Antivirus architecture
The NetApp antivirus architecture consists of Vscan server software and associated settings.
Vscan server software
You must install this software on the Vscan server.
-
ONTAP Antivirus Connector
This is NetApp-provided software that handles scan request and response communication between the SVMs and antivirus software. It can run on a virtual machine, but for best performance use a physical machine. You can download this software from the NetApp Support Site (requires login).
-
Antivirus software
This is partner-provided software that scans files for viruses or other malicious code. You specify the remedial actions to be taken on infected files when you configure the software.
Vscan software settings
You must configure these software settings on the Vscan server.
-
Scanner pool
This setting defines the Vscan servers and privileged users that can connect to SVMs. It also defines a scan request timeout period, after which the scan request is sent to an alternative Vscan server if one is available.
You should set the timeout period in the antivirus software on the Vscan server to five seconds less than the scanner-pool scan-request timeout period. This will avoid situations in which file access is delayed or denied altogether because the timeout period on the software is greater than the timeout period for the scan request.
-
Privileged user
This setting is a domain user account that a Vscan server uses to connect to the SVM. The account must exist in the list of privileged users in the scanner pool.
-
Scanner policy
This setting determines whether a scanner pool is active. Scanner policies are system-defined, so you cannot create custom scanner policies. Only these three policies are available:
-
Primary
specifies that the scanner pool is active. -
Secondary
specifies that the scanner pool is active, only when none of the Vscan servers in the primary scanner pool are connected. -
Idle
specifies that the scanner pool is inactive.
-
-
On-access policy
This setting defines the scope of an on-access scan. You can specify the maximum file size to scan, file extensions and paths to include in the scan, and file extensions and paths to exclude from the scan.
By default, only read-write volumes are scanned. You can specify filters that enable scanning of read-only volumes or that restrict scanning to files opened with execute access:
-
scan-ro-volume
enables scanning of read-only volumes. -
scan-execute-access
restricts scanning to files opened with execute access.“Execute access” is different from “execute permission.” A given client will have “execute access” on an executable file only if the file was opened with “execute intent.”
You can set the
scan-mandatory
option to off to specify that file access is allowed when no Vscan servers are available for virus scanning. Within on-access mode you can choose from these two mutually-exclusive options:-
Mandatory: With this option, Vscan tries to deliver the scan request to the server until the timeout period expires. If the scan request is not accepted by the server, then the client access request is denied.
-
Non-Mandatory: With this option, Vscan always allows client access, whether or not a Vscan server was available for virus scanning.
-
-
On-demand task
This setting defines the scope of an on-demand scan. You can specify the maximum file size to scan, file extensions and paths to include in the scan, and file extensions and paths to exclude from the scan. Files in subdirectories are scanned by default.
You use a cron schedule to specify when the task runs. You can use the
vserver vscan on-demand-task run
command to run the task immediately. -
Vscan file-operations profile (on-access scanning only)
The
vscan-fileop-profile
parameter for thevserver cifs share create
command defines which SMB file operations trigger virus scanning. By default, the parameter is set tostandard
, which is NetApp best practice. You can adjust this parameter as necessary when you create or modify an SMB share:-
no-scan
specifies that virus scans are never triggered for the share. -
standard
specifies that virus scans are triggered by open, close, and rename operations. -
strict
specifies that virus scans are triggered by open, read, close, and rename operations.The
strict
profile provides enhanced security for situations in which multiple clients access a file simultaneously. If one client closes a file after writing a virus to it, and the same file remains open on a second client,strict
ensures that a read operation on the second client triggers a scan before the file is closed.You should be careful to restrict the
strict
profile to shares containing files that you anticipate will be accessed simultaneously. Since this profile generates more scan requests, it may impact performance. -
writes-only
specifies that virus scans are triggered only when modified files are closed.Since
writes-only
generates fewer scan requests, it typically improves performance.If you use this profile, the scanner must be configured to delete or quarantine unrepairable infected files, so they cannot be accessed. If, for example, a client closes a file after writing a virus to it, and the file is not repaired, deleted, or quarantined, any client that accesses the file
without
writing to it will be infected.
-
If a client application performs a rename operation, the file is closed with the new name and is not scanned. If such operations pose a security concern in your environment, you should use the |