I know I’ve used Mcaffee’s plug in that works by sitting on the Mcaffee server and talks to the filer via the AV API’s in OnTap…

That works a treat!

CA, Trend, Sophos, McAfee and Symantec all have AV servers... the best practice is a separate vlan or network and 2 AV servers for redundancy...  Some customers don't use it if they have client protection... others have a site license and it is no extra charge... and others decide to use a different vendor than their desktop/server then if one AV vendor catches a virus another doesn't there is some redundancy.

It is really simple to enable in ONTAP with vscan on, then usually people turn mandatory_scan off...the default is on.  When on, data isn't served over cifs when the scanner is not available.

"Are they really needed..."  This is an important question, but you need to look at it from all angles. 

How likely is it to get a file onto the storage without the host scanning catching it first?

If something gets by the host scanner, how likely are hosts to be re-infected time and again?

We had this problem at a previous employer...corporate security kept complaining the filer had a "virus".  It has an infected file from someone whose Anti-Virus had been disabled, and others hit that file regularly, thus pushing the myth the filer was infecting them.  We finally told them to pull the file completely, clean it and put it back, the scan all of the hosts and clean them, issue solved. 

However, certain people kept perpetuating it was the filer that was at fault...as with everything YMMV!  The storage team did not see the need for scanning as all the hosts were supposed to be protected, and the compute platforms were already taking a performance hit, why add that to the filer now too?

- Scott

Thanks for your replies

I've seen some of the AV offerings from various companies but to be honest I'm struggling to convince myself of whether it is actually required. The only time I could see it being absolutly necessary is if a virus was created which targetted the filer itself but seeing as the data isn't executed on the filer, I can't see this being the case.    

Hello,

I have been asked to look into virus scanning for our NetApp simply because we recently (2 years ago) implemented CIFs on the filer and our vendor said we really should have AV running on the CIFs shares for sure.  We don't have a huge CIFs share presence, we implemented it basically because we wanted to share files between our Linux/Unix hosts and Windows servers.  It has spawned somewhat and users are indirectly connecting to these CIFs shares from their Windows desktops (typically through an application they don't know points there, but we do have some users scanning files to a CIFs share to be picked up by Unix).  Anyway, due to the increase in Windows end users connecting to these shares, our management is still concerned that we don't have AV on the NetApp filer.  We do have it on our local Windows desktops and all the Windows servers.  I don't believe our Unix hosts have it, but I have to verify that with that supporting team.  We did not implement it 2 years ago because our security manager at the time said it was redundant to be scanning the same files on multiple systems, we didn't need to add another AV scan to it (Windows servers and desktops).

In my research I came across this thread from a couple years ago, and it sounds like the same questions I was wondering about.  Would you mind sharing what you ended up doing?  I cannot seem to find much out there other than how to set it up... but I'm still struggling with the question if it is even necessary?

I also read this in NetApp's whitepaper, which also makes me wonder if having another scan engine for AV just overkill?

Impervious to virus attacks

Unlike Windows- or UNIX-based systems, Data ONTAP is a microkernel

storage OS that is not based on a Windows or UNIX OS. Data ONTAP cannot

run third-party applications including OS viruses or worms. Since there are

no “hooks” into the OS, Data ONTAP is impervious to harmful software that

could corrupt or destroy data on Windows or UNIX systems.