
Symantec AntiVirus for Network Attached Storage Integration Guide



The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation version: 5.2.8

Legal Notice
Copyright 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (Third Party Programs). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. 
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation, 350 Ellis Street, Mountain View, CA 94043, http://www.symantec.com. Printed in the United States of America.

Technical Support
Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec's support offerings include the following:

- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers software upgrades
- Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
- Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our Web site at the following URL: www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support


Customers with a current support agreement may access Technical Support information at the following URL: www.symantec.com/business/support/ Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem. When you contact Technical Support, please have the following information available:

- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration


If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/business/support/

Customer service
Customer service information is available at the following URL: www.symantec.com/business/support/ Customer Service is available to assist with non-technical questions, such as the following types of issues:

- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and support contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Support agreement resources


If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
- Asia-Pacific and Japan: customercare_apac@symantec.com
- Europe, Middle-East, and Africa: semea@symantec.com
- North America and Latin America: supportsolutions@symantec.com

Contents

Technical Support

Chapter 1: Introducing Symantec AntiVirus for Network Attached Storage
  About Symantec AntiVirus for Network Attached Storage
  About software components
  About Symantec Scan Engine
  About the connector
  Supported storage devices
  How to use the Symantec AntiVirus for Network Attached Storage documentation
  About the Symantec Scan Engine Implementation Guide
  About the Symantec AntiVirus for Network Attached Storage Integration Guide
  Why you need virus protection in a network attached storage environment
  How the scan engine protects against viruses
  About Symantec Security Response
  About preparing for installation
  Windows system requirements
  Solaris system requirements
  Linux system requirements
  Post-installation tasks

Chapter 2: Configuring Symantec AntiVirus for NetApp Filer
  About software components
  How Symantec Scan Engine works with the NetApp Filer client
  What happens when a file is scanned
  About connecting to Symantec Scan Engine
  About limiting scanning by file type
  About handling infected files
  About user identification and notification when a virus is found
  About preparing for installation
  About configuring Symantec Scan Engine
  Editing the service startup properties
  Configuring RPC protocol options
  Notifying the NetApp Filer when virus definitions are updated
  Notifying a requesting user that a virus was found
  About quarantining unrepairable infected files
  Specifying which embedded files to scan
  Scheduling LiveUpdate to update virus definitions automatically
  Configuring Rapid Release updates to occur automatically
  About configuring the client NetApp Filer
  About verifying that the scan engine is registered with the filer
  About activating virus scanning
  About specifying the file extensions to be scanned on the NetApp Filer
  About working with unresponsive scan engines
  How virus scanning affects backups on NetApp Filer
  About clearing the scanned files cache
  About notifying a requesting user that a virus was found

Chapter 3: Configuring Symantec AntiVirus for Sun StorageTek 5000 NAS Appliance
  About software components
  How Symantec Scan Engine works with the Sun StorageTek 5000 NAS Appliance
  How are files scanned
  How caching works
  About specifying which file types are scanned
  About specifying the scan policy
  About handling infected files on the NAS device
  About preparing for installation
  About configuring Symantec Scan Engine
  Configuring ICAP-specific options
  Specifying which file types to scan on the scan engine
  Specifying container handling limits
  Scheduling LiveUpdate to update virus definitions automatically
  Configuring Rapid Release updates to occur automatically
  About configuring the Sun StorageTek 5000 NAS Appliance
  Registering Symantec Scan Engine
  About configuring virus scanning on the Sun StorageTek 5000 NAS Appliance
  Recommendations while integrating multiple scan engines

Chapter 4: Configuring Symantec AntiVirus for Sun Storage 7000 Series
  About software components
  How Symantec Scan Engine works with the Sun Storage 7000 Series NAS device
  How are files scanned
  How caching works
  About specifying which file types are scanned
  About specifying the scan policy
  About handling infected files on the NAS device
  About preparing for installation
  About configuring Symantec Scan Engine
  Configuring ICAP-specific options
  Specifying which file types to scan on the scan engine
  Specifying container handling limits
  Scheduling LiveUpdate to update virus definitions automatically
  Configuring Rapid Release updates to occur automatically
  About configuring the Sun Storage 7000 Series NAS device
  Registering Symantec Scan Engine
  About configuring virus scanning on the Sun Storage 7000 Series NAS device
  Recommendations while integrating multiple scan engines

Chapter 5: Configuring Symantec AntiVirus for BlueArc Storage System and Hitachi High-performance NAS Platform, powered by BlueArc
  About software components
  How Symantec Scan Engine works with BlueArc Storage System and Hitachi High-performance NAS Platform
  What happens when a file is scanned
  About connecting to Symantec Scan Engine
  About limiting scanning by file type
  About handling infected files
  About user identification and notification when a virus is found
  About preparing for installation
  About configuring Symantec Scan Engine
  Editing the service startup properties
  About configuring RPC protocol options
  Notifying a requesting user that a virus was found
  About quarantining unrepairable infected files
  Specifying which embedded files to scan
  Scheduling LiveUpdate to update virus definitions automatically
  Configuring Rapid Release updates to occur automatically
  About configuring BlueArc Storage System or Hitachi High-performance NAS Platform
  About verifying that the scan engine is registered with the NAS Server
  About activating virus scanning
  About specifying the file extensions to be scanned on the NAS Server
  About executing a full file system scan
  About working with unavailable scan engines
  About working with unresponsive scan engines

Chapter 6: Configuring Symantec AntiVirus for Hitachi Essential NAS Platform
  About software components
  How Symantec Scan Engine works with the Hitachi Essential NAS Platform
  What happens when a file is scanned
  About handling infected files
  About configuring Symantec Scan Engine
  Configuring ICAP-specific options
  Specifying which file types to scan on the scan engine
  About specifying container handling limits
  Scheduling LiveUpdate to update virus definitions automatically

Chapter 7: Configuring Symantec AntiVirus for ONStor EverON
  About software components
  How Symantec Scan Engine works with the ONStor EverON
  What happens when a file is scanned
  About handling infected files
  About user identification and notification when a virus is found
  About preparing for installation
  About configuring Symantec Scan Engine
  Configuring ICAP-specific options
  Specifying which file types to scan on the scan engine
  About specifying container handling limits
  Scheduling LiveUpdate to update virus definitions automatically
  About configuring the ONStor VirusScan Applet
  Virus-Scan Server Recommendations for the VirusScan Applet
  Installing the VirusScan Applet for the Symantec AntiVirus Scan Engine
  Configuring the VirusScan Applet for the Symantec AntiVirus Scan Engine

Chapter 8: Configuring Symantec AntiVirus for EMC Celerra Network Server
  About software components
  How Symantec Scan Engine works with EMC Celerra Network Server
  How are files scanned
  About scanning on read
  About specifying which file types are scanned
  About specifying the scan policy
  About preparing for installation
  About configuring Symantec Scan Engine
  Configuring ICAP-specific options
  Specifying which file types to scan on the scan engine
  Specifying container handling limits
  Scheduling LiveUpdate to update virus definitions automatically
  Configuring Rapid Release updates to occur automatically
  About configuring EMC Celerra Network Server
  About installing the Celerra Anti Virus Agent
  About registering Symantec Scan Engine
  About configuring virus scanning on EMC Celerra Network Server
  About starting the Virus-checking client
  About executing a full file system scan
  Known issue with EMC Celerra Network Server
  Recommendations while integrating multiple scan engines

Index

Chapter 1

Introducing Symantec AntiVirus for Network Attached Storage


This chapter includes the following topics:

- About Symantec AntiVirus for Network Attached Storage
- Supported storage devices
- How to use the Symantec AntiVirus for Network Attached Storage documentation
- Why you need virus protection in a network attached storage environment
- About preparing for installation
- Post-installation tasks

About Symantec AntiVirus for Network Attached Storage


Symantec AntiVirus for Network Attached Storage provides virus scanning and repair services for a number of network-attached storage (NAS) devices. You can scan files for viruses automatically as they are accessed from storage, before the requesting user gains access to them. Based on a configurable virus scan policy, when a virus is found in a file, the file is repaired. The clean file is stored on the NAS device and only then is the requesting user granted access.


About software components


In most cases, adding virus scanning to a supported NAS device requires installation and configuration of the following components:

- Symantec Scan Engine, which provides the virus scanning and repair services. See "About Symantec Scan Engine."
- Connector, which lets the NAS device communicate with Symantec Scan Engine. See "About the connector."

Figure 1-1 shows a typical integration of a network attached storage device with Symantec Scan Engine.

Figure 1-1: Integration of a network attached storage device with the Symantec Scan Engine

1. The client tries to access a file on the network attached storage device.
2. The network attached storage device, by means of a connector, sends the file to the Symantec Scan Engine for scanning.
3. Symantec Scan Engine scans the file, repairs it if it is infected, and returns the clean file to the network attached storage device.
4. The network attached storage device writes the cleaned file to disk, caches the fact that the file has been cleaned, and sends the file to the client.

About Symantec Scan Engine


Symantec Scan Engine, formerly marketed as Symantec AntiVirus Scan Engine, is a carrier-class content scanning engine. Symantec Scan Engine provides content scanning capabilities to any application on an IP network, regardless of platform. Any application can pass files to Symantec Scan Engine for scanning. Symantec Scan Engine accepts scan requests from client applications that use the following protocols:

- The Internet Content Adaptation Protocol (ICAP), version 1.0, as presented in RFC 3507 (April 2003)
- A proprietary implementation of remote procedure call (RPC)
- Symantec Scan Engine native protocol

Symantec Scan Engine is included in the Symantec AntiVirus for Network Attached Storage distribution package. For more information about the scan engine, see the Symantec Scan Engine Implementation Guide on the product CD.
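How a client frames a file for an ICAP 1.0 scan request and reads the reply, following RFC 3507, shown as an added example that is not Symantec's or any NAS vendor's code. The host names, the service path `avscan` and all sample data are constructed placeholders; real service names come from the scan engine documentation.

```python
"""ICAP/1.0 RESPMOD framing per RFC 3507: build a scan request, parse the reply.

Added illustration. Host names and the service path are hypothetical.
"""
from urllib.parse import quote

CRLF = b"\r\n"
ICAP_HOST = "scanengine.example"   # hypothetical scan engine address
ICAP_SERVICE = "avscan"            # hypothetical; service names are product-specific


def chunk(data: bytes, size: int = 4096) -> bytes:
    """Encode data with chunked transfer coding, which ICAP uses for bodies."""
    out = bytearray()
    for i in range(0, len(data), size):
        piece = data[i:i + size]
        out += f"{len(piece):x}".encode() + CRLF + piece + CRLF
    return bytes(out) + b"0" + CRLF + CRLF      # zero-length chunk ends the body


def dechunk(body: bytes) -> bytes:
    """Decode a chunked body; raise ValueError if it is malformed or truncated."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(CRLF, pos)
        if eol < 0:
            raise ValueError("truncated chunk header")
        size = int(body[pos:eol].split(b";")[0], 16)    # drop chunk extensions
        start = eol + 2
        if size < 0 or body[start + size:start + size + 2] != CRLF:
            raise ValueError("chunk does not match its declared size")
        if size == 0:
            return bytes(out)
        out += body[start:start + size]
        pos = start + size + 2


def build_respmod(path: str, payload: bytes) -> bytes:
    """Wrap a file in encapsulated HTTP headers and an ICAP RESPMOD envelope."""
    # Percent-encode the path so a file name containing CR/LF cannot add headers.
    req_hdr = f"GET {quote(path)} HTTP/1.1\r\nHost: nas.example\r\n\r\n".encode()
    res_hdr = ("HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
               f"Content-Length: {len(payload)}\r\n\r\n").encode()
    # Encapsulated offsets are byte positions from the start of the encapsulated part.
    offsets = (f"req-hdr=0, res-hdr={len(req_hdr)}, "
               f"res-body={len(req_hdr) + len(res_hdr)}")
    icap_hdr = (f"RESPMOD icap://{ICAP_HOST}/{ICAP_SERVICE} ICAP/1.0\r\n"
                f"Host: {ICAP_HOST}\r\n"
                "Allow: 204\r\n"                 # client accepts "no modification"
                f"Encapsulated: {offsets}\r\n\r\n").encode()
    return icap_hdr + req_hdr + res_hdr + chunk(payload)


def parse_response(raw: bytes) -> dict:
    """Split an ICAP reply into status, headers, Encapsulated offsets and body."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete ICAP header block")
    lines = head.decode("latin-1").split("\r\n")
    version, code, *_ = lines[0].split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError("not an ICAP/1.0 response")
    headers = {k.strip().lower(): v.strip()
               for k, v in (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
    offsets = {}
    for part in headers.get("encapsulated", "").split(","):
        if "=" in part:
            name, off = part.split("=")
            offsets[name.strip()] = int(off)
    body = dechunk(rest[offsets["res-body"]:]) if "res-body" in offsets else b""
    return {"status": int(code), "headers": headers, "offsets": offsets, "body": body}


def disposition(reply: dict, original: bytes) -> str:
    """What a client can conclude from the reply under RFC 3507 alone."""
    if reply["status"] == 204:
        return "unmodified"       # nothing returned: keep the original file
    if reply["status"] == 200:
        # A different body means the server changed the content (e.g. a repair).
        return "modified" if reply["body"] != original else "unmodified"
    return "error"                # any other status: the file was not scanned


# Constructed sample data (not captured from a real scan engine).
SAMPLE_FILE = b"constructed sample file contents\n" * 200
SAMPLE_REPLY_204 = (b"ICAP/1.0 204 No modifications needed\r\n"
                    b'ISTag: "constructed-tag"\r\nEncapsulated: null-body=0\r\n\r\n')


def sample_reply_200(new_body: bytes) -> bytes:
    """Constructed reply in which the server returns a different body."""
    res_hdr = f"HTTP/1.1 200 OK\r\nContent-Length: {len(new_body)}\r\n\r\n".encode()
    head = ('ICAP/1.0 200 OK\r\nISTag: "constructed-tag"\r\n'
            f"Encapsulated: res-hdr=0, res-body={len(res_hdr)}\r\n\r\n").encode()
    return head + res_hdr + chunk(new_body)


if __name__ == "__main__":
    print(build_respmod("/vol/share/report.doc", SAMPLE_FILE)[:200].decode())
    print(disposition(parse_response(SAMPLE_REPLY_204), SAMPLE_FILE))
    print(disposition(parse_response(sample_reply_200(b"repaired\n")), SAMPLE_FILE))
```

RFC 3507 only distinguishes "unmodified" from "modified"; how a particular scan engine reports the detected threat and the action taken is product-specific and not modelled here.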

About the connector


The connector handles the communication between the scan engine and the NAS device and interprets the results that are returned from the scan engine after scanning. The manufacturer of the NAS device develops and provides support for the connector. The connector typically is installed and configured on the NAS device. (In some cases, the manufacturer pre-installs the connector.) In some cases, no connector is necessary. The NAS device handles the communication with the scan engine, and any configuration options are available directly on the device.

Supported storage devices


Symantec AntiVirus for Network Attached Storage supports the following storage devices:

Network Appliance (NetApp) Filer Sun StorageTek 5000 NAS Appliance Sun Storage 7000 Series BlueArc Storage System Hitachi High-performance NAS Platform Hitachi Essential NAS Platform ONStor EverON EMC Celerra Network Server


Table 1-1 lists the supported storage devices, their supported versions, and the protocol that Symantec Scan Engine uses to interface with each storage device.

Table 1-1: Supported storage devices and protocols

| Storage device | Protocol used | Supported version |
| --- | --- | --- |
| Network Appliance (NetApp) Filer | RPC | Data ONTAP version 6.1.3R2 or later |
| Sun StorageTek 5000 NAS Appliance | ICAP | Sun NAS Firmware 4.21 M1 or later |
| Sun Storage 7000 Series | ICAP | Sun Storage 7xxx version 2008.10 |
| BlueArc Storage System | RPC | 4.0 or later |
| Hitachi High-performance NAS Platform | RPC | 4.0 or later |
| Hitachi Essential NAS Platform | ICAP | 6.2 or later |
| ONStor EverON | ICAP | 4.0 or later |
| EMC Celerra Network Server | ICAP | CAVA 4.5 or later |

Note: If the scan engine uses RPC protocol to interface with your network attached storage device, Symantec Scan Engine must be installed on Windows 2000 Server/Windows 2003 Server/Windows 2008 Server platforms only.

How to use the Symantec AntiVirus for Network Attached Storage documentation
To configure Symantec AntiVirus for Network Attached Storage to work with one of the supported NAS devices, you need the documentation that is included in the Symantec AntiVirus for Network Attached Storage distribution package. You need the documentation that is provided by the manufacturer of the NAS device as well. The Symantec AntiVirus for Network Attached Storage distribution package includes the following documents:

- Symantec Scan Engine Implementation Guide
- Symantec AntiVirus for Network Attached Storage Integration Guide

The manufacturer of the NAS device develops the connector to integrate Symantec Scan Engine. The manufacturer of the NAS device also prepares and distributes supporting documentation for the connector. Obtain the connector and any supporting documentation from the manufacturer if you do not receive it with the NAS device.

About the Symantec Scan Engine Implementation Guide


Use the Symantec Scan Engine Implementation Guide as the primary guide for installing and configuring Symantec Scan Engine. This guide contains the information that you need to consider about the scan engine configuration options. Refer to the Symantec AntiVirus for Network Attached Storage Integration Guide for instructions on configuring Symantec Scan Engine to work with a specific NAS device.

About the Symantec AntiVirus for Network Attached Storage Integration Guide
The Symantec AntiVirus for Network Attached Storage Integration Guide includes a chapter for each supported NAS device. Use the guidance and recommendations that are in the appropriate chapter of this guide with the manufacturer-prepared documentation to implement virus scanning. Each chapter in the Symantec AntiVirus for Network Attached Storage Integration Guide includes the following information:
- General information on how antivirus scanning works with the NAS device: Virus scanning functionality can differ depending on the capabilities of the NAS device and the complexity of the connector. Some of the virus scanning functions include handling of infected files, timing of file scanning, and logging of infections found. This section provides an overview of how Symantec Scan Engine and the NAS device interact during virus scanning.
- Information for configuring the scan engine to work with the NAS device: This section discusses the configuration options on the scan engine that must be configured to work with the NAS device. It may highlight other options that are important in setting up comprehensive virus protection as well. This information does not replace the Symantec Scan Engine Implementation Guide. Consult the implementation guide for installation information and for additional information on configuring Symantec Scan Engine to meet your needs.
- Information on configuring the NAS device to work with the scan engine: This section discusses any configuration options on the NAS device that must be configured to work with Symantec Scan Engine. It may make recommendations for configuring the NAS device to ensure comprehensive virus protection. This information does not replace the documentation that is provided by the manufacturer of the NAS device. Consult the product documentation for additional information on configuring the NAS device for virus scanning.
- Known issues: This section describes the issues that can affect operation between Symantec Scan Engine and the NAS device.

Why you need virus protection in a network attached storage environment


Network attached storage provides many benefits, such as increased performance, heterogeneous data access, data redundancy, ease of storage management, and real-time backup recovery. However, the implementation of a NAS system introduces security risks that should be addressed. Data can be accessed and compromised more quickly when it is consolidated into a centralized NAS system. This occurs because NAS systems are typically connected directly to the local network. Installing virus protection software at key locations in the corporate network is not sufficient to protect data on NAS servers. Examples of such key locations are firewalls, email gateways, and desktops.


Dedicated antivirus protection for a NAS system should be part of a comprehensive security policy for the following reasons:

- Storage servers are susceptible to attacks from viruses, worms, Trojan horses, and other malicious code because a large number of users access them and they contain large amounts of data. Malicious code can result in lost, stolen, or corrupted files, which can result in costly downtime to the enterprise.
- The NAS system can become a vector for the malicious code when a threat is stored on the NAS system. It can compromise the computers and the data of the users who access the NAS system.
- Malicious code can be replicated multiple times in multiple locations through NAS backup, mirroring of data, and archiving. The malicious code can be re-introduced to the NAS system when NAS data that contains malicious code is restored from one of these locations. This re-introduction can potentially reinfect the network.
- Malicious code could replicate on the NAS system in multiple locations and infect other parts of the network. The effort to remove a threat becomes a time-consuming task that involves significant downtime as well as time and money for data recovery.
- The NAS system can be used as an access point to the rest of the network or as a launch point for an attack. For example, a denial-of-service attack can be launched in a NAS system.
- Industry regulations and laws now require that organizations that maintain financial, medical, personal, and email data should protect the data from being stolen, altered, or destroyed. Organizations are legally responsible for providing comprehensive protection for stored data.

How the scan engine protects against viruses


Symantec Scan Engine detects viruses, worms, and Trojan horses in all major file types (for example, Windows files, DOS files, and Microsoft Word and Excel files). Symantec Scan Engine includes a decomposer that handles most compressed and archive file formats and nested levels of files. You can configure the scan engine to limit scanning to certain file types by a file extension and file type exclusion list.

Symantec Scan Engine provides protection against those container files that can cause denial-of-service attacks. Examples are those container files that are overly large, that contain large numbers of embedded compressed files, or that have been designed to use resources maliciously and degrade performance. You can specify the maximum amount of time that the scan engine devotes to extracting a file and its contents, the maximum file size for container files, and the maximum number of nested levels to be decomposed for scanning.

Symantec Scan Engine also detects mobile code such as Java, ActiveX, and standalone script-based threats. Symantec Scan Engine uses Symantec antivirus technologies, including Bloodhound, for heuristic detection of new or unknown viruses; NAVEX, which provides protection from new classes of viruses automatically through LiveUpdate; and Striker, for the detection of polymorphic viruses.

The scan engine can also be configured to send alerts when specific thresholds are met or exceeded. For example, if the same type of virus has been detected ten times in a 20-minute interval, the scan engine can be configured to send an alert to any of the scan engine logging or alerting destinations.
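The three container limits named above (extraction time, container size, nesting depth) can be seen working together in the following added Python example. It is not Symantec Scan Engine code: the Limits fields, their values, the zip-only handling and the sample archives are assumptions made for illustration.

```python
import io
import time
import zipfile
from dataclasses import dataclass


class ContainerLimitExceeded(Exception):
    """An archive broke one of the configured decomposer limits."""


@dataclass
class Limits:
    # Hypothetical field names and values, chosen for this example.
    max_depth: int = 3                # nested container levels to open
    max_total_bytes: int = 1_000_000  # extracted bytes per top-level file
    max_seconds: float = 5.0          # extraction time per top-level file


def decompose(data, limits, _depth=1, _state=None, _prefix=""):
    """Return the paths of the leaf files to scan inside a zip container.

    Raises ContainerLimitExceeded as soon as a limit would be crossed, so a
    hostile archive is abandoned before it consumes the resources.
    """
    if _state is None:
        _state = {"bytes": 0, "deadline": time.monotonic() + limits.max_seconds}
    if _depth > limits.max_depth:
        raise ContainerLimitExceeded(f"nesting exceeds {limits.max_depth} levels")
    leaves = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if time.monotonic() > _state["deadline"]:
                raise ContainerLimitExceeded("extraction time limit reached")
            path = _prefix + info.filename
            # Check the declared size before decompressing anything.
            # zipfile never returns more than file_size bytes for a member.
            if _state["bytes"] + info.file_size > limits.max_total_bytes:
                raise ContainerLimitExceeded(f"{path}: extracted size limit reached")
            payload = archive.read(info)
            _state["bytes"] += len(payload)
            if zipfile.is_zipfile(io.BytesIO(payload)):
                # An embedded container: open it one level deeper, sharing
                # the same byte and time budget as the top-level file.
                leaves += decompose(payload, limits, _depth + 1, _state, path + "/")
            else:
                leaves.append(path)
    return leaves


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed sample data)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buffer.getvalue()


# Constructed samples: an ordinary archive, five nested container levels,
# and a small file that expands to 5 MB of zeros.
BENIGN = make_zip({"readme.txt": b"hello",
                   "inner.zip": make_zip({"report.doc": b"data"})})
DEEP = make_zip({"a.txt": b"x"})
for _ in range(4):
    DEEP = make_zip({"next.zip": DEEP})
OVERSIZED = make_zip({"zeros.bin": b"\0" * 5_000_000})


def verdict(data, limits=None):
    """Return ("scan", leaf_paths) or ("limit exceeded", reason)."""
    try:
        return ("scan", decompose(data, limits or Limits()))
    except ContainerLimitExceeded as exc:
        return ("limit exceeded", str(exc))


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("deep", DEEP), ("oversized", OVERSIZED)):
        print(name, len(sample), "bytes ->", verdict(sample))
```

What happens to a file that exceeds a limit is a policy decision; the example only reports which limit was hit.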

About Symantec Security Response


Symantec Scan Engine is supported by the Symantec Security Response team. These Symantec engineers work 24 hours per day, 7 days per week, tracking new virus outbreaks and identifying new virus threats. For more information about protection against a specific virus, visit the Symantec Security Response Web site at:

http://securityresponse.symantec.com

For more information, see the Symantec Scan Engine Implementation Guide.

About preparing for installation


Before you install Symantec AntiVirus for Network Attached Storage, you should ensure that your computer meets the system requirements for installing the scan engine. The scan engine is included on the Symantec AntiVirus for Network Attached Storage CD. If the scan engine uses the RPC protocol to interface with your network attached storage device, Symantec Scan Engine must be installed on Windows 2000 Server/Windows 2003 Server/Windows 2008 Server platforms only. For more information about installing the scan engine, see the Symantec Scan Engine Implementation Guide on the product CD.

Windows system requirements


The following are the system requirements for installing Symantec AntiVirus for Network Attached Storage on a Windows 2000 Server/Windows 2003 Server/Windows 2008 Server:


Operating system:
- Windows 2000 Server with the latest service pack
- Windows Server 2003 (32-bit)
- Windows Server 2003 R2 (32-bit)
- Windows Server 2003 R2 (64-bit)
- Windows Server 2008 (32-bit)
- Windows Server 2008 (64-bit)
- Windows Server 2008 R2 (64-bit)

Processor: Pentium 4 processor 1 GHz or higher

Memory: 1 GB of RAM or higher

Disk space: 500 MB of hard disk space

Hardware:
- 1 network interface card (NIC) running TCP/IP with a static IP address
- Internet connection to update definitions
- 100 Mbits/s Ethernet link (1 Gbit/s recommended)

Software:
- J2SE Runtime Environment (JRE) 5.0 (update 13 or later) or JRE 6.0
  The most current version of JRE 5.0 and JRE 6.0 at the time of product ship is provided on the product CD in the following folder: Tools\Java\Win2K
- One of the following Web browsers to access the Symantec Scan Engine console:
  - Microsoft Internet Explorer 6 (SP1) or later
    Use Microsoft Internet Explorer to access the Symantec Scan Engine console from a Windows client computer.
  - Mozilla Firefox 1.5 or later
    Use Mozilla Firefox to access the Symantec Scan Engine console from a Solaris or Linux client computer.
  The Web browser is only required for Web-based administration. You must install the Web browser on a computer from which you want to access the Symantec Scan Engine console. The computer must have access to the server on which Symantec Scan Engine runs.

Solaris system requirements


The following are the system requirements for installing Symantec AntiVirus for Network Attached Storage on a Sun Solaris system:


Operating system: Solaris 9 and 10
Ensure that your operating system has the latest patches that are available.

Processor: SPARC

Memory: 1 GB of RAM or higher

Disk space: 500 MB of hard disk space

Hardware:
- 1 network interface card (NIC) running TCP/IP with a static IP address
- Internet connection to update definitions
- 100 Mbits/s Ethernet link (1 Gbit/s recommended)

Software:
- J2SE Runtime Environment (JRE) 5.0 (update 13 or later) or JRE 6.0
  The most current version of JRE 5.0 and JRE 6.0 at the time of product ship is provided on the product CD in the following folder: Tools\Java\Solaris
  If you install the self-extracting JRE, ensure that you note the installation location. You must provide the location of the JRE if the installer is unable to detect it.
- One of the following Web browsers to access the Symantec Scan Engine console:
  - Mozilla Firefox 1.5 or later
    Use Mozilla Firefox to access the Symantec Scan Engine console from a Solaris or Linux client computer.
  - Microsoft Internet Explorer 6 (SP1) or later
    Use Microsoft Internet Explorer to access the Symantec Scan Engine console from a Windows client computer.
  The Web browser is only required for Web-based administration. You must install the Web browser on a computer from which you want to access the Symantec Scan Engine console. The computer must have access to the server on which Symantec Scan Engine runs.

Linux system requirements


The following are the system requirements for installing Symantec AntiVirus for Network Attached Storage on a Linux system:


Operating system:
- Red Hat Linux Enterprise Server 3 and 4
- Red Hat Linux Advanced Server 3 and 4
- Red Hat Enterprise Linux 5
- SuSE Linux Enterprise Server 9 and 10
- Red Hat Enterprise Linux 5 (64-bit)

Processor: Pentium 4 processor 1 GHz or higher

Memory: 1 GB of RAM or higher

Disk space: 500 MB of hard disk space

Hardware:
- 1 network interface card (NIC) running TCP/IP with a static IP address
- Internet connection to update definitions
- 100 Mbits/s Ethernet link (1 Gbit/s recommended)

Software:
- Ensure that the following packages are installed:
  - GNU sharutils-4.6.1-2 or later
    Use this package to expand the Rapid Release packages.
  - ncompress-4.2.4-44 or later
    Use this package to expand the Rapid Release packages.
  - initscripts
    This package is required for Red Hat Linux only.
  - aaa_base package
    This package is required for SuSE only.
- J2SE Runtime Environment (JRE) 5.0 (update 13 or later) or JRE 6.0
  The most current version of JRE 5.0 and JRE 6.0 at the time of product ship is provided on the product CD in the following folder: Tools\Java\Red Hat
  Install the JRE using Red Hat Package Manager (RPM). Ensure that you note the installation location. You must provide the location of the JRE if the installer is unable to detect it.
- One of the following Web browsers to access the Symantec Scan Engine console:
  - Mozilla Firefox 1.5 or later
    Use Mozilla Firefox to access the Symantec Scan Engine console from a Solaris or Linux client computer.
  - Microsoft Internet Explorer 6 (SP1) or later
    Use Microsoft Internet Explorer to access the Symantec Scan Engine console from a Windows client computer.
  The Web browser is only required for Web-based administration. You must install the Web browser on a computer from which you want to access the Symantec Scan Engine console. The computer must have access to the server on which Symantec Scan Engine runs.

Post-installation tasks
The Symantec AntiVirus for Network Attached Storage connectors do not require licensing from Symantec. However, you must install the appropriate licenses for Symantec Scan Engine. These licenses are required to activate antivirus scanning functionality for the scan engine and to receive updated virus definitions.


For more information about licensing, see the Symantec Scan Engine Implementation Guide. After you install and configure the scan engine, you must configure the connector for your network attached storage device to send files to the scan engine. For more information about integrating a specific connector with the scan engine, see the appropriate chapter in this guide.


Configuring Symantec AntiVirus for NetApp Filer


This chapter includes the following topics:

- About software components
- How Symantec Scan Engine works with the NetApp Filer client
- About preparing for installation
- About configuring Symantec Scan Engine
- About configuring the client NetApp Filer

About software components


Symantec AntiVirus for Network Attached Storage provides virus scanning and repair capabilities for Network Appliance (NetApp) Filer storage appliances. Configure the following components to add antivirus scanning to the NetApp Filer:

- Symantec Scan Engine, which provides the virus scanning and repair services
  For more information, see the Symantec Scan Engine Implementation Guide.
- The NetApp Filer
  Some options are configured directly on the NetApp Filer. No additional code is necessary to connect Symantec Scan Engine to the NetApp Filer.
  See "About configuring the client NetApp Filer" on page 44.


How Symantec Scan Engine works with the NetApp Filer client
Symantec AntiVirus for Network Attached Storage provides virus scanning and repair capabilities for the NetApp Filer storage appliances that support Data ONTAP version 6.1.3 or later. Each Filer must be running Data ONTAP 6.1.3 or later if you plan to use a single Symantec Scan Engine to support multiple Filer storage appliances. Symantec Scan Engine must be installed on a computer that is running Windows 2000 Server/Windows 2003 Server/Windows 2008 Server. It must be located in the same domain as the NetApp Filer for which it provides scanning and repair services. Symantec Scan Engine uses the proprietary Network Appliance adaptation of the RPC protocol to interface with NetApp Filer storage appliances. A single Symantec Scan Engine can support multiple NetApp Filers. You can use multiple scan engines to support one or more filers for sites with larger scan volumes. Load balancing is handled through the NetApp Filer interface. Virus scanning on the NetApp Filer is available only for those files that are requested through the Common Internet File System (CIFS). Files that are requested through the Network File System (NFS) are not scanned for viruses.

What happens when a file is scanned


The NetApp Filer submits files to Symantec Scan Engine for scanning on both read and write. That is, files are scanned when they are accessed from storage (read), renamed (write) and when submitted for storage, if modified (write).

When a user tries to access a file, the filer passes the file to Symantec Scan Engine for scanning. After a file is scanned, Symantec Scan Engine indicates the scanning results to the filer. If a file is infected and can be repaired, the scan engine returns the repaired file based on a configurable virus scan policy.

Clean files are passed to the requesting user after the filer receives the scanning results. The repaired file is passed to the requesting user if the file is infected and can be repaired. The stored version of the infected file is then replaced with the repaired file. The user is denied access to the file if the file is infected and cannot be repaired, and the infected file is deleted from storage. Symantec Scan Engine can be configured to quarantine these unrepairable files.

See "About quarantining unrepairable infected files" on page 38.

The filer caches scanning results for each clean file to avoid redundant scans of those files that have already been scanned. The cache is purged when the virus definitions on Symantec Scan Engine are updated, the vscan reset command is run on the filer, or when the scan engine is restarted. If the cache is full and a file that is not in the cache is accessed, the oldest information in the cache is purged. This ensures that the scanning results for the newly scanned file can be stored.

About connecting to Symantec Scan Engine


A connection is maintained between each NetApp Filer and Symantec Scan Engine. Symantec Scan Engine monitors the connection with each NetApp Filer by checking the connection at a configured time interval. The scan engine tries to reconnect if it determines that the connection is not active. (The number of times that the scan engine tries to re-establish the connection can also be configured.)

About limiting scanning by file type


Viruses are found only in the file types that contain executable code. Only those file types that can contain viruses need be scanned. Limiting scanning by file type saves bandwidth and time. You have the following levels of control over which files are scanned:
- You can control the files that are initially submitted to the scan engine by the NetApp Filer for scanning.
  The NetApp Filer lets you specify by file extension the files that are to be passed to Symantec Scan Engine for scanning. You configure the file types that you want to submit for scanning through the NetApp Filer interface in accordance with the product documentation.
  See "About specifying the file extensions to be scanned on the NetApp Filer" on page 45.
- You can control the files that are embedded in archival file formats (for example, .zip or .lzh files) that are to be scanned by Symantec Scan Engine.
  The scan engine lets you specify the file types and the file extensions that you do not want to scan. The file extensions exclusion list and the file type exclusion list achieve this purpose. You can also scan all file types regardless of extension. You configure which embedded files are scanned through the Symantec Scan Engine administrative interface.
  See "Specify which embedded files to scan" on page 40.

About handling infected files


You can configure Symantec Scan Engine to do any of the following when an infected file is found:

Scan Only: Deny access to the infected file, but do nothing to the infected file.

Scan and repair files: Try to repair the infected file, and deny access to any unrepairable file.

Scan and repair or delete: Try to repair the infected file, and delete any unrepairable file.

You can also configure the scan engine to quarantine unrepairable files.

See "About quarantining unrepairable infected files" on page 38.

About user identification and notification when a virus is found


When a virus is found in a file that is requested from the NetApp Filer, Symantec Scan Engine automatically obtains (for logging purposes) identification information about the user who requested the infected file. This information includes the security identifier of the user and the IP address and host name of the requesting computer. The identification information supplements the information that is contained in Infection Found log messages that are logged to the local logs, the Windows Event Log, and SMTP. This information does not appear in the Infection Found messages that are logged to SNMP or SESA.

Note: Symantec Scan Engine can obtain only the information that is made available by the NetApp Filer. In some cases, all or some of this information is not available. The information that is obtained is reported in the related log entries. Any identification information that is not obtained from the NetApp Filer is omitted from the log messages and from the user notification window.

You also can configure Symantec Scan Engine to notify the requesting user that the retrieval of a file failed because a virus was found. The notification message includes the following:

- Date and time of the event
- File name of the infected file
- Virus name and ID
- Virus definition date and revision number
- Manner in which the infected file was handled (for example, the file was repaired or deleted)
- Scan policy
- Disposition of the file
- Duration of scan time and connection time

To use the user notification feature, the Windows Messenger service must be running on the computer that is running Symantec Scan Engine, and on the user's computer.

See "Notifying a requesting user that a virus was found" on page 36.

About preparing for installation


The Network Appliance Filer storage appliance must support Data ONTAP version 6.1.3 or later to interface with Symantec Scan Engine. If you plan to use a single Symantec Scan Engine to support multiple filer storage appliances, each filer must support Data ONTAP version 6.1.3 or later. As a prerequisite, ensure that each NetApp Filer for which the scan engine is to provide scanning and repair services meets this requirement.

To use RPC, Symantec Scan Engine must be installed on a computer that is running Windows 2000 Server/Windows 2003 Server/Windows 2008 Server. The computer on which you plan to install Symantec Scan Engine must meet the system requirements that are listed in the Symantec Scan Engine Implementation Guide.

After you install Symantec Scan Engine, configure the NetApp Filer to work with the scan engine.

See "About configuring the client NetApp Filer" on page 44.

About configuring Symantec Scan Engine


Configure Symantec Scan Engine to use RPC as the communication protocol. The Internet Content Adaptation Protocol (ICAP) is the default protocol at installation, but you can change the protocol to RPC through the administrative interface. Then you can configure the RPC-specific options.

See "Configuring RPC protocol options" on page 32.

You must also change the Windows service startup properties to identify an account that has the appropriate permissions.

See "Editing the service startup properties" on page 31.

Editing the service startup properties


If you change the protocol setting to RPC, you need to change the service startup properties to identify an account that has the following appropriate permissions:

- The user account must have local administrator permissions on the computer that has the scan engine.
- The user account must have Backup Operator privileges or above on the NetApp Filer.

You must change the service startup properties if the list of NetApp Filers is edited as well.

To edit the service startup properties

1. In the Windows 2000/2003/2008 Control Panel, click Administrative Tools.
2. Click Services.
3. In the list of services, right-click Symantec Scan Engine, and then click Properties.
4. In the Properties dialog box, on the Log On tab, click This Account.
5. Type the account name and password for the user account that has local administrator rights on the computer that has the scan engine. This account should also have domain backup operator privileges or above. Use the following format for the account name: domain\username
6. Click OK.
7. Stop and start the Symantec Scan Engine service. For more information on stopping and starting the Symantec Scan Engine service, see the Symantec Scan Engine Implementation Guide.

Configuring RPC protocol options


After you install Symantec Scan Engine, you can configure settings that are specific to the RPC protocol. You must manually stop and start the scan engine service when you change to the RPC protocol. This ensures a proper connection to the NetApp Filer. Table 2-1 describes the protocol-specific options for RPC.

Table 2-1 Protocol-specific options for RPC

Option: RPC client list
Description: A single Symantec Scan Engine can support one or more NetApp Filers. NetApp Filers must be located in the same domain as the scan engine. You must provide the IP address of each NetApp Filer.
Note: Multiple scan engines can support a single NetApp Filer. Configure the multiple scan engines through the NetApp Filer interface.

Option: Check RPC connection every __ seconds
Description: Symantec Scan Engine maintains a connection with the NetApp Filer. Symantec Scan Engine can be configured to check the connection with the NetApp Filer at a prescribed interval to ensure that the connection is active. The default value is 20 seconds.

Option: Maximum number of reconnect attempts
Description: You can configure the scan engine to make a specified number of tries to re-establish a lost connection with the NetApp Filer. By default, Symantec Scan Engine is configured to try to reconnect with the NetApp Filer indefinitely.
Note: Do not set a maximum number of reconnect attempts if the scan engine provides scanning for multiple NetApp Filers. Use the default setting.

Option: Antivirus scan policy
Description: You can configure Symantec Scan Engine to do one of the following when an infected file is found:
- Scan only: Deny access to the infected file, but do nothing to the infected file.
- Scan and repair files: Try to repair the infected file, and deny access to any unrepairable file.
- Scan and repair or delete: Try to repair the infected file, and delete any unrepairable file from archive files.
Note: You must select Scan and repair or delete if you plan to quarantine the infected files that cannot be repaired. For more information, see the Symantec Scan Engine Implementation Guide.

Option: Automatically send antivirus update notifications
Description: You can configure Symantec Scan Engine to automatically notify the NetApp Filer when new virus definitions are used. This notification causes the NetApp Filer to clear its cache of scanned files.


Configure RPC protocol options


To configure RPC, do the following:

- Provide an IP address for each NetApp Filer for which Symantec Scan Engine should provide scanning services. You can add or delete filers from this list at any time.
- Configure the additional RPC-specific options.

To edit the list of NetApp Filers

1. On the Symantec Scan Engine administrative interface, in the left pane, click Configuration.
2. Under Views, click Protocol.
3. In the right pane, under Select Communication Protocol, click RPC. The configuration settings are displayed for the selected protocol.
4. In the Manual Restart Required dialog box, click OK. Whenever you switch protocols, you must restart the server. You can continue to make and apply changes in the administrative interface. However, the changes do not take effect until you restart the Symantec Scan Engine service.
5. To add a NetApp Filer to the list of RPC clients, type the IP address of the NetApp Filer for which Symantec Scan Engine should provide scanning services. Type one entry per line.
6. To delete a NetApp Filer from the list of RPC clients, select and delete the IP address of the NetApp Filer.
7. On the toolbar, select one of the following:
   - Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   - Apply: Applies your changes. Your changes are not implemented until you apply them.
   You must perform a manual restart for the changes to take place and for a proper connection to the NetApp Filer.


To configure additional RPC-specific options

1. On the Symantec Scan Engine administrative interface, in the left pane, click Configuration.
2. Under Views, click Protocol.
3. Under RPC Configuration, in the Check RPC connection every box, type how frequently Symantec Scan Engine checks the RPC connection with the NetApp Filer to ensure that the connection is active. The default interval is 20 seconds.
4. In the Maximum number of reconnect attempts box, type the maximum number of tries that the Symantec Scan Engine should undertake to reestablish a lost connection with the NetApp Filer. The default setting is 0. Symantec Scan Engine tries indefinitely to reestablish a connection. Use the default setting if the scan engine provides scanning for multiple NetApp Filers.
5. In the Antivirus scan policy list, select how you want Symantec Scan Engine to handle infected files. The default setting is Scan and repair or delete.
6. On the toolbar, select one of the following:
   - Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   - Apply: Applies your changes. Your changes are not implemented until you apply them.
   You must perform a manual restart for the changes to take place and for a proper connection to the NetApp Filer.

Notifying the NetApp Filer when virus definitions are updated


When Symantec Scan Engine scans a file, it is stored in the NetApp Filer's cache. This cached file is sent to any user who subsequently requests the same file, thus conserving scanning resources.

You can configure the scan engine to automatically notify the NetApp Filer when the scan engine begins using new virus definitions. This notification prompts the NetApp Filer to clear its cache of scanned files. Any new request for a file causes the file to be sent to the scan engine again for scanning. The scanned clean files are cached, and these cached files are sent to the requesting user.

You can manually clear the cache of scanned files at the command line interface of the NetApp Filer as well.

See "About clearing the scanned files cache" on page 47.

The process of automatically notifying the NetApp Filer about virus definitions updates could affect system performance, depending on how frequently you schedule LiveUpdate. You can send the notification manually to minimize the impact on scanning resources.

To automatically notify the NetApp Filer when virus definitions are updated

1. On the administrative interface, in the left pane, click Configuration.
2. Under Views, click Protocol.
3. Under RPC Configuration, check Automatically send AntiVirus update notifications. This option is disabled by default.
4. On the toolbar, select one of the following:
   - Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   - Apply: Applies your changes. Your changes are not implemented until you apply them.
   You must perform a manual restart for the changes to take place.

To manually notify the NetApp Filer when virus definitions are updated

1. On the administrative interface, in the left pane, click Configuration.
2. Under Views, click Protocol.
3. In the left pane, under Tasks, click Send AntiVirus Update Notification.
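The cache behavior described in this section and under "What happens when a file is scanned" can be modeled as follows. This is an added Python example, not Symantec or NetApp code; the class names, the marker strings and the sample share are hypothetical, and the model assumes the filer's cache is cleared only by an update notification or an explicit reset.

```python
from collections import OrderedDict


class ScanEngine:
    """Toy engine: content is infected if it contains a known signature."""

    def __init__(self, signatures, auto_notify=False):
        self.signatures = set(signatures)
        self.auto_notify = auto_notify  # the guide: disabled by default
        self.filers = []
        self.scans = 0

    def is_clean(self, content):
        self.scans += 1
        return not any(sig in content for sig in self.signatures)

    def update_definitions(self, new_signatures):
        self.signatures |= set(new_signatures)
        if self.auto_notify:
            self.send_update_notification()

    def send_update_notification(self):
        """Models the manual Send AntiVirus Update Notification task."""
        for filer in self.filers:
            filer.clear_cache()


class Filer:
    """Toy filer that remembers which files were scanned clean."""

    def __init__(self, engine, files, cache_size=2):
        self.engine = engine
        self.files = files
        self.cache_size = cache_size
        self.clean_cache = OrderedDict()  # path -> None, oldest entry first
        engine.filers.append(self)

    def clear_cache(self):
        """Effect of an update notification or of vscan reset."""
        self.clean_cache.clear()

    def cifs_read(self, path):
        if path in self.clean_cache:
            return "served from cache"  # no scan is requested
        if not self.engine.is_clean(self.files[path]):
            return "denied"             # only clean results are cached
        if len(self.clean_cache) >= self.cache_size:
            self.clean_cache.popitem(last=False)  # purge the oldest result
        self.clean_cache[path] = None
        return "served after scan"


# Constructed sample share: tool.exe carries a marker that only the
# updated definitions recognize.
FILES = {
    "a.doc": b"plain",
    "b.xls": b"plain",
    "c.txt": b"plain",
    "tool.exe": b"MZ..MARKER-NEW..",
}


def replay(auto_notify, manual_notify=False):
    """Read tool.exe before and after a definitions update."""
    engine = ScanEngine({b"MARKER-OLD"}, auto_notify)
    filer = Filer(engine, FILES)
    before = filer.cifs_read("tool.exe")
    engine.update_definitions({b"MARKER-NEW"})
    if manual_notify:
        engine.send_update_notification()
    after = filer.cifs_read("tool.exe")
    return before, after


def eviction_order():
    """Fill a two-entry cache with three clean files."""
    engine = ScanEngine(set())
    filer = Filer(engine, FILES, cache_size=2)
    for path in ("a.doc", "b.xls", "c.txt"):
        filer.cifs_read(path)
    return list(filer.clean_cache), engine.scans


if __name__ == "__main__":
    print("no notification:    ", replay(auto_notify=False))
    print("automatic:          ", replay(auto_notify=True))
    print("manual notification:", replay(False, manual_notify=True))
    print("cache after 3 reads:", eviction_order())
```

In the model, a file cached as clean under the old definitions keeps being served until a notification or reset clears the cache, which is the case to check for when automatic notification is left disabled.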

Notifying a requesting user that a virus was found


You can configure Symantec Scan Engine to notify the requesting user that the retrieval of a file failed because a virus was found. The notification message is displayed only if the user uses a Windows computer. In addition, the requesting user's computer must be in the same domain as the scan engine. Both the user's computer and the scan engine must have the Windows Messenger service running to use this feature.

The notification message includes the following information:

- The date and time of the event
- The event security level (for example, Warning)
- The scan policy (for example, scan and repair or delete)
- The file name of the infected file
- The virus name and ID
- The manner in which the infected file was handled (for example, the file was repaired or deleted)
- The disposition of the file (for example, infected)
- The IP address and name of the requesting user's computer
- The date and revision number of the virus definitions used
- The duration (in seconds) of scan and connection time

You can enable the NetApp Filer to display warning messages to the requesting user as well.

See "About notifying a requesting user that a virus was found" on page 47.

To notify a requesting user that a virus was found

1. On the Symantec Scan Engine administrative interface, in the left pane, click Monitors.
2. Under Views, click Alerting.
3. In the right pane, under Log Windows Messenger, check Enable Windows Messenger Logging. User notification is disabled by default.
4. On the toolbar, select one of the following:
   - Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   - Apply: Applies your changes. Your changes are not implemented until you apply them.
   You must perform a manual restart for the changes to take place.

About quarantining unrepairable infected files


You can quarantine unrepairable infected files when you use the RPC protocol. To use the quarantine feature, Symantec Central Quarantine must be installed separately on a computer that runs Windows 2000 Server/Windows 2003 Server/Windows 2008 Server. Symantec Central Quarantine is included on the Symantec Scan Engine distribution CD along with supporting documentation.

Symantec Scan Engine forwards the infected files that cannot be repaired to Symantec Central Quarantine. Typically, the heuristically-detected viruses that cannot be eliminated by the current set of virus definitions are forwarded to the quarantine. They are isolated so that the viruses cannot spread. The infected items can be submitted to Symantec Security Response for analysis from the quarantine. New virus definitions are posted if a new virus is identified.

Note: You must select Scan and repair or delete as the RPC scan policy to forward files to the quarantine.

The original infected file is deleted when a copy of an infected file is forwarded to the quarantine. If submission to the quarantine is not successful, the original file is not deleted, and an error message is returned to the NetApp Filer. Access to the infected file is denied.

For more information about installing and configuring Symantec Central Quarantine, see the Symantec Central Quarantine Administrator's Guide.


To quarantine unrepairable infected files

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Quarantine, check Quarantine files.
4. In the Central server quarantine host or IP box, type the host name or the IP address for the computer on which Symantec Central Quarantine is installed.
5. In the Port box, type the TCP/IP port number to be used by the Symantec Scan Engine to pass files to the Symantec Central Quarantine. This setting must match the port number that is selected at installation for Symantec Central Quarantine.
6. On the toolbar, select one of the following:
   - Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   - Apply: Applies your changes. Your changes are not implemented until you apply them.

Specifying which embedded files to scan


The NetApp Filer submits files to Symantec Scan Engine for scanning based on the file extension of the top-level file. You can configure the file types that are submitted for scanning through the filer administrative interface. The top-level files that are sent to Symantec Scan Engine are scanned regardless of file extension. When the scan engine receives an archive file (for example, a .zip or .lzh file) that contains embedded files, it must break down the archive file and scan each embedded file. You can control, through the scan engine administrative interface, which embedded files are scanned by using a file extension and file type exclusion list. You can also scan all files regardless of extension. Symantec Scan Engine is configured by default to scan all files. The file type and file extension exclusion list is prepopulated with the file types that are unlikely to contain viruses, but you can edit this list.


Note: During virus outbreaks, you might want to scan all files even if you normally control the file types that are scanned with the file type or file extension exclusion list.

Specify which embedded files to scan


You can scan all files regardless of extension, or you can control which files are scanned by specifying the extensions or the file types that you want to exclude. Symantec Scan Engine is configured by default to scan all files.

To scan all files regardless of extension or type

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files.
4. On the toolbar, select one of the following:
   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.

To scan all files except for those that are in the file extension exclusion list

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files except those in the extension or type exclude lists. When you activate this option, both the file extension exclude list and the file type exclude list are activated automatically.

Type each file extension that you want to add to the list on a separate line. Use a period with each extension in the list.

To remove a file extension from the list, select it and delete it from the File extension exclude list.


To restore the default file extension exclude list, in the left pane, under Tasks, click Reset Default List. This option restores the default file-type exclude list and the file-extension exclude list.

On the toolbar, select one of the following:


   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.

To scan all file types except those in the file type exclusion list

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files except those in the extension or type exclude lists. When you activate this option, both the file type exclude list and the file extension exclude list are activated automatically.

Type each file type you want to add to the list on a separate line. To include all subtypes for a file type, use the wildcard character /*.

To remove a file type from the list, select it and delete it from the File type exclude list.


To restore the default file type exclude list, in the left pane, under Tasks, click Reset Default List. This option restores the default file-type exclude list and the file-extension exclude list.

On the toolbar, select one of the following:


   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.

Scheduling LiveUpdate to update virus definitions automatically


Scheduling LiveUpdate to occur automatically at a specified time interval ensures that the Symantec Scan Engine always has the most current virus definitions. If you use multiple scan engines to support virus scanning, schedule LiveUpdate to occur at the same time for each scan engine. This scheduling ensures that all scan engines have the same version of virus definitions. Having the same version of virus definitions is necessary for proper functioning of virus scanning on the NetApp Filer. You must schedule LiveUpdate on each Symantec Scan Engine.

When LiveUpdate is scheduled, LiveUpdate runs at the specified time interval relative to the LiveUpdate base time. The default LiveUpdate base time is the time that the scan engine was installed. You can change the LiveUpdate base time. If you change the scheduled LiveUpdate interval, the interval adjusts based on the LiveUpdate base time. For more information on changing the base time, see the Symantec Scan Engine Implementation Guide.

To schedule LiveUpdate to update virus definitions automatically

1. On the Symantec Scan Engine administrative interface, in the left pane, click System.
2. Under Views, click LiveUpdate Content.


In the right pane, under LiveUpdate Content, check Enable scheduled LiveUpdate. This option is enabled by default.

In the LiveUpdate interval drop-down list, choose an interval. You can select from 2, 4, 8, 10, 12, or 24-hour intervals. The default LiveUpdate interval is 2 hours.

On the toolbar, select one of the following:


   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.

Configuring Rapid Release updates to occur automatically


You can configure Symantec Scan Engine to obtain uncertified definition updates with Rapid Release. You can configure Symantec Scan Engine to retrieve Rapid Release definitions every 5 minutes to every 120 minutes. Rapid Release definitions are created when a new threat is discovered. Rapid Release definitions undergo basic quality assurance tests by Symantec Security Response. However, they do not undergo the intense testing that is required for a LiveUpdate release. Symantec updates Rapid Release definitions as needed to respond to high-level outbreaks.

Warning: Rapid Release definitions do not undergo the same rigorous quality assurance tests as LiveUpdate and Intelligent Updater definitions. Symantec encourages users to rely on the full quality-assurance-tested definitions whenever possible. Ensure that you deploy Rapid Release definitions to a test environment before you install them on your network.

If you use a proxy or firewall that blocks FTP communications, the Rapid Release feature does not function. Your environment must allow FTP traffic for the FTP session to succeed.


You can schedule Rapid Release updates to occur automatically at a specified time interval to ensure that Symantec Scan Engine always has the most current definitions. Scheduled Rapid Release updates are disabled by default.

Configuring Rapid Release updates to occur automatically

1. On the Symantec Scan Engine administrative interface, in the left pane, click System.
2. Under Views, click Rapid Release Content.
3. In the content area under Rapid Release Content, check Enable scheduled Rapid Release to enable automatic downloads of Rapid Release definitions. This option is disabled by default.

In the Rapid Release interval box, to specify the interval at which you want Symantec Scan Engine to download Rapid Release definitions, do either of the following:

   Type the interval.
   Click the up arrow or down arrow to select the interval.

You can select any number between 5 minutes and 120 minutes. The default value is 30 minutes.

On the toolbar, select one of the following:


   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.

About configuring the client NetApp Filer


After you configure Symantec Scan Engine to use RPC as the communication protocol, you configure the client NetApp Filers to work with Symantec Scan Engine. NetApp Filer clients must be running Data ONTAP version 6.1.3 or later to interface with Symantec Scan Engine. If you plan to support more than one filer with a single scan engine, each filer must be running Data ONTAP 6.1.3 or later.


Each NetApp Filer should be installed and configured in accordance with the accompanying product documentation. Each filer should be functional before you initiate virus scanning using Symantec Scan Engine.

About verifying that the scan engine is registered with the filer
You can verify that the scan engine is registered with the filer after you install Symantec Scan Engine. Registration is automatic if you have provided the correct information to Symantec Scan Engine for contacting the filer. Registration occurs when the scan engine connects to the Filer. Use the vscan command at the command line interface to check the list of registered scan engines.

Note: The service startup properties for Symantec Scan Engine must be changed to identify an account that has the appropriate permissions on the filer. If the change has not been done, the scan engine cannot register with the filer because it does not have sufficient permission.

See Editing the service startup properties on page 31.

About activating virus scanning


You can activate and deactivate virus scanning. Use the vscan on command at the command line to activate virus scanning. Use the vscan off command to deactivate virus scanning.

About specifying the file extensions to be scanned on the NetApp Filer


Configure the list of extensions on the NetApp Filer to contain only the file extensions that you want to scan. This lets you control the file types that are passed to Symantec Scan Engine for scanning. You can configure file extensions using the extensions include and exclude lists. The extensions that are configured on the NetApp Filer take precedence over the file types and the extensions configured on Symantec Scan Engine. For example, if .doc is included in the extensions include list for the NetApp Filer but is excluded on Symantec Scan Engine, .doc files are still scanned.

A default list of extensions to be submitted for virus scanning is included with the NetApp Filer. To modify the extensions include list, at the command line interface, use the vscan extensions include add command to add extensions and the vscan extensions include remove command to remove extensions from the list. Similarly, for the extensions exclude list, use the vscan extensions exclude add command to add extensions and the vscan extensions exclude remove command to remove extensions from the exclude list on the NetApp Filer. To roll back to the default include list, use the vscan extensions include reset command at the command line interface.

The wildcard extension (???), which scans all files regardless of file extension, might negatively impact performance. The highest level of protection is achieved by scanning all file types; however, viruses are found only in those file types that contain executable code. So, every file type need not be scanned. You can save bandwidth and time by limiting the files to be scanned to only those file types that can contain viruses. For more information, see the NetApp Filer documentation.

About working with unresponsive scan engines


The NetApp Filer can be configured to let the connection time out while waiting for a reply from Symantec Scan Engine. Connections mostly time out when large or complex files are scanned (for example, container files with multiple embedded files or files that contain polymorphic or macro viruses). The time-out option can be configured by using the vscan options time-out command. The default value is 10 seconds.

When the scan request times out, the NetApp Filer checks to see if the scan engine is currently at work on its request. If there is still no response, it sends the scan request to another scan engine. If none of the scan engines respond, then the NetApp Filer can either allow file access without virus scanning or deny file access altogether. Configure this option by using the vscan options mandatory_scan command.

You can end a virus scanning session by using the vscan scanners stop command. For more information, see the NetApp Filer documentation.

How virus scanning affects backups on NetApp Filer


The service startup properties for Symantec Scan Engine must be edited to identify an account with Backup Operator privileges on the NetApp Filer. Otherwise, backups on the filer might not finish successfully when virus scanning is active. The NetApp Filer can time out while waiting for a reply from the Symantec Scan Engine when large files are scanned. Virus scanning also increases the length of time that is needed for a backup to finish.


Note: Ensure that you have edited the service startup privileges appropriately, or disable virus scanning before you initiate a backup of the NetApp Filer. See Editing the service startup properties on page 30. See Editing the service startup properties on page 31.

About clearing the scanned files cache


When Symantec Scan Engine scans a file, it is stored in the NetApp Filer's cache. This cached file is sent to any user who subsequently requests the same file, thus conserving scanning resources.

Symantec Scan Engine can automatically notify the NetApp Filer when the scan engine begins using new virus definitions. This notification prompts the NetApp Filer to clear its cache of scanned files. Any new request for a file causes the file to be sent to the scan engine again for scanning. See Notifying the NetApp Filer when virus definitions are updated on page 35.

You can manually clear the cache of scanned files by using the vscan reset command at the command line interface.

About notifying a requesting user that a virus was found


You can configure Symantec Scan Engine to notify the requesting user that the retrieval of a file failed because a virus was found. See Notifying a requesting user that a virus was found on page 36. You can also enable Data ONTAP on the NetApp Filer to display warning messages by using the vscan options client_msgbox {on|off} command.


Chapter

Configuring Symantec AntiVirus for Sun StorageTek 5000 NAS Appliance


This chapter includes the following topics:

About software components
How Symantec Scan Engine works with the Sun StorageTek 5000 NAS Appliance
About preparing for installation
About configuring Symantec Scan Engine
About configuring the Sun StorageTek 5000 NAS Appliance
Recommendations while integrating multiple scan engines

About software components


Symantec AntiVirus for Network Attached Storage provides virus scanning and repair capabilities for the Sun StorageTek 5000 series of network-attached storage (NAS) devices. To add antivirus scanning to the Sun StorageTek 5000 NAS Appliance, configure the following components:

Symantec Scan Engine, which provides the virus scanning and repair services. For more information, see the Symantec Scan Engine Implementation Guide.

The NAS Anti Virus Agent, which provides the virus scanning functionality and ensures the seamless integration of Symantec Scan Engine with the Sun StorageTek 5000 NAS Appliance. The NAS Anti Virus Agent is an integral part of the Sun StorageTek 5000 NAS Appliance. No separate license is required. See About configuring the Sun StorageTek 5000 NAS Appliance on page 62.

How Symantec Scan Engine works with the Sun StorageTek 5000 NAS Appliance
Symantec AntiVirus for Network Attached Storage provides virus scanning and repair capabilities for the Sun StorageTek 5000 series of network-attached storage devices that support the Sun NAS firmware version 4.21 M1 and later. Virus scanning and repair is provided for files on the Common Internet File System (CIFS). The Internet Content Adaptation Protocol (ICAP) is used to communicate with Symantec Scan Engine. In a typical Sun StorageTek 5000 NAS environment, a minimum of two scan engines is required to handle scan volume. A maximum of four scan engines can be supported per Sun StorageTek 5000 NAS Appliance. The NAS Anti Virus Agent handles load balancing across multiple scan engines automatically.

How are files scanned


The NAS Anti Virus Agent is configured to scan a file in real-time (that is, when a file is opened and when it is closed, if it has been modified). When a user tries to access a file from storage, the NAS Anti Virus Agent opens a connection with Symantec Scan Engine. The NAS Anti Virus Agent then passes the file to the scan engine for scanning. When scanning is complete, the NAS Anti Virus Agent closes the connection with the scan engine.

The Symantec Scan Engine indicates the scanning results to the NAS Anti Virus Agent after a file is scanned. The scan engine also returns the repaired file if a file is infected and can be repaired. After the NAS Anti Virus Agent receives the scanning results, the file is handled in the following way:

   Only clean files are passed to the requesting user.
   The repaired file is passed to the requesting user if the file is infected and can be repaired. The stored version of the infected file is then replaced with the repaired file.
   If the file is infected and cannot be repaired, the user is denied access to the file, and the infected file is quarantined.

The user can also configure the Symantec Scan Engine to quarantine an unrepairable file.


See About quarantining unrepairable files on Symantec Scan Engine on page 53.

How caching works


The NAS Anti Virus Agent caches scanning results for each clean file. The cached information includes the date and revision number of the virus definitions that were used to perform the scan. So, if a second user requests access to a file that has already been scanned and if the virus definitions have not changed, a redundant scan is avoided. The cache is purged when the virus definitions on Symantec Scan Engine are updated and when the Sun StorageTek 5000 NAS Appliance is restarted. Individual cache entries are updated whenever a stored file is changed.

About specifying which file types are scanned


To specify the file types to be scanned for viruses, configure settings on both the NAS Anti Virus Agent and Symantec Scan Engine.

About specifying file types on the NAS Anti Virus Agent


Based on file extensions, the NAS Anti Virus Agent determines, initially, whether it should pass a file to Symantec Scan Engine for scanning. You configure which files are passed to Symantec Scan Engine for scanning when you set up the NAS Anti Virus Agent. You can control which files are scanned by using an exclusion or an inclusion list, or you can scan all files regardless of extension. Configure the NAS Anti Virus Agent to pass all file types to the scan engine except those that are contained in the exclusion list. The exclusion list can include extensions for those file types that are not likely to contain viruses and can be excluded from scanning. See About configuring virus scanning on the Sun StorageTek 5000 NAS Appliance on page 63.

About specifying file types on Symantec Scan Engine


You can configure Symantec Scan Engine so that selected file types and file extensions are excluded from scanning. The setting on Symantec Scan Engine is as important as the NAS Anti Virus Agent setting. This setting on the scan engine determines which files to scan upon receiving a file from the NAS Anti Virus Agent. The scanned files are those contained in archive or container file formats. You can control which embedded files are scanned by using the file type and extension exclusion list, or you can scan all files regardless of extension.


Note: When you use exclusion lists, not all file types are scanned; therefore, new types of viruses might not be detected. Scanning all files regardless of extension and type is the most secure setting, but it imposes the heaviest demand on resources. During virus outbreaks, you might want to scan all files even if you normally control the file types that are scanned with the exclusion list.

For more information, see the Symantec Scan Engine Implementation Guide. See Specifying which file types to scan on the scan engine on page 56.

About specifying the scan policy


You configure the scan policy through the Symantec Scan Engine administrative interface. When an infected file is found, the scan engine can do any of the following:
   Scan only: Scan files for viruses, but do nothing to infected files.
   Scan and delete: Scan files for viruses, and delete any infected files that are embedded in archive or container files without trying to repair.
   Scan and repair files: Try to repair infected files, but do nothing to unrepairable files (that is, do not delete the files from archive or container files).
   Scan and repair or delete: Try to repair infected files, and delete unrepairable files from archive or container files.

About handling infected files on the NAS device


When an unrepairable infected file is found, the NAS Anti Virus Agent does not delete the file, even though the scan engine tells it to. Instead, the NAS Anti Virus Agent quarantines the file and denies any access to the file. The quarantined files can be deleted or removed from quarantine by using the command-line interface in the Sun StorageTek 5000 NAS Appliance or through Windows Explorer on the requesting CIFS client. For more information, see the appropriate Sun StorageTek documentation.


About quarantining unrepairable files on Symantec Scan Engine


You can configure Symantec Scan Engine to quarantine files that are infected with viruses and are unrepairable. You must provide the host name or IP address of a Windows 2000 Server/Windows 2003 Server/Windows 2008 Server that has the Symantec Quarantine Server installed. For more information, see the Symantec Scan Engine Implementation Guide.

About preparing for installation


The computer on which you plan to install Symantec Scan Engine must meet the system requirements that are listed in the Symantec Scan Engine Implementation Guide. After you have installed the Symantec Scan Engine, configure the virus scanning functionality on the Sun StorageTek 5000 NAS device.

About configuring Symantec Scan Engine


You must configure several settings on each Symantec Scan Engine that is used to support scanning for the Sun StorageTek 5000 NAS family.

Note: The configuration settings on each scan engine must be identical if you use multiple scan engines to support scanning. LiveUpdate and Rapid Release should be scheduled to occur at the same time on all scan engines so that virus definitions are consistent at all times.

The scan engine must be configured to use ICAP as the communication protocol. ICAP is the default protocol at installation. After you have selected ICAP, you can configure ICAP-specific options.

Configuring ICAP-specific options


After you install Symantec Scan Engine, you can configure several settings that are specific to the ICAP protocol through the Symantec Scan Engine administrative interface. If Symantec Scan Engine has already been configured to use another protocol, you also can change the protocol through the administrative interface. However, you must manually restart the Symantec Scan Engine. For more information about accessing the administrative interface, see the Symantec Scan Engine Implementation Guide.

Table 3-1 describes the protocol-specific options for ICAP.

Table 3-1 Protocol-specific options for ICAP

Option: Bind address
Description: Symantec Scan Engine detects all of the available IP addresses that are installed on the host. By default, Symantec Scan Engine accepts scanning requests on (binds to) all of the scanning IP addresses that it detects. You can configure up to 64 IP addresses as scanning IP addresses. You can specify whether you want Symantec Scan Engine to bind to all of the IP addresses that it detects, or you can restrict access to one or more interfaces. If you do not specify at least one IP address, Symantec Scan Engine binds to all of the scanning IP addresses that it detects. If Symantec Scan Engine fails to bind to any of the selected IP addresses, an event is written to the log as a critical error. Even if Symantec Scan Engine is unable to bind to any IP address, you can access the console. However, scanning functionality is unavailable.
Note: You can use 127.0.0.1 (the loopback interface) to let only the clients that are running on the same computer connect to Symantec Scan Engine.

Option: Port number
Description: The port number must be exclusive to Symantec Scan Engine. For ICAP, the default port number is 1344. If you change the port number, use a number greater than 1024 that is not in use by any other program or service.

Option: Scan policy
Description: When an infected file is found, Symantec Scan Engine can do any of the following:
   Scan only: Scan files for viruses, but do nothing to infected files.
   Scan and delete: Scan files for viruses, and delete any infected files that are embedded in archive or container files without trying to repair.
   Scan and repair files: Try to repair infected files, but do nothing to unrepairable files (that is, do not delete the files from archive or container files).
   Scan and repair or delete: Try to repair infected files, and delete unrepairable files from archive or container files.
Note: If you choose the data trickle feature, the virus scan policy is automatically set to Scan only.

Option: Enable trickle
Description: This setting provides users with a quicker download response and avoids possible session time-out errors. Data trickling is disabled by default.

Option: Time before trickle data starts
Description: You can specify how long the scan process should run before data trickling begins.

To configure ICAP-specific options

1. On the Symantec Scan Engine administrative interface, in the left pane, click Configuration.
2. Under Views, click Protocol.
3. In the right pane, under Select Communication Protocol, click ICAP. The configuration settings are displayed for the selected protocol. If you change the protocol setting from RPC to ICAP through the Symantec Scan Engine administrative interface, you must manually stop and start the service.


Under ICAP Configuration, in the Bind address box, select the scanning IP addresses that you want to bind to Symantec Scan Engine. Check Select All to select every IP Address in the Bind address table. By default, Symantec Scan Engine binds to all interfaces.

In the Port number box, type the TCP/IP port number that the NAS Anti Virus Agent uses to pass files to Symantec Scan Engine for scanning. The default setting for ICAP is port 1344.

In the Scan policy list, select how you want Symantec Scan Engine to handle infected files. The default setting is Scan and repair or delete, which is the recommended setting.

Check Enable trickle to enable the data trickle feature. The scan policy is automatically set to Scan only. However, enabling data trickle can compromise antivirus integrity. The data that is trickled to the user might contain a virus. You also cannot use the Quarantine feature when you enable data trickling. For more information, see the Symantec Scan Engine Implementation Guide.

Type the number of seconds that the scan process should run before data trickling begins. The setting defaults to 5 seconds and can be up to a maximum of 86400 seconds.

On the toolbar, select one of the following:


   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.
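
The check below is an added example, not code from this guide or from Symantec. It sends an ICAP OPTIONS request (RFC 3507) to each scan engine on the default port 1344 and compares the ISTag headers that come back, as a quick test that every engine is reachable and in the same state. The host names, the /SERVICE path placeholder and the reading of ISTag as reflecting the loaded virus definitions are assumptions; the sample responses are constructed.

```python
import socket

ICAP_PORT = 1344           # default ICAP port given in this guide
SERVICE_PATH = "/SERVICE"  # placeholder (assumption): replace with your engine's service path

# Constructed sample responses, not captured from a real scan engine.
_OK = b'ICAP/1.0 200 OK\r\nMethods: RESPMOD\r\nISTag: "%s"\r\nEncapsulated: null-body=0\r\n\r\n'
SAMPLE_RESPONSES = {
    "scan1.example": _OK % b"CONSTRUCTED-TAG-A",
    "scan2.example": _OK % b"CONSTRUCTED-TAG-A",
    "scan3.example": _OK % b"CONSTRUCTED-TAG-B",  # e.g. an engine that missed an update
    "scan4.example": None,                        # an engine that did not answer
}


def build_options_request(host, port=ICAP_PORT, service=SERVICE_PATH):
    """Build an ICAP OPTIONS request; OPTIONS carries no encapsulated body."""
    return (
        f"OPTIONS icap://{host}:{port}{service} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Encapsulated: null-body=0\r\n"
        "\r\n"
    ).encode("ascii")


def parse_icap_response(raw):
    """Return (status_code, headers) from the head of an ICAP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def fetch_options_response(host, port=ICAP_PORT, service=SERVICE_PATH, timeout=5.0):
    """Return the raw OPTIONS response from one engine, or None if unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_options_request(host, port, service))
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
            return data
    except OSError:
        return None


def compare_engines(responses):
    """Group engines by ISTag and list everything that needs attention.

    responses maps host -> raw response bytes, or None if the engine was unreachable.
    """
    by_istag, problems = {}, []
    for host, raw in sorted(responses.items()):
        if raw is None:
            problems.append(f"{host}: no response")
            continue
        try:
            status, headers = parse_icap_response(raw)
        except ValueError as exc:
            problems.append(f"{host}: {exc}")
            continue
        if status != 200:
            problems.append(f"{host}: OPTIONS returned ICAP status {status}")
            continue
        istag = headers.get("istag", "").strip('"')
        if not istag:
            problems.append(f"{host}: response has no ISTag header")
            continue
        by_istag.setdefault(istag, []).append(host)
    if len(by_istag) > 1:
        problems.append("engines report different ISTag values: " + ", ".join(sorted(by_istag)))
    return {
        "consistent": len(by_istag) == 1 and not problems,
        "by_istag": by_istag,
        "problems": problems,
    }


if __name__ == "__main__":
    # Offline run on the constructed samples. For a live check, build the dict with
    # {host: fetch_options_response(host) for host in your_hosts} instead.
    report = compare_engines(SAMPLE_RESPONSES)
    for tag, hosts in report["by_istag"].items():
        print(f"ISTag {tag}: {', '.join(hosts)}")
    for problem in report["problems"]:
        print("ATTENTION:", problem)
    print("consistent:", report["consistent"])
```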

Specifying which file types to scan on the scan engine


The settings on Symantec Scan Engine must be configured to specify the types of files to be scanned for viruses. This setting on the scan engine determines which files to scan on receiving a file from the NAS Anti Virus Agent. The scanned files are those contained in archive or container file formats.


You can control which embedded files are scanned by using an extension or type exclusion list, or you can scan all files regardless of extension and type. A prepopulated extension and type exclusion list exists that you can modify. The Symantec Scan Engine is configured by default to scan all files.

Note: Symantec Scan Engine examines the first few bytes of every file to determine whether the file could contain a virus. This action occurs even if the file extension is not one that was identified for scanning. Based on this examination, the scan engine may scan a file even though it has not been identified for scanning.

For more information, see the Symantec Scan Engine Implementation Guide. See About configuring virus scanning on the Sun StorageTek 5000 NAS Appliance on page 63.

Specify which file types to scan


You can control which file types are scanned by specifying those extensions that you want to exclude from scanning, or you can scan all files regardless of extension.

To scan all files except for those that are in the file extension exclusion list

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files except those in the extension or type exclude lists. When you enable this option, both the file extension exclude list and the file type exclude list are activated automatically.

Type each file extension that you want to add to the list on a separate line. Use a period with each extension in the list.

To remove a file extension from the list, select it and delete it from the File extension exclude list.


To restore the default file extension exclude list, in the left pane, under Tasks, click Reset Default List. This option restores the default file-type exclude list and the file-extension exclude list.

On the toolbar, select one of the following:


- Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
- Apply: Applies your changes. Your changes are not implemented until you apply them.

To scan all file types except those in the file type exclusion list

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files except those in the extension or type exclude lists. When you enable this option, both the file type exclude list and the file extension exclude list are activated automatically.

Type each file type you want to add to the list on a separate line. To include all subtypes for a file type, use the wildcard character /*. For more information on how to write the file types, see the Symantec Scan Engine Implementation Guide.

To remove a file type from the list, select it and delete it from the File type exclude list.


To restore the default file type exclude list, in the left pane, under Tasks, click Reset Default List. This option restores the default file-type exclude list and the file-extension exclude list.

On the toolbar, select one of the following:


- Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
- Apply: Applies your changes. Your changes are not implemented until you apply them.

To scan all files regardless of extension or type

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files.
4. On the toolbar, select one of the following:
- Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
- Apply: Applies your changes. Your changes are not implemented until you apply them.

Specifying container handling limits


File attachments that consist of container files can overload the system and cause denial-of-service attacks. They can be overly large, contain large numbers of embedded, compressed files, or be designed to maliciously use resources and degrade performance. Symantec Scan Engine can be configured to impose limits on how container files are handled. This reduces the network's exposure to denial-of-service attacks.


You can specify the following limits for handling container files:

- The maximum amount of time, in seconds, that is spent decomposing a container file and its contents. This setting does not apply to .hqx or .amg files.
- The maximum file size, in megabytes, for the individual files that are in a container file
- The maximum number of nested levels to decompose for scanning
- The maximum number of bytes that are read when determining whether a file is MIME-encoded

You can specify whether to allow or deny access to the file if any of these specified limits is met or exceeded. Symantec Scan Engine blocks container files based on their type, because only certain file types contain viruses or malicious code. You can configure Symantec Scan Engine to block partial container files, malformed container files, and encrypted container files as well. For more information on container handling limits, see the Symantec Scan Engine Implementation Guide.

Scheduling LiveUpdate to update virus definitions automatically


Scheduling LiveUpdate to occur automatically at a specified time interval ensures that the Symantec Scan Engine always has the most current virus definitions. If you use multiple scan engines to support virus scanning, schedule LiveUpdate to occur at the same time for each scan engine. This scheduling ensures that all scan engines have the same version of virus definitions. Having the same version of virus definitions is necessary for proper functioning of virus scanning on the Sun StorageTek 5000 NAS Appliance. You must schedule LiveUpdate on each Symantec Scan Engine.

When LiveUpdate is scheduled, LiveUpdate runs at the specified time interval relative to the LiveUpdate base time. The default LiveUpdate base time is the time that the scan engine was installed. You can change the LiveUpdate base time. If you change the scheduled LiveUpdate interval, the interval adjusts based on the LiveUpdate base time. For more information on changing the base time, see the Symantec Scan Engine Implementation Guide.


To schedule LiveUpdate to update virus definitions automatically

1. On the Symantec Scan Engine administrative interface, in the left pane, click System.
2. Under Views, click LiveUpdate Content.
3. In the right pane, under LiveUpdate Content, check Enable scheduled LiveUpdate. This option is enabled by default.

In the LiveUpdate interval drop-down list, choose an interval. You can select from 2, 4, 8, 10, 12, or 24-hour intervals. The default LiveUpdate interval is 2 hours.

On the toolbar, select one of the following:


- Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
- Apply: Applies your changes. Your changes are not implemented until you apply them.

Configuring Rapid Release updates to occur automatically


You can configure Symantec Scan Engine to obtain uncertified definition updates with Rapid Release. You can configure Symantec Scan Engine to retrieve Rapid Release definitions every 5 minutes to every 120 minutes. Rapid Release definitions are created when a new threat is discovered. Rapid Release definitions undergo basic quality assurance tests by Symantec Security Response. However, they do not undergo the intense testing that is required for a LiveUpdate release. Symantec updates Rapid Release definitions as needed to respond to high-level outbreaks.

Warning: Rapid Release definitions do not undergo the same rigorous quality assurance tests as LiveUpdate and Intelligent Updater definitions. Symantec encourages users to rely on the full quality-assurance-tested definitions whenever possible. Ensure that you deploy Rapid Release definitions to a test environment before you install them on your network.


If you use a proxy or firewall that blocks FTP communications, the Rapid Release feature does not function. Your environment must allow FTP traffic for the FTP session to succeed. You can schedule Rapid Release updates to occur automatically at a specified time interval to ensure that Symantec Scan Engine always has the most current definitions. Scheduled Rapid Release updates are disabled by default.

Configuring Rapid Release updates to occur automatically

1. On the Symantec Scan Engine administrative interface, in the left pane, click System.
2. Under Views, click Rapid Release Content.
3. In the content area under Rapid Release Content, check Enable scheduled Rapid Release to enable automatic downloads of Rapid Release definitions. This option is disabled by default.

In the Rapid Release interval box, specify the interval at which you want Symantec Scan Engine to download Rapid Release definitions. Do any of the following:

- Type the interval.
- Click the up arrow or down arrow to select the interval.

You can select any number between 5 minutes and 120 minutes. The default value is 30 minutes.

On the toolbar, select one of the following:


- Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
- Apply: Applies your changes. Your changes are not implemented until you apply them.

About configuring the Sun StorageTek 5000 NAS Appliance


You must register at least one Symantec Scan Engine for each Sun StorageTek 5000 NAS Appliance for which you provide virus scanning. You also must configure the virus scan functionality in accordance with the Sun StorageTek documentation. The Sun StorageTek 5000 NAS Appliance for which you provide virus scanning must be in the 5000 series of network-attached storage devices. For more information, see the appropriate Sun StorageTek documentation.

Registering Symantec Scan Engine


You must register at least one Symantec Scan Engine to provide the virus scanning for each Sun StorageTek 5000 NAS Appliance. In a typical environment, a minimum of two scan engines is required to handle scan volume. With only one scan engine, file access can be denied if that scan engine does not respond. A maximum of four scan engines can be supported per Sun StorageTek 5000 NAS Appliance. The NAS Anti Virus Agent handles load balancing across multiple scan engines automatically.

Note: You do not need to register the same scan engine with each Sun StorageTek 5000 NAS Appliance. You can register different scan engines to different Sun StorageTek 5000 NAS Appliances. However, all of the scan engines registered with a Sun StorageTek 5000 NAS Appliance must have identical configurations.

You register Symantec Scan Engine through the Configure AntiVirus setup screen for the NAS AntiVirus Agent. You must provide the IP address, the port number, and the maximum number of simultaneous scan requests for each scan engine that is used for scanning. The port number must match the port number that was selected during the installation of Symantec Scan Engine.

About configuring virus scanning on the Sun StorageTek 5000 NAS Appliance
You must configure virus scanning (the NAS Anti Virus Agent) for each Sun StorageTek 5000 NAS Appliance. You configure the virus scan functionality through the Configure AntiVirus setup screen for each NAS Appliance.

Note: The virus scan functionality for each Sun StorageTek 5000 NAS Appliance accessing a scan engine must be configured identically to avoid inconsistency. The scan results and repair results for infected files will be inconsistent if the settings differ for each appliance.

Table 3-2 describes the settings that you should configure for virus scan functionality.


Table 3-2 NAS Anti Virus Agent settings (Setting: Description)

Enable Anti Virus: Activate the NAS AntiVirus Agent by enabling this option.

Scan Engine IP address and port number: Type the IP address and the port number of each scan engine to be used for scanning. Ensure that the entered port number matches the one used while installing the scan engine. Each Sun StorageTek 5000 NAS appliance can support up to four scan engines.

Maximum Connections: Specify the number of concurrent scan requests that can be handled by the scan engine. The default setting on the NAS Anti Virus Agent is 2. The similar configurable option on the Symantec Scan Engine defaults to 128.

Maximum scan size: Select whether to specify an upper limit for the size of files to be scanned. Although you can choose a file size between 1 MB and 9999 MB, the Symantec Scan Engine can scan a maximum file size of 2047 MB (or 2GB). The default setting is 1GB. You can choose to allow or deny access to files that are larger than the limit that is specified in Maximum scan size.
Note: Allowing access to files that have not been scanned can make your network vulnerable to virus attacks.

Extensions for scanning (file types to be scanned): Select the file types to be passed to Symantec Scan Engine for scanning. You can use either an exclusion or an inclusion list, or you can scan all files regardless of extension. This setting is similar to the Files to scan setting on Symantec Scan Engine. You must configure this setting on both the Sun StorageTek 5000 NAS Appliance and Symantec Scan Engine. The recommended setting is to pass all file types to the scan engine except those that are contained in the exclusion list.

If the Symantec Scan Engine's scanning results indicate that the file is unrepairable and must be deleted, then the NAS AntiVirus Agent quarantines the file. All access to the file is denied. If the file is infected but repairable, the repaired file is passed to the requesting user. The stored version of the infected file is replaced with the repaired file.

If one scan engine does not respond, the NAS AntiVirus Agent requests virus scanning for a given file from other registered scan engines. If none respond, then file access is denied.

Recommendations while integrating multiple scan engines


Do the following when multiple scan engines are used to support the Sun StorageTek 5000 NAS Appliance:

- Configure the settings on each Symantec Scan Engine to be identical.
- Schedule LiveUpdate and Rapid Release to occur at the same time on all of the scan engines. This ensures that virus definitions are consistent.
- Configure the virus scan functionality to be identical for each Sun StorageTek 5000 NAS Appliance in a group to avoid inconsistency. The scan results and repair results for infected files will be inconsistent if the settings differ for each appliance in a group.


Chapter

Configuring Symantec AntiVirus for Sun Storage 7000 Series


This chapter includes the following topics:

- About software components
- How Symantec Scan Engine works with the Sun Storage 7000 Series NAS device
- About preparing for installation
- About configuring Symantec Scan Engine
- About configuring the Sun Storage 7000 Series NAS device
- Recommendations while integrating multiple scan engines

About software components


Symantec AntiVirus for Network Attached Storage provides virus scanning capabilities for the Sun Storage 7000 Series of network-attached storage (NAS) devices. To add antivirus scanning to the Sun Storage 7000 Series NAS device, configure the following components:

- Symantec Scan Engine, which provides the virus scanning and repair services. For more information, see the Symantec Scan Engine Implementation Guide.
- The VSCAN service, which provides the virus scanning functionality and ensures the seamless integration of Symantec Scan Engine with the Sun Storage 7000 Series NAS device. The VSCAN service is an integral part of the Sun Storage 7000 Series NAS device. No separate license is required.

See "About configuring the Sun Storage 7000 Series NAS device" on page 81.

How Symantec Scan Engine works with the Sun Storage 7000 Series NAS device
Symantec AntiVirus for Network Attached Storage provides virus scanning capabilities for the Sun Storage 7000 Series of network-attached storage (NAS) devices. Symantec AntiVirus for Network Attached Storage is certified with the Sun Storage 7000 Series NAS device that supports the Sun Storage 7xxx version 2008.10 firmware. The Internet Content Adaptation Protocol (ICAP) is used to communicate with Symantec Scan Engine.

In a typical Sun Storage 7000 Series NAS device environment, a minimum of two scan engines is required to handle scan volume. A maximum of four scan engines can be supported per Sun Storage 7000 Series NAS device. The VSCAN service handles load balancing across multiple scan engines automatically.

How are files scanned


The VSCAN service is configured to scan a file in real time (that is, when a file is opened and when it is closed, if it has been modified). When a user tries to access a file from storage, the VSCAN service opens a connection with Symantec Scan Engine. The VSCAN service then passes the file to the scan engine for scanning. When scanning is complete, the VSCAN service closes the connection with the scan engine.

Based on the scan policy that you set on the Symantec Scan Engine, the Symantec Scan Engine indicates the scanning results to the VSCAN service after a file is scanned. After the VSCAN service receives the scanning results, the file is handled in the following way:

- Only clean files are passed to the requesting user.
- If the file is infected, the user is denied access to the file, and the infected file is quarantined.

How caching works


The VSCAN service caches scanning results for each clean file. The cached information includes the date and revision number of the virus definitions that were used to perform the scan. So, if a second user requests access to a file that has already been scanned and if the virus definitions have not changed, a redundant scan is avoided.


The cache is purged when the virus definitions on Symantec Scan Engine are updated and when the Sun Storage 7000 Series NAS device is restarted. Individual cache entries are updated whenever a stored file is changed.

About specifying which file types are scanned


To specify the file types to be scanned for viruses, configure settings on both the VSCAN service and Symantec Scan Engine.

About specifying file types on the VSCAN service


Based on file extensions, the VSCAN service determines, initially, whether it should pass a file to Symantec Scan Engine for scanning. You configure which files are passed to Symantec Scan Engine for scanning when you set up the VSCAN service. You can control which files are scanned by using the File extensions scanned list. The exclusion list contains the extensions that you specify against the action Don't Scan. The exclusion list can include extensions for those file types that are not likely to contain viruses and can be excluded from scanning. The inclusion list contains the extensions that you specify against the action Scan.

See "About configuring virus scanning on the Sun Storage 7000 Series NAS device" on page 81.

About specifying file types on Symantec Scan Engine


You can configure Symantec Scan Engine so that selected file types and file extensions are excluded from scanning. The setting on Symantec Scan Engine is as important as the VSCAN service setting. This setting on the scan engine determines which files to scan upon receiving a file from the VSCAN service. The scanned files are those contained in archive or container file formats. You can control which embedded files are scanned by using the file type and extension exclusion list, or you can scan all files regardless of extension.

Note: When you use exclusion lists, not all file types are scanned; therefore, new types of viruses might not be detected. Scanning all files regardless of extension and type is the most secure setting, but it imposes the heaviest demand on resources. During virus outbreaks, you might want to scan all files even if you normally control the file types that are scanned with the exclusion list. For more information, see the Symantec Scan Engine Implementation Guide.

See "Specifying which file types to scan on the scan engine" on page 74.


About specifying the scan policy


You configure the scan policy through the Symantec Scan Engine administrative interface. When an infected file is found, the scan engine can do any of the following:
- Scan only: Scan files for viruses, but do nothing to infected files.
- Scan and delete: Scan files for viruses, and delete any infected files that are embedded in archive or container files without trying to repair.
- Scan and repair files: Try to repair infected files, but do nothing to unrepairable files (that is, do not delete the files from archive or container files).
- Scan and repair or delete: Try to repair infected files, and delete unrepairable files from archive or container files.

The Sun Storage 7000 Series NAS device does not support the repair of infected files. Hence, it is recommended that you select the Scan only scan policy on the Symantec Scan Engine administrative interface.

See "Configuring ICAP-specific options" on page 71.

About handling infected files on the NAS device


When an infected file is found, the VSCAN service does not delete or repair the file, even though the scan engine tells it to. Instead, the VSCAN service quarantines the file and denies any access to the file. The quarantined files can be deleted or removed from quarantine by using the command-line interface in the Sun Storage 7000 Series NAS device or through Windows Explorer on the requesting CIFS client. For more information, see the appropriate Sun Storage documentation.

About preparing for installation


The computer on which you plan to install Symantec Scan Engine must meet the system requirements that are listed in the Symantec Scan Engine Implementation Guide. After you have installed the Symantec Scan Engine, configure the virus scanning functionality on the Sun Storage 7000 Series NAS device.


About configuring Symantec Scan Engine


You must configure several settings on each Symantec Scan Engine that is used to support scanning of the Sun Storage 7000 Series NAS device. The configuration settings on each scan engine must be identical if you use multiple scan engines to support scanning. LiveUpdate should be scheduled to occur at the same time on all scan engines so that virus definitions are consistent at all times. The scan engine must be configured to use ICAP as the communication protocol. ICAP is the default protocol at installation. After you have selected ICAP, you can configure ICAP-specific options.

Configuring ICAP-specific options


After you install Symantec Scan Engine, you can configure several settings that are specific to the ICAP protocol through the Symantec Scan Engine administrative interface. If Symantec Scan Engine has already been configured to use another protocol, you also can change the protocol through the administrative interface. However, you must manually restart the Symantec Scan Engine. For more information about accessing the administrative interface, see the Symantec Scan Engine Implementation Guide. Table 4-1 describes the protocol-specific options for ICAP.


Table 4-1 Protocol-specific options for ICAP (Option: Description)

Bind address: Symantec Scan Engine detects all of the available IP addresses that are installed on the host. By default, Symantec Scan Engine accepts scanning requests on (binds to) all of the scanning IP addresses that it detects. You can configure up to 64 IP addresses as scanning IP addresses. You can specify whether you want Symantec Scan Engine to bind to all of the IP addresses that it detects, or you can restrict access to one or more interfaces. If you do not specify at least one IP address, Symantec Scan Engine binds to all of the scanning IP addresses that it detects. If Symantec Scan Engine fails to bind to any of the selected IP addresses, an event is written to the log as a critical error. Even if Symantec Scan Engine is unable to bind to any IP address, you can access the console. However, scanning functionality is unavailable.
Note: You can use 127.0.0.1 (the loopback interface) to let only the clients that are running on the same computer connect to Symantec Scan Engine.

Port number: The port number must be exclusive to Symantec Scan Engine. For ICAP, the default port number is 1344. If you change the port number, use a number greater than 1024 that is not in use by any other program or service.

Scan policy: When an infected file is found, Symantec Scan Engine can do any of the following:
- Scan only: Scan files for viruses, but do nothing to infected files.
- Scan and delete: Scan files for viruses, and delete any infected files that are embedded in archive or container files without trying to repair.
- Scan and repair files: Try to repair infected files, but do nothing to unrepairable files (that is, do not delete the files from archive or container files).
- Scan and repair or delete: Try to repair infected files, and delete unrepairable files from archive or container files.
Note: If you choose the data trickle feature, the virus scan policy is automatically set to Scan only.

Enable trickle: This setting provides users with a quicker download response and avoids possible session time-out errors. Data trickling is disabled by default.

Time before trickle data starts: You can specify how long the scan process should run before data trickling begins.

To configure ICAP-specific options

1. On the Symantec Scan Engine administrative interface, in the left pane, click Configuration.
2. Under Views, click Protocol.
3. In the right pane, under Select Communication Protocol, click ICAP. The configuration settings are displayed for the selected protocol.
4. Under ICAP Configuration, in the Bind address box, select the scanning IP addresses that you want to bind to Symantec Scan Engine. Check Select All to select every IP Address in the Bind address table.
5. In the Port number box, type the TCP/IP port number that the NAS Anti Virus Agent uses to pass files to Symantec Scan Engine for scanning.


6. In the Scan policy list, select how you want Symantec Scan Engine to handle infected files.
7. Check Enable trickle to enable the data trickle feature. The scan policy is automatically set to Scan only. However, enabling data trickle can compromise antivirus integrity. The data that is trickled to the user might contain a virus. You also cannot use the Quarantine feature when you enable data trickling.

Note: The Sun Storage 7000 Series does not support the trickle feature. For more information, see the Symantec Scan Engine Implementation Guide.

Type the number of seconds that the scan process should run before data trickling begins. The setting defaults to 5 seconds and can be up to a maximum of 86400 seconds.

On the toolbar, select one of the following:


- Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
- Apply: Applies your changes. Your changes are not implemented until you apply them.

Specifying which file types to scan on the scan engine


The settings on Symantec Scan Engine must be configured to specify the types of files to be scanned for viruses. This setting on the scan engine determines which files to scan on receiving a file from the NAS Anti Virus Agent. The scanned files are those contained in archive or container file formats. You can control which embedded files are scanned by using an extension or type exclusion list, or you can scan all files regardless of extension and type. A prepopulated extension and type exclusion list exists that you can modify. The Symantec Scan Engine is configured by default to scan all files.


Note: Symantec Scan Engine examines the first few bytes of every file to determine whether the file could contain a virus. This action occurs even if the file extension is not one that was identified for scanning. Based on this examination, the scan engine may scan a file even though it has not been identified for scanning. For more information, see the Symantec Scan Engine Implementation Guide.

See "About configuring virus scanning on the Sun Storage 7000 Series NAS device" on page 81.
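The two filtering stages described in this chapter (the extension decision on the NAS side, then the exclude lists and first-bytes examination on the scan engine) can be modeled to audit an exclusion list; the same reasoning applies to the NAS Anti Virus Agent in the StorageTek 5000 chapter. This is an added example, not Symantec or Sun code: the signature table, function names and sample files are constructed for illustration.

```python
import os

# Constructed signatures for illustration; the scan engine's real
# first-bytes heuristics are not documented on this page.
CODE_SIGNATURES = {
    b"MZ": "Windows executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP container",
}


def extension(name):
    """Lower-cased extension including the period, as the exclude list expects."""
    return os.path.splitext(name)[1].lower()


def sniff(head):
    """Return a label when the leading bytes match a known signature, else None."""
    for magic, label in CODE_SIGNATURES.items():
        if head.startswith(magic):
            return label
    return None


def agent_passes(name, mode, extensions):
    """Stage 1 (NAS side): decided by extension only.

    mode is 'scan_all', 'exclude' or 'include' (hypothetical names).
    """
    ext = extension(name)
    if mode == "scan_all":
        return True
    if mode == "exclude":
        return ext not in extensions
    if mode == "include":
        return ext in extensions
    raise ValueError("unknown mode: " + mode)


def engine_scans(name, head, exclude_exts):
    """Stage 2 (scan engine): exclude list, overridden by the first-bytes check."""
    if extension(name) not in exclude_exts:
        return True
    return sniff(head) is not None


def audit(files, agent_mode, agent_exts, engine_excludes):
    """Classify each (name, head) pair and flag recognisable content never scanned."""
    report = []
    for name, head in files:
        if not agent_passes(name, agent_mode, agent_exts):
            verdict = "not sent"
        elif engine_scans(name, head, engine_excludes):
            verdict = "scanned"
        else:
            verdict = "skipped by engine"
        label = sniff(head)
        flagged = verdict != "scanned" and label is not None
        report.append((name, verdict, label, flagged))
    return report


# Constructed sample: names and leading bytes of four stored files.
SAMPLE = [
    ("report.txt", b"Quarterly numbers"),
    ("setup.exe", b"MZ\x90\x00\x03"),
    ("notes.txt", b"MZ\x90\x00\x03"),
    ("backup.bak", b"PK\x03\x04\x14"),
]

if __name__ == "__main__":
    # NAS side excludes .bak; the engine excludes .txt and .bak.
    for row in audit(SAMPLE, "exclude", {".bak"}, {".txt", ".bak"}):
        print(row)
```

Rows flagged in the last column have leading bytes that match a signature but are never scanned under the given lists. An extension excluded on the NAS side never reaches the scan engine, so the first-bytes examination cannot compensate for it.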

Specify which file types to scan


You can control which file types are scanned by specifying those extensions that you want to exclude from scanning, or you can scan all files regardless of extension.

To scan all files except for those that are in the file extension exclusion list

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files except those in the extension or type exclude lists. When you enable this option, both the file extension exclude list and the file type exclude list are activated automatically.

Type each file extension that you want to add to the list on a separate line. Use a period with each extension in the list.

To remove a file extension from the list, select it and delete it from the File extension exclude list.


To restore the default file extension exclude list, in the left pane, under Tasks, click Reset Default List. This option restores the default file-type exclude list and the file-extension exclude list.

On the toolbar, select one of the following:


- Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
- Apply: Applies your changes. Your changes are not implemented until you apply them.

To scan all file types except those in the file type exclusion list

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files except those in the extension or type exclude lists. When you enable this option, both the file type exclude list and the file extension exclude list are activated automatically.

Type each file type you want to add to the list on a separate line. To include all subtypes for a file type, use the wildcard character /*. For more information on how to write the file types, see the Symantec Scan Engine Implementation Guide.

To remove a file type from the list, select it and delete it from the File type exclude list.


To restore the default file type exclude list, in the left pane, under Tasks, click Reset Default List. This option restores the default file-type exclude list and the file-extension exclude list.

On the toolbar, select one of the following:


- Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
- Apply: Applies your changes. Your changes are not implemented until you apply them.

To scan all files regardless of extension or type

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files.
4. On the toolbar, select one of the following:
- Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
- Apply: Applies your changes. Your changes are not implemented until you apply them.

Specifying container handling limits


File attachments that consist of container files can overload the system and cause denial-of-service attacks. They can be overly large, contain large numbers of embedded, compressed files, or be designed to maliciously use resources and degrade performance. Symantec Scan Engine can be configured to impose limits on how container files are handled. This reduces the network's exposure to denial-of-service attacks.


You can specify the following limits for handling container files:

- The maximum amount of time, in seconds, that is spent decomposing a container file and its contents. This setting does not apply to .hqx or .amg files.
- The maximum file size, in megabytes, for the individual files that are in a container file
- The maximum number of nested levels to decompose for scanning
- The maximum number of bytes that are read when determining whether a file is MIME-encoded

You can specify whether to allow or deny access to the file if any of these specified limits is met or exceeded. Symantec Scan Engine blocks container files based on their type, because only certain file types contain viruses or malicious code. You can configure Symantec Scan Engine to block partial container files, malformed container files, and encrypted container files as well. For more information on container handling limits, see the Symantec Scan Engine Implementation Guide.
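The following added example (not part of the Symantec guide and not Symantec Scan Engine code) shows how limits of this kind stop a decompression bomb: it walks a ZIP archive in memory and stops as soon as the time, per-member size, or nesting limit is met or exceeded. The limit names, the ZIP-only scope, the choice to deny malformed input, and the sample archives are assumptions made for illustration; the MIME byte limit is not modeled.

```python
import io
import time
import zipfile

# Hypothetical names mirroring three of the limits listed above; these are
# not Symantec Scan Engine configuration keys.
LIMITS = {"max_seconds": 5.0, "max_member_mb": 1, "max_depth": 3}


class LimitExceeded(Exception):
    """Raised as soon as any container handling limit is met or exceeded."""


def count_leaves(data, limits, depth=1, deadline=None):
    """Decompose a ZIP held in memory; return how many leaf files it holds."""
    if deadline is None:
        deadline = time.monotonic() + limits["max_seconds"]
    if depth > limits["max_depth"]:
        raise LimitExceeded("nesting depth")
    cap = limits["max_member_mb"] * 1024 * 1024
    leaves = 0
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if time.monotonic() > deadline:
                raise LimitExceeded("decomposition time")
            if info.is_dir():
                continue
            # Reject on the declared size before inflating anything.
            if info.file_size > cap:
                raise LimitExceeded("member size")
            # Cap the bytes actually inflated as well, so the limit does
            # not rest on the archive header alone.
            with archive.open(info) as member:
                body = member.read(cap + 1)
            if len(body) > cap:
                raise LimitExceeded("member size")
            if zipfile.is_zipfile(io.BytesIO(body)):
                leaves += count_leaves(body, limits, depth + 1, deadline)
            else:
                leaves += 1  # a real engine would scan `body` here
    return leaves


def handle_container(data, limits=LIMITS, on_limit="deny"):
    """Return (verdict, detail); on_limit is the allow-or-deny choice above."""
    try:
        return ("scanned", count_leaves(data, limits))
    except LimitExceeded as exc:
        return (on_limit, str(exc))
    except zipfile.BadZipFile:
        # This sketch always blocks malformed containers (an assumption).
        return ("deny", "malformed container")


def make_zip(members):
    """Build a ZIP in memory from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, body in members.items():
            archive.writestr(name, body)
    return buf.getvalue()


def make_nested(levels):
    """Wrap a small file in `levels` ZIP layers (constructed sample input)."""
    data = b"constructed sample file contents\n"
    for level in range(levels):
        data = make_zip({f"layer{level}.bin": data})
    return data


if __name__ == "__main__":
    text = b"constructed sample file contents\n"
    samples = {
        "flat": make_zip({"a.txt": text, "b.txt": text}),
        "nested x3": make_nested(3),
        "nested x4": make_nested(4),
        "oversized member": make_zip({"big.bin": b"\0" * (2 * 1024 * 1024)}),
    }
    for label, blob in samples.items():
        print(label, handle_container(blob))
```

The 2 MB member of zero bytes compresses to a few kilobytes, which is why the check is made on the inflated size rather than on the size of the archive itself.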

Scheduling LiveUpdate to update virus definitions automatically


Scheduling LiveUpdate to occur automatically at a specified time interval ensures that the Symantec Scan Engine always has the most current virus definitions. If you use multiple scan engines to support virus scanning, schedule LiveUpdate to occur at the same time for each scan engine. This scheduling ensures that all scan engines have the same version of virus definitions. Having the same version of virus definitions is necessary for proper functioning of virus scanning on the Sun Storage 7000 Series NAS device. You must schedule LiveUpdate on each Symantec Scan Engine. When LiveUpdate is scheduled, LiveUpdate runs at the specified time interval relative to the LiveUpdate base time. The default LiveUpdate base time is the time that the scan engine was installed. You can change the LiveUpdate base time. If you change the scheduled LiveUpdate interval, the interval adjusts based on the LiveUpdate base time. For more information on changing the base time, see the Symantec Scan Engine Implementation Guide.
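An added illustration, not taken from the Symantec guide: because the schedule is anchored to each engine's base time, engines that share an interval can still update at different moments. The code below assumes that runs occur at the base time plus whole multiples of the interval, and uses constructed engine names and install times to compute each engine's next run and the longest period during which the engines could hold different definitions.

```python
from datetime import datetime, timedelta

# Intervals offered in the LiveUpdate interval drop-down list (hours).
ALLOWED_INTERVALS_H = (2, 4, 8, 10, 12, 24)


def next_run(base, interval_h, now):
    """First run at or after `now`, assuming runs at base + k * interval."""
    step = timedelta(hours=interval_h)
    if now <= base:
        return base
    periods = -((base - now) // step)  # ceiling of (now - base) / step
    return base + periods * step


def worst_case_skew(bases, interval_h):
    """Longest time engines sharing one interval can hold different definitions.

    New definitions reach each engine at its next tick. After the first
    engine ticks, the last one follows at worst one full interval minus the
    smallest gap between two engines' ticks later.
    """
    step = timedelta(hours=interval_h)
    reference = min(bases)
    phases = sorted({(base - reference) % step for base in bases})
    if len(phases) == 1:
        return timedelta(0)
    gaps = [later - earlier for earlier, later in zip(phases, phases[1:])]
    gaps.append(step - phases[-1] + phases[0])  # wrap around the cycle
    return step - min(gaps)


def audit(engines, now):
    """engines maps a name to (base_time, interval_hours); returns a report."""
    if not engines:
        raise ValueError("no scan engines given")
    problems = []
    intervals = {interval for _, interval in engines.values()}
    for name, (_, interval) in engines.items():
        if interval not in ALLOWED_INTERVALS_H:
            problems.append(f"{name}: {interval}-hour interval is not offered")
    skew = None
    if len(intervals) > 1:
        problems.append("intervals differ between engines")
    else:
        skew = worst_case_skew([base for base, _ in engines.values()],
                               next(iter(intervals)))
        if skew:
            problems.append(f"base times out of phase, skew up to {skew}")
    return {
        "next_runs": {name: next_run(base, interval, now)
                      for name, (base, interval) in engines.items()},
        "worst_case_skew": skew,
        "problems": problems,
    }


# Constructed sample: engine names and install (base) times are invented.
SAMPLE_ENGINES = {
    "scan-a": (datetime(2010, 3, 1, 9, 0), 2),
    "scan-b": (datetime(2010, 3, 1, 9, 40), 2),
    "scan-c": (datetime(2010, 3, 3, 11, 0), 2),
}

if __name__ == "__main__":
    report = audit(SAMPLE_ENGINES, datetime(2010, 3, 5, 10, 15))
    for name, when in report["next_runs"].items():
        print(name, when)
    print(report["problems"])
```

In the sample, scan-a and scan-c were installed two days apart yet tick together, while scan-b, installed 40 minutes after scan-a, can lag or lead the others by up to 80 minutes until its base time is changed.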


To schedule LiveUpdate to update virus definitions automatically

1. On the Symantec Scan Engine administrative interface, in the left pane, click System.
2. Under Views, click LiveUpdate Content.
3. In the right pane, under LiveUpdate Content, check Enable scheduled LiveUpdate. This option is enabled by default.
4. In the LiveUpdate interval drop-down list, choose an interval. You can select from 2, 4, 8, 10, 12, or 24-hour intervals. The default LiveUpdate interval is 2 hours.
5. On the toolbar, select one of the following:
   - Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   - Apply: Applies your changes. Your changes are not implemented until you apply them.

Configuring Rapid Release updates to occur automatically


You can configure Symantec Scan Engine to obtain uncertified definition updates with Rapid Release. You can configure Symantec Scan Engine to retrieve Rapid Release definitions every 5 minutes to every 120 minutes. If you use multiple scan engines to support virus scanning, schedule Rapid Release to occur at the same time for each scan engine. This scheduling ensures that all scan engines have the same version of definition updates. Having the same version of virus definitions is necessary for proper functioning of virus scanning on the Sun Storage 7000 Series NAS device. Rapid Release definitions are created when a new threat is discovered. Rapid Release definitions undergo basic quality assurance tests by Symantec Security Response. However, they do not undergo the intense testing that is required for a LiveUpdate release. Symantec updates Rapid Release definitions as needed to respond to high-level outbreaks.


Warning: Rapid Release definitions do not undergo the same rigorous quality assurance tests as LiveUpdate and Intelligent Updater definitions. Symantec encourages users to rely on the full quality-assurance-tested definitions whenever possible. Ensure that you deploy Rapid Release definitions to a test environment before you install them on your network.

If you use a proxy or firewall that blocks FTP communications, the Rapid Release feature does not function. Your environment must allow FTP traffic for the FTP session to succeed.

You can schedule Rapid Release updates to occur automatically at a specified time interval to ensure that Symantec Scan Engine always has the most current definitions. Scheduled Rapid Release updates are disabled by default.

Configuring Rapid Release updates to occur automatically

1. On the Symantec Scan Engine administrative interface, in the left pane, click System.
2. Under Views, click Rapid Release Content.
3. In the content area under Rapid Release Content, check Enable scheduled Rapid Release to enable automatic downloads of Rapid Release definitions. This option is disabled by default.
4. In the Rapid Release interval box, to specify the interval at which you want Symantec Scan Engine to download Rapid Release definitions, do any of the following steps:
   - Type the interval.
   - Click the up arrow or down arrow to select the interval.

   You can select any number between 5 minutes and 120 minutes. The default value is 30 minutes.
5. On the toolbar, select one of the following:
   - Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   - Apply: Applies your changes. Your changes are not implemented until you apply them.


About configuring the Sun Storage 7000 Series NAS device


You must register at least one Symantec Scan Engine for each Sun Storage 7000 Series NAS device for which you provide virus scanning. You also must configure the virus scan functionality in accordance with the Sun Storage documentation. The NAS device for which you provide virus scanning must be in the Sun Storage 7000 Series of network-attached storage devices. For more information, see the appropriate Sun Storage documentation.

Registering Symantec Scan Engine


You must register at least one Symantec Scan Engine to provide the virus scanning for each Sun Storage 7000 Series NAS device. In a typical environment, a minimum of two scan engines is required to handle scan volume. With only one scan engine, file access can be denied if that engine does not respond. A maximum of four scan engines can be supported per Sun Storage 7000 Series NAS device. The VSCAN service handles load balancing across multiple scan engines automatically.

Note: You do not need to register the same scan engine with each Sun Storage 7000 Series NAS device. You can register different scan engines to different Sun Storage 7000 Series NAS devices. However, all of the scan engines registered with a Sun Storage 7000 Series NAS device must have identical configurations.

You register Symantec Scan Engine through the Virus Scan setup screen for the VSCAN service. You must provide the IP address, the port number, and the maximum number of simultaneous scan requests for each scan engine that is used for scanning. The port number must match the port number that was selected during the installation of Symantec Scan Engine.

About configuring virus scanning on the Sun Storage 7000 Series NAS device
You must configure virus scanning (the VSCAN service) for each Sun Storage 7000 Series NAS device. You configure the virus scan functionality through the Virus Scan setup screen for each Sun Storage 7000 Series NAS device.


Note: The virus scan functionality for each Sun Storage 7000 Series NAS device accessing a scan engine must be configured identically to avoid inconsistency. The scan results for infected files will be inconsistent if the settings differ for each appliance.

Table 4-2 describes the settings that you should configure for virus scan functionality.

Table 4-2 VSCAN service settings

Setting: Maximum file size to scan
Description: Select an upper limit for the size of files to be scanned. The default setting is 1 GB. Symantec Scan Engine can scan a maximum file size of 2048 MB (or 2 GB).

Setting: Allow access to files that exceed maximum file size
Description: You can choose to allow or deny access to files that are larger than the limit that is specified in Maximum file size to scan. Allowing access to files that have not been scanned can make your network vulnerable to virus attacks.

Setting: Virus Scanning Engines
Description: In the fields Host and Port, type the IP address and the port number of each scan engine to be used for scanning. Ensure that the entered port number matches the one used while installing the scan engine. In the field Maximum Connections, specify the number of concurrent scan requests that the scan engine can handle. The default setting on the VSCAN service is 32. The similar configurable option on the Symantec Scan Engine defaults to 128. Put a check mark against a Symantec Scan Engine under the Enable field to activate it for scanning. Each Sun Storage 7000 Series NAS device can support up to four scan engines.

Setting: File extensions scanned
Description: Select the file types to be passed to Symantec Scan Engine for scanning. You can use either an exclusion or an inclusion list, or you can scan all files regardless of extension. This setting is similar to the Files to scan setting on Symantec Scan Engine. You must configure this setting on both the Sun Storage 7000 Series NAS device and Symantec Scan Engine. To add an extension to the exclusion list, select Don't Scan from the Action drop-down menu and specify the extension in the Pattern field. To add an extension to the inclusion list, select Scan from the Action drop-down menu and specify the extension in the Pattern field. The default setting * sends all file types regardless of extension to the Symantec Scan Engine for scanning.

If the Symantec Scan Engine's scanning results indicate that the file is infected, then the VSCAN service quarantines the file. All access to the file is denied. You can only view and delete the quarantined file in a file browser. If one scan engine does not respond, the VSCAN service requests virus scanning for a given file from other registered scan engines. If none respond, then file access is denied.

Recommendations while integrating multiple scan engines


Do the following when multiple scan engines are used to support the Sun Storage 7000 Series NAS device:

- Configure the settings on each Symantec Scan Engine to be identical.
- Schedule LiveUpdate and Rapid Release to occur at the same time on all of the scan engines. This ensures that virus definitions are consistent.
- Configure the virus scan functionality to be identical for each Sun Storage 7000 Series NAS device in a group to avoid inconsistency. The scan results for infected files will be inconsistent if the settings differ for each appliance in a group.

Chapter

Configuring Symantec AntiVirus for BlueArc Storage System and Hitachi High-performance NAS Platform, powered by BlueArc

This chapter includes the following topics:

- About software components
- How Symantec Scan Engine works with BlueArc Storage System and Hitachi High-performance NAS Platform
- About preparing for installation
- About configuring Symantec Scan Engine
- About configuring BlueArc Storage System or Hitachi High-performance NAS Platform


About software components


Symantec AntiVirus for Network Attached Storage provides virus scanning and repair capabilities for BlueArc Storage System and Hitachi High-performance NAS Platform, powered by BlueArc. Configure the following components to add antivirus scanning to BlueArc Storage System or Hitachi High-performance NAS Platform:

- Symantec Scan Engine, which provides the virus scanning and repair services. For more information, see the Symantec Scan Engine Implementation Guide.
- BlueArc Storage System or Hitachi High-performance NAS Platform. Some options are configured directly on the NAS Server. No additional code is necessary to connect Symantec Scan Engine to the NAS Server. See "About configuring BlueArc Storage System or Hitachi High-performance NAS Platform" on page 102.

How Symantec Scan Engine works with BlueArc Storage System and Hitachi High-performance NAS Platform
Symantec AntiVirus for Network Attached Storage provides virus scanning and repair capabilities for BlueArc Storage System and Hitachi High-performance NAS Platform storage appliances that have firmware version 4.0 or later. Symantec Scan Engine must be installed on a computer that is running Windows 2000 Server/Windows 2003 Server/Windows 2008 Server. It must be located in the same domain as the NAS Server for which it provides scanning and repair services. Symantec Scan Engine uses the RPC protocol to interface with BlueArc Storage System and Hitachi High-performance NAS Platform storage appliances.

On the NAS Server, you can enable virus scanning individually for each Enterprise Virtual Server (EVS). An EVS is a virtual NAS system that consists of CIFS shares with individual IP addresses. A single Symantec Scan Engine can support multiple EVSs. Hence, represent each EVS as an RPC client through the Symantec Scan Engine administrative interface. You can use multiple scan engines to support one or more EVSs for sites with larger scan volumes. Load balancing is handled through the NAS Server's administrative interface to achieve high availability and performance scaling.

Virus scanning on BlueArc Storage System and Hitachi High-performance NAS Platform is available only for those files that are requested through the Common Internet File System (CIFS).


What happens when a file is scanned


The NAS Server submits files to Symantec Scan Engine for scanning on both read and write. That is, files are scanned when they are accessed from storage (read) and if they are changed on the NAS Server (write).

When a user tries to access a file, the NAS Server passes the file path to Symantec Scan Engine for scanning. After the file is opened and scanned, Symantec Scan Engine indicates the scanning results to the NAS Server. The scan engine returns the repaired file based on a configurable virus scan policy if a file is infected and can be repaired.

The NAS Server passes the clean files to the requesting user after it receives the scanning results. The repaired file is passed to the requesting user if the file is infected and can be repaired. The stored version of the infected file is then replaced with the repaired file. The user is denied access to the file if the file is infected and cannot be repaired, and the infected file is deleted from storage. You can configure Symantec Scan Engine to quarantine these unrepairable files.

After a file has been scanned and declared clean, the scanned state information is stored in its metadata on disk. This avoids redundant scans of those files that have already been scanned. These files will not be scanned again unless they are modified or the administrator requests a full scan of the files from the NAS Server's administrative interface. See "About executing a full file system scan" on page 103.

About connecting to Symantec Scan Engine


Symantec Scan Engine monitors the connection with each EVS by checking the connection at a configured time interval. The scan engine tries to reconnect if it determines that the connection is not active. (You can configure the number of times that the scan engine tries to re-establish the connection.)

About limiting scanning by file type


Viruses are found only in the file types that contain executable code. Only those file types that can contain viruses need be scanned. Limiting scanning by file type saves bandwidth and time. You have the following levels of control over which files are scanned:


- You can control the files that are initially submitted to the scan engine by BlueArc Storage System or Hitachi High-performance NAS Platform for scanning.
  The NAS Server lets you specify by file extension the files that are to be passed to Symantec Scan Engine for scanning. You configure the file types that you want to submit for scanning through the NAS Server interface in accordance with the product documentation. See "About specifying the file extensions to be scanned on the NAS Server" on page 103.
- You can control the files that are embedded in archival file formats (for example, .zip or .lzh files) that are to be scanned by Symantec Scan Engine.
  The file extension exclusion list and the file type exclusion list let you specify the file extensions and the file types that you do not want to scan. You can also scan all file types regardless of extension. You configure which embedded files are scanned through the Symantec Scan Engine administrative interface. See "Specify which embedded files to scan" on page 97.

About handling infected files


You can configure Symantec Scan Engine to do any of the following when an infected file is found:
- Scan only: Deny access to the infected file, but do nothing to the infected file.
- Scan and repair files: Try to repair the infected file, and deny access to any unrepairable file.
- Scan and repair or delete: Try to repair the infected file, and delete any unrepairable file.

You can also configure the scan engine to quarantine unrepairable files. See "About quarantining unrepairable infected files" on page 95.

About user identification and notification when a virus is found


When a virus is found in a file that is requested from the NAS Server, Symantec Scan Engine automatically obtains (for logging purposes) identification information about the user who requested the infected file. This information includes the security identifier of the user and the IP address and host name of the requesting computer. The identification information supplements the information that is contained in Infection Found log messages that are logged to the local logs, the Windows Event Log, and SMTP. This information does not appear in the Infection Found messages that are logged to SNMP or SESA.

Note: Symantec Scan Engine can obtain only the information that is made available by the NAS Server. In some cases, all or some of this information is not available. The information that is obtained is reported in the related log entries. Any identification information that is not obtained from the NAS Server is omitted from the log messages and from the user notification window.

You also can configure Symantec Scan Engine to notify the requesting user that the retrieval of a file failed because a virus was found. The notification message only appears if the user uses a Windows computer. The notification message includes the following:

- Date and time of the event
- File name of the infected file
- Virus name and ID
- Virus definition date and revision number
- Manner in which the infected file was handled (for example, the file was repaired or deleted)
- Scan policy
- Disposition of the file (for example, infected)
- Duration of scan time and connection time

The Windows Messenger service must be running on the computer that is running the Symantec Scan Engine and on the user's computer to use the user notification feature. See "Notifying a requesting user that a virus was found" on page 94.

About preparing for installation


BlueArc Storage System and Hitachi High-performance NAS Platform storage appliances must support firmware version 4.0 or later to interface with Symantec Scan Engine. As a prerequisite, ensure that each NAS Server for which the scan engine is to provide scanning and repair services meets this requirement.

To use RPC, Symantec Scan Engine must be installed on a computer that is running Windows 2000 Server/Windows 2003 Server/Windows 2008 Server. The computer on which you plan to install Symantec Scan Engine must meet the system requirements that are listed in the Symantec Scan Engine Implementation Guide.

After you install Symantec Scan Engine, configure the NAS Server to work with the scan engine. See "About configuring BlueArc Storage System or Hitachi High-performance NAS Platform" on page 102.

About configuring Symantec Scan Engine


Configure Symantec Scan Engine to use RPC as the communication protocol. The Internet Content Adaptation Protocol (ICAP) is the default protocol at installation, but you can change the protocol to RPC through the administrative interface. Then you can configure the RPC-specific options. See "About configuring RPC protocol options" on page 91.

You must also change the Windows service startup properties to identify an account that has the appropriate permissions. See "Editing the service startup properties" on page 90.

Editing the service startup properties


If you change the protocol setting to RPC through the Symantec Scan Engine administrative interface, you need to change the service startup properties to identify an account that has the following appropriate permissions:

- The account must have local administrator permissions on the computer that has the scan engine.
- The user account must have Backup Operator privileges or above on the NAS Server. For more information on how to set up a shared account with local group backup operator privileges on the NAS Server, see the appropriate product documentation.

You must also change the service startup properties if the list of NAS Servers is edited.


To edit the service startup properties

1. In the Windows 2000/2003/2008 Control Panel, click Administrative Tools.
2. Click Services.
3. In the list of services, right-click Symantec Scan Engine, and then click Properties.
4. In the Properties dialog box, on the Log On tab, click This Account.
5. Type the account name and password for the user account that has local administrator rights on the computer that has the scan engine. This account should also have Backup Operator privileges or above on the NAS Server. Use the following format for the account name: domain\username

6 7 8

Click OK. Stop and start the Symantec Scan Engine service. For more information on stopping and starting the Symantec Scan Engine service, see the Symantec Scan Engine Implementation Guide.

About configuring RPC protocol options


After you install Symantec Scan Engine, you can configure settings that are specific to the RPC protocol. You must manually stop and start the scan engine service when you change to the RPC protocol through the Symantec Scan Engine administrative interface. This ensures a proper connection to the NAS Server.

Table 5-1 describes the protocol-specific options for RPC.

Table 5-1 Protocol-specific options for RPC

Option: RPC client list
Description: A single Symantec Scan Engine can support one or more EVSs. Each EVS must be located in the same domain as Symantec Scan Engine. You must provide the IP address of each EVS.
Note: Multiple scan engines can support a single EVS. Configure the multiple scan engines through the BlueArc Storage System or Hitachi High-performance NAS Platform interface.

Option: Check RPC connection every __ seconds
Description: Symantec Scan Engine maintains a connection with the EVS on the NAS Server. Symantec Scan Engine can be configured to check the connection with the EVS at a prescribed interval to ensure that the connection is active. The default value is 20 seconds.

Option: Maximum number of reconnect attempts
Description: You can configure Symantec Scan Engine to make a specified number of tries to re-establish a lost connection with the EVS. By default, Symantec Scan Engine is configured to try to reconnect with the EVS indefinitely.
Note: Do not set a maximum number of reconnect attempts if the scan engine provides scanning for multiple Enterprise Virtual Servers. Use the default setting.

Option: Antivirus scan policy
Description: You can configure Symantec Scan Engine to do one of the following when an infected file is found:
- Scan only: Deny access to the infected file, but do nothing to the infected file.
- Scan and repair files: Try to repair the infected file, and deny access to any unrepairable file.
- Scan and repair or delete: Try to repair the infected file, and delete any unrepairable file.
Note: You must select Scan and repair or delete if you plan to quarantine the infected files that cannot be repaired. For more information, see the Symantec Scan Engine Implementation Guide.

Option: Automatically send antivirus update notifications
Description: You can configure Symantec Scan Engine to automatically notify BlueArc Storage System and Hitachi High-performance NAS Platform when new virus definitions are used.


How to configure RPC protocol options


To configure RPC, do the following:

- Provide an IP address for each EVS for which Symantec Scan Engine should provide scanning services. You can add or delete Enterprise Virtual Servers from this list at any time.
- Configure the additional RPC-specific options.

To edit the list of NAS Servers

1. On the Symantec Scan Engine administrative interface, in the left pane, click Configuration.
2. Under Views, click Protocol.
3. In the right pane, under Select Communication Protocol, click RPC. The configuration settings are displayed for the selected protocol.
4. In the Manual Restart Required dialog box, click OK.
5. To add an EVS to the list of RPC clients, type the IP address of the EVS for which Symantec Scan Engine should provide scanning services. Type one entry per line.
6. To delete an EVS from the list of RPC clients, select and delete the IP address of the EVS.
7. On the toolbar, select one of the following:
   - Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   - Apply: Applies your changes. Your changes are not implemented until you apply them. You must perform a manual restart for the changes to take place and for a proper connection to the EVS.

To configure additional RPC-specific options

1. On the Symantec Scan Engine administrative interface, in the left pane, click Configuration.
2. Under Views, click Protocol.
3. Under RPC Configuration, in the Check RPC connection every box, type how frequently Symantec Scan Engine checks the RPC connection with the EVS to ensure that the connection is active. The default interval is 20 seconds.
4. In the Maximum number of reconnect attempts box, type the maximum number of tries that the Symantec Scan Engine should undertake to reestablish a lost connection with the EVS. The default setting is 0. Symantec Scan Engine tries indefinitely to reestablish a connection. Use the default setting if the scan engine provides scanning for multiple enterprise virtual servers.
5. In the Antivirus scan policy list, select how you want Symantec Scan Engine to handle infected files. The default setting is Scan and repair or delete.
6. On the toolbar, select one of the following:
   - Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   - Apply: Applies your changes. Your changes are not implemented until you apply them. You must perform a manual restart for the changes to take place and for a proper connection to the EVS.

Notifying a requesting user that a virus was found


You can configure Symantec Scan Engine to notify the requesting user that the retrieval of a file failed because a virus was found. The notification message is displayed only if the user uses a Windows computer. In addition, the requesting user's computer must be in the same domain as the scan engine. Both the user's computer and the scan engine must have the Windows Messenger service running to use this feature. The notification message includes the following information:

- The date and time of the event
- The event security level (for example, Warning)
- The scan policy (for example, scan and repair or delete)
- The file name of the infected file
- The virus name and ID
- The manner in which the infected file was handled (for example, the file was repaired or deleted)
- The disposition of the file (for example, infected)
- The IP address and name of the requesting user's computer
- The date and revision number of the virus definitions used
- The duration (in seconds) of scan and connection time

To notify a requesting user that a virus was found

1. On the Symantec Scan Engine administrative interface, in the left pane, click Monitors.
2. Under Views, click Alerting.
3. In the right pane, under Log Windows Messenger, check Enable Windows Messenger Logging. User notification is disabled by default.
4. On the toolbar, select one of the following:
   - Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   - Apply: Applies your changes. Your changes are not implemented until you apply them. You must perform a manual restart for the changes to take place.

About quarantining unrepairable infected files


You can quarantine unrepairable infected files when you use the RPC protocol. To use the quarantine feature, Symantec Central Quarantine must be installed separately on a computer that runs Windows 2000 Server/Windows 2003 Server/Windows 2008 Server. Symantec Central Quarantine is included on the Symantec Scan Engine distribution CD along with supporting documentation.


Symantec Scan Engine forwards the infected files that cannot be repaired to Symantec Central Quarantine. Typically, the heuristically-detected viruses that cannot be eliminated by the current set of virus definitions are forwarded to the quarantine. They are isolated so that the viruses cannot spread. The infected items can be submitted to Symantec Security Response for analysis from the quarantine. New virus definitions are posted if a new virus is identified.

You must select Scan and repair or delete as the RPC scan policy to forward files to the quarantine. The original infected file is deleted when a copy of an infected file is forwarded to the quarantine. If submission to the quarantine is not successful, the original file is not deleted, and an error message is returned to the NAS Server. Access to the infected file is denied.

See About configuring RPC protocol options on page 91.

For more information about installing and configuring Symantec Central Quarantine, see the Symantec Central Quarantine Administrator's Guide.

To quarantine unrepairable infected files

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Quarantine, check Quarantine files.
4. In the Central server quarantine host or IP box, type the host name or the IP address for the computer on which Symantec Central Quarantine is installed.
5. In the Port box, type the TCP/IP port number to be used by the Symantec Scan Engine to pass files to the Symantec Central Quarantine.
   This setting must match the port number that is selected at installation for Symantec Central Quarantine.
6. On the toolbar, select one of the following:
   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.


Specifying which embedded files to scan


The NAS Server submits files to Symantec Scan Engine for scanning based on the file extension of the top-level file. You can configure the file types that are submitted for scanning through the NAS Server administrative interface. The top-level files that are sent to Symantec Scan Engine are scanned regardless of file extension.

When the scan engine receives an archive file (for example, a .zip or .lzh file) that contains embedded files, it must break down the archive file and scan each embedded file. You can control, through the scan engine administrative interface, which embedded files are scanned by using a file extension and file type exclusion list. You can also scan all files regardless of extension. Symantec Scan Engine is configured by default to scan all files.

The file type and file extension exclusion lists are prepopulated with the file types that are unlikely to contain viruses, but you can edit this list.

Note: During virus outbreaks, you might want to scan all files even if you normally control the file types that are scanned with the file type or file extension exclusion list.

Specify which embedded files to scan


You can scan all files regardless of extension, or you can control which files are scanned by specifying the extensions or the file types that you want to exclude. Symantec Scan Engine is configured by default to scan all files.

To scan all files regardless of extension or type

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files.
4. On the toolbar, select one of the following:
   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.


To scan all files except for those that are in the file extension exclusion list

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files except those in the extension or type exclude lists.
   When you activate this option, both the file extension exclude list and the file type exclude list are activated automatically.
4. Type each file extension that you want to add to the list on a separate line.
   Use a period with each extension in the list.
5. To remove a file extension from the list, select it and delete it from the File extension exclude list.
6. To restore the default file extension exclude list, in the left pane, under Tasks, click Reset Default List.
   This option restores the default file-type exclude list and the file-extension exclude list.
7. On the toolbar, select one of the following:
   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.

To scan all file types except those in the file type exclusion list

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files except those in the extension or type exclude lists.
   When you activate this option, both the file type exclude list and the file extension exclude list are activated automatically.
4. Type each file type that you want to add to the list on a separate line.
   To include all subtypes for a file type, use the wildcard character /*. For more information on how to write the file types, see the Symantec Scan Engine Implementation Guide.
5. To remove a file type from the list, select it and delete it from the File type exclude list.
6. To restore the default file type exclude list, in the left pane, under Tasks, click Reset Default List.
   This option restores the default file type exclude list and the file extension exclude list.
7. On the toolbar, select one of the following:
   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.

Scheduling LiveUpdate to update virus definitions automatically


Scheduling LiveUpdate to occur automatically at a specified time interval ensures that the Symantec Scan Engine always has the most current virus definitions.

If you use multiple scan engines to support virus scanning, schedule LiveUpdate to occur at the same time for each scan engine. This scheduling ensures that all scan engines have the same version of virus definitions. Having the same version of virus definitions is necessary for proper functioning of virus scanning on the NAS Server. You must schedule LiveUpdate on each Symantec Scan Engine.

When LiveUpdate is scheduled, LiveUpdate runs at the specified time interval relative to the LiveUpdate base time. The default LiveUpdate base time is the time that the scan engine was installed. You can change the LiveUpdate base time. If you change the scheduled LiveUpdate interval, the interval adjusts based on the LiveUpdate base time. For more information on changing the base time, see the Symantec Scan Engine Implementation Guide.


To schedule LiveUpdate to update virus definitions automatically

1. On the Symantec Scan Engine administrative interface, in the left pane, click System.
2. Under Views, click LiveUpdate Content.
3. In the right pane, under LiveUpdate Content, check Enable scheduled LiveUpdate.
   This option is enabled by default.
4. In the LiveUpdate interval drop-down list, choose an interval.
   You can select from 2, 4, 8, 10, 12, or 24-hour intervals. The default LiveUpdate interval is 2 hours.
5. On the toolbar, select one of the following:
   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.

Configuring Rapid Release updates to occur automatically


You can configure Symantec Scan Engine to obtain uncertified definition updates with Rapid Release. You can configure Symantec Scan Engine to retrieve Rapid Release definitions every 5 minutes to every 120 minutes.

Rapid Release definitions are created when a new threat is discovered. Rapid Release definitions undergo basic quality assurance tests by Symantec Security Response. However, they do not undergo the intense testing that is required for a LiveUpdate release. Symantec updates Rapid Release definitions as needed to respond to high-level outbreaks.

Warning: Rapid Release definitions do not undergo the same rigorous quality assurance tests as LiveUpdate and Intelligent Updater definitions. Symantec encourages users to rely on the full quality-assurance-tested definitions whenever possible. Ensure that you deploy Rapid Release definitions to a test environment before you install them on your network.

If you use a proxy or firewall that blocks FTP communications, the Rapid Release feature does not function. Your environment must allow FTP traffic for the FTP session to succeed.

You can schedule Rapid Release updates to occur automatically at a specified time interval to ensure that Symantec Scan Engine always has the most current definitions. Scheduled Rapid Release updates are disabled by default.

To configure Rapid Release updates to occur automatically

1. On the Symantec Scan Engine administrative interface, in the left pane, click System.
2. Under Views, click Rapid Release Content.
3. In the content area under Rapid Release Content, check Enable scheduled Rapid Release to enable automatic downloads of Rapid Release definitions.
   This option is disabled by default.
4. In the Rapid Release interval box, to specify the interval between which you want Symantec Scan Engine to download Rapid Release definitions, do any of the following steps:
   - Type the interval.
   - Click the up arrow or down arrow to select the interval.
   You can select any number between 5 minutes and 120 minutes. The default value is 30 minutes.
5. On the toolbar, select one of the following:
   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.


About configuring BlueArc Storage System or Hitachi High-performance NAS Platform


After you configure Symantec Scan Engine to use RPC as the communication protocol, configure the client Enterprise Virtual Servers (EVSs) to work with Symantec Scan Engine. BlueArc Storage System or Hitachi High-performance EVS clients must be running firmware version 4.0 or later to interface with the Symantec Scan Engine. Each EVS should be installed and configured in accordance with the accompanying product documentation. Each EVS should be functional before you initiate virus scanning using Symantec Scan Engine.

You must set up a shared account with backup operator privileges on the NAS Server before you configure virus scanning on the NAS Server. Ensure that the Symantec Scan Engine service runs with this shared account as well. See Editing the service startup properties on page 90. For more information on how to set up a shared account with local group backup operator privileges on the NAS Server, see the appropriate NAS Server documentation.

The main virus scanning parameters that you should configure can be found in the Virus Scanning window under the Data Protection section in the Home page.

About verifying that the scan engine is registered with the NAS Server

You can verify that the scan engine is registered with the NAS Server after you install Symantec Scan Engine. Registration is automatic if you have provided the correct information to Symantec Scan Engine for contacting the EVS. Registration occurs when Symantec Scan Engine connects to the EVS. The Registered Virus Scanners field in the NAS Server's administrative interface contains the names of the registered scan engines. Ensure that at least one registered scan engine is present to be assured of virus protection for each EVS.

Note: The service startup properties for Symantec Scan Engine must be changed to identify an account that has the appropriate permissions on the EVS. If the change has not been done, the scan engine cannot register with the EVS because it does not have sufficient permission. See Editing the service startup properties on page 90.


About activating virus scanning


You can activate and deactivate virus scanning for each EVS. Select the EVS for which you want to activate scanning from the EVS drop-down box. Check Enable Virus Scanning in the NAS Server's administrative interface to activate virus scanning. Uncheck Enable Virus Scanning to deactivate virus scanning. For more information, see the appropriate NAS Server documentation.

About specifying the file extensions to be scanned on the NAS Server


Configure the list of extensions on BlueArc Storage System or Hitachi High-performance NAS Server to contain only the file extensions that you want to scan. This list lets you control the file types that are passed to the Symantec Scan Engine for scanning. You can configure file extensions using the extensions inclusion list seen in the File types to scan field.

A default list of extensions to be submitted for virus scanning is included with the NAS Server. You can modify the inclusion list by adding or removing extensions. To roll back to the default inclusion list, click Reset Defaults. To scan all file types irrespective of extensions, check Scan All File Types.

The highest level of protection is achieved by scanning all file types; however, viruses are found only in those file types that contain executable code, so not every file type needs to be scanned. You can save bandwidth and time by limiting the files to be scanned to only those file types that can contain viruses. For more information, see the appropriate NAS Server documentation.

About executing a full file system scan


You can flag all files for a re-scan if there are new updated virus definition files on Symantec Scan Engine. Click Request Full Scan in the NAS Server's administrative interface to ensure that all file types listed in the inclusion list are marked for scan. The scan on a file occurs the next time any user accesses the file.

About working with unavailable scan engines


BlueArc Storage System or Hitachi High-performance NAS Server is configured to deny access to files if virus scanning is enabled and the scan engines are not available. Ensure that more than one scan engine is configured for the CIFS shares on the NAS Server so that maximum accessibility of data is guaranteed.


You can deactivate virus scanning until the scan engines are available again so that file access is still available. BlueArc Storage System and Hitachi High-performance NAS Platform keep track of all files that are not scanned in this duration. As soon as virus scanning is activated, the files that were created or modified in the duration are scanned without fail. For more information, see the appropriate NAS Server documentation.

About working with unresponsive scan engines


When large or complex files are scanned (for example, container files with multiple embedded files or files that contain polymorphic or macro viruses), the scan engine can become unresponsive. Clients temporarily cannot access the files. The user can eventually access the file when the scanning is complete and if the file is deemed clean by the scan engine. For more information, see the appropriate NAS Server documentation.

Chapter

Configuring Symantec AntiVirus for Hitachi Essential NAS Platform


This chapter includes the following topics:

- About software components
- How Symantec Scan Engine works with the Hitachi Essential NAS Platform
- About configuring Symantec Scan Engine

About software components


Symantec AntiVirus for Network Attached Storage provides virus scanning and repair capabilities for Hitachi Essential NAS Platform. Configure the following components to add antivirus scanning to the Hitachi Essential NAS Platform:

- Symantec Scan Engine is installed when Symantec AntiVirus for Network Attached Storage is installed. Provides the virus scanning and repair services. For more information, see the Symantec Scan Engine Implementation Guide.
- Hitachi Essential NAS Platform: Some options are configured directly on the NAS server. No additional code is necessary to connect Symantec Scan Engine to the NAS server.


How Symantec Scan Engine works with the Hitachi Essential NAS Platform

Symantec AntiVirus for Network Attached Storage provides virus scanning and repair capabilities for the Hitachi Essential NAS Platform. Symantec Scan Engine must be installed on a computer that is running Windows 2000 Server/Windows 2003 Server/Windows 2008 Server. It must be located in the same domain as the NAS server for which it provides scanning and repair services.

Symantec Scan Engine uses the proprietary Network Appliance adaptation of the RPC protocol to interface with Hitachi Essential NAS Platform. A single Symantec Scan Engine can support multiple NAS servers. You can use multiple scan engines to support one or more servers for sites with larger scan volumes. Load balancing is handled through the NAS server interface.

Virus scanning on the Hitachi Essential NAS Platform is available only for those files that are requested through the Common Internet File System (CIFS).

What happens when a file is scanned


The NAS server submits files to Symantec Scan Engine for scanning on both read and write. That is, files are scanned when they are accessed from storage (read) and if they are changed on the NAS server (write).

When a user tries to access a file, the NAS server passes the file to Symantec Scan Engine for scanning. After a file is scanned, Symantec Scan Engine indicates the scanning results to the NAS server. If a file is infected and can be repaired, the scan engine returns the repaired file based on a configurable virus scan policy.

Clean files are passed to the requesting user after the NAS server receives the scanning results. The repaired file is passed to the requesting user if the file is infected and can be repaired. The stored version of the infected file is then replaced with the repaired file. The user is denied access to the file if the file is infected and cannot be repaired, and the infected file is deleted from storage. Symantec Scan Engine can be configured to quarantine these irreparable files.

About handling infected files


You can configure Symantec Scan Engine to do any of the following when an infected file is found:

Scan Only
   Deny access to the infected file, but do nothing to the infected file.

Scan and repair files
   Try to repair the infected file, and deny access to any irreparable file.

Scan and repair or delete
   Try to repair the infected file, and delete any irreparable file.

You can also configure the scan engine to quarantine irreparable files.

About configuring Symantec Scan Engine


You must configure several settings on each Symantec Scan Engine that is used to support scanning for Hitachi Essential NAS Platform with NAS Option.

Note: If you use multiple scan engines to support scanning, the configuration settings on each scan engine must be identical. LiveUpdate should be scheduled to occur at the same time on all scan engines so that virus definitions are consistent at all times.

The scan engine must be configured to use ICAP as the communication protocol. ICAP is the default protocol at installation. After you have selected ICAP, you can configure ICAP-specific options.

Configuring ICAP-specific options


You can configure several settings that are specific to the ICAP protocol through the Symantec Scan Engine administrative interface. You can also change the protocol through the administrative interface if Symantec Scan Engine has already been configured to use another protocol. However, you must manually restart the Symantec Scan Engine.

For more information about accessing the administrative interface, see the Symantec Scan Engine Implementation Guide.

Table 6-1 describes the protocol-specific options for ICAP.

Table 6-1 Protocol-specific options for ICAP

Bind address
   By default, Symantec Scan Engine binds to all interfaces. You can restrict access to a specific interface by entering the appropriate bind address. In cases where multiple scan engines are used, specifying a bind address allows the easier identification of scan engine reports.

Port number
   The port number must be exclusive to Symantec Scan Engine. The default port number for ICAP is 1344. If you change the port number, use a number greater than 1024 that is not in use by any other program or service.

Scan policy
   When an infected file is found, Symantec Scan Engine can do any of the following:
   - Scan only: Scan files for viruses, but do nothing to infected files.
   - Scan and delete: Scan files for viruses, and delete any infected files that are embedded in archive or container files without trying repair.
   - Scan and repair files: Try to repair infected files, but do nothing to irreparable files (that is, do not delete the files from archive or container files).
   - Scan and repair or delete: Try to repair infected files, and delete irreparable files from archive or container files.
   Note: If you choose the data trickle feature, the virus scan policy is automatically set to Scan only.

Enable trickle
   This setting provides users with a quicker download response and avoids possible session timeout errors. Data trickling is disabled by default.

Time before trickle data starts
   You can specify how long the scan process should run before data trickling begins.

To configure ICAP-specific options

1. On the Symantec Scan Engine administrative interface, in the left pane, click Configuration.
2. Under Views, click Protocol.
3. In the right pane, under Select Communication Protocol, click ICAP.
   The configuration settings are displayed for the selected protocol. You must manually stop and start the service if you change the protocol setting through the Symantec Scan Engine administrative interface.
4. Under ICAP Protocol Configuration, in the Bind address box, type a bind address, if necessary.
   By default, Symantec Scan Engine binds to all interfaces. You can restrict access to a specific interface by typing the appropriate bind address.
5. In the Port number box, type the TCP/IP port number.
   The default setting for ICAP is port 1344.
6. In the Scan policy list, select how you want Symantec Scan Engine to handle infected files.
   The default setting is Scan and repair or delete, which is the recommended setting.
7. Check Enable trickle to enable the data trickle feature.
   The scan policy is automatically set to Scan only. However, enabling data trickle can compromise antivirus integrity. The data that is trickled to the user might contain a virus. You also cannot use the Quarantine feature when you enable data trickling. For more information, see the Symantec Scan Engine Implementation Guide.
8. Type the number of seconds that the scan process should run before data trickling begins.
   The setting defaults to 5 seconds and can be up to a maximum of 86400 seconds (24 hours).
9. On the toolbar, select one of the following:
   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.

Specifying which file types to scan on the scan engine


The settings on Symantec Scan Engine must be configured to specify the types of files to be scanned for viruses. The scan policy on the scan engine determines which files it should scan from the Hitachi Essential NAS Platform Anti Virus Agent. The scanned files are those contained in archive or container file formats.

You can control which embedded files are scanned by using an extension or type exclusion list, or you can scan all files regardless of extension and type. A prepopulated extension and type exclusion list exists that you can modify. Symantec Scan Engine is configured by default to scan all files.

Note: Symantec Scan Engine examines the first few bytes of every file to determine whether the file could contain a virus. This action occurs even if the file extension is not one that was identified for scanning. Based on this examination, the scan engine may scan a file even though it has not been identified for scanning.

For more information, see the Symantec Scan Engine Implementation Guide.
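The note above is the reason an extension exclude list cannot be the only gate. The following added example (not Symantec's code) parses an exclude list written one extension per line with its period and reports embedded files whose excluded extension disagrees with their leading bytes. The signature table, function names and sample archive are constructed for illustration and do not reproduce the product's detection logic.

```python
import io
import os
import zipfile

# Leading-byte signatures of formats that can carry code or further files.
# Assumption for this sketch; it is not the product's detection logic.
SIGNATURES = {
    b"MZ": "Windows executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP container",
    b"\xd0\xcf\x11\xe0": "OLE2 document",
    b"#!": "script",
}


def parse_exclude_list(text):
    """Parse one extension per line; each entry must carry its period."""
    accepted, rejected = set(), []
    for raw in text.splitlines():
        entry = raw.strip().lower()
        if not entry:
            continue
        if entry.startswith(".") and entry[1:].isalnum():
            accepted.add(entry)
        else:
            rejected.append(entry)  # for example "jpg" typed without the period
    return accepted, rejected


def sniff(head):
    """Return a label when the first bytes match a known signature."""
    for magic, label in SIGNATURES.items():
        if head.startswith(magic):
            return label
    return None


def audit_archive(data, excluded):
    """Compare the extension-based decision with the content of each member."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as fh:
                label = sniff(fh.read(8))
            by_extension = "skip" if ext in excluded else "scan"
            rows.append({
                "name": info.filename,
                "by_extension": by_extension,
                "content": label,
                # Content that looks executable overrides an excluded extension.
                "final": "scan" if label else by_extension,
                "mismatch": by_extension == "skip" and label is not None,
            })
    return rows


def build_sample():
    """Constructed archive: harmless bytes that only imitate file headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"meeting notes")
        zf.writestr("logo.gif", b"GIF89a" + b"\x00" * 16)
        zf.writestr("report.txt", b"MZ" + b"\x00" * 62)
        zf.writestr("setup.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    excluded, bad_entries = parse_exclude_list(".txt\n.GIF\njpg\n")
    print("ignored entries:", bad_entries)
    for row in audit_archive(build_sample(), excluded):
        print(row)
```

Any row with mismatch set is a file that an extension-only decision would have skipped.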

Specify which file types to scan on the scan engine


You can control which file types are scanned by specifying those extensions that you want to exclude from scanning, or you can scan all files regardless of extension.


To scan all files except for those that are in the file extension exclusion list

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files except those in the extension or type exclude lists.
   When you enable this option, both the file extension exclude list and the file type exclude list are activated automatically.
4. Type each file extension that you want to add to the list on a separate line.
   Use a period with each extension in the list.
5. To remove a file extension from the list, select it and delete it from the File extension exclude list.
6. To restore the default file extension exclude list, in the left pane, under Tasks, click Reset Default List.
   This option restores the default file-type exclude list and the file-extension exclude list.
7. On the toolbar, select one of the following:
   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.

To scan all file types except those in the file type exclusion list

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files except those in the extension or type exclude lists.
   When you enable this option, both the file type exclude list and the file extension exclude list are activated automatically.
4. Type each file type you want to add to the list on a separate line.
   To include all subtypes for a file type, use the wildcard character /*. For more information on how to write the file types, see the Symantec Scan Engine Implementation Guide.
5. To remove a file type from the list, select it and delete it from the File type exclude list.
6. To restore the default file type exclude list, in the left pane, under Tasks, click Reset Default List.
   This option restores the default file-type exclude list and the file-extension exclude list.
7. On the toolbar, select one of the following:
   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.

To scan all files regardless of extension or type

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files.
4. On the toolbar, select one of the following:
   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.


About specifying container handling limits


File attachments that consist of container files can overload the system and cause denial-of-service attacks. They can be overly large, contain large numbers of embedded, compressed files, or be designed to maliciously use resources and degrade performance. Symantec Scan Engine can be configured to impose limits on how container files are handled. This reduces the network's exposure to denial-of-service attacks.

You can specify the following limits for handling container files:

- The maximum amount of time, in seconds, that is spent decomposing a container file and its contents. This setting does not apply to .hqx or .amg files.
- The maximum file size, in megabytes, for the individual files that are in a container file
- The maximum number of nested levels to decompose for scanning
- The maximum number of bytes that are read when determining whether a file is MIME-encoded

You can specify whether to allow or deny access to the file if any of these specified limits is met or exceeded.

Symantec Scan Engine blocks container files based on their type, because only certain file types contain viruses or malicious code. You can configure Symantec Scan Engine to block partial container files, malformed container files, and encrypted container files as well.

For more information on container handling limits, see the Symantec Scan Engine Implementation Guide.
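An added sketch, not the product's implementation, of how the time, per-file size and nesting limits above can be enforced on a ZIP container before its contents reach a scanner, with malformed and encrypted members reported as well. The class and field names, the default values, and the reading that a nested level equal to the maximum counts as the limit being met are assumptions; the sample archives are constructed in memory.

```python
import io
import time
import zipfile
import zlib
from dataclasses import dataclass, field


@dataclass
class ContainerLimits:
    # Names and default values are assumptions made for this sketch.
    max_seconds: float = 180.0    # time allowed for decomposing one container
    max_member_mb: float = 100.0  # size cap for each embedded file
    max_depth: int = 10           # nested container levels to decompose
    deny_on_limit: bool = True    # deny access when a limit is met or exceeded


@dataclass
class Verdict:
    allow: bool = True
    violations: list = field(default_factory=list)  # (kind, member path)
    members_seen: int = 0


def inspect_container(data, limits, name="top"):
    """Walk a ZIP container and record each limit that is met or exceeded."""
    verdict = Verdict()
    deadline = time.monotonic() + limits.max_seconds
    max_bytes = int(limits.max_member_mb * 1024 * 1024)

    def walk(blob, level, path):
        try:
            zf = zipfile.ZipFile(io.BytesIO(blob))
        except zipfile.BadZipFile:
            verdict.violations.append(("malformed", path))
            return
        with zf:
            for info in zf.infolist():
                if time.monotonic() >= deadline:
                    verdict.violations.append(("time", path))
                    return
                member = f"{path}/{info.filename}"
                verdict.members_seen += 1
                if info.flag_bits & 0x1:  # general-purpose flag bit 0: encrypted
                    verdict.violations.append(("encrypted", member))
                    continue
                # Check the declared size first so an oversized member is
                # never inflated; zipfile stops reading at the declared size.
                if info.file_size >= max_bytes:
                    verdict.violations.append(("size", member))
                    continue
                try:
                    body = zf.read(info)
                except (zipfile.BadZipFile, zlib.error):
                    verdict.violations.append(("malformed", member))
                    continue
                if zipfile.is_zipfile(io.BytesIO(body)):
                    if level + 1 >= limits.max_depth:
                        verdict.violations.append(("nesting", member))
                    else:
                        walk(body, level + 1, member)

    walk(data, 0, name)
    verdict.allow = not (verdict.violations and limits.deny_on_limit)
    return verdict


def make_zip(members):
    """Build a constructed sample archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, body in members.items():
            zf.writestr(member_name, body)
    return buf.getvalue()


# Constructed samples: three nested levels, and 2 MiB of zeros that
# compresses to a few kilobytes.
INNER = make_zip({"payload.txt": b"constructed sample"})
MID = make_zip({"inner.zip": INNER})
NESTED = make_zip({"mid.zip": MID, "readme.txt": b"hello"})
SPARSE = make_zip({"zeros.bin": b"\0" * (2 * 1024 * 1024)})

if __name__ == "__main__":
    print(inspect_container(NESTED, ContainerLimits(max_depth=2)))
    print(inspect_container(SPARSE, ContainerLimits(max_member_mb=1)))
```

Setting deny_on_limit to False models the allow choice: the violations are still recorded, but access is not blocked.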

Scheduling LiveUpdate to update virus definitions automatically


Scheduling LiveUpdate to occur automatically at a specified time interval ensures that Symantec Scan Engine always has the most current virus definitions. Schedule LiveUpdate to occur at the same time for each scan engine if you use multiple scan engines to support virus scanning. This scheduling ensures that all scan engines have the same version of virus definitions. Having the same version of virus definitions is necessary for proper functioning of virus scanning on Hitachi Essential NAS Platform Anti Virus Agent. You must schedule LiveUpdate on each Symantec Scan Engine. When LiveUpdate is scheduled, LiveUpdate runs at the specified time interval relative to the LiveUpdate base time. The default LiveUpdate base time is the time that the scan engine was installed.


You can change the LiveUpdate base time. If you change the scheduled LiveUpdate interval, the interval adjusts based on the LiveUpdate base time.

To schedule LiveUpdate to update virus definitions automatically

1. On the Symantec Scan Engine administrative interface, in the left pane, click System.
2. Under Views, click LiveUpdate Content.
3. In the right pane, under LiveUpdate Content, check Enable scheduled LiveUpdate. This option is enabled by default.
4. In the LiveUpdate interval drop-down list, choose an interval. You can select from 2, 4, 8, 10, 12, or 24-hour intervals. The default LiveUpdate interval is 2 hours.
5. On the toolbar, select one of the following:
   - Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   - Apply: Applies your changes. Your changes are not implemented until you apply them. You must perform a manual restart for the changes to take place.

Chapter

Configuring Symantec AntiVirus for ONStor EverON


This chapter includes the following topics:

- About software components
- How Symantec Scan Engine works with the ONStor EverON
- About preparing for installation
- About configuring Symantec Scan Engine
- About configuring the ONStor VirusScan Applet

About software components


Symantec AntiVirus for Network Attached Storage provides virus scanning and repair capabilities for ONStor EverON. Configure the following components to add antivirus scanning to the ONStor EverON:

- Symantec Scan Engine: Installed when Symantec AntiVirus for Network Attached Storage is installed. Provides the virus scanning and repair services. For more information, see the Symantec Scan Engine Implementation Guide.
- ONStor EverON VirusScan Applet: The VirusScan applet handles the communication between the NAS server and the virus-scanning function on the server. An InstallShield guides you through the installation process. See About configuring the ONStor VirusScan Applet on page 125.

How Symantec Scan Engine works with the ONStor EverON


Symantec AntiVirus for Network Attached Storage provides virus scanning and repair capabilities for the ONStor EverON. Symantec Scan Engine must be installed on a computer that is running Windows 2000 Server/Windows 2003 Server/Windows 2008 Server. It must be located in the same domain as the NAS server for which it provides scanning and repair services. A single Symantec Scan Engine can support multiple NAS servers. You can use multiple scan engines to support one or more servers for sites with larger scan volumes. Load balancing is handled through the NAS server interface. Virus scanning on the ONStor EverON is available for incoming files for CIFS and NFS, and outgoing files for CIFS.

What happens when a file is scanned


The NAS server submits files to Symantec Scan Engine for scanning on both read and write. That is, files are scanned when they are accessed from storage (read) and if they are changed on the NAS server (write). When a user tries to access a file, the NAS server passes the file to Symantec Scan Engine for scanning. After a file is scanned, Symantec Scan Engine indicates the scanning results to the NAS server. If a file is infected and can be repaired, the scan engine returns the repaired file based on a configurable virus scan policy.

Clean files are passed to the requesting user after the NAS server receives the scanning results. The repaired file is passed to the requesting user if the file is infected and can be repaired. The stored version of the infected file is then replaced with the repaired file. The user is denied access to the file if the file is infected and cannot be repaired, and the infected file is deleted from storage. Symantec Scan Engine can be configured to quarantine these irreparable files.

After a file has been scanned and declared clean, the scanned state information is stored in its metadata on disk. This avoids redundant scans of files that have already been scanned. These files are not scanned again unless they are modified or the administrator requests a full scan of the files from the NAS server's administrative interface.

About handling infected files


You can configure Symantec Scan Engine to do any of the following when an infected file is found:

- Scan Only: Deny access to the infected file, but do nothing to the infected file.
- Scan and repair files: Try to repair the infected file, and deny access to any irreparable file.
- Scan and repair or delete: Try to repair the infected file, and delete any irreparable file.

You can also configure the scan engine to quarantine irreparable files.

About user identification and notification when a virus is found


When a virus is found in a file that is requested from the NAS server, Symantec Scan Engine automatically obtains (for logging purposes) identification information about the user who requested the infected file. This information includes the security identifier of the user and the IP address and host name of the requesting computer. The identification information supplements the information that is contained in Infection Found log messages that are logged to the local logs, the Windows Event Log, and SMTP. This information does not appear in the Infection Found messages that are logged to SNMP or SESA.

Note: Symantec Scan Engine can obtain only the information that is made available by the NAS server. In some cases, all or some of this information is not available. The information that is obtained is reported in the related log entries. Any identification information that is not obtained from the NAS server is omitted from the log messages and from the user notification window.

You also can configure Symantec Scan Engine to notify the requesting user that the retrieval of a file failed because a virus was found. The notification message only appears if the user uses a Windows computer. The notification message includes the following:

- Date and time of the event
- File name of the infected file
- Virus name and ID
- Virus definition date and revision number
- Manner in which the infected file was handled (for example, the file was repaired or deleted)
- Scan rule
- Disposition of the file
- Duration of scan time and connection time

To use the user notification feature, the Windows Messenger service must be running on the computer that is running Symantec Scan Engine, and on the user's computer.

About preparing for installation


The computer on which you plan to install Symantec Scan Engine must meet the system requirements that are listed in the Symantec Scan Engine Implementation Guide. After you have installed the Symantec Scan Engine, configure the virus scanning functionality on the ONStor EverON NAS device.

About configuring Symantec Scan Engine


You must configure several settings on each Symantec Scan Engine that is used to support scanning for ONStor EverON with NAS Option.

Note: If you use multiple scan engines to support scanning, the configuration settings on each scan engine must be identical. LiveUpdate should be scheduled to occur at the same time on all scan engines so that virus definitions are consistent at all times.

The scan engine must be configured to use ICAP as the communication protocol. ICAP is the default protocol at installation. After you have selected ICAP, you can configure ICAP-specific options.

Configuring ICAP-specific options


You can configure several settings that are specific to the ICAP protocol through the Symantec Scan Engine administrative interface. You can also change the protocol through the administrative interface if Symantec Scan Engine has already been configured to use another protocol. However, you must manually restart the Symantec Scan Engine. For more information about accessing the administrative interface, see the Symantec Scan Engine Implementation Guide.

Table 7-1 describes the protocol-specific options for ICAP.

Table 7-1 Protocol-specific options for ICAP

| Option | Description |
| --- | --- |
| Bind address | By default, Symantec Scan Engine binds to all interfaces. You can restrict access to a specific interface by entering the appropriate bind address. In cases where multiple scan engines are used, specifying a bind address allows the easier identification of scan engine reports. |
| Port number | The port number must be exclusive to Symantec Scan Engine. The default port number for ICAP is 1344. If you change the port number, use a number greater than 1024 that is not in use by any other program or service. |
| Scan policy | When an infected file is found, Symantec Scan Engine can do any of the following. Scan only: Scan files for viruses, but do nothing to infected files. Scan and delete: Scan files for viruses, and delete any infected files that are embedded in archive or container files without trying repair. Scan and repair files: Try to repair infected files, but do nothing to irreparable files (that is, do not delete the files from archive or container files). Scan and repair or delete: Try to repair infected files, and delete irreparable files from archive or container files. Note: If you choose the data trickle feature, the virus scan policy is automatically set to Scan only. |
| Enable trickle | This setting provides users with a quicker download response and avoids possible session timeout errors. Data trickling is disabled by default. |
| Time before trickle data starts | You can specify how long the scan process should run before data trickling begins. |

To configure ICAP-specific options

1. On the Symantec Scan Engine administrative interface, in the left pane, click Configuration.
2. Under Views, click Protocol.
3. In the right pane, under Select Communication Protocol, click ICAP. The configuration settings are displayed for the selected protocol. You must manually stop and start the service if you change the protocol setting through the Symantec Scan Engine administrative interface.
4. Under ICAP Protocol Configuration, in the Bind address box, type a bind address, if necessary. By default, Symantec Scan Engine binds to all interfaces. You can restrict access to a specific interface by typing the appropriate bind address.
5. In the Port number box, type the TCP/IP port number. The default setting for ICAP is port 1344.
6. In the Scan policy list, select how you want Symantec Scan Engine to handle infected files. The default setting is Scan and repair or delete, which is the recommended setting.
7. Check Enable trickle to enable the data trickle feature. The scan policy is automatically set to Scan only. However, enabling data trickle can compromise antivirus integrity. The data that is trickled to the user might contain a virus. You also cannot use the Quarantine feature when you enable data trickling. For more information, see the Symantec Scan Engine Implementation Guide.
8. Type the number of seconds that the scan process should run before data trickling begins. The setting defaults to 5 seconds and can be up to a maximum of 86400 seconds (24 hours).
9. On the toolbar, select one of the following:
   - Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   - Apply: Applies your changes. Your changes are not implemented until you apply them.

Specifying which file types to scan on the scan engine


The settings on Symantec Scan Engine must be configured to specify the types of files to be scanned for viruses. The scan policy on the scan engine determines which files it should scan. The scanned files are those contained in archive or container file formats. You can control which embedded files are scanned by using an extension or type exclusion list, or you can scan all files regardless of extension and type. A prepopulated extension and type exclusion list exists that you can modify. Symantec Scan Engine is configured by default to scan all files.

Note: Symantec Scan Engine examines the first few bytes of every file to determine whether the file could contain a virus. This action occurs even if the file extension is not one that was identified for scanning. Based on this examination, the scan engine may scan a file even though it has not been identified for scanning.

For more information, see the Symantec Scan Engine Implementation Guide. See About configuring the ONStor VirusScan Applet on page 125.

Specify which file types to scan on the scan engine


You can control which file types are scanned by specifying those extensions that you want to exclude from scanning, or you can scan all files regardless of extension.


To scan all files except for those that are in the file extension exclusion list

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files except those in the extension or type exclude lists. When you enable this option, both the file extension exclude list and the file type exclude list are activated automatically.
4. Type each file extension that you want to add to the list on a separate line. Use a period with each extension in the list.
5. To remove a file extension from the list, select it and delete it from the File extension exclude list.
6. To restore the default file extension exclude list, in the left pane, under Tasks, click Reset Default List. This option restores the default file-type exclude list and the file-extension exclude list.
7. On the toolbar, select one of the following:
   - Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   - Apply: Applies your changes. Your changes are not implemented until you apply them.

To scan all file types except those in the file type exclusion list

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files except those in the extension or type exclude lists.
4. Type each file type you want to add to the list on a separate line. To include all subtypes for a file type, use the wildcard character /*. For more information on how to write the file types, see the Symantec Scan Engine Implementation Guide.
5. To remove a file type from the list, select it and delete it from the File type exclude list.
6. To restore the default file type exclude list, in the left pane, under Tasks, click Reset Default List. This option restores the default file-type exclude list and the file-extension exclude list.
7. On the toolbar, select one of the following:
   - Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   - Apply: Applies your changes. Your changes are not implemented until you apply them.

To scan all files regardless of extension or type

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files.
4. On the toolbar, select one of the following:
   - Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   - Apply: Applies your changes. Your changes are not implemented until you apply them.

About specifying container handling limits


File attachments that consist of container files can overload the system and cause denial-of-service attacks. They can be overly large, contain large numbers of embedded, compressed files, or be designed to maliciously use resources and degrade performance. Symantec Scan Engine can be configured to impose limits on how container files are handled. This reduces the network's exposure to denial-of-service attacks.

You can specify the following limits for handling container files:

- The maximum amount of time, in seconds, that is spent decomposing a container file and its contents. This setting does not apply to .hqx or .amg files.
- The maximum file size, in megabytes, for the individual files that are in a container file
- The maximum number of nested levels to decompose for scanning
- The maximum number of bytes that are read when determining whether a file is MIME-encoded

You can specify whether to allow or deny access to the file if any of these specified limits is met or exceeded. Symantec Scan Engine blocks container files based on their type, because only certain file types contain viruses or malicious code. You can configure Symantec Scan Engine to block partial container files, malformed container files, and encrypted container files as well. For more information on container handling limits, see the Symantec Scan Engine Implementation Guide.
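The following added example (not Symantec code, and not a description of how Symantec Scan Engine is implemented) shows how the container limits described above bound the work spent on one ZIP file: a time budget, a per-file size cap, and a nesting cap, plus rejection of encrypted and malformed containers. The function names, default values, and sample archives are assumptions constructed for the illustration.

```python
import io
import time
import zipfile

class LimitExceeded(Exception):
    """A container breached one of the configured handling limits."""

class Unscannable(Exception):
    """A container member cannot be inspected at all (for example, encrypted)."""

def make_zip(members):
    """Build a ZIP in memory from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

def _walk(data, max_bytes, max_depth, depth, deadline):
    """Decompose one container level; return the number of non-container files seen."""
    if depth > max_depth:
        raise LimitExceeded(f"nesting level {depth} exceeds limit of {max_depth}")
    leaves = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # One deadline is shared by the whole tree, so nesting cannot reset the clock.
            if time.monotonic() >= deadline:
                raise LimitExceeded("decomposition time limit reached")
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # ZIP general-purpose bit 0 marks an encrypted member
                raise Unscannable(f"{info.filename}: encrypted member")
            # Check the declared size first (cheap), then cap the actual read as well,
            # so a misleading header cannot force an unbounded decompression.
            if info.file_size > max_bytes:
                raise LimitExceeded(f"{info.filename}: {info.file_size} bytes exceeds size limit")
            with zf.open(info) as member:
                body = member.read(max_bytes + 1)
            if len(body) > max_bytes:
                raise LimitExceeded(f"{info.filename}: content exceeds size limit")
            if zipfile.is_zipfile(io.BytesIO(body)):
                leaves += _walk(body, max_bytes, max_depth, depth + 1, deadline)
            else:
                leaves += 1  # a real scanner would pass `body` to its detection engine here
    return leaves

def check_container(data, max_seconds=5.0, max_file_mb=1, max_depth=2, on_limit="deny"):
    """Return (verdict, detail); on_limit selects allow or deny when a limit is hit."""
    deadline = time.monotonic() + max_seconds
    try:
        count = _walk(data, max_file_mb * 1024 * 1024, max_depth, 1, deadline)
    except LimitExceeded as exc:
        return (on_limit, str(exc))
    except Unscannable as exc:
        return ("deny", str(exc))
    except zipfile.BadZipFile as exc:
        return ("deny", f"malformed container: {exc}")
    return ("allow", f"{count} embedded files within limits")

# Constructed samples: an ordinary archive, one oversized member, three nested levels.
SAMPLES = {
    "ordinary": make_zip({"a.txt": b"hello", "b.txt": b"world"}),
    "oversized": make_zip({"big.bin": b"\0" * (2 * 1024 * 1024)}),
    "deep": make_zip({"l2.zip": make_zip({"l3.zip": make_zip({"x.txt": b"x"})})}),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, len(blob), "bytes on disk ->", check_container(blob))
```

The oversized sample is only a few kilobytes compressed, which is why the limit is applied to the decompressed size rather than to the size of the container itself.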

Scheduling LiveUpdate to update virus definitions automatically


Scheduling LiveUpdate to occur automatically at a specified time interval ensures that Symantec Scan Engine always has the most current virus definitions. Schedule LiveUpdate to occur at the same time for each scan engine if you use multiple scan engines to support virus scanning. This scheduling ensures that all scan engines have the same version of virus definitions. Having the same version of virus definitions is necessary for proper functioning of virus scanning on EMC Celerra Network Server. You must schedule LiveUpdate on each Symantec Scan Engine. When LiveUpdate is scheduled, LiveUpdate runs at the specified time interval relative to the LiveUpdate base time. The default LiveUpdate base time is the time that the scan engine was installed. You can change the LiveUpdate base time. If you change the scheduled LiveUpdate interval, the interval adjusts based on the LiveUpdate base time.


To schedule LiveUpdate to update virus definitions automatically

1. On the Symantec Scan Engine administrative interface, in the left pane, click System.
2. Under Views, click LiveUpdate Content.
3. In the right pane, under LiveUpdate Content, check Enable scheduled LiveUpdate. This option is enabled by default.
4. In the LiveUpdate interval drop-down list, choose an interval. You can select from 2, 4, 8, 10, 12, or 24-hour intervals. The default LiveUpdate interval is 2 hours.
5. On the toolbar, select one of the following:
   - Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   - Apply: Applies your changes. Your changes are not implemented until you apply them. You must perform a manual restart for the changes to take place.

About configuring the ONStor VirusScan Applet


Before installing the VirusScan applet, verify the following:

- Verify that your NAS server is installed, powered up, and configured.
- Ensure that the Symantec AntiVirus Scan Engine is installed and configured to use Internet Content Adaptation Protocol (ICAP). Refer to the Symantec AntiVirus Scan Engine documentation on how to do this.
- Verify that both the VirusScan applet and the virus-scan engine are installed on servers configured with a static IP address.
- You are logged in as an administrator or with an account that has administrator privileges for installing the VirusScan applet.
- CIFS domain users must have administrator privileges on the machine where the applet is installed.


Virus-Scan Server Recommendations for the VirusScan Applet


Follow these considerations for running the VirusScan applet:

- For running the VirusScan applet, we recommend Windows 2000 with Service Pack 2 or a later operating system.
- The ONStor VirusScan applet needs to access files in read/write mode in the virtual server. Therefore, the user account that launches the applet must be configured with BACKUP and RESTORE privilege. The scope of the privilege can be either VIRTUAL SERVER or CLUSTER. To enable virus scanning, configure the privilege before starting the ONStor VirusScan applet, or restart the applet after you configure the privilege. Use the priv add command to configure privileges for the user account.

Installing the VirusScan Applet for the Symantec AntiVirus Scan Engine

To Install the VirusScan Applet by Using the InstallShield Utility

1. Double-click the setup application icon to launch the installation wizard. You can click Cancel at any time to stop the installation.
2. Click Next to continue with the installation.
3. Select Symantec as the applet that you want to install and click Next. The Custom Setup dialog box enables you to customize the default setup of the applet. You can make the following changes:
   - Change the directory location where the applet will be installed.
   - Select from a drop-down list whether you want to install the basic features or all features of the applet, and when and where you want to install them.
   - View the disk space requirements for the installation.
4. From the Symantec Virus Scanner drop-down list, select the features you want.
5. If you want to change the location of the applet, click Change on the Custom Setup dialog box. You can either browse to the directory where you want the applet to install or you can enter the directory path.
6. To view disk space requirements for the installation of the applet, click Space on the Custom Setup menu. Disks that are highlighted on the Disk Space Requirements list do not have enough disk space available for the installation of the applet.
7. When you have completed the custom setup, click Next to continue the installation.
8. On the Ready to Install the Program window, click Install to continue the installation of the applet.
9. Click Finish to allow the InstallShield wizard to complete the installation and exit.

Configuring the VirusScan Applet for the Symantec AntiVirus Scan Engine

After the InstallShield has installed the VirusScan applet in either the default directory or the one that you specified, configure the applet and register the port map service and applet service. The default directory for the installation is applet_installation_directory. Table 7-2 describes the directory containing the VirusScan applet executable and its associated files.

Table 7-2 Contents of the VirusScan Applet Directory

| File | Description |
| --- | --- |
| ONStorVirusScanApplet.exe | Application |
| VScanEngine.dll | ONStor dll |
| oncrpc.dll | ONC/SUN RPC dll for Windows |
| PortMap.exe | RPC port mapping utility (Windows service application) |
| msvcr70d.dll | Used by portmap.exe. Some machines might need that library. |
| symcsapi.dll | Symantec dll |
| ONStorVirusScanApplet.config | Configuration file for entering the Symantec scan engine IP and ICAP port for the VirusScan applet |

The VirusScan applet configuration file is an XML file that enables you to specify the Symantec AntiVirus Scan Engine IP address and ICAP port number for the applet to use. If no alternate configuration file is available, the applet uses the Symantec AntiVirus Scan Engine on the designated default machine, 127.0.0.1, and it uses the default ICAP port, 1344.

Note: If you do not use the default port for ICAP, you need to specify the port number in the applet configuration file.

The following example shows the applet with the default IP and ICAP port specified:

<ONStorVirusScanApplet>
  <LogFile mode="disable" name="VScanApplet.log" />
  <Resource MaxNumberofParallelFileScanning="100" />
  <ScanEngine>
    <Symantec>
      <Engine IP="127.0.0.1" Port="1344" />
    </Symantec>
  </ScanEngine>
</ONStorVirusScanApplet>

You can have the virus-scan application write a virus-scan log to a log file in the same directory in which the applet is installed. The applet configuration shown previously includes a log-file entry that is disabled.

If you set the log file mode by replacing disable in the example with enable, the applet creates a log file or writes to the existing log file, either in the current directory or in a path that you provide within the applet. If the log file mode is set to disable, the applet sends output to the console only.

Note: Enabling the log file mode is not recommended because it slows down the virus scanning performance. Even when the applet log file mode is disabled, the applet logs errors and some warnings to the Windows Event Log.

If the current log file reaches the maximum size of 5 MB, the file is automatically renamed (for example, from applet.log to an older version log file, such as applet.log.old). If an older version already exists, the newer version overwrites the older version, and new incoming messages are written to the active log file.

You can configure the applet to scan a number of files concurrently. The MaxNumberOfParallelScanning parameter in the configuration file (written as the MaxNumberofParallelFileScanning attribute of the Resource element in the example configuration) specifies the maximum number of files the applet can scan concurrently. The default is 100.

Note: Parallel scanning affects memory usage. Depending on the memory available, if you set the value for parallel scanning too high, your network operations might take a long time or the entire network might fail.


If you want the applet to use more than one virus-scan engine, add the IP addresses for each into the configuration file so the client library can automatically load balance over the virus scan engines. The following example shows an applet using two Symantec AntiVirus Scan Engines, 10.2.14.150 and 10.2.14.151. Both use the default port, 1344.

<ONStorVirusScanApplet>
  <LogFile mode="enable" name="VScanApplet.log" />
  <Resource MaxNumberofParallelFileScanning="100" />
  <ScanEngine>
    <Symantec>
      <Engine IP="10.2.14.150" Port="1344" />
      <Engine IP="10.2.14.151" Port="1344" />
    </Symantec>
  </ScanEngine>
</ONStorVirusScanApplet>

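As an added example (not ONStor or Symantec code), the following script checks an ONStorVirusScanApplet.config file against the advice given above before the applet is restarted: engine addresses and ports, logging mode, and the parallel scan limit. The element and attribute names are taken from the guide's example configuration; the function name, the rule set, and the second sample configuration are assumptions constructed for the illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

DEFAULT_PARALLEL = 100    # default parallel scan limit stated in the guide
MIN_PORT_ADVISED = 1025   # guide: if you change the port, use a number greater than 1024

# The guide's default configuration.
GUIDE_DEFAULT = """<ONStorVirusScanApplet>
  <LogFile mode="disable" name="VScanApplet.log" />
  <Resource MaxNumberofParallelFileScanning="100" />
  <ScanEngine><Symantec>
    <Engine IP="127.0.0.1" Port="1344" />
  </Symantec></ScanEngine>
</ONStorVirusScanApplet>"""

# Constructed sample with several problems an administrator might introduce.
SAMPLE_CONFIG = """<ONStorVirusScanApplet>
  <LogFile mode="enable" name="VScanApplet.log" />
  <Resource MaxNumberofParallelFileScanning="500" />
  <ScanEngine><Symantec>
    <Engine IP="10.2.14.150" Port="1344" />
    <Engine IP="10.2.14.150" Port="1344" />
    <Engine IP="10.2.14.151" Port="80" />
    <Engine IP="10.2.14.999" Port="1344" />
  </Symantec></ScanEngine>
</ONStorVirusScanApplet>"""

def lint_applet_config(xml_text):
    """Return a list of (severity, message) findings; an empty list means no issues."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("error", f"not well-formed XML: {exc}")]
    if root.tag != "ONStorVirusScanApplet":
        return [("error", f"unexpected root element <{root.tag}>")]
    findings = []

    # Logging: the guide advises leaving it disabled because it slows scanning.
    log = root.find("LogFile")
    if log is not None:
        mode = log.get("mode", "")
        if mode == "enable":
            findings.append(("warning", "LogFile mode is 'enable'; this slows virus scanning"))
        elif mode != "disable":
            findings.append(("error", f"LogFile mode {mode!r} is neither 'enable' nor 'disable'"))

    # Parallel scanning: a value that is too high can exhaust memory on the applet host.
    res = root.find("Resource")
    if res is not None:
        raw = res.get("MaxNumberofParallelFileScanning", "")
        if not raw.isdigit() or int(raw) < 1:
            findings.append(("error", f"parallel scan limit {raw!r} is not a positive integer"))
        elif int(raw) > DEFAULT_PARALLEL:
            findings.append(("warning", f"parallel scan limit {raw} is above the default of "
                                        f"{DEFAULT_PARALLEL}; confirm available memory"))

    # Scan engines: each entry needs a valid address and a port matching the engine's ICAP port.
    engines = root.findall("./ScanEngine/Symantec/Engine")
    if not engines:
        findings.append(("warning", "no <Engine> entries found"))
    seen = set()
    for eng in engines:
        ip_raw, port_raw = eng.get("IP", ""), eng.get("Port", "")
        try:
            ip = ipaddress.ip_address(ip_raw)
        except ValueError:
            findings.append(("error", f"engine IP {ip_raw!r} is not a valid IP address"))
            continue
        if not port_raw.isdigit() or not 1 <= int(port_raw) <= 65535:
            findings.append(("error", f"engine {ip}: port {port_raw!r} is not a valid TCP port"))
            continue
        port = int(port_raw)
        if port < MIN_PORT_ADVISED:
            findings.append(("warning", f"engine {ip}: port {port} is not greater than 1024"))
        if (ip, port) in seen:
            findings.append(("warning", f"engine {ip}:{port} is listed more than once"))
        seen.add((ip, port))
    return findings

if __name__ == "__main__":
    for severity, message in lint_applet_config(SAMPLE_CONFIG):
        print(f"{severity.upper():8} {message}")
```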

Chapter

Configuring Symantec AntiVirus for EMC Celerra Network Server


This chapter includes the following topics:

- About software components
- How Symantec Scan Engine works with EMC Celerra Network Server
- About preparing for installation
- About configuring Symantec Scan Engine
- About configuring EMC Celerra Network Server
- Known issue with EMC Celerra Network Server
- Recommendations while integrating multiple scan engines

About software components


Symantec AntiVirus for Network Attached Storage provides virus scanning and repair capabilities for the EMC Celerra series of network-attached storage (NAS) devices. To add antivirus scanning to EMC Celerra Network Server, install and configure the following components:


Symantec Scan Engine

Provides the virus scanning and repair services. For more information, see the Symantec Scan Engine Implementation Guide.

CAVA or Celerra Anti Virus Agent

Provides the virus scanning functionality and ensures the seamless integration of Symantec Scan Engine with EMC Celerra Network Server. See About installing the Celerra Anti Virus Agent on page 145. Use the CAVA calculator to estimate the number of Celerra Anti Virus Agents for your network. For more information on the CAVA calculator, see the appropriate EMC Celerra documentation.

Virus-checking client (VC client)

Queues file names to the Celerra Anti Virus Agent. It is the agent component on EMC Celerra Network Server. See About configuring virus scanning on EMC Celerra Network Server on page 146.

How Symantec Scan Engine works with EMC Celerra Network Server
Symantec AntiVirus for Network Attached Storage provides virus scanning and repair capabilities for the EMC Celerra series of network-attached storage devices. The Celerra Anti Virus Agent uses the Internet Content Adaptation Protocol (ICAP) to communicate with Symantec Scan Engine 5.1.X and higher. However, CAVA uses the Native protocol to communicate with Symantec Scan Engine 4.3.X. In a typical EMC Celerra Network Server environment, a minimum of two scan engines is required to handle scan volume. Based on the number of Celerra Anti Virus Agents (CAVAs) and the size of the network, the CAVA sizing tool gives the ideal number of scan engines that must be installed in the network. For more information on the CAVA sizing tool, see the appropriate EMC Celerra documentation. EMC Celerra Network Server handles load balancing across multiple scan engines and Celerra Anti Virus Agents automatically.


How are files scanned


The Celerra Anti Virus Agent is configured to scan a file when it is closed, if it has been modified. You can also enable a scan-on-read option on the Celerra Network Server. A file is scanned on first-read and rename also. See About scanning on read on page 133.

When a user modifies or accesses a file, the Virus-checking client on EMC Celerra Network Server triggers a scan and queues the file path name to the Celerra Anti Virus Agent. The Celerra Anti Virus Agent opens a connection with Symantec Scan Engine. The Celerra Anti Virus Agent then passes the file path name to the scan engine. Symantec Scan Engine opens and scans the file, after which, the Celerra Anti Virus Agent closes the connection with the scan engine.

Symantec Scan Engine indicates the scanning results to the Celerra Anti Virus Agent after a file is scanned. The scan engine also repairs the file on EMC Celerra Network Server if a file is infected and can be repaired. After the Celerra Anti Virus Agent receives the scanning results and reports that the file is clean, EMC Celerra Network Server allows access to the requesting user.

You can configure the action to be taken with infected files by specifying the scan policy on Symantec Scan Engine. The scan engine repairs infected but repairable files in its place on EMC Celerra Network Server. This repaired file is passed to the requesting user. The user is denied access to the file, and the infected file is quarantined if the file is infected and cannot be repaired. However, the user will need to configure Symantec Scan Engine to quarantine an unrepairable file. See About quarantining unrepairable files on Symantec Scan Engine on page 135.

About scanning on read


The scan-on-read feature is disabled by default. This functionality can be enabled by using the server_viruschk command when configuring the Virus-checking client on the Celerra Network Server.

Once the scan-on-read option has been enabled, the Celerra Anti Virus Agent uses the file's access time to determine whether a file should be scanned on read. When the user tries to open a file, the Celerra Anti Virus Agent compares the file's access time with a reference time. This reference time is stored in the virus checker configuration file found on EMC Celerra Network Server. If the file access time is before the reference time, then the file is scanned on read. The reference time can be set or disabled by the server_viruschk command. The Celerra Anti Virus Agent informs the Celerra Network Server to set the access time each time the virus definition files are updated on Symantec Scan Engine.


For more information, see the appropriate EMC Celerra documentation.

About specifying which file types are scanned


To specify the file types to be scanned for viruses, configure settings and parameters on both the Virus-checking client (VC client) and Symantec Scan Engine.

About specifying file types on the Virus-checking client


Based on file extensions, the Virus-checking client initially determines whether it should pass a file to the Celerra Anti Virus Agent and then to Symantec Scan Engine for scanning. You configure which files are passed to Symantec Scan Engine for scanning by modifying the masks= and excl= parameters in the viruschecker.conf file on EMC Celerra Network Server.

You can control which files are scanned by using an exclusion list or an inclusion list, or you can scan all files regardless of extension. The exclusion list is defined in the viruschecker.conf file by the excl= parameter and the inclusion list is defined by the masks= parameter. Configure the Celerra Anti Virus Agent to pass all file types to the scan engine except those that are contained in the exclusion list. The exclusion list contains extensions for those file types that are not likely to contain viruses and can be excluded from scanning. See About configuring virus scanning on EMC Celerra Network Server on page 146.

About specifying file types on Symantec Scan Engine


You can configure Symantec Scan Engine so that selected file types and file extensions are excluded from scanning. The scan policy on Symantec Scan Engine is as important as the Virus-checking client setting. The scan policy on the scan engine determines which files to scan upon receiving a file from the Celerra Anti Virus Agent. The scanned files are those contained in archive or container file formats. You can control which embedded files are scanned by using the file type and extension exclusion list, or you can scan all files regardless of extension.

Note: When exclusion lists are used, not all file types are scanned; therefore, new types of viruses might not be detected. Scanning all files regardless of extension and type is the most secure setting, but it imposes the heaviest demand on resources. During virus outbreaks, you might want to scan all files even if you normally control the file types that are scanned with the exclusion list.

For more information, see the Symantec Scan Engine Implementation Guide.


See Specifying which file types to scan on the scan engine on page 139.

About specifying the scan policy


You configure the scan policy through the Symantec Scan Engine administrative interface. When an infected file is found, the scan engine can do any of the following:
Scan only: Scan files for viruses, but do nothing to infected files.
Scan and delete: Scan files for viruses, and delete any infected files that are embedded in archive or container files without trying to repair.
Scan and repair files: Try to repair infected files, but do nothing to unrepairable files (that is, do not delete the files from archive or container files).
Scan and repair or delete: Try to repair infected files, and delete unrepairable files from archive or container files.

About quarantining unrepairable files on Symantec Scan Engine


You can configure Symantec Scan Engine to quarantine files that are infected with viruses and are unrepairable. You must provide the host name or IP address of a Windows 2000 Server/Windows 2003 Server/Windows 2008 Server that has the Symantec Quarantine Server installed. For more information, see the Symantec Scan Engine Implementation Guide.

About preparing for installation


The computer on which you plan to install Symantec Scan Engine must meet the system requirements that are listed in the Symantec Scan Engine Implementation Guide. After you have installed Symantec Scan Engine, configure the virus scanning functionality on EMC Celerra Network Server by installing the Celerra Anti Virus Agent (CAVA) on each server that functions as the scan engine. Also, configure the Virus-Checking client on EMC Celerra Network Server.


About configuring Symantec Scan Engine


You must configure several settings on each Symantec Scan Engine that is used to support scanning for EMC Celerra Network Server.

Note: The configuration settings on each scan engine must be identical if you use multiple scan engines to support scanning. LiveUpdate and Rapid Release should be scheduled to occur at the same time on all scan engines so that virus definitions are consistent at all times.

The scan engine must be configured to use ICAP as the communication protocol. ICAP is the default protocol at installation. After you have selected ICAP, you can configure ICAP-specific options.

Configuring ICAP-specific options


After you install Symantec Scan Engine, you can configure several settings that are specific to the ICAP protocol through the Symantec Scan Engine administrative interface. If Symantec Scan Engine has already been configured to use another protocol, you also can change the protocol through the administrative interface. However, you must manually restart the Symantec Scan Engine. For more information about accessing the administrative interface, see the Symantec Scan Engine Implementation Guide. Table 8-1 describes the protocol-specific options for ICAP.


Table 8-1 Protocol-specific options for ICAP

Option: Bind address
Description: Symantec Scan Engine detects all of the available IP addresses that are installed on the host. By default, Symantec Scan Engine accepts scanning requests on (binds to) all of the scanning IP addresses that it detects. You can configure up to 64 IP addresses as scanning IP addresses. You can specify whether you want Symantec Scan Engine to bind to all of the IP addresses that it detects, or you can restrict access to one or more interfaces. If you do not specify at least one IP address, Symantec Scan Engine binds to all of the scanning IP addresses that it detects. If Symantec Scan Engine fails to bind to any of the selected IP addresses, an event is written to the log as a critical error. Even if Symantec Scan Engine is unable to bind to any IP address, you can access the console. However, scanning functionality is unavailable.
Note: You can use 127.0.0.1 (the loopback interface) to let only the clients that are running on the same computer connect to Symantec Scan Engine.

Option: Port number
Description: The port number must be exclusive to Symantec Scan Engine. For ICAP, the default port number is 1344. If you change the port number, use a number greater than 1024 that is not in use by any other program or service.

Option: Scan policy
Description: When an infected file is found, Symantec Scan Engine can do any of the following:
Scan only: Scan files for viruses, but do nothing to infected files.
Scan and delete: Scan files for viruses, and delete any infected files that are embedded in archive or container files without trying to repair.
Scan and repair files: Try to repair infected files, but do nothing to unrepairable files (that is, do not delete the files from archive or container files).
Scan and repair or delete: Try to repair infected files, and delete unrepairable files from archive or container files.
Note: If you choose the data trickle feature, the virus scan policy is automatically set to Scan only.

Option: Enable trickle
Description: This setting provides users with a quicker download response and avoids possible session time-out errors. Data trickling is disabled by default.

Option: Time before trickle data starts
Description: You can specify how long the scan process should run before data trickling begins.

To configure ICAP-specific options

1. On the Symantec Scan Engine administrative interface, in the left pane, click Configuration.
2. Under Views, click Protocol.
3. In the right pane, under Select Communication Protocol, click ICAP. The configuration settings are displayed for the selected protocol.
4. In the Port number box, type the TCP/IP port number that the NAS Anti Virus Agent uses to pass files to Symantec Scan Engine for scanning.
5. In the Scan policy list, select how you want Symantec Scan Engine to handle infected files.
6. Check Enable trickle to enable the data trickle feature. The scan policy is automatically set to Scan only. However, enabling data trickle can compromise antivirus integrity. The data that is trickled to the user might contain a virus. You also cannot use the Quarantine feature when you enable data trickling. For more information, see the Symantec Scan Engine Implementation Guide.
7. Type the number of seconds that the scan process should run before data trickling begins. The setting defaults to 5 seconds and can be up to a maximum of 86400 seconds.
8. On the toolbar, select one of the following:
   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.

Specifying which file types to scan on the scan engine


The settings on Symantec Scan Engine must be configured to specify the types of files to be scanned for viruses. The scan policy on the scan engine determines which files it should scan from the Celerra Anti Virus Agent. The scanned files are those contained in archive or container file formats. You can control which embedded files are scanned by using an extension or type exclusion list, or you can scan all files regardless of extension and type. A prepopulated extension and type exclusion list exists that you can modify. Symantec Scan Engine is configured by default to scan all files.

Note: Symantec Scan Engine examines the first few bytes of every file to determine whether the file could contain a virus. This action occurs even if the file extension is not one that was identified for scanning. Based on this examination, the scan engine may scan a file even though it has not been identified for scanning.

For more information, see the Symantec Scan Engine Implementation Guide. See About configuring virus scanning on EMC Celerra Network Server on page 146.


Specify which file types to scan on the scan engine


You can control which file types are scanned by specifying those extensions that you want to exclude from scanning, or you can scan all files regardless of extension.

To scan all files except for those that are in the file extension exclusion list

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files except those in the extension or type exclude lists. When you enable this option, both the file extension exclude list and the file type exclude list are activated automatically.
4. Type each file extension that you want to add to the list on a separate line. Use a period with each extension in the list.
5. To remove a file extension from the list, select it and delete it from the File extension exclude list.
6. To restore the default file extension exclude list, in the left pane, under Tasks, click Reset Default List. This option restores the default file-type exclude list and the file-extension exclude list.
7. On the toolbar, select one of the following:
   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.

To scan all file types except those in the file type exclusion list

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files except those in the extension or type exclude lists. When you enable this option, both the file type exclude list and the file extension exclude list are activated automatically.
4. Type each file type you want to add to the list on a separate line. To include all subtypes for a file type, use the wildcard character /*. For more information on how to write the file types, see the Symantec Scan Engine Implementation Guide.
5. To remove a file type from the list, select it and delete it from the File type exclude list.
6. To restore the default file type exclude list, in the left pane, under Tasks, click Reset Default List. This option restores the default file-type exclude list and the file-extension exclude list.
7. On the toolbar, select one of the following:
   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.

To scan all files regardless of extension or type

1. On the Symantec Scan Engine administrative interface, in the left pane, click Policies.
2. Under Views, click Scanning.
3. In the right pane, under Files to Scan, click Scan all files.
4. On the toolbar, select one of the following:
   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.

Specifying container handling limits


File attachments that consist of container files can overload the system and cause denial-of-service attacks. They can be overly large, contain large numbers of embedded, compressed files, or be designed to maliciously use resources and degrade performance. Symantec Scan Engine can be configured to impose limits on how container files are handled. This reduces the network's exposure to denial-of-service attacks. You can specify the following limits for handling container files:

- The maximum amount of time, in seconds, that is spent decomposing a container file and its contents. This setting does not apply to .hqx or .amg files.
- The maximum file size, in megabytes, for the individual files that are in a container file
- The maximum number of nested levels to decompose for scanning
- The maximum number of bytes that are read when determining whether a file is MIME-encoded

You can specify whether to allow or deny access to the file if any of these specified limits is met or exceeded. Symantec Scan Engine blocks container files based on their type, because only certain file types contain viruses or malicious code. You can configure Symantec Scan Engine to block partial container files, malformed container files, and encrypted container files as well. For more information on container handling limits, see the Symantec Scan Engine Implementation Guide.


Scheduling LiveUpdate to update virus definitions automatically


Scheduling LiveUpdate to occur automatically at a specified time interval ensures that Symantec Scan Engine always has the most current virus definitions. Schedule LiveUpdate to occur at the same time for each scan engine if you use multiple scan engines to support virus scanning. This scheduling ensures that all scan engines have the same version of virus definitions. Having the same version of virus definitions is necessary for proper functioning of virus scanning on EMC Celerra Network Server. You must schedule LiveUpdate on each Symantec Scan Engine.

When LiveUpdate is scheduled, LiveUpdate runs at the specified time interval relative to the LiveUpdate base time. The default LiveUpdate base time is the time that the scan engine was installed. You can change the LiveUpdate base time. If you change the scheduled LiveUpdate interval, the interval adjusts based on the LiveUpdate base time. For more information on changing the base time, see the Symantec Scan Engine Implementation Guide.

To schedule LiveUpdate to update virus definitions automatically

1. On the Symantec Scan Engine administrative interface, in the left pane, click System.
2. Under Views, click LiveUpdate Content.
3. In the right pane, under LiveUpdate Content, check Enable scheduled LiveUpdate. This option is enabled by default.
4. In the LiveUpdate interval drop-down list, choose an interval. You can select from 2, 4, 8, 10, 12, or 24-hour intervals. The default LiveUpdate interval is 2 hours.
5. On the toolbar, select one of the following:
   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.


Configuring Rapid Release updates to occur automatically


You can configure Symantec Scan Engine to obtain uncertified definition updates with Rapid Release. You can configure Symantec Scan Engine to retrieve Rapid Release definitions every 5 minutes to every 120 minutes. Rapid Release definitions are created when a new threat is discovered. Rapid Release definitions undergo basic quality assurance tests by Symantec Security Response. However, they do not undergo the intense testing that is required for a LiveUpdate release. Symantec updates Rapid Release definitions as needed to respond to high-level outbreaks.

Warning: Rapid Release definitions do not undergo the same rigorous quality assurance tests as LiveUpdate and Intelligent Updater definitions. Symantec encourages users to rely on the full quality-assurance-tested definitions whenever possible. Ensure that you deploy Rapid Release definitions to a test environment before you install them on your network.

If you use a proxy or firewall that blocks FTP communications, the Rapid Release feature does not function. Your environment must allow FTP traffic for the FTP session to succeed.

You can schedule Rapid Release updates to occur automatically at a specified time interval to ensure that Symantec Scan Engine always has the most current definitions. Scheduled Rapid Release updates are disabled by default.

Configuring Rapid Release updates to occur automatically

1. On the Symantec Scan Engine administrative interface, in the left pane, click System.
2. Under Views, click Rapid Release Content.
3. In the content area under Rapid Release Content, check Enable scheduled Rapid Release to enable automatic downloads of Rapid Release definitions. This option is disabled by default.
4. In the Rapid Release interval box, to specify the interval between which you want Symantec Scan Engine to download Rapid Release definitions, do any of the following steps:
   - Type the interval.
   - Click the up arrow or down arrow to select the interval.
   You can select any number between 5 minutes and 120 minutes. The default value is 30 minutes.
5. On the toolbar, select one of the following:
   Save: Saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
   Apply: Applies your changes. Your changes are not implemented until you apply them.

About configuring EMC Celerra Network Server


You must register at least one Symantec Scan Engine for each EMC Celerra Network Server for which you provide virus scanning. You must also configure the virus scan functionality on EMC Celerra Network Server in accordance with the EMC Celerra documentation. Install the Celerra Anti Virus Agent (CAVA) on each server that functions as the scan engine.

About installing the Celerra Anti Virus Agent


During the Celerra Anti Virus Agent installation procedure, ensure that you do all of the following:

- Create a user account (for the CAVA server) in the domain to which each EMC Celerra Network Server belongs.
- Create a local group on each EMC Celerra Network Server and then add the CAVA user to this group. Assign virus-checking rights to this group in accordance with the EMC Celerra documentation. Also, assign local administrative rights to the CAVA user. For more information, see the appropriate EMC Celerra documentation.
- Configure virus scanning on EMC Celerra Network Server by setting certain virus checking parameters in the viruschecker.conf file. See About configuring virus scanning on EMC Celerra Network Server on page 146.
- Install the Celerra Anti Virus Agent on each server on which you installed Symantec Scan Engine. For more information, see the appropriate EMC Celerra documentation.
- Start the Virus-checking client (VC client) on each EMC Celerra Network Server. See About starting the Virus-checking client on page 149.

About registering Symantec Scan Engine


You must register at least one Symantec Scan Engine to provide the virus scanning for each EMC Celerra Network Server in the group. In a typical environment, a minimum of two scan engines is required to handle scan volume. Having one scan engine can cause denial-of-file access in case the scan engine does not respond or is not available. EMC Celerra Network Server handles load balancing across multiple scan engines and Celerra Anti Virus Agents automatically.

Note: You do not need to register the same scan engine to each EMC Celerra Network Server in the group. You can register different scan engines to different EMC Celerra Network Servers in the group. All of the scan engines in the same group must have identical configurations.

Register Symantec Scan Engine by editing the addr parameter in the viruschecker.conf file on EMC Celerra Network Server. The viruschecker.conf file contains the virus checking parameters for each EMC Celerra Network Server in the group. You must provide the IP address or Fully Qualified Domain Name (FQDN) of the scan engine in the format addr=10.217.1.195 in the viruschecker.conf file on the Celerra Data Mover. Use colons to separate IP addresses of multiple scan engines, if any.

About configuring virus scanning on EMC Celerra Network Server


You must configure virus scanning (or the Virus-checking client) for each EMC Celerra Network Server. The Virus-checking client is the agent component on EMC Celerra Network Server. The VC client queues file names to the Celerra Anti Virus Agent for scanning. You configure the virus scan functionality (the Virus-checking client) by setting certain virus checking parameters in the viruschecker.conf file. Table 8-2 describes some parameters that you should configure in the viruschecker.conf file for virus scan functionality.


Table 8-2 Viruschecker.conf file parameters

Parameter: masks=
Description: Specify the file types to be passed to Symantec Scan Engine for scanning. This parameter defines the inclusion list. masks=*.* scans all files. Scanning all files regardless of type is the most secure setting, but it imposes the heaviest demand on resources. The recommended setting is to pass all file types to the scan engine except those that are contained in the exclusion list.

Parameter: excl=
Description: Specify the file types that should not be passed to Symantec Scan Engine for scanning. This parameter defines the exclusion list. This setting is similar to the Files to scan setting on Symantec Scan Engine. You must configure this setting on both EMC Celerra Network Server and Symantec Scan Engine.

Parameter: addr=
Description: Specify the IP address or FQDN of each scan engine to be used for scanning. Enter the IP addresses separated by colons, if there are multiple scan engines.

Parameter: maxsize=<n>
Description: Specify an upper limit for the size of files to be scanned. The file size is entered as a hexadecimal number with a prefix of 0x. Although you can choose a file size up to 0xFFFFFFFF (4 GB), Symantec Scan Engine can scan a maximum file size of 2047 MB (or 2 GB). If the maxsize parameter is not set or is equal to 0, then there is no limit to the maximum file size.

Parameter: highWaterMark=<n>
Description: Specify the upper limit for the number of scan requests occurring concurrently. Once this limit is reached, a log event is sent to EMC Celerra Network Server. The default value is 200.

Parameter: lowWaterMark=<n>
Description: Specify the lower limit for the number of scan requests occurring concurrently. If the number of scan requests goes below the lowWaterMark value, a log event is sent to EMC Celerra Network Server. The default value is 50.

Parameter: surveyTime=<n>
Description: Specify (in seconds) the interval at which registered scan engines are contacted to confirm their status. This parameter works in conjunction with the shutdown parameter and will trigger a shutdown if no scan engine is available. The default value is 60.

Parameter: shutdown=
Description: Specify the shutdown action to take if no scan engine is available.
shutdown=no: Contact the list of registered scan engines continuously even if scan engines are not available. This is the default option.
shutdown=viruschecking: Stop the virus checking functionality if there are no available scan engines.
shutdown=cifs: Stops CIFS so that clients are denied access to EMC Celerra Network Server.

After configuring the virus checking parameters in the viruschecker.conf file, copy the file to the correct directory in EMC Celerra Network Server and to each EMC Celerra Network Server in the group. For more information, see the appropriate EMC Celerra documentation. Note: The virus scan functionality for each EMC Celerra Network Server in a group must be configured identically to avoid inconsistency. The scan results and repair results for infected files will be inconsistent if the settings differ for each EMC Celerra Network server in the group. Thus, it is necessary that the same viruschecker.conf file be copied to the correct directory and to each EMC Celerra Network Server in the group.


Install the Celerra Anti Virus Agent on each server that functions as the scan engine in the domain. For more information on installing the Celerra Anti Virus Agent, see the appropriate EMC Celerra documentation.
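The checks that Table 8-2 and its notes call for can be automated before a viruschecker.conf is copied to the group. The following Python sketch is an added example, not code from Symantec or EMC: it flags the settings the guide warns about (a single scan engine, a maxsize above the 2047 MB engine limit, shutdown=no) and reports parameters that differ between servers. The colon separator for masks= and excl=, case-insensitive matching, "#" comment lines, and all function and server names are assumptions.

```python
import fnmatch

ENGINE_MAX_BYTES = 2047 * 1024 * 1024  # largest file the scan engine scans (guide)
DEFAULTS = {"highWaterMark": "200", "lowWaterMark": "50",
            "surveyTime": "60", "shutdown": "no"}  # defaults from Table 8-2

# Constructed sample; the addr value is the one the guide uses as its format example.
SAMPLE_CONF = """\
masks=*.*
excl=*.tmp:*.pst
addr=10.217.1.195
maxsize=0xFFFFFFFF
shutdown=no
"""


def parse_conf(text):
    """Return the parameters as a dict with the guide's defaults filled in."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:  # '#' comments: assumption
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def items(value):
    """Split a colon-separated list (assumed for masks/excl), dropping empties."""
    return [v for v in value.split(":") if v]


def _matches(name, patterns):
    # The guide says masks=*.* scans all files, so "*.*" also covers dotless names.
    return any(p == "*.*" or fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def is_passed_to_engine(filename, conf):
    """True if the VC client would queue this file name for scanning."""
    name = filename.lower()  # case-insensitive matching is an assumption
    return (_matches(name, items(conf.get("masks", "")))
            and not _matches(name, items(conf.get("excl", ""))))


def lint(conf):
    """Return (severity, message) findings for one parsed viruschecker.conf."""
    out = []
    engines = items(conf.get("addr", ""))
    if not engines:
        out.append(("error", "addr: no scan engine registered"))
    elif len(engines) < 2:
        out.append(("warn", "addr: one scan engine only; the guide asks for at least two"))
    if "*.*" not in items(conf.get("masks", "")):
        out.append(("warn", "masks: inclusion list does not cover all files"))
    for pattern in items(conf.get("excl", "")):
        out.append(("info", f"excl: {pattern} is never passed to the scan engine"))
    raw = conf.get("maxsize", "0")
    try:
        if raw != "0" and not raw.lower().startswith("0x"):
            raise ValueError(raw)
        limit = int(raw, 16)
    except ValueError:
        out.append(("error", f"maxsize: {raw!r} is not a 0x-prefixed hexadecimal number"))
    else:
        if limit == 0 or limit > ENGINE_MAX_BYTES:
            out.append(("warn", "maxsize: allows files larger than the 2047 MB "
                                "that the scan engine can scan"))
    try:
        if int(conf["lowWaterMark"]) >= int(conf["highWaterMark"]):
            out.append(("warn", "lowWaterMark is not below highWaterMark"))
    except ValueError:
        out.append(("error", "highWaterMark and lowWaterMark must be integers"))
    action = conf["shutdown"]
    if action not in ("no", "viruschecking", "cifs"):
        out.append(("error", f"shutdown: unknown action {action!r}"))
    elif action == "no":
        out.append(("warn", "shutdown=no: file access continues while no scan engine is available"))
    elif action == "viruschecking":
        out.append(("warn", "shutdown=viruschecking: virus checking stops when no engine is available"))
    return out


def drift(confs):
    """Map each parameter that differs between servers to its per-server values."""
    keys = set().union(*confs.values())
    return {k: {name: c.get(k) for name, c in confs.items()}
            for k in sorted(keys)
            if len({c.get(k) for c in confs.values()}) > 1}


if __name__ == "__main__":
    first = parse_conf(SAMPLE_CONF)
    second = parse_conf(SAMPLE_CONF.replace("shutdown=no", "shutdown=cifs"))
    for severity, message in lint(first):
        print(f"{severity:5} {message}")
    # nas-a and nas-b are hypothetical server names.
    print("drift:", drift({"nas-a": first, "nas-b": second}))
```

An empty result from drift() across every server in the group corresponds to the guide's requirement that the same viruschecker.conf be copied to each EMC Celerra Network Server.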

About starting the Virus-checking client


After the Celerra Anti Virus Agent is installed and configured, use the server_setup command at the Control Station on each EMC Celerra Network Server to start the VC client. The VC client queues file names to the Celerra Anti Virus Agent for scanning. The VC client also informs Symantec Scan Engine what should be done with an infected file, based on user-configured options.

About executing a full file system scan


You can execute a full file system scan by running the server_viruschk -fsscan command on the Control Station on EMC Celerra Network Server. However, the Celerra Anti Virus Agent must be enabled and running for this function to occur. You can enquire about the status of the scan while the scan is in progress. You can stop the full file system scan as well. For more information, see the appropriate EMC Celerra documentation.

Known issue with EMC Celerra Network Server


When none of the registered Symantec Scan Engines are available, scan requests are queued until a scan engine is available. The scan engines are contacted, by default, every 60 seconds to determine their status. You can configure the shutdown= parameter in the viruschecker.conf file to define the shutdown action to take when no registered Symantec Scan Engine is available. The shutdown=no configuration achieves continuous file access even if none of the registered Symantec Scan Engines are available. Select the option of shutdown=cifs to deny users any access to CIFS shares if no scan engine is available. See Table 8-2 on page 147.

Recommendations while integrating multiple scan engines


The recommendations while integrating multiple scan engines with EMC Celerra Network Server are as follows:

- Configure the settings on each Symantec Scan Engine to be identical.
- Schedule LiveUpdate and Rapid Release to occur at the same time on all of the scan engines. This ensures that virus definitions are consistent.
- Configure the virus scan functionality to be identical for each EMC Celerra Network Server in a group to avoid inconsistency. The scan results and repair results for infected files will be inconsistent if the settings differ for each appliance in a group.
- Delete the IP address of the scan engine (that is being removed) from the viruschecker.conf file before shutting down the Celerra Anti Virus Agent.


L
Linux system requirements 22

M
malicious code 18 masks= 134

N
NAVEX 19 NetApp Filer activate virus scanning 45 adding Symantec AntiVirus 27 backups 46 cache 35, 47 configure 44, 125 configuring for virus scanning 44 Data ONTAP 28 edit list 34 editing service startup properties 31

H
Hitachi Essential NAS Platform 15 High-performance NAS Platform 15

Index

153

NetApp Filer (continued) overview of virus scanning 28, 106, 116 protocol 28 protocol and supported version 15 quarantining infected files 38 rollback 45 software components 27, 105 specify file extensions 45 Symantec antivirus supported 15 system requirements 31 user notification of infection found 36, 117 verify scan engine registration 45 vscan extensions exclude add 45 vscan extensions exclude remove 45 vscan extensions include add 45 vscan extensions include remove 45 vscan extensions include reset 45 NetApp Filer:specifying files to scan 39 Network Appliance Filer 15, 27 Network File System 28 NFS 28 notification message event security level 94 information contained 36, 94 scan policy 94 virus name 36, 94 notification of infection found BlueArc Storage System and Hitachi High-performance NAS Platform 88, 94 NetApp Filer 36, 117

quarantining infected files BlueArc Storage System and Hitachi High-performance NAS Platform 95 NetApp Filer 38

R
Rapid Release automatic update 100 RPC client list 32 configure 32, 93 handling infected files 29, 106, 117 reconnect attempts 32 RPC client list 32, 107, 118 RPC options antivirus scan policy 91 automatically send antivirus update notifications 91 check RPC connection 91 maximum number of reconnect attempts 91 RPC client list 91 RPC protocol NetApp Filer 28, 116 options 32, 91

S
scan policy notification message 36 specify 52, 70 server_viruschk 133 service startup properties BlueArc Storage System and Hitachi High-performance NAS Platform 90 edit for RPC 31, 90 NetApp Filer 31 software components about 14 BlueArc Storage System and Hitachi High-performance NAS Platform 86 NetApp Filer 27, 105 Solaris system requirements 21 Striker 19 Sun Storage 7000 Series 15 StorageTek 5000 NAS Appliance 15 Sun Storage 7000 Series caching 68

O
ONStor EverON 15

P
policy virus scan 13 polymorphic viruses 19 Preparing for installation 31

Q
quarantine irreparable file 28, 38, 106, 116117 procedure 38, 95 RPC scan policy 38, 95 unrepairable file 29, 95

154

Index

Sun Storage 7000 Series (continued) configure virus scanning 81 file scanning 68 firmware version 68 handling infected files 70 ICAP 68 installation 20 known issues 83 registering Symantec Scan Engine 81 scanning overview 68 software components 67 specify file types 69 specifying files to scan 74 Symantec antivirus supported 15 Sun StorageTek 5000 NAS Appliance caching 51 Common Internet File System (CIFS) 50 configure virus scanning 6263 enable Anti Virus 63 extensions for scanning 63 file scanning 50 handling infected files 52 known issues 65, 149 maximum connections 63 maximum file size for scanning 63 NAS Anti Virus Agent 49 NAS Anti Virus Agent settings 63, 81 protocol 50 registering Symantec Scan Engine 63 scan engine IP address and port number 63 scanning overview 50 specify file types 51 specifying files to scan 56 Symantec antivirus supported 15 Symantec anitvirus technology Bloodhound 19 examples 19 NAVEX 19 Striker 19 Symantec AntiVirus for Network Attached Storage documentation 16 Integration Guide 17 Symantec Antivirus for Network Attached Storage software components 14 supported devices 15 Symantec Central Quarantine 38, 95 Symantec Scan Engine about 14 administrative interface 31

Symantec Scan Engine (continued) change protocol 31 configure 31 configuring for EMC Celerra Network Server 136 configuring for NetApp Filer 31, 107, 118 configuring for Sun Storage 7000 Series 71 container handling limits 59 default list 57, 75 documentation 17 enable Windows messenger logging 94 LiveUpdate 60, 78, 99, 143 protocols 1415 quarantine 28, 53, 135 Rapid Release 43, 61, 79, 144 scan all files 40, 97 scan policy 134135 specify file types 51 virus protection 19 Symantec Scan Engine Implementation Guide about 17 Symantec Scan Engine:configuring for Sun StorageTek 5000 NAS Appliance 53 Symantec Security Response about 20 infected files 38, 95 website 20

T
trojan horses 19

U
unrepairable files 29 unrepairable infected file 38 unresponsive scan engines 46

V
virus definition date 88 heuristically detected 38, 95 notification 30, 88, 106, 117 user identification 30, 88, 117 virus checker configuration file 133 virus definition automatic notification 35 automatic update 42, 60, 78, 99, 143 manual notification 112, 121 new 38, 95 on updating 35

Index

155

virus definition (continued) Rapid Release definitions 43, 79, 100, 144 virus definition date 117 virus protection description 19 for network attached storage 18 why 18 virus scan functionality 63, 81 virus scan policy 13 virus scanning add 14 virus-checking client specify file types 134 starting 149 virus-checking rights 145 viruschecker.conf 134, 146 viruschecker.conf file parameters addr= 146 excl= 146 highWaterMark= 146 lowWaterMark= 146 masks= 146 maxsize= 146 shutdown= 146 surveyTime= 146 VSCAN 67 vscan 45 vscan off 45 vscan on 45 vscan options mandatory_scan 46 vscan options timeout 46 vscan reset 28

W
wildcard extension ??? 45 Windows messenger service 36 Windows service startup properties 31

You might also like