Create an on-access policy
An on-access policy defines the scope of an on-access scan. You can specify the maximum size of the files to be scanned, the extensions of the files to be included in the scan, and the extensions and paths of the files to be excluded from the scan. You can create an on-access policy for an individual SVM or for all the SVMs in a cluster.
By default, ONTAP creates an on-access policy named “default_CIFS” and enables it for all the SVMs in a cluster.
You can set the
scan-mandatory option to off to specify that file access is allowed when no Vscan servers are available for virus scanning. Keep in mind that any file that qualifies for scan exclusion based on the
max-file-size parameters is not considered for scanning even if the
scan-mandatory option is set to on.
For potential issues related to the
By default, only read-write volumes are scanned. You can specify filters that enable scanning of read-only volumes or that restrict scanning to files opened with execute access.
Create an on-access policy:
vserver vscan on-access-policy create -vserver data_SVM|cluster_admin_SVM -policy-name policy_name -protocol CIFS -max-file-size max_size_of_files_to_scan –filters [scan-ro-volume,][scan-execute-access] -file-ext-to-include extensions_of_files_to_include -file-ext-to-exclude extensions_of_files_to_exclude -scan-files-with-no-ext true|false -paths-to-exclude paths_of_files to exclude -scan-mandatory on|off
Specify a data SVM for a policy defined for an individual SVM, a cluster admin SVM for a policy defined for all the SVMs in a cluster.
-file-ext-to-excludesetting overrides the
-scan-files-with-no-extto true to scan files without extensions. The following command creates an on-access policy named
cluster1::> vserver vscan on-access-policy create -vserver vs1 -policy-name Policy1 -protocol CIFS -filters scan-ro-volume -max-file-size 3GB -file-ext-to-include “mp*”,"tx*" -file-ext-to-exclude "mp3","txt" -scan-files-with-no-ext false -paths-to-exclude "\vol\a b\","\vol\a,b\"
Verify that the on-access policy has been created:
vserver vscan on-access-policy show -instance data_SVM|cluster_admin_SVM -policy-name policy_name
For a complete list of options, see the man page for the command.
The following command displays the details for the
cluster1::> vserver vscan on-access-policy show -instance vs1 -policy-name Policy1 Vserver: vs1 Policy: Policy1 Policy Status: off Policy Config Owner: vserver File-Access Protocol: CIFS Filters: scan-ro-volume Mandatory Scan: on Max File Size Allowed for Scanning: 3GB File Paths Not to Scan: \vol\a b\, \vol\a,b\ File Extensions Not to Scan: mp3, txt File Extensions to Scan: mp*, tx* Scan Files with No Extension: false