We are wanting to understand the virus scanning settings, for all file accesses and when files are opened for reading. When we have both of them enabled file access from the filers is slow (opening a mapped drive letter takes long and we see high CPU utilization, Protocol Latency ), on turning off “When files are opened for reading” the access is quick. Please can you provide us some guidance to these settings, what’s recommended.
We have both the settings enabled on all our shares. If we were to disable “When files are opened for reading” how does it impact our security posture? We are using McAfee Virus Scan for Storage and have four scanners serving one filer.
Using 8.x OnTap 7-Mode in case its needed. VSCAN options are already configured on the filer per the best practices guidance.
That will actually scan the file before opening. If you disable it, it won't actually scan the file when a user opens it. Which...you can leave disabled as long as the background scanning is there. Iv'e always saw it as an extra precaution.
In 7 Mode: There are 2 options: 1) If speed of access is more important than safety: We can turn scanning off for read-only access on the cifs share by setting "novscanread" on the share. Virus scanning will not occur when clients open files on this share for read access.
In C mode : Vscan File-Operations Profile for CIFS Share parameter specifies which operations performed on the CIFS share can trigger virus scanning Profile: Type File Operations That Trigger Scanning 1) no_scan : None 2) standard : Open, close, and rename 3) strict: Open, read, close, and rename 4) writes_only : Close (only for newly created or modified files)
Best Practices Use the default, standard profile. To further restrict scanning options, use the strict profile. However, using this profile generates more scan requests and affects performance. To maximize performance with liberal scanning, use the writes_only profile. This profile scans only the files that have been modified and closed. Reference : https://www.netapp.com/us/media/tr-4286.pdf
When you said turning off “When files are opened for reading” does this mean you are using "novscanread" as the CIFS share property ?