Subscribe

Several VScan questions...

NetApp Gurus,

We have been running virus scanning for about a year now and recently have had quite a few failures of the av scanning service on the Windows host.  We initially kind of threw the solution in - and now are paying the price for not being experts and doing it right the first time.  The scanner is definitely overloaded and I know that there are other tweaks that we can make to lessen the load by making exclusions etc.  I have some questions that I hope to get answer to before putting in the new solution...

FYI - I am a AV guy venturing into the wild world of NetApp - so be gentle...

Currently:

Filer: pair of FAS3070.

OS Version: 7.3.2

Scanner OS: Windows 2003 SP2 - this guy also runs CIFS backups so at least part of the problem is due to that dual use.  The new server(s) will be scan only.

Scanner: McAfee VirusScan Enterprise for Storage V 1.0 Patch 1

Questions:

There are file extensions to be scanned defined on the NetApp.  This list is pre-populated with 50 or 180 extensions depending on the version of Data OnTap that we have/had.  This list can be have entries added or removed as required.

There is a list of files to exclude on the NetApp.  This list is currently empty.  This list can be have entries added or removed as required.

There is a list of default files to scan in the McAfee AV Scanner GUI.  The default is defined by the DAT files provided daily by McAfee.  Additional extensions can be added as required.

There is a list of files, folders and drives to exclude from scanning in the McAfee AV Scanner GUI.  This is a custom list defined by the AV Admin.

1) How are the two lists of inclusions/exclusions related?  Does the list on the AV scanner update the NetApp list or vice versa?  My initial thought is they are not related and do not update each other.  What I think is happening is the Filer looks at it's list and if the extension is listed (as well as passes the other requirements needed) then it passes it to the McAfee scanner.  When the scanner gets the file it looks at its own list and determines whether to scan or not.  If this is the case - synching of the two lists - specifically from McAfee back to NetApp would be beneficial because NetApp would never send a file to the scanner that the scanner did not need to scan.

2) I see that I can exclude an entire CIFS from being scanned - or I can set it to not scan on read only, etc...  I want to be able to exclude subdirectories under a share as well.  The scan log shows a path like this -> File to scan : \\?\UNC\NETSAA\ONTAP_ADMIN$\vol\CIFS_3\SPECIAL\Common\Dir\Dir\Dir\AbcFile.xml  This is UNC "like" but not a valid path.  How would I exclude the Common directory and all subfolders form being scanned?  Is there any way to get such an exclusion to run on the filer or would it have to make the request for scan and then have McAfee NOT scan it because it is excluded.

3) What is the overhead in using the client_msgbox option?  Is there an example available what the alert looks like or data it contains?  Poorly worded messages cause more trouble than they are worth.

4) If the cifs shares - change <share_name> novscanread command was run - would TSM backups still cause the file to be considered for scanning?

That is all that I have for now.  Looking forward to answers that you all may provide.

Thanks,

Tim

Re: Several VScan questions...

Hi Tim,

Recalling my rusty knowledge of AV configuration in Ontap, filer sends scan request looking at the criteria defined in inclusion and exclusion list in ontap and not on AV scanner. When you use  novscanread while creating shares it will not send any scan request, no matter if extensions match or not.

When you see the log do you refer to AV server log or filer log, and to my knowledge there isn't  any option but it may be only me as I never had any need for this.

Being  client_msgbox options turned on doesn't helps anything as this feature depends on 'net send' family of commands in windows, which means you must have winpopup enabled and running on your system to get notifications of infected file and in today's environments we don't have winpopup enabled on our systems due to some security reasons.