ONTAP Discussions

Random access denied using Sophos


Windows-based clients are having issues with some CIFS shares, the only change reported was the addition of 1 more Vscan servers to the Scanner-pool and activating it at the beginning of this week.


Basically the users get access denied/ group policy error when attempting to open certain files.
The NTFS ACL looks to be ok, if they restore the files from the day before snapshots, then, the restored file works with no issue.


They also compared the NTFS ACL of Original file and restored file and its completely the same. Netapp ACL has not been touched at all.


It looks like this issue is spreading across the Netapp system. More and more users seem to report this issue.

After disabling the VSCAN on the vservers that are done off-box by Sophos servers the issue was completely resolved.



The behavior mentioned is not expected on this system configuration, as it is usually caused by the option: "scan-mandatory on" for the on-access vscan policy, as explained on this NetApp article, (edit) but that option was never set as ON in this system (edit).

https://kb.netapp.com/app/answers/answer_view/a_id/1071177 (Symptom 2)



Anyone on this community that could help us to confirm the below:


If the configuration of VSCAN servers had turned off the "On-access scanning" mentioned, could that be the cause of users getting access denied.


Any idea of why this could be happening and what could be changed or check on the Sophos or NetApp configuration will be really appreciated.



Do you see any entries in the EMS log that might indicate that one or both Vscan servers are disconnected for a given SVM (or all SVMs) when mandatory scanning is turned on? You can also see the connection status of the Vscan servers using the "vscan connection status show-all", which will show a disconnect reason if there is a disconnected Vscan server.


I'd be interested to see if the Vscan servers report connected when an "access denied" message is generated. 


Thanks for your reply @donny_lang.


It was my fault while redacting this post, the option "scan-mandatory on" was never "on".


It was always off.


Thanks for the clarification. Knowing that, I wouldn't expect CIFS access to be impacted if the Vscan servers aren't available. Is there anything helpful on the Sophos side in terms of event correlation? I'm familiar with Trend ServerProtect as a AV scanning solution, but not Sophos as much.


Have you opened a ticket with Sophos yet for troubleshooting assistance? That might be a good option as well if you haven't yet. 


Yup, contacting Sophos support was suggested too. I was just doing the consultation here as an extra effort. 


Thanks a lot for your time @donny_lang