Create an on-access policy


An on-access policy defines the scope of an on-access scan. You can specify the maximum size of the files to be scanned, the extensions of the files to be included in the scan, and the extensions and paths of the files to be excluded from the scan. You can create an on-access policy for an individual SVM or for all the SVMs in a cluster.

About this task

By default, ONTAP creates an on-access policy named “default_CIFS” and enables it for all the SVMs in a cluster.

You can set the scan-mandatory option to off to specify that file access is allowed when no Vscan servers are available for virus scanning. Keep in mind that any file that qualifies for scan exclusion based on the paths-to-exclude, file-ext-to-exclude, or max-file-size parameters is not considered for scanning even if the scan-mandatory option is set to on.


For potential issues related to the scan-mandatory option, see Potential connectivity issues involving the scan-mandatory option.

By default, only read-write volumes are scanned. You can specify filters that enable scanning of read-only volumes or that restrict scanning to files opened with execute access.

  1. Create an on-access policy:

    vserver vscan on-access-policy create -vserver data_SVM|cluster_admin_SVM -policy-name policy_name -protocol CIFS -max-file-size max_size_of_files_to_scan –filters [scan-ro-volume,][scan-execute-access] -file-ext-to-include extensions_of_files_to_include -file-ext-to-exclude extensions_of_files_to_exclude -scan-files-with-no-ext true|false -paths-to-exclude paths_of_files to exclude -scan-mandatory on|off

    • Specify a data SVM for a policy defined for an individual SVM, a cluster admin SVM for a policy defined for all the SVMs in a cluster.

    • The -file-ext-to-exclude setting overrides the -file-ext-to-include setting.

    • Set -scan-files-with-no-ext to true to scan files without extensions. The following command creates an on-access policy named Policy1 on the vs1SVM:

    cluster1::> vserver vscan on-access-policy create -vserver vs1 -policy-name Policy1 -protocol CIFS -filters scan-ro-volume -max-file-size 3GB -file-ext-to-include “mp*”,"tx*" -file-ext-to-exclude "mp3","txt" -scan-files-with-no-ext false -paths-to-exclude "\vol\a b\","\vol\a,b\"
  2. Verify that the on-access policy has been created: vserver vscan on-access-policy show -instance data_SVM|cluster_admin_SVM -policy-name policy_name

    For a complete list of options, see the man page for the command.

    The following command displays the details for the Policy1 policy:

    cluster1::> vserver vscan on-access-policy show -instance vs1 -policy-name Policy1
                               Vserver: vs1
                                Policy: Policy1
                         Policy Status: off
                   Policy Config Owner: vserver
                  File-Access Protocol: CIFS
                               Filters: scan-ro-volume
                        Mandatory Scan: on
    Max File Size Allowed for Scanning: 3GB
                File Paths Not to Scan: \vol\a b\, \vol\a,b\
           File Extensions Not to Scan: mp3, txt
               File Extensions to Scan: mp*, tx*
          Scan Files with No Extension: false