ONTAP Discussions

vscan notify end user

chinchillaking
2,236 Views

Hello,

 

Windows10 user1 CIFS access NetApp, Symantec SPE vscan NetApp cmode, NetApp event log display when file infected, could any method notify to end user Windows user1 file infected?

 

 

Best regards,

 

Chung

1 ACCEPTED SOLUTION

akiendl
2,213 Views
there have been windows notification services before but they have been used for attacks rather frequently so they are usually disabled these days.
So there is not a lot the storage system can let the user know.
However the antivirus server gets the infos and can trigger notifications much more intelligent as it knows the virus and what to do with it as well as the thread to the customer/user.

ak.

View solution in original post

2 REPLIES 2

akiendl
2,214 Views
there have been windows notification services before but they have been used for attacks rather frequently so they are usually disabled these days.
So there is not a lot the storage system can let the user know.
However the antivirus server gets the infos and can trigger notifications much more intelligent as it knows the virus and what to do with it as well as the thread to the customer/user.

ak.

GidonMarcus
2,169 Views

Hi.

 

A few years back I wanted to create such a script to lock the user (similar functionality can be used to alert) following the EMS message triggered in ONTAP by vSCAN which looks like that (and as you can see, include the user SID) :

Nblade.vscanVirusDetected: Possible virus detected. Vserver: XXXXX, vscan server IP: 10.1.x.x, file path: \XXXX_POC_01\tst01\New folder\New folder\ddd.txt, client IP: 10.1.X.X, SID: S-1-5-X-XXX-XXXX-XXX-XXXXX, vscan engine status: 222200001, vscan engine result string: "An object of type 'EICAR-Test-File' has been detected". This message occurs when a vscan server reports an error to the storage system. Normally this indicates that a virus has been found by the vscan server; however, other error conditions on the vscan server can result in this event. Client access to the file is denied. The vscan server might, depending on its settings and configuration, clean the file, quarantine it, or delete it.

 

The idea was to subscribe OCUM (today AIUM) to that event and from that trigger a PowerShell script to lock the user based on the following  PS OCUM parameter consumption script: 

https://github.com/MGidi/Consume_parameters_from_OCUM_on_a_PowerShell_script_And_Create_Custom_Emails

 

The problem I had at the time - is that the semicolon char in that specific VSCAN message prevented OCUM from triggering the script. For that I opened a NetApp ticket which raised the following bug https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=1137572 , but as we didn't continue with the vSCAN POC I never actually got into testing it, but I assume that if it has actually been resolved, it now can be done..

 

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK
Public