ONTAP Discussions

AV Scanner on ONTAP

not_a_Lone_wolf
3,907 Views

Hi,. We have a AV server (hosting Trend micro) setup on our Prod clusters that has mandatory scan option set to ON in default_CIFS Policy. The clients have vscan-fileop-profile set to writes only. My question is

If I disable the mandatory scan to OFF since AV servers would be disconnected due to maintenance,

1> Would it deny file access to this client (separate SVM)

2> Would it deny file access t other clients since the same default_CIFS Policy is used for all the clients, but the AV server is different.

 

 

1 ACCEPTED SOLUTION

Mjizzini
3,861 Views

[-scan-mandatory {on|off}] - Mandatory ScanThis parameter specifies whether access to a file is allowed if there are no external virus-scanning servers available for virus scanning.

Therefore, file access will be granted even if the AV_scanners are disconnected.

View solution in original post

7 REPLIES 7

not_a_Lone_wolf
3,907 Views

There are 2 AV servers for this client and both the servers would be undergoing maintenance

PS: This is a NAS environment 

Mjizzini
3,862 Views

[-scan-mandatory {on|off}] - Mandatory ScanThis parameter specifies whether access to a file is allowed if there are no external virus-scanning servers available for virus scanning.

Therefore, file access will be granted even if the AV_scanners are disconnected.

not_a_Lone_wolf
3,846 Views

Thanks @Mjizzini for the response.

So I would turn off the mandatory scan during the activity. 

not_a_Lone_wolf
3,843 Views

By default, the scan-mandatory option for on-access scanning denies file access when a Vscan server connection is not available for scanning. Although this option offers important safety features, it can lead to problems in a few situations.

  • Before enabling client access, you must ensure that at least one Vscan server is connected to an SVM on each node that has a LIF. If you need to connect servers to SVMs after enabling client access, you must turn off the scan-mandatory option on the SVM to ensure that file access is not denied because a Vscan server connection is not available. You can turn the option back on after the server has been connected.
  • If a target LIF hosts all the Vscan server connections for an SVM, the connection between the server and the SVM will be lost if the LIF is migrated. To ensure that file access is not denied because a Vscan server connection is not available, you must turn off the scan-mandatory option before migrating the LIF. You can turn the option back on after the LIF has been migrated.

Each SVM should have at least two Vscan servers assigned to it. It is a best practice to connect Vscan servers to the storage system over a different network from the one used for client access.

paul_stejskal
3,810 Views

I will add, there is still a posibility slow vscan could compromise your performance. Mandatory scan set to off works assuming the vscan server is responsive and you don't queue up on the filer with requests waiting to go to go vscan. Make sure you size it for your workload accordingly.

 

The TRs kind of talk about it, but generally we lean on the vscan vendor for help with sizing the AV solution. It may not hurt to have spare vscan servers available should you hit vscan latency so you can just easily upgrade the AV infrastructure if you're not sure if it's beefy enough or not (or maybe have a dynamic pool that grows and shrinks if you think you'll have a job say once a month that you know is more i/o intensive).

not_a_Lone_wolf
3,805 Views

Hi @paul_stejskal  Thanks for sharing the wonderful and detailed insights.  Unfortunately, there is no backup servers in the Infra. Would it be a problem if I disable the on-access policy completely on this SVM during the time of the activity? Would it cause any risk?

 

Also, the machine account accessing this SVM for AV, is it authenticated through AD?

paul_stejskal
3,754 Views

1) Should be fine. You may have to disable on the AV side depending on the vendor. Some vendors of vscan and fpolicy (Varonis I know for sure does for fpolicy) love to send API calls back to ONTAP to turn on fpolicy/vscan if you disable from the CLI. I can't confirm vscan will do this, but that's simple enough to test.

2) I'm not sure. I believe so, but unfortunately vscan is a secondary area for me so I cannot confirm 100%. AFAIK it is common for vscan to use an AD account, but possibly a local account can be used too.

 

Hopefully someone else can answer that second question. @Mjizzini ?

Public