Vscan server.

 

On-Demand Scanning

On-demand scanning was introduced in NetApp ONTAP 9.0 for performing an on-demand AV scanning job on files or folders on a specific path through a scheduled job. On-demand scanning leverages the existing AV servers configured for on-access AV scanning to run the scanning job. The on-demand job updates the “scan status” of the files and reduces an additional scan on the same files when accessed the next time unless the file is modified. You can use on-demand scanning to scan the volumes that cannot be configured for on-access scanning, for example, NFS exports.

 

The Vscan server, after receiving notification for a scan, retrieves the file through a privileged CIFS share and scans the file contents. If the antivirus software encounters an infected file, it attempts to perform remedial operations on the file. The remedial operations are determined by the settings configured in the antivirus software.

 

After completing all necessary operations, the Vscan server reports the scan status to clustered Data ONTAP. For on-access scanning, depending on the scan status, clustered Data ONTAP allows or denies the file operation requested by the client.

 

Currently, on-access scanning for clustered Data ONTAP is available only for CIFS-related traffic.

 

The antivirus solution consists of the following components: the third-party antivirus software, the clustered Data ONTAP Antivirus Connector, and the clustered Data ONTAP virus-scanning settings. You must install both the antivirus software and the Antivirus Connector on the AV server.

 

Figure 1 shows the architecture of the antivirus solution.

 

 Figure 1) Antivirus solution architecture

 

Components of a Vscan Server

 

Antivirus Software

The antivirus software is installed and configured on the Vscan server to scan files for viruses or other malicious data. The antivirus software must comply with clustered Data ONTAP. You must specify the remedial actions to be taken on infected files in the configuration of the antivirus software.

 

Antivirus Connector

The Antivirus Connector is installed on the Vscan server to process scan requests. It also provides communication between the antivirus software and the storage virtual machines (SVMs; formerly called Vservers) in the storage system running clustered Data ONTAP.

 

Components of a System Running Clustered Data ONTAP

 

Scanner Pool

A scanner pool validates and manages the connection between the Vscan servers and the SVMs. You can create a scanner pool for an SVM to define the list of Vscan servers and privileged users that can access and connect to that SVM and to specify a time-out period for scan requests. If the response to a scan request is not received within the time-out period, file access is denied in mandatory scan cases.

 

Scanner Policy

A scanner policy defines when the scanner pool is active. A Vscan server is allowed to connect to an SVM only if its IP address and privileged user are part of the active scanner pool list for that SVM.

 

Note: All scanner policies are system defined; you cannot create a customized scanner policy.

 

A scanner policy can have one of the following values:

  • Primary. Makes the scanner pool always active.
  • Secondary. Makes the scanner pool active only when none of the primary Vscan servers is connected.
  • Idle. Makes the scanner pool always inactive.

On-access Policy

An on-access policy defines the scope for scanning files when they are accessed by a client. You can specify the maximum file size for files to be considered for virus scanning and file extensions and file paths to be excluded from scanning. You can also choose a filter from the available set of filters to define the scope of scanning.

 

On-demand Task

On-demand scanning was introduced in ONTAP 9.0 for performing an on-demand AV scanning job on files or folders under a specific path through a scheduled job. This type of scanning leverages the existing AV servers configured for on-access AV scanning to run the scanning job.

 

Vscan File-Operations Profile

The Vscan file-operations profile parameter (-vscan-fileop-profile) defines which file operations on the CIFS share can trigger virus scanning. You must configure this parameter when you create or modify a CIFS share.

 

Workflow for Configuring and Managing Virus Scanning

Figure 2 shows a workflow with the high-level steps that you must perform to configure and manage virus-scanning activities.

  

Figure 2) Workflow for configuring and managing virus scanning

 

Antivirus Partners

Our list of elite AV partners is composed of industry leaders in virus-scanning technology. Below are their names and a link to the joint solution deployment guides. Refer to the IMT for supportability information.

 

Partner

Joint Solution Guide

 Symantec Protection Engine

http://www.netapp.com/us/media/tr-4304.pdf

Intel (McAfee) Virus Scan for Enterprise

http://www.netapp.com/us/media/tr-4286.pdf

Sophos Antivirus for NetApp

http://www.netapp.com/us/media/tr-4309.pdf

Trend Micro Server Protect

http://www.netapp.com/us/media/tr-4312.pdf

Kaspersky WSEE

http://www.netapp.com/us/media/tr-4445.pdf