Network and Storage Protocols

McAfee Vscan - Virus Scanning Options

52DevOps

We are wanting to understand the virus scanning settings, for all file accesses and when files are opened for reading. When we have both of them enabled file access from the filers is slow (opening a mapped drive letter takes long and we see high CPU utilization, Protocol Latency ), on turning off “When files are opened for reading” the access is quick. Please can you provide us some guidance to these settings, what’s recommended.

 

We have both the settings enabled on all our shares. If we were to disable “When files are opened for reading” how does it impact our security posture? We are using McAfee Virus Scan for Storage and have four scanners serving one filer.

 

Using 8.x OnTap 7-Mode in case its needed. VSCAN options are already configured on the filer per the best practices guidance.

1 ACCEPTED SOLUTION

Vijay_ramamurthy

Hi,

In 7 Mode:
There are 2 options:
1) If speed of access is more important than safety:
We can turn scanning off for read-only access on the cifs share by setting "novscanread" on the share.
Virus scanning will not occur when clients open files on this share for read access.

(OR)

2) If safety is more important than speed of access then we can keep the scanning on for read-only access.
Reference :https://www.netapp.com/us/media/tr-3107.pdf
https://library.netapp.com/ecmdocs/ECMM1278400/html/filesag/GUID-4EE5B286-649D-4FD1-8C1E-F9AF27D378FC.html


In C mode :
Vscan File-Operations Profile for CIFS Share parameter specifies which operations performed on the CIFS share can trigger virus scanning
Profile: Type File Operations That Trigger Scanning
1) no_scan : None
2) standard : Open, close, and rename
3) strict: Open, read, close, and rename
4) writes_only : Close (only for newly created or modified files)

 

Best Practices
 Use the default, standard profile.
 To further restrict scanning options, use the strict profile. However, using this profile generates more scan requests and affects performance.
 To maximize performance with liberal scanning, use the writes_only profile. This profile scans only the files that have been modified and closed.
Reference : https://www.netapp.com/us/media/tr-4286.pdf

When you said turning off “When files are opened for reading” does this mean you are using "novscanread" as the CIFS share property ?

View solution in original post

2 REPLIES 2

Vijay_ramamurthy

Hi,

In 7 Mode:
There are 2 options:
1) If speed of access is more important than safety:
We can turn scanning off for read-only access on the cifs share by setting "novscanread" on the share.
Virus scanning will not occur when clients open files on this share for read access.

(OR)

2) If safety is more important than speed of access then we can keep the scanning on for read-only access.
Reference :https://www.netapp.com/us/media/tr-3107.pdf
https://library.netapp.com/ecmdocs/ECMM1278400/html/filesag/GUID-4EE5B286-649D-4FD1-8C1E-F9AF27D378FC.html


In C mode :
Vscan File-Operations Profile for CIFS Share parameter specifies which operations performed on the CIFS share can trigger virus scanning
Profile: Type File Operations That Trigger Scanning
1) no_scan : None
2) standard : Open, close, and rename
3) strict: Open, read, close, and rename
4) writes_only : Close (only for newly created or modified files)

 

Best Practices
 Use the default, standard profile.
 To further restrict scanning options, use the strict profile. However, using this profile generates more scan requests and affects performance.
 To maximize performance with liberal scanning, use the writes_only profile. This profile scans only the files that have been modified and closed.
Reference : https://www.netapp.com/us/media/tr-4286.pdf

When you said turning off “When files are opened for reading” does this mean you are using "novscanread" as the CIFS share property ?

View solution in original post

SpindleNinja

That will actually scan the file before opening.   If you disable it,  it won't actually scan the file when a user opens it.   Which...you can leave disabled as long as the background scanning is there.  Iv'e always saw it as an extra precaution.  

 

Do you notice highter times with larger files?   

Announcements
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner
Public