ONTAP Discussions

vscan questions

FelixZhou
2,894 Views

We have vscan servers in production for multiple SVMs.

1. how can we find out the statistics of VSCAN such as how many scans completed, how many virus detected and cleaned, how many scan processes queued?

2.  how can we find out if vscan servers too busy and more servers need to be added?

3. if any VSCAN servers or connections issues, will we get alerts or notitcations?

4. is there any VSCAN information integrated with active IQ?

5. happened a few times already, we had cifs share access issues, had to stop vscan services to regain the access.

    we plan to set -vscan-fileop to writes-only, and add excluvise list, are they good ideas?

6. what is the regular vscan daily monitoring?

thanks advance. 

1 ACCEPTED SOLUTION

GidonMarcus
2,837 Views

Hi.

 

1. I don't think ONTAP hold previous information on virus detections as stats. But you can get stats about the associated EMS messages with the ONTAP command:

event status -message-name Nblade.vscanVirusDetected -last-week-histogram

And events on vscan itself with:

vserver vscan show-events -event-type file-infected

You can start an active stats collection as per the following KB

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/FAQ%3A_Understanding_Clustered_Data_ONTAP_Offbox_Vscan_Server_Extended...

 

2-3. You probably want to consider installing AIUM (Active IQ Unified manager) local server (for free) to monitor the cluster. It already includes VSCAN events that you can see here:

https://docs.netapp.com/ocum-97/topic/com.netapp.doc.onc-um-sysconfig/GUID-2AB93F75-B435-46E5-813D-15B84B0BD9C7.html?cp=1_3_0_5

and you can find more EMS based events from:

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Common_EMS_messages_for_Vscan

or with the ONTAP command "event catalog show" and subscribe to these in AIUM using:

https://docs.netapp.com/ocum-97/topic/com.netapp.doc.onc-um-sysconfig/GUID-B4565396-580F-433A-A9D8-74BBABDAE893.html

 

4. Mentioned above the local AIUM (Active IQ Unified manager). I'm not sure if the online Active IQ (used to be known as MyASUP) give much on vSCAN these days (Currently I don't have access to it).  Active IQ does get events using AutoSupport. Which you can configure to send out upon events using the ONTAP command "event destination ... " (that will also send you an email - but don't add ones that likely to happen frequently, as generating austsupport takes system resources).

 

5. I'd actually prefer scanning on reads - as it will be with the more up-to-date signatures DB than when the file been written. Having said that - write is important too as it can help stop file encryption/weaponizing/corruption  in some cases.

 

6. not familiar with this term. you can schedule a vSCAN full scan to cover files that missed in the inline scan (due to timeout) or ones that not been detected with the old signature DB.

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-900%2Fvserver__vscan__on-demand-task__schedule.html

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

View solution in original post

2 REPLIES 2

GidonMarcus
2,838 Views

Hi.

 

1. I don't think ONTAP hold previous information on virus detections as stats. But you can get stats about the associated EMS messages with the ONTAP command:

event status -message-name Nblade.vscanVirusDetected -last-week-histogram

And events on vscan itself with:

vserver vscan show-events -event-type file-infected

You can start an active stats collection as per the following KB

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/FAQ%3A_Understanding_Clustered_Data_ONTAP_Offbox_Vscan_Server_Extended...

 

2-3. You probably want to consider installing AIUM (Active IQ Unified manager) local server (for free) to monitor the cluster. It already includes VSCAN events that you can see here:

https://docs.netapp.com/ocum-97/topic/com.netapp.doc.onc-um-sysconfig/GUID-2AB93F75-B435-46E5-813D-15B84B0BD9C7.html?cp=1_3_0_5

and you can find more EMS based events from:

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Common_EMS_messages_for_Vscan

or with the ONTAP command "event catalog show" and subscribe to these in AIUM using:

https://docs.netapp.com/ocum-97/topic/com.netapp.doc.onc-um-sysconfig/GUID-B4565396-580F-433A-A9D8-74BBABDAE893.html

 

4. Mentioned above the local AIUM (Active IQ Unified manager). I'm not sure if the online Active IQ (used to be known as MyASUP) give much on vSCAN these days (Currently I don't have access to it).  Active IQ does get events using AutoSupport. Which you can configure to send out upon events using the ONTAP command "event destination ... " (that will also send you an email - but don't add ones that likely to happen frequently, as generating austsupport takes system resources).

 

5. I'd actually prefer scanning on reads - as it will be with the more up-to-date signatures DB than when the file been written. Having said that - write is important too as it can help stop file encryption/weaponizing/corruption  in some cases.

 

6. not familiar with this term. you can schedule a vSCAN full scan to cover files that missed in the inline scan (due to timeout) or ones that not been detected with the old signature DB.

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-900%2Fvserver__vscan__on-demand-task__schedule.html

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK
Public