McAfee - Implement Step

Technical Report
Antivirus Solution Guide for Clustered Data

ONTAP 8.2.1: McAfee
Saurabh Singh and Brahmanna Chowdary Kodavali, NetApp
June 2015 | TR-4286
Abstract
An antivirus solution is key for enterprises to be able to protect their data from viruses and
® ®
malware. Storage systems running the NetApp clustered Data ONTAP 8.2.1 operating
system can be protected through an off-box antivirus solution. This document covers
deployment procedures for the components of the solution, including the antivirus software,
along with best practices for the configuration of each component.
TABLE OF CONTENTS
1 Introduction ........................................................................................................................................... 4
1.1 Audience .........................................................................................................................................................4
1.2 Purpose and Scope ........................................................................................................................................4
2 Antivirus Solution Architecture .......................................................................................................... 4

2.1 Components of Vscan Server .........................................................................................................................5
2.2 Components of System Running Clustered Data ONTAP ..............................................................................5
2.3 Workflow for Configuring and Managing Virus Scanning ................................................................................6
3 Vscan Server Requirements ................................................................................................................ 6

3.1 Antivirus Software Requirements ....................................................................................................................7
3.2 Antivirus Connector Requirements .................................................................................................................7
4 Installing and Configuring Antivirus Engine ..................................................................................... 7

4.1 Download and Install VirusScan Enterprise for Storage 1.1.0.........................................................................8
4.2 Configure VirusScan Enterprise for Storage ...................................................................................................8
4.3 Create Storage System Policy from ePolicy Orchestrator ...............................................................................8
5 Installing and Configuring Antivirus Connector ............................................................................. 11

5.1 Install Antivirus Connector ............................................................................................................................12
5.2 Add SVMs to Antivirus Connector .................................................................................................................13
6 Configuring Vscan Options in Clustered Data ONTAP................................................................... 14

6.1 Create Scanner Pool .....................................................................................................................................14
6.2 Apply Scanner Policy to Scanner Pool ..........................................................................................................15
6.3 Create On-Access Policy ..............................................................................................................................16
6.4 Enable On-Access Policy ..............................................................................................................................16
6.5 Enable Virus Scanning on SVM ....................................................................................................................17
7 Managing Vscan Options in Clustered Data ONTAP ...................................................................... 17

7.1 Modify Vscan File-Operations Profile for CIFS Share ...................................................................................17
7.2 Manage Scanner Pools .................................................................................................................................18
7.3 Manage On-Access Policies .........................................................................................................................21
8 General Best Practices ...................................................................................................................... 22

8.1 Best Practices for Clustered Data ONTAP ....................................................................................................22
8.2 Best Practices for VirusScan Enterprise for Storage .....................................................................................23
9 Troubleshooting and Monitoring ...................................................................................................... 23

9.1 Troubleshooting Virus Scanning ...................................................................................................................23
2 Antivirus Solution Guide for Clustered Data ONTAP 8.2.1: McAfee © 2015 NetApp, Inc. All rights reserved.
9.2 Monitoring Status and Performance Activities...............................................................................................24
Version History ......................................................................................................................................... 27
LIST OF TABLES
Table 1) System requirements for VirusScan Enterprise for Storage 1.1.0. ...................................................................7
Table 2) Options in the Filers tab. ..................................................................................................................................9
Table 3) Options in the Scan Items tab. .........................................................................................................................9
Table 4) Options in the Exclusions tab. ........................................................................................................................10
Table 5) Options in the Performance tab. .....................................................................................................................10
Table 6) Options in the Actions tab. .............................................................................................................................10
Table 7) Options in the Reports tab. .............................................................................................................................11
Table 8) Prerequisites for installing Antivirus Connector. .............................................................................................12
Table 9) Prerequisites for adding an SVM to Antivirus Connector. ...............................................................................13
Table 10) Prerequisite for configuring a scanner pool for SVMs. .................................................................................14
Table 11) Prerequisites for enabling virus scanning on the SVM. ................................................................................17
Table 12) Prerequisite for modifying the Vscan file-operations profile..........................................................................17
Table 13) Types of file-operations profiles....................................................................................................................18
Table 14) Prerequisite for adding privileged users to a scanner pool. ..........................................................................19
Table 15) Prerequisite for adding Vscan servers to a scanner pool. ............................................................................20
Table 16) Common virus-scanning issues....................................................................................................................23
Table 17) Commands for viewing information about the connection status of Vscan servers. .....................................24
Table 18) offbox_vscan counters: Vscan server requests and latencies across Vscan servers. .............................25
Table 19) offbox_vscan_server counters: individual Vscan server requests and latencies. ..................................26
Table 20) offbox_vscan_server counters: Vscan server utilization statistics. ........................................................26
LIST OF FIGURES
Figure 1) Antivirus solution architecture. ........................................................................................................................5
Figure 2) Workflow for configuring and managing virus scanning. .................................................................................6
1 Introduction
The off-box antivirus feature provides virus-scanning support to the NetApp clustered Data ONTAP
operating system. In this architecture, virus scanning is performed by external servers that host antivirus
software from third-party vendors. The feature offers antivirus functionality that is similar to the
functionality currently available in Data ONTAP operating in 7-Mode.
The off-box antivirus feature provides virus-scanning support by triggering in-band notifications to the
external virus-scanning servers during various file operations, such as open, close, rename, and write
operations. Due to the in-band nature of these notifications, the client’s file operation is suspended until
®
the file scan status is reported back by the virus-scanning server, a Windows Server instance that is
referred to as Vscan server.
The Vscan server, upon receiving a notification for a scan, retrieves the file through a privileged CIFS
share and scans the file contents. If the antivirus software encounters an infected file, it attempts to
perform remedial operations on the file. The remedial operations are determined by the settings
configured in the antivirus software.
After completing all necessary operations, the Vscan server reports the scan status to clustered Data
ONTAP. Depending on the scan status, clustered Data ONTAP allows or denies the file operation
requested by the client. In clustered Data ONTAP 8.2.1, virus scanning is available only for CIFS-related
traffic.
The off-box antivirus feature for clustered Data ONTAP is similar to the antivirus feature in the 7-Mode
implementation, but some key enhancements have been added:
 Granular scan exclusion. Clustered Data ONTAP gives you the ability to exclude files from virus
scanning based on file size and location (path) or to scan only the files that are opened with execute
permissions.
 Support for updates to the antivirus software. Clustered Data ONTAP supports rolling updates of
the antivirus software and maintains information about the software running version along with the
scan status of files. If the antivirus software running in a single server in a scanner pool is updated to
a later version, the scan status of all files that have already been scanned is not discarded.
 Security enhancements. Clustered Data ONTAP validates incoming connection requests sent by
the Vscan server. Before the server is allowed to connect, the connection request is compared to the
privileged users and IP addresses defined in the scanner pools to verify that it is originating from a
valid Vscan server.
1.1 Audience
The target audience for this document is customers who want to implement virus scanning for clustered
Data ONTAP storage systems that use the CIFS protocol.
1.2 Purpose and Scope

The purpose of this document is to provide an overview of the antivirus solution on clustered Data
ONTAP, with deployment steps and best practices.
2 Antivirus Solution Architecture

The antivirus solution consists of the following components: the third-party antivirus software, clustered
Data ONTAP Antivirus Connector, and the clustered Data ONTAP virus-scanning settings. You must
install both the antivirus software and Antivirus Connector on the Vscan server. Figure 1 shows the
architecture of the antivirus solution.
Figure 1) Antivirus solution architecture.
2.1 Components of Vscan Server
Antivirus Software
The antivirus software is installed and configured on the Vscan server to scan files for viruses or other
malicious data. The antivirus software must be compliant with clustered Data ONTAP. You must specify
the remedial actions to be taken on infected files in the configuration of the antivirus software.
Antivirus Connector
Antivirus Connector is installed on the Vscan server to process scan requests and provide communication
between the antivirus software and the storage virtual machines (SVMs; formerly called Vservers) in the
storage system running clustered Data ONTAP.
2.2 Components of System Running Clustered Data ONTAP
Scanner Pool
A scanner pool is used to validate and manage the connection between the Vscan servers and the SVMs.
You can create a scanner pool for an SVM to define the list of Vscan servers and privileged users that
can access and connect to that SVM and to specify a timeout period for scan requests. If the response to
a scan request is not received within the timeout period, file access is denied in mandatory scan cases.
Scanner Policy
A scanner policy defines when the scanner pool is active. A Vscan server is allowed to connect to an
SVM only if its IP address and privileged user are part of the active scanner pool list for that SVM.
Note: All scanner policies are system defined; you cannot create a customized scanner policy.
A scanner policy can have one of the following values:
 Primary. Makes the scanner pool always active.
 Secondary. Makes the scanner pool active only when none of the primary Vscan servers is
connected.
 Idle. Makes the scanner pool always inactive.
On-Access Policy
An on-access policy defines the scope for scanning files when they are accessed by a client. You can
specify the maximum file size for files to be considered for virus scanning and file extensions and file
paths to be excluded from scanning. You can also choose a filter from the available set of filters to define
the scope of scanning.
Vscan File-Operations Profile

The Vscan file-operations profile parameter (-vscan-fileop-profile) defines which file operations
on the CIFS share can trigger virus scanning. You must configure this parameter when you create or
modify a CIFS share.
2.3 Workflow for Configuring and Managing Virus Scanning

Figure 2 shows a workflow with the high-level steps that you must perform to configure and manage virus-
scanning activities.
Figure 2) Workflow for configuring and managing virus scanning.
3 Vscan Server Requirements

You must set up one or more Vscan servers for files on your system to be scanned for viruses and
malware. To set up a Vscan server, you must install and configure the antivirus software provided by the
vendor and Antivirus Connector.
3.1 Antivirus Software Requirements
The antivirus engine featured in this document is McAfee VirusScan Enterprise for Storage. VirusScan
Enterprise for Storage detects and removes viruses, malware, and other potentially unwanted programs
from your network-attached storage (NAS) devices.
VirusScan Enterprise for Storage is added to McAfee VirusScan Enterprise and expands its capabilities.
The software performs remote scanning on NAS devices such as NetApp storage systems and Internet
Content Adaptation Protocol (ICAP) storage appliances. It uses the McAfee virus-scanning engine that is
common to all McAfee antivirus products.
The VirusScan Enterprise for Storage 1.1.0 release supports the scanning of files stored in systems
running either clustered Data ONTAP 8.2.1 or Data ONTAP 7-Mode. For clustered Data ONTAP
scanning, it requires the Antivirus Connector application. VirusScan Enterprise for Storage 1.1.0 has the
system requirements listed in Table 1.
Table 1) System requirements for VirusScan Enterprise for Storage 1.1.0.
Component Requirement
Hardware An Intel dual-core processor or compatible architecture
CPU speed 2.6GHz (or greater)
Memory Minimum 4GB RAM
Disk space Minimum 70MB to install the software

Additional 5GB for ICAP scanner files and temporary files
Operating system  Windows Server 2008 32-bit and 64-bit

 Windows Server 2008 R2
 Windows Server 2012
3.2 Antivirus Connector Requirements

Antivirus Connector has the following system requirements:
 It must be installed on one of the following Windows platforms:
 Windows Server 2012 R2
 Windows Server 2012
 Windows Server 2008 R2
 Windows Server 2008
Note: You can install different versions of the Window platform on different Vscan servers scanning
the same SVM.
Note: You must enable SMB 2.0 on the Windows Server instance (Vscan server) on which you
install and run Antivirus Connector.
 .NET 3.0 or later must be enabled on Windows Server.
4 Installing and Configuring Antivirus Engine

You must install and configure McAfee VirusScan Enterprise for Storage on the Vscan servers so that
files stored on the system running clustered Data ONTAP can be scanned and cleaned.
4.1 Download and Install VirusScan Enterprise for Storage 1.1.0
To download and install VirusScan Enterprise for Storage, complete the following steps:
1. Navigate to the McAfee Downloads page and enter your grant number.
2. Locate VirusScan for Storage in the list of products for your grant number.
3. Select VirusScan for Storage 1.1.0 from the products list.
4. Download the product builds, documentation, and ePolicy Orchestrator extensions.
4.2 Configure VirusScan Enterprise for Storage

To configure VirusScan Enterprise for Storage to scan NetApp storage systems, complete the following
steps:
1. On the Vscan server, log in to the system as an administrator.
2. On the Windows taskbar, right-click the McAfee menulet and select VirusScan Console.
3. On the VirusScan console, double-click Network Appliance Filer AV Scanner.
4. On the Network Appliance Filers tab, configure these options:
a. Specify which storage system this server protects. For clustered Data ONTAP, click Add, type the
loop-back IP address (127.0.0.1), and click OK.
b. Apply the settings to all storage systems.
c. Enter the administrator credentials that are common to all storage systems.
5. On the Scan Items tab, define the types of files, options, and heuristics for a scan.
6. On the Exclusions tab, define the files to be excluded from virus scanning.
7. On the Performance tab, define the scan time and antivirus scan threads for a scan.
8. On the Actions tab, define the primary and secondary actions for VirusScan to take when it finds a
threat or unwanted program.
9. On the Reports tab, configure these options:
a. Enable activity logging and either accept the default location for the log file or specify a new
location.
b. Select the Limit the Size of Log File checkbox and specify a maximum size for the log file.
c. From the Log File Format list, select a format for the log file.
10. Click OK to save the configuration.
Note: You can view the storage system connection status from the Scan Statistics page.
4.3 Create Storage System Policy from ePolicy Orchestrator

You can create storage system policies to define parameters for scanning file types and manage the list
of storage systems that are connected to VirusScan Enterprise for Storage. To create a policy by using
ePolicy Orchestrator, complete the following steps:
Note: For option definitions, click ? in the interface.
1. Log in to the ePolicy Orchestrator server as an administrator.
2. From Policy Catalog, select VirusScan Enterprise for Storage 1.1.0 as the product, then select
NetApp Policies as the category.
3. Click New Policy, type a name for the policy, and click OK to open the Policy page.
4. In the Filers tab, add the storage systems that the Vscan server protects and create a user account
with permissions for operations such as read, write, and backup for all storage systems. Table 2 lists
the options to configure in the Filer tab.
Table 2) Options in the Filers tab.
Pane Name Option, Description, and/or Selection to Make

Filers List  Overwrite Client Filer List. Processes scan requests only for storage
systems defined in the policy.
 Filers. In this list, click the plus and minus signs to add and remove
storage systems.
These Settings Apply to All  Enable Keep-Alive Probes. Checks if the storage system and the
Filers Vscan server are in communication.
 Reset Filer’s Clean File Cache After Each DAT or Engine Update.
Clears the cache of files that have been already scanned after the
Vscan server sends a DAT or engine update. Cleaning the cache makes
all files available for scanning with the latest DAT and engine files.
Note: McAfee recommends that you enable these two options for all
storage systems.
Administrator Account Common In this pane, specify a user account with proper permissions (read, write,
to All Filers and backup) to all storage systems. If this option is not selected, you must
set up an individual account for each locally installed VirusScan Enterprise
for Storage connection.
5. In the Scan Items tab, define the file types to scan for malware threats and the unwanted programs to
detect. Table 3 lists the options to configure in the Scan Items tab.
Table 3) Options in the Scan Items tab.

Scanning Enable Scanning. Enables or disables scanning.
File Types to Scan  All Files. Scans all files regardless of the file extension.
 Default + Specified File Types. Scans files with extensions in the
default list of extensions and files with the additional extensions that you
specify (the default list is defined in the current DAT file).
 Include Files with no Extension. Scans files that do not contain an
extension.
 Also Scan for Macros in All Files. Scans for macro threats added to
the files.
 Specified File Types Only. Scans only the files with the extensions that
you specify. You can also remove any extensions that you added
previously. If you select this option, type the file extensions and
separate them with spaces.
 Include Files with No Extension. Scans files that do not contain an
extension.
Options  Detect Unwanted Programs. Scans for unwanted programs installed

on the server.
 Decode MIME Encoded Files. Decodes MIME encoded files.
 Scan Inside Archives (e.g., .zip) and Compressed Executables.
Scans compressed and archived executable files for threats.
Heuristics  Find Unknown Unwanted Programs and Trojans. Scans for

unwanted programs and Trojans on the server.
 Find Unknown Macro Threats. Scans for unknown macro threats.
6. In the Exclusions tab, specify the files and folders to exclude from scanning. Table 4 lists the options
to configure in the Exclusions tab.
Table 4) Options in the Exclusions tab.

What Not to Scan Select the type of exclusion from the drop-down list and then specify the
details for the exclusion:
 Exclude by Pattern. Type the pattern in the text box. Separate multiple
entries with a space. Select Include Subfolders as needed.
 Exclude by File Type. Type the file type in the text box. Separate
multiple entries with a space.
 Exclude by File Age. Select the access type (modified, created, or
accessed) and specify a minimum age in days.
How to Handle Client  Overwrite Client Exclusions. Excludes the items specified in this
Exclusions policy. If you do not select this option, the antivirus engine uses the list
of excluded items that is defined in the local system.
7. In the Performance tab, configure the scanning duration options to improve performance. Table 5 lists
the options to configure in the Performance tab.
Table 5) Options in the Performance tab.

Maximum Scan Time  Maximum Scan Time (seconds). Specifies the maximum scan time for
(seconds) files in seconds. The default is 60 seconds. If a scan exceeds the time
limit, the scan stops and logs a message.
Number of Antivirus Scan  Number of Antivirus Scan Threads. Specifies the number of antivirus
Threads scan threads. The default is 100 threads.
8. In the Actions tab, define the primary and secondary actions for the antivirus engine to perform when
a threat is detected. Table 6 lists the options to configure in the Action tab.
Table 6) Options in the Actions tab.

When a Threat Is Found Perform this Action First. In this list, select the first action that you want
the scanner to take when a threat is detected:
 Clean Files Automatically. The scanner tries to remove the detected
threat from the file.
 Continue Scanning. A clean or delete action is not attempted on the
infected file. The storage system is notified of the threat and the action
is logged.
 Delete Files Automatically. The scanner deletes files with potential
threats as soon as it detects them.
If the First Action Fails, then Perform this Action. In this list, select the
next action that you want the scanner to take if the first action fails:
threatened file. The storage system is notified of the threat and the
action is logged.
When an Unwanted Program Is Perform this Action First. In this list, select the first action that you want
Found the scanner to take when an unwanted program is detected:
 Clean Files Automatically. The scanner tries to remove the detected
threat from the file.
infected file. The storage system is notified of the threat and the action
is logged.
If the First Action Fails, then Perform this Action. In this list, select the
next action that you want the scanner to take if the first action fails:
threatened file. The storage system is notified of the threat and the
action is logged.
9. On the Reports tab, set your log file preferences. Table 7 lists the options to configure in the Reports
tab.
Table 7) Options in the Reports tab.

Log File Format Select the format of the log file (the default is Unicode [UTF8]):
 Unicode (UTF8). Recommended if you store eastern text (every
character is one or two bytes) or share information within a multinational
organization.
 Unicode (UTF16). Recommended if you store eastern text (every
character is one or two bytes) or share information within a multinational
organization.
 ANSI. Recommended if you store western text (every character is one
byte).
Note: McAfee recommends using the ANSI format.
What to Log in Addition to  Session Settings. Records the properties for each scanning session in
Scanning Activity the log file.
 Session Summary. Records a summary of the scanning actions for
each session in the log file. Summary information includes the number
of files scanned, the number and type of detections, the number of files
cleaned or deleted, and other information.
 Failure to Scan Encrypted Files. Records the name of encrypted files
that the scanner failed to scan.
10. After you configure all options for the new policy, click Save.
5 Installing and Configuring Antivirus Connector

To enable the antivirus engine to communicate with one or more SVMs, you must install Antivirus
Connector and configure it to connect to the SVMs.
5.1 Install Antivirus Connector
Before you can install Antivirus Connector, the prerequisites in Table 8 must be in place.
Table 8) Prerequisites for installing Antivirus Connector.
Description
You have downloaded the Antivirus Connector setup file from the NetApp Support site and saved it to a
directory on your hard drive.
You have verified that the requirements to install Antivirus Connector are met.
You have administrator privileges to install Antivirus Connector.
To install Antivirus Connector, complete the following steps:

1. Run the setup file for Antivirus Connector to start the installation wizard.
2. On the Welcome page of the wizard, click Next.
3. On the Destination Folder page, either keep the Antivirus Connector installation in the suggested
folder or click Change to install to a different folder. Click Next.
4. On the Data ONTAP AV Connector Windows Service Credentials page, enter your Windows service
credentials or click Add to select a user. Click Next.
Note: This user must be a valid domain user and must exist in the SVM’s scanner pool.
Best Practices
 You must add the credentials used as service accounts to run the Antivirus Connector service as
privileged users in the scanner pool.
 The same service account must be used to run the antivirus engine service.
5. On the Ready to Install the Program page, click Back to make any changes to the settings or click
Install to begin the installation. A status box opens and charts the installation progress.
6. On the InstallShield Wizard Completed page, select the Configure ONTAP Management LIFs
checkbox if you want to continue with the configuration of the Data ONTAP management LIFs.
Best Practices
 Credentials used for polling must have at least read access to the network interface.
 For security purposes, consider using a separate user to poll the Data ONTAP management LIFs.
The preferred accounts are cluster admin and vsadmin.
7. Select the Show the Windows Installer Log checkbox if you want to view the installation logs.
8. Click Finish to end the installation and close the wizard. The Configure ONTAP Management LIFs for
Polling icon is saved on your desktop for you to configure the Data ONTAP management LIFs.
Important
By default, the ONTAP AV Connector service does not have logging enabled. To enable logging, add
the following two values to the Vscan server registry:
 The TracePath string value (gives the local path to the logging file; for example,
c:\folder\avshim.log)
 The TraceLevel DWORD value (controls the logging level; level 2 is verbose and 3 is debug)
You must add the registry values to one of the following locations:
 HKLM\SOFTWARE\Wow6432Node\Data ONTAP\Clustered Data ONTAP Antivirus
Connector\v1.0
 HKLM \SOFTWARE\Data ONTAP\Clustered Data ONTAP Antivirus Connector\v1.0
For more details, see the NetApp KB 2018449 article: Troubleshooting Workflow: Clustered Data
ONTAP Antivirus Connector (Offbox\Offboard AV).
5.2 Add SVMs to Antivirus Connector

To send files for virus scanning, you must configure Antivirus Connector to connect to one or more SVMs
by entering the Data ONTAP management LIF, the poll information, and the account credentials. The
management LIF is polled to retrieve the list of data LIFs. Before you can add SVMs to Antivirus
Connector, the prerequisites in Table 9 must be in place.
Table 9) Prerequisites for adding an SVM to Antivirus Connector.
Description
You have verified that the cluster management LIF or the IP address of the SVM is enabled for ontapi.
You have created a user with at least read-only access to the network interface command directory for
ontapi. For more information about creating a user, see the security login role create and
security login create man pages.
Note: You can also use the domain user as an account by adding an authentication tunnel SVM for an
administrative SVM. For more information, see the security login domain tunnel man page.
To add an SVM to Antivirus Connector, complete the following steps:

1. Right-click the Configure ONTAP Management LIFs for Polling icon, which was saved on your
desktop when you completed the Antivirus Connector installation. Select Run as Administrator.
2. On the Configure Data ONTAP Management LIFs for Polling dialog box, configure the following
settings:
a. Specify the management LIF of the SVM:
 If you have an existing management LIF or IP address, enter the management LIF or IP address
of the SVM that you want to add.
 If you want to create a management LIF, create one with the role set to data, the data protocol
set to none, and the firewall policy set to mgmt. For more information about creating a LIF, see
the Clustered Data ONTAP 8.2 Network Management Guide.
Note: You can also enter the cluster management LIF. If you specify the cluster management LIF,
all SVMs that are serving CIFS within that cluster can use the Vscan server.
b. Enter the poll duration, in seconds.
Note: The poll duration is the frequency with which Antivirus Connector checks for changes to the
SVMs or to the cluster’s LIF configuration. The default poll interval is 60 seconds.
c. Enter the account name and password.
d. Click Test to verify connectivity and authenticate the connection.
e. Click Update to add the management LIF to the list of management LIFs to poll.
f. Click Save to save the connection to the registry.
g. Click Export if you want to export the list of connections to a registry import/export file.
Note: Exporting the list of connections to a file is useful if multiple Vscan servers use the same set
of management LIFs.
6 Configuring Vscan Options in Clustered Data ONTAP

After you set up the Vscan servers, you must configure scanner pools and on-access policies on the
storage system running clustered Data ONTAP. You must also configure the Vscan file-operations profile
parameter (-vscan-fileop-profile) before you enable virus scanning on an SVM.
Note: You must have completed the CIFS configuration before you begin to configure virus scanning.
6.1 Create Scanner Pool

You must create a scanner pool for an SVM or a cluster to define the list of Vscan servers and privileged
users that are allowed to access and connect to that SVM or cluster. Before you can configure a scanner
pool, the prerequisite in Table 10 must be in place.
Table 10) Prerequisite for configuring a scanner pool for SVMs.
Description
SVMs and Vscan servers must be in the same domain or in trusted domains.
Scanner pools have the following characteristics and limits:

 You can create a scanner pool for an individual SVM or for a cluster.
 A scanner pool for a cluster is available to all SVMs within that cluster. However, you must apply the
scanner policy individually to each SVM within the cluster.
 You can create a maximum of 20 scanner pools per SVM.
 You can include a maximum of 100 Vscan servers and privileged users in a scanner pool.
Best Practices
 Ensure that you have added all Vscan servers for serving the SVM to the scanner pool. NetApp
recommends having at least two servers per scanner pool. Having more than one Vscan server
improves fault tolerance and allows regular maintenance.
 The number of Vscan servers to be connected per SVM depends on the size of the environment.
 To enable multi-tenancy compliance in a secure multi-tenancy architecture, you must use different
privileged users for different SVMs.
Configure Scanner Pool for SVM

To configure a scanner pool for an SVM, complete the following step:
1. Run the vserver vscan scanner-pool create command.
This example shows how to create a scanner pool named SP1 on the SVM named vs1:
vserver vscan scanner-pool create -vserver vs1 -scanner-pool SP1 -servers 1.1.1.1,2.2.2.2 -
privileged-users cifs\u1,cifs\u2
Note: For information about the parameters that you can use with this command, see the Vserver
vscan scanner-pool create man page.
Configure One Scanner Pool for Use with Multiple SVMs
You can configure virus scanning to leverage the same pool of Vscan servers for all SVMs instead of
using a separate pool for each SVM.
NetApp recommends that you use the domain account for the Vscan servers as the privileged access
credentials in the scanner pool configuration. Using this account makes the configuration less complex
and easier to troubleshoot for authentication issues.
Cluster-Scoped Configuration
In a cluster-scoped configuration, the pool of Vscan servers is used for scanning all SVMs in the cluster.
To configure a cluster-scoped scanner pool, complete the following steps:
1. Create a scanner pool with the cluster scope.
vserver vscan scanner-pool create -vserver <cserver name> -scanner-pool <scanner pool name> -
servers <vscan server ip> -privileged-users <domain\username>
2. Configure Antivirus Connector with the cluster management LIF.

3. Apply a scanner policy to the scanner pool, enable the on-access policy, and enable virus scanning
for each SVM.
SVM-Scoped Configuration
In an SVM-scoped configuration, the pool of Vscan servers is used for scanning specific SVMs in the
cluster. To configure an SVM-scoped scanner pool, complete the following steps:
1. Create a scanner pool with the SVM scope. Create the same configuration on all SVMs.
vserver vscan scanner-pool create -vserver <vserver name> -scanner-pool <scanner pool name> -
servers <vscan server ip> -privileged-users <domain\username>
2. Configure Antivirus Connector with the SVM management LIF or the data LIF.
3. Apply a scanner policy to the scanner pool, enable the on-access policy, and enable virus scanning
for each SVM.
Note: Due to the trust relationship between domains, the authentication request is sent to the
corresponding domain.
6.2 Apply Scanner Policy to Scanner Pool

You must apply a scanner policy to every scanner pool defined on an SVM. The scanner policy defines
when the scanner pool is active. A Vscan server is allowed to connect to the SVM only if the IP address
and privileged user of the Vscan server are part of the active scanner pool list for that SVM.
You can apply only one scanner policy per scanner pool at a time. By default, the scanner policy has the
value idle. Scanner policies can have two other values, primary and secondary. The primary policy
always takes effect, whereas the secondary policy takes effect only if the primary policy fails.
Best Practice
Verify that you applied a primary policy to a primary scanner pool and a secondary policy to the backup
scanner pool.
To apply a scanner policy to a scanner pool, complete the following step:

1. Run the vserver vscan scanner-pool apply-policy command.
This example shows how to apply the scanner policy named primary to a scanner pool named SP1
on the SVM named vs1:
vserver vscan scanner-pool apply-policy -vserver vs1 -scanner-pool SP1 -scanner-policy primary
Note: For information about the parameters that you can use with this command, see the vserver
vscan scanner-pool apply-policy man page.
6.3 Create On-Access Policy

You must create an on-access policy for an SVM or for a cluster to define the scope of virus scanning. In
the policy, you can specify the maximum file size for files to be considered for scanning and the file
extensions and file paths to exclude from scanning:
 By default, clustered Data ONTAP creates an on-access policy named default_CIFS and enables
it for all existing SVMs. You can use the default_CIFS on-access policy or create a customized on-
access policy.
 You can create an on-access policy for an individual SVM or for a cluster. The on-access policy for
the cluster is available to all SVMs within that cluster. However, you must enable the on-access policy
individually on each SVM within the cluster.
 You can create a maximum of 10 on-access policies per SVM. However, you can enable only one on-
access policy at a time.
 You can exclude a maximum of 100 paths and file extensions from virus scanning in one on-access
policy.
Best Practices
 Consider excluding large files (file size can be specified) from virus scanning because they might
result in a slow response or a scan request timeout for CIFS users. The default file size for
exclusion is 2GB.
 Consider excluding file extensions such as .vhd and .tmp because files with these extensions
might not be appropriate for scanning.
 Consider excluding file paths such as the quarantine directory or paths in which only virtual hard
drives or databases are stored.
 Verify that all exclusions are specified in the same policy, because only one policy can be enabled
at a time. NetApp highly recommends that you specify the same set of exclusions on the antivirus
engine. For more information about supported exclusions, contact McAfee.
To create an on-access policy, complete the following step:

1. Run the vserver vscan on-access-policy create command.
This example shows how to create an on-access policy named Policy1 on the SVM named vs1:
vserver vscan on-access-policy create -vserver vs1 -policy-name Policy1 -protocol CIFS -filters
scan-ro-volume -max-file-size 3GB -file-ext-to-exclude "mp3","txt" -paths-to-exclude "\vol\a
b\","\vol\a,b\"
vscan on-access-policy create man page.
6.4 Enable On-Access Policy

After you create an on-access scan policy, you must enable it for an SVM. You can enable only one on-
access policy of a specified protocol for each SVM at a time.
To enable an on-access policy for the SVM, complete the following step:
1. Run the vserver vscan on-access-policy enable command.
This example shows how to enable an on-access policy named Policy1 on the SVM named vs1:
vserver vscan on-access-policy enable -vserver vs1 -policy-name Policy1
Note: By default, the scan-mandatory filter is enabled if other filters are not specified. Use double
quotes ("" or "-") to disable filters. For information about the parameters that you can use with
the vserver vscan on-access-policy create command, see the command’s man
page.
6.5 Enable Virus Scanning on SVM

After you configure the scanner pool, the on-access policy, and the Vscan file-operations profile
parameter, you must enable virus scanning on the SVM to protect the data. When virus scanning is
enabled on the SVM, the SVM connects to the Vscan servers that are listed in the active scanner pool for
that SVM. Before you can enable virus scanning on the SVM, the prerequisites in Table 11 must be in
place.
Table 11) Prerequisites for enabling virus scanning on the SVM.
Description
You have created one or more scanner pools and applied a scanner policy to them.
You have created an on-access policy and enabled it on the SVM.
You have configured the Vscan file-operations profile parameter.
You have verified that the Vscan servers are available.
To enable virus scanning on the SVM, complete the following step:

1. Run the vserver vscan enable command.
This example shows how to enable virus scanning on the SVM named vs1:
vserver vscan enable -vserver vs1
vscan enable man page.
7 Managing Vscan Options in Clustered Data ONTAP
7.1 Modify Vscan File-Operations Profile for CIFS Share

When you create a CIFS share, you must configure the -vscan-fileop-profile parameter to specify
which operations performed on the CIFS share can trigger virus scanning. By default, the parameter is
set to standard. You can use the default value or change it by running the vserver cifs share
modify command.
Before you can modify the Vscan file-operations profile for a CIFS share, the prerequisite in Table 12
must be in place.
Table 12) Prerequisite for modifying the Vscan file-operations profile.
Description
You have created a CIFS share.
Note: Virus scanning is not performed on CIFS shares for which the -continuously-available
parameter is set to Yes.
Table 13 lists the file-operations profile types and the file operations that they monitor.
Table 13) Types of file-operations profiles.
Profile Type File Operations That Trigger Scanning

no_scan None
standard Open, close, and rename
strict Open, read, close, and rename
writes_only Close (only for newly created or modified files)
Best Practices
 Use the default, standard profile.
 To further restrict scanning options, use the strict profile. However, using this profile generates
more scan requests and affects performance.
 To maximize performance with liberal scanning, use the writes_only profile. This profile scans
only the files that have been modified and closed.
To modify the value of the -vscan-fileop-profile parameter, complete the following step:
1. Run the vserver cifs share modify command.
Note: For more information about modifying the CIFS shares, see the Clustered Data ONTAP 8.2
File Access Management Guide for CIFS.
7.2 Manage Scanner Pools

You can manage scanner pools to view the scanner pool information and modify the Vscan servers and
privileged users that are associated with the scanner pool. You can also modify the request and response
timeout period and delete a scanner pool if it is no longer required.
View Scanner Pools of SVMs

To view information about all scanner pools belonging to all SVMs or about one scanner pool that
belongs to a specific SVM, complete the following step:
1. Run the vserver vscan scanner-pool show command.
These examples show how to view the list of scanner pools of all SVMs and a scanner pool of a
specific SVM:
Cluster::> vserver vscan scanner-pool show
Scanner Pool Privileged Scanner
Vserver Pool Owner Servers Users Policy
-------------------------------------------------------------
vs1 new vserver 1.1.1.1, 2.2.2.2 cifs\u5 idle
vs1 p1 vserver 3.3.3.3 cifs\u1 primary
cifs\u2
2 entries were displayed.
Cluster::> vserver vscan scanner-pool show -vserver vs1 -scannerpool
new
Vserver: vs1
Scanner Pool: new
Applied Policy: idle
Current Status: off
Scanner Pool Config Owner: vserver
List of IPs of Allowed Vscan Servers: 1.1.1.1, 2.2.2.2
List of Privileged Users: cifs\u5
vscan scanner-pool show man page.
View Active Scanner Pools of SVMs

You can view the list of active scanner pools belonging to all SVMs. The list of active scanner pools is
derived by merging the information about the active scanner pools on all SVMs.
To view the list of active scanner pools of all SVMs, complete the following step:
1. Run the vserver vscan scanner-pool show-active command.
vscan scanner-pool show-active man page.
Modify Scanner Pool

You can update the scanner pool information to modify the list of Vscan servers and privileged users that
can connect to the SVM and the request and response timeout period.
To modify the scanner pool information, complete the following step:
1. Run the vserver vscan scanner-pool modify command.
vscan scanner-pool modify man page.
Delete Scanner Pool

If you no longer need an unused scanner pool, you can delete it. To delete a scanner pool, complete the
following step:
1. Run the vserver vscan scanner-pool delete command.
vscan scanner-pool delete man page.
Add Privileged Users to Scanner Pool

You can add one or more privileged users to a scanner pool to define the privileged users who can
connect to an SVM. Before you can add privileged users to the scanner pool, the prerequisite in Table 14
must be in place.
Table 14) Prerequisite for adding privileged users to a scanner pool.
Description
You have created a scanner pool for the SVM.
To add one or more privileged users to a scanner pool, complete the following step:
1. Run the vserver vscan scanner-pool privileged-users add command.
This example shows how to add the privileged users named cifs\u2 and cifs\u3 to a scanner
pool named SP1 on the SVM named vs1:
vserver vscan scanner-pool privileged-users add -vserver vs1 -scannerpoolSP1 -privileged-users
cifs\u2,cifs\u3
vscan scanner-pool privileged-users add man page.
Remove Privileged Users from Scanner Pool
If you no longer require privileged users, you can remove them from the scanner pool. To remove one or
more privileged users from a scanner pool, complete the following step:
1. Run the vserver vscan scanner-pool privileged-users remove command.
vscan scanner-pool privileged-users remove man page.
View Privileged Users of All Scanner Pools

To view the list of privileged users of all scanner pools, complete the following step:
1. Run the vserver vscan scanner-pool privileged-users show command.
vscan scanner-pool privileged-users show man page.
Add Vscan Servers to Scanner Pool

You can add one or more Vscan servers to a scanner pool to define the Vscan servers that can connect
to an SVM. Before you can add Vscan servers to the scanner pool, the prerequisite in Table 15 must be
in place.
Table 15) Prerequisite for adding Vscan servers to a scanner pool.
Description
You have created a scanner pool for the SVM.
To add one or more Vscan servers to a scanner pool, complete the following step:
1. Run the vserver vscan scanner-pool servers add command.
This example shows how to add a list of Vscan servers to a scanner pool named SP1 on the SVM
named vs1:
vserver vscan scanner-pool servers add -vserver vs1 -scanner-pool SP1 -servers
10.10.10.10,11.11.11.11
vscan scanner-pool servers add man page.
Remove Vscan Servers from Scanner Pool

If you no longer require a Vscan server, you can remove it from the scanner pool. To remove one or more
Vscan servers from a scanner pool, complete the following step:
1. Run the vserver vscan scanner-pool servers remove command.
vscan scanner-pool servers remove man page.
View Vscan Servers of All Scanner Pools

You can view the list of Vscan servers of all scanner pools to manage the Vscan server connections. To
view the Vscan servers of all scanner pools, complete the following step:
1. Run the vserver vscan scanner-pool servers show command.
vscan scanner-pool servers show man page.
7.3 Manage On-Access Policies
You can manage on-access policies to define the scope of scanning when files are accessed by a client.
You can modify the maximum file size that is allowed for virus scanning and the file extensions and file
paths to be excluded from scanning. You can also delete and disable an on-access policy if it is no longer
required.
View On-Access Policies of SVMs

You can view information about all on-access policies belonging to all SVMs or one on-access policy
belonging to one SVM to manage on-access policies. To view on-access policies, complete the following
step:
1. Run the vserver vscan on-access-policy show command.
These examples show how to view the list of on-access policies of all SVMs and the on-access policy
of one SVM:
Cluster::> vserver vscan on-access-policy show
Policy Policy File-Ext Policy
Vserver Name Owner Protocol Paths Excluded Excluded Status
-------------------------------------------------------------------
Cluster default_ cluster CIFS - - off
CIFS
vs1 default_ cluster CIFS - - on
CIFS
vs1 new vserver CIFS \vol\temp txt off
vs2 default_ cluster CIFS - - on
CIFS
4 entries were displayed.
Cluster::> vserver vscan on-access-policy show -instance -vserver
vs1 -policyname new
Vserver: vs1
Policy: new
Policy Status: off
Policy Config Owner: vserver
File-Access Protocol: CIFS
Filters: scan-ro-volume
Max File Size Allowed for Scanning: 4GB
File-Paths Not to Scan: \vol\temp
File-Extensions Not to Scan: txt
vscan on-access-policy show man page.
Modify On-Access Policy

You can modify an on-access policy to redefine the scope of scanning when files are accessed by a
client. You can also modify the maximum file size for files to be considered for virus scanning and the file
extensions and paths to be excluded from scanning.
To modify an on-access policy, complete the following step:
1. Run the vserver vscan on-access-policy modify command.
vscan on-access-policy modify man page.
Disable On-Access Policy

To disable an on-access policy for an SVM, complete the following step:
1. Run the vserver vscan on-access-policy disable command.
vscan on-access-policy disable man page.
Delete On-Access Policy

If you no longer require an on-access policy, you can delete it. To delete an on-access policy, complete
the following step:
1. Run the vserver vscan on-access-policy delete command.
vscan on-access-policy delete man page.
8 General Best Practices
8.1 Best Practices for Clustered Data ONTAP

Consider the following recommendations for configuring the off-box antivirus functionality in clustered
Data ONTAP:
 Restrict privileged users to virus-scanning operations. Normal users should be discouraged from
using privileged user credentials. This restriction can be achieved by turning off login rights for
privileged users on Active Directory.
 Privileged users are not required to be part of any user group that has a large number of rights in the
domain, such as the administrators group or the backup operators group. Privileged users must be
validated only by the storage system so that they are allowed to create Vscan server connections and
access files for virus scanning.
 Use the computers running Vscan servers only for virus-scanning purposes. To discourage general
use, disable the Windows terminal services and other remote access provisions on these machines
and grant the right to install new software on these machines only to administrators.
 Dedicate Vscan servers to virus scanning and do not use them for other operations, such as backups.
You might decide to run the Vscan server as a virtual machine (VM). If this is the case, ensure that
the resources allocated to the VM are not shared and are enough to perform virus scanning. Consult
McAfee for guidance on antivirus engine requirements.
 Provide adequate CPU, memory, and disk capacity to the Vscan server to avoid resource
bottlenecks. Most Vscan servers are designed to use multiple CPU core servers and to distribute the
load across the CPUs. Consult McAfee for guidance on antivirus engine requirements.
 NetApp recommends using a dedicated network with a private VLAN for the connection from the SVM
to the Vscan server so that the scan traffic is not affected by other client network traffic. Create a
separate NIC that is dedicated to the antivirus VLAN on the Vscan server and to the data LIF on the
SVM. This step simplifies administration and troubleshooting if network issues arise.
Important
If the LIF for Vscan traffic is configured on a different port than the LIF for client traffic, the Vscan LIF might
fail over to another node in case of a port failure. The change will make the Vscan server not reachable from
the new node and the scan notifications for file operations on the node will fail.
Ensure that the Vscan server is reachable through at least one LIF on a node so that it can process scan
requests for file operations performed on that node.
 Connect the NetApp storage system and the Vscan server by using at least a 1GbE network.
 For an environment with multiple Vscan servers, connect all servers that have similar high-performing
network connections. Connecting the Vscan servers improves performance by allowing load sharing.
 For remote sites and branch offices, NetApp recommends using a local Vscan server rather than a
remote Vscan server because the former is a perfect candidate for high latency. If cost is a factor, use
a laptop or PC for moderate virus protection. You can schedule periodic complete file system scans
by sharing the volumes or qtrees and scanning them from any system in the remote site.
 Use multiple Vscan servers to scan the data on the SVM for load-balancing and redundancy
purposes. The amount of CIFS workload and resulting antivirus traffic vary per SVM. Monitor CIFS
and virus-scanning latencies on the storage controller. Trend the results over time. If CIFS latencies
and virus-scanning latencies increase due to CPU or application bottlenecks on the Vscan servers
beyond trend thresholds, CIFS clients might experience long wait times. Add additional Vscan servers
to distribute the load.
 Install the latest version of Antivirus Connector. For detailed information about supportability, see the
NetApp Interoperability Matrix Tool (IMT).
 Always keep antivirus engines and definitions up to date. Consult McAfee for recommendations on
update frequency.
 In a multi-tenancy environment, a scanner pool (pool of Vscan servers) can be shared with multiple
SVMs provided that the Vscan servers and the SVMs are part of the same domain or of a trusted
domain.
8.2 Best Practices for VirusScan Enterprise for Storage

Consider the following recommendations for configuring VirusScan Enterprise for Storage:
 Scan timeout value. The default timeout value for scanning files is 60 seconds. Adjust this value to
40 seconds so that scan requests can be completed before the CIFS timeout.
 DAT definitions. McAfee recommends scheduling a daily automatic update task to receive the daily
DAT (signature) file release.
 Scan exclusions. McAfee recommends excluding the following common file types from virus
scanning:
 Database files: .ldb .pst .tmp .mdb .nsf .pst
 Archives and large files: .7z .tar .cab .tgz .iso .vhd .jar .vmdk .rar .zip
Note: Depending on the needs of your environment, you can add other file types to the exclusion
list.
9 Troubleshooting and Monitoring
9.1 Troubleshooting Virus Scanning

Table 16 lists common virus-scanning issues, their possible causes, and ways to resolve them.
Table 16) Common virus-scanning issues.
Issue How to Resolve It
The Vscan servers are not able to connect to Check whether the scanner pool configuration specifies the
the clustered Data ONTAP storage system. Vscan server IP address. Check also if the allowed
privileged users in the scanner pool list are active. To
check the scanner pool, run the vserver vscan
scanner-pool show command on the storage system
command prompt.
If the Vscan servers still cannot connect, there might be an

issue with the network.
Issue How to Resolve It
Clients observe high latency. It is probably time to add more Vscan servers to the
scanner pool.
Too many scans are triggered. Modify the value of the vscan-fileop-profile
parameter to restrict the number of file operations
monitored for virus scanning.
Some files are not being scanned. Check the on-access policy. It is possible that the path for
these files has been added to the path-exclusion list or that
their size exceeds the configured value for exclusions. To
check the on-access policy, run the vserver vscan
on-access-policy show command on the storage
system command prompt.
File access is denied. Check whether the scan-mandatory setting is specified

in the policy configuration. This setting denies data access
if no Vscan servers are connected. Modify the setting as
appropriate.
9.2 Monitoring Status and Performance Activities

You can monitor the critical aspects of the Vscan module, such as the Vscan server connection status,
the health of the Vscan servers, and the number of files that have been scanned. This information helps
you diagnose issues related to the Vscan server.
View Vscan Server Connection Information

You can view the connection status of Vscan servers to manage the connections that are already in use
and the connections that are available for use. Table 17 lists the commands that display information
about the connection status of Vscan servers.
Table 17) Commands for viewing information about the connection status of Vscan servers.
Command Information Displayed

vserver vscan connection-status Summary of the connection status
show
vserver vscan connection-status Detailed information about the connection status

show-all
vserver vscan connection-status Status of the connections that are available but not
show-not-connected connected
vserver vscan connection-status Information about the connected Vscan server

show-connected
Note: For more information about these commands, see their respective man pages.
View VirusScan Enterprise for Storage Scan Statistics

To view statistics for Vscan server threads, scanning data, performance data, and update interval
settings, complete the following steps:
1. Log in to the system as an administrator.
2. On the Windows taskbar, right-click the McAfee menulet and select VirusScan Console.
3. On the VirusScan console, right-click Network Appliance Filer AV Scanner and select Statistics.
View Vscan Server Statistics

You can view Vscan server–specific statistics to monitor performance and diagnose issues related to
virus scanning. You must collect a data sample before you can use the statistics show command to
display the Vscan server statistics.
To collect a data sample, complete the following step:
1. Run the statistics start command and the optional statistics stop command.
Note: For more information about these commands, see the Clustered Data ONTAP 8.2 System
Administration Guide for Cluster Administrators.
View Statistics for Vscan Server Requests and Latencies

You can use Data ONTAP offbox_vscan counters on a per-SVM basis to monitor the rate of Vscan
server requests that are dispatched and received per second and the server latencies across all Vscan
servers. To collect this information, complete the following step:
1. Run the statistics show –object offbox_vscan –instance SVM command with the
counters listed in Table 18.
Table 18) offbox_vscan counters: Vscan server requests and latencies across Vscan servers.
Counter Information Displayed

scan_request_dispatched_rate Number of virus-scanning requests sent from Data ONTAP
to the Vscan servers per second
scan_noti_received_rate Number of virus-scanning requests received back by Data

ONTAP from the Vscan servers per second
dispatch_latency Latency within Data ONTAP to identify an available Vscan

server and send the request to that Vscan server
scan_latency Round-trip latency from Data ONTAP to the Vscan server,

including the time for the scan to run
Example:
Object: offbox_vscan
Instance: SVM
Start-time: 10/16/2013 10:13:25
End-time: 10/16/2013 10:25:11
Cluster: cluster01
Number of Constituents: 2 (complete_aggregation)
Counter Value
-------------------------------- --------------------------------
scan_request_dispatched_rate 291
scan_noti_received_rate 292
dispatch_latency 43986us
scan_latency 3433501us
-----------------------------------------------------------------
View Statistics for Individual Vscan Server Requests and Latencies

You can use Data ONTAP offbox_vscan_server counters on a per-SVM, per–off-box Vscan server,
and per-node basis to monitor the rate of dispatched Vscan server requests and the server latency on
each Vscan server individually. To collect this information, complete the following step:
1. Run the statistics show –object offbox_vscan –instance
SVM:servername:nodename command with the counters listed in Table 19.
Table 19) offbox_vscan_server counters: individual Vscan server requests and latencies.

scan_request_dispatched_rate Number of virus-scanning requests sent from Data ONTAP
to the Vscan servers per second
scan_latency Round-trip latency from Data ONTAP to the Vscan server,

including the time for the scan to run
Example:
Object: offbox_vscan_server
Instance: SVM:vscan_server:node
Start-time: 10/16/2013 10:13:25
End-time: 10/16/2013 10:25:11
Cluster: cluster01
Counter Value
-------------------------------- --------------------------------
scan_request_dispatched_rate 291
scan_latency 3433830us
-----------------------------------------------------------------
View Statistics for Vscan Server Utilization

You can also use Data ONTAP offbox_vscan_server counters to collect Vscan server–side utilization
statistics. These statistics are tracked on a per-SVM, per–off-box Vscan server, and per-node basis. They
include CPU utilization on the Vscan server; queue depth for scanning operations on the Vscan server,
both current and maximum; used memory; and used network.
These statistics are forwarded by Antivirus Connector to the statistics counters within Data ONTAP. They
are based on data that is polled every 20 seconds and must be collected multiple times for accuracy;
otherwise, the values seen in the statistics reflect only the last polling. CPU utilization and queues are
particularly important to monitor and analyze. A high value for an average queue can indicate that the
Vscan server has a bottleneck.
To collect utilization statistics for the Vscan server on a per-SVM, per–off-box Vscan server, and per-node
basis, complete the following step:
1. Run the statistics show –object offbox_vscan_server –instance
SVM:servername:nodename command with the counters listed in Table 20.
Table 20) offbox_vscan_server counters: Vscan server utilization statistics.

scanner_stats_pct_cpu_used CPU utilization on the Vscan server
scanner_stats_pct_input_queue_avg Average queue of scan requests on the Vscan server
scanner_stats_pct_input_queue_hiw Peak queue of scan requests on the Vscan server

atermark
scanner_stats_pct_mem_used Memory used on the Vscan server
scanner_stats_pct_network_used Network used on the Vscan server
Example:
Object: offbox_vscan_server
Instance: SVM:vscan_server:node
Start-time: 10/16/2013 10:13:25
End-time: 10/16/2013 10:25:11
Cluster: cluster01
Counter Value
-------------------------------- --------------------------------
scanner_stats_pct_cpu_used 51
scanner_stats_pct_dropped_requests 0
scanner_stats_pct_input_queue_avg 91
scanner_stats_pct_input_queue_hiwatermark 100
scanner_stats_pct_mem_used 95
scanner_stats_pct_network_used 4
-----------------------------------------------------------------
Version History
Version Date Document Version History
Version 1.2 June 2015 Updated information about Antivirus Connector logging, scanner
pools for SVMs, trusted domains, and LIFs for Vscan traffic.
Version 1.1 July 2014 General updates
Version 1.0 April 2014 Initial release
Refer to the Interoperability Matrix Tool (IMT) on the NetApp Support site to validate that the exact
product and feature versions described in this document are supported for your specific environment.
The NetApp IMT defines the product components and versions that can be used to construct
configurations that are supported by NetApp. Specific results depend on each customer's installation in
accordance with published specifications.
Copyright Information
Copyright © 1994–2015 NetApp, Inc. All rights reserved. Printed in the U.S. No part of this document
covered by copyright may be reproduced in any form or by any means—graphic, electronic, or
mechanical, including photocopying, recording, taping, or storage in an electronic retrieval system—
without prior written permission of the copyright owner.
Software derived from copyrighted NetApp material is subject to the following license and disclaimer:
THIS SOFTWARE IS PROVIDED BY NETAPP "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WHICH ARE HEREBY
DISCLAIMED. IN NO EVENT SHALL NETAPP BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
NetApp reserves the right to change any products described herein at any time, and without notice.
NetApp assumes no responsibility or liability arising from the use of products described herein, except as
expressly agreed to in writing by NetApp. The use or purchase of this product does not convey a license
under any patent rights, trademark rights, or any other intellectual property rights of NetApp.
The product described in this manual may be protected by one or more U.S. patents, foreign patents, or
pending applications.
RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to
restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software
clause at DFARS 252.277-7103 (October 1988) and FAR 52-227-19 (June 1987).
Trademark Information
NetApp, the NetApp logo, Go Further, Faster, AltaVault, ASUP, AutoSupport, Campaign Express, Cloud
ONTAP, Clustered Data ONTAP, Customer Fitness, Data ONTAP, DataMotion, Fitness, Flash Accel,
Flash Cache, Flash Pool, FlashRay, FlexArray, FlexCache, FlexClone, FlexPod, FlexScale, FlexShare,
FlexVol, FPolicy, GetSuccessful, LockVault, Manage ONTAP, Mars, MetroCluster, MultiStore, NetApp
Insight, OnCommand, ONTAP, ONTAPI, RAID DP, RAID-TEC, SANtricity, SecureShare, Simplicity,
Simulate ONTAP, SnapCenter, Snap Creator, SnapCopy, SnapDrive, SnapIntegrator, SnapLock,
SnapManager, SnapMirror, SnapMover, SnapProtect, SnapRestore, Snapshot, SnapValidator,
SnapVault, StorageGRID, Tech OnTap, Unbound Cloud, WAFL and other names are trademarks or
registered trademarks of NetApp Inc., in the United States and/or other countries. All other brands or
products are trademarks or registered trademarks of their respective holders and should be treated as
such. A current list of NetApp trademarks is available on the web at
http://www.netapp.com/us/legal/netapptmlist.aspx. TR-4286-0615

McAfee - Implement Step

Uploaded by

Copyright:

Available Formats

McAfee - Implement Step

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

McAfee - Implement Step

Uploaded by

Copyright:

Available Formats

Technical Report

Antivirus Solution Guide for Clustered Data

1.2 Purpose and Scope ........................................................................................................................................4

2 Antivirus Solution Architecture .......................................................................................................... 4

2.2 Components of System Running Clustered Data ONTAP ..............................................................................5

2.3 Workflow for Configuring and Managing Virus Scanning ................................................................................6

3 Vscan Server Requirements ................................................................................................................ 6

3.2 Antivirus Connector Requirements .................................................................................................................7

4 Installing and Configuring Antivirus Engine ..................................................................................... 7

4.2 Configure VirusScan Enterprise for Storage ...................................................................................................8

4.3 Create Storage System Policy from ePolicy Orchestrator ...............................................................................8

5 Installing and Configuring Antivirus Connector ............................................................................. 11

5.2 Add SVMs to Antivirus Connector .................................................................................................................13

6 Configuring Vscan Options in Clustered Data ONTAP................................................................... 14

6.2 Apply Scanner Policy to Scanner Pool ..........................................................................................................15

6.3 Create On-Access Policy ..............................................................................................................................16

6.4 Enable On-Access Policy ..............................................................................................................................16

6.5 Enable Virus Scanning on SVM ....................................................................................................................17

7 Managing Vscan Options in Clustered Data ONTAP ...................................................................... 17

7.2 Manage Scanner Pools .................................................................................................................................18

7.3 Manage On-Access Policies .........................................................................................................................21

8 General Best Practices ...................................................................................................................... 22

8.2 Best Practices for VirusScan Enterprise for Storage .....................................................................................23

9 Troubleshooting and Monitoring ...................................................................................................... 23

Version History ......................................................................................................................................... 27

1.2 Purpose and Scope

2 Antivirus Solution Architecture

2.1 Components of Vscan Server

2.2 Components of System Running Clustered Data ONTAP

Vscan File-Operations Profile

2.3 Workflow for Configuring and Managing Virus Scanning

Figure 2) Workflow for configuring and managing virus scanning.

3 Vscan Server Requirements

Table 1) System requirements for VirusScan Enterprise for Storage 1.1.0.

CPU speed 2.6GHz (or greater)

Memory Minimum 4GB RAM

Disk space Minimum 70MB to install the software

Operating system  Windows Server 2008 32-bit and 64-bit

3.2 Antivirus Connector Requirements

4 Installing and Configuring Antivirus Engine

4.2 Configure VirusScan Enterprise for Storage

4.3 Create Storage System Policy from ePolicy Orchestrator

Pane Name Option, Description, and/or Selection to Make

Table 3) Options in the Scan Items tab.

Pane Name Option, Description, and/or Selection to Make

Options  Detect Unwanted Programs. Scans for unwanted programs installed

Heuristics  Find Unknown Unwanted Programs and Trojans. Scans for

Table 4) Options in the Exclusions tab.

Pane Name Option, Description, and/or Selection to Make

Table 5) Options in the Performance tab.

Pane Name Option, Description, and/or Selection to Make

Table 6) Options in the Actions tab.

Pane Name Option, Description, and/or Selection to Make

Table 7) Options in the Reports tab.

Pane Name Option, Description, and/or Selection to Make

5 Installing and Configuring Antivirus Connector

Table 8) Prerequisites for installing Antivirus Connector.

You have administrator privileges to install Antivirus Connector.

To install Antivirus Connector, complete the following steps: