Symantec Integration Guide

Symantec AntiVirus™ for
Network Attached Storage

Integration Guide
2
Symantec AntiVirus™ for Network Attached Storage

Integration Guide
The software described in this book is furnished under a license agreement and may be
used only in accordance with the terms of the agreement.
Documentation version 5.2.8
Legal Notice
Copyright © 2010 Symantec Corporation.
All rights reserved.
Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec
Corporation or its affiliates in the U.S and other countries. Other names may be
trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required
to provide attribution to the third party (“Third Party Programs”). Some of the Third Party
Programs are available under open source or free software licenses. The License
Agreement accompanying the Software does not alter any rights or obligations you may
have under those open source or free software licenses. Please see the Third Party Legal
Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec
product for more information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use,
copying, distribution, and decompilation/reverse engineering. No part of this document
may be reproduced in any form by any means without prior written authorization of
Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED

CONDITIONS, REPRESENTATIONS, AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-
INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL
NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION
WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE
INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE
WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer

software as defined in FAR 12.212 and subject to restricted rights as defined in FAR
Section 52.227-19 “Commercial Computer Software - Restricted Rights” and DFARS
227.7202, “Rights in Commercial Computer Software or Commercial Computer Software
Documentation”, as applicable, and any successor regulations. Any use, modification,
reproduction release, performance, display or disclosure of the Licensed Software and
Documentation by the U.S Government shall be solely in accordance with the terms of this
Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
3
Technical support
Symantec Technical Support maintains support centers globally. Technical

Support’s primary role is to respond to specific queries about product features
and functionality. The Technical Support group also creates content for our
online Knowledge Base. The Technical Support group works collaboratively with
the other functional areas within Symantec to answer your questions in a timely
fashion. For example, the Technical Support group works with Product
Engineering and Symantec Secuirty Response to provide alerting services and
virus definition updates.
Symantec’s maintenance offerings include the following:
n A range of support options that give you the flexibility to select the right
amount of service for any site organization
n Telephone and Web-based support that provides rapid response and up-to-
the-minute information
n Upgrade assurance that delivers automatic software upgrade protection
n Global support purchased on a regional business hours or 24 hours a day, 7
days a week basis
n Premium service offerings that include Account Management Services
For information about Symantec’s Maintenance Programs, you can visit our
Web site at the following URL:
www.symantec.com/business/support/
All support services will be delivered in accordance with your support
agreement and the then-current enterprise technical support policy.
Contacting Technical Support

Customers with a current maintenance agreement may access Technical
Support information at the following URL:
Before contacting Technical Support, make sure that you have satisfied the
system requirements that are listed in your product documentation. Also, you
should be at the computer on which the problem occurred, in case it is necessary
to replicate the problem.
When you contact Technical Support, please have the following information
available:
n Product release level
n Hardware information
n Available memory, disk space, and NIC information
n Operating system
n Version and patch level
4
n Network topology
n Router, gateway, and IP address information
n Problem description:
n Error messages and log files
n Troubleshooting that was performed before contacting Symantec
n Recent software configuration changes and network changes
Licensing and registration

If your Symantec product requires registration or a license key, access our
technical support Web page at the following URL:
Customer Service
Customer service information is available at the following URL:
Customer Service is available to assist with the following types of issues:
n Questions regarding product licensing or serialization
n Product registration updates such as address or name changes
n General product information (features, language availability, local dealers)
n Latest information about product updates and upgrades
n Information about upgrade assurance and maintenance contracts
n Information about the Symantec Buying Programs
n Advice about Symantec’s technical support options
n Nontechnical presales questions
n Issues that are related to CD-ROMs or manuals
Support agreement resources

If you want to contact Symantec regarding an existing maintenance agreement,
please contact the maintenance agreement administration team for your region
as follows:
Asia-Pacific and Japan [email protected]

Europe, Middle-East, and Africa [email protected]
North America and Latin America [email protected]

Contents
Technical support
Chapter 1 Introducing Symantec AntiVirus™ for Network Attached
Storage
About Symantec AntiVirus for Network Attached Storage .......................... 11
About software components ...................................................................... 12
About Symantec Scan Engine .................................................................... 12
About the connector .................................................................................... 13
Supported storage devices ................................................................................. 13
How to use the Symantec AntiVirus for Network Attached Storage
documentation ............................................................................................. 14
About the Symantec Scan Engine Implementation Guide .................... 15
About the Symantec AntiVirus for Network Attached Storage Integration
Guide ...................................................................................................... 15
Why you need virus protection in a network attached storage environment 16
How the scan engine protects against viruses ........................................ 17
About Symantec Security Response ......................................................... 18
About preparing for installation ....................................................................... 18
Windows system requirements ................................................................. 19
Solaris system requirements ..................................................................... 20
Linux system requirements ....................................................................... 21
Post-installation tasks ........................................................................................ 22
Chapter 2 Configuring Symantec™ AntiVirus for NetApp® Filer™

About software components .............................................................................. 25
How Symantec Scan Engine works with the NetApp Filer client ................ 26
What happens when a file is scanned ....................................................... 26
About connecting to Symantec Scan Engine ........................................... 27
About limiting scanning by file type ........................................................ 27
About handling infected files ..................................................................... 28
About user identification and notification when a virus is found ....... 28
About configuring Symantec Scan Engine ...................................................... 30
Editing the service startup properties ...................................................... 30
Configuring RPC protocol options ............................................................ 31
6 Contents
Notifying the NetApp Filer when virus definitions are updated .......... 34
Notifying a requesting user that a virus was found ............................... 35
About quarantining unrepairable infected files ..................................... 36
Specifying which embedded files to scan ................................................ 37
Scheduling LiveUpdate to update virus definitions automatically ..... 40
Configuring Rapid Release updates to occur automatically ................. 41
About configuring the client NetApp Filer ...................................................... 42
About verifying that the scan engine is registered with the filer ........ 42
About activating virus scanning ............................................................... 43
About specifying the file extensions to be scanned on the NetApp Filer 43
About working with unresponsive scan engines .................................... 44
How virus scanning affects backups on NetApp Filer ........................... 44
About clearing the scanned files cache .................................................... 44
About notifying a requesting user that a virus was found .................... 45
Chapter 3 Configuring Symantec AntiVirus™ for Sun StorageTek™

5000 NAS Appliance
How Symantec Scan Engine works with the Sun StorageTek 5000 NAS Appliance
48
How are files scanned ................................................................................. 48
How caching works ...................................................................................... 49
About specifying which file types are scanned ....................................... 49
About specifying the scan policy ............................................................... 51
About handling infected files on the NAS device ................................... 51
Configuring ICAP-specific options ............................................................ 52
Specifying which file types to scan on the scan engine ......................... 55
Specifying container handling limits ....................................................... 57
About configuring the Sun StorageTek 5000 NAS Appliance ...................... 60
Registering Symantec Scan Engine .......................................................... 60
About configuring virus scanning on the Sun StorageTek 5000 NAS
Appliance .............................................................................................. 61
Recommendations while integrating multiple scan engines ....................... 63
Chapter 4 Configuring Symantec AntiVirus™ for Sun Storage 7000

Series
How Symantec Scan Engine works with the Sun Storage 7000 Series NAS device
Contents 7
66
How are files scanned ................................................................................. 66
How caching works ...................................................................................... 67
About specifying which file types are scanned ....................................... 67
About specifying the scan policy ............................................................... 68
About handling infected files on the NAS device ................................... 68
Configuring ICAP-specific options ............................................................ 69
Specifying which file types to scan on the scan engine ......................... 72
Specifying container handling limits ....................................................... 75
About configuring the Sun Storage 7000 Series NAS device ........................ 78
Registering Symantec Scan Engine .......................................................... 78
About configuring virus scanning on the Sun Storage 7000 Series NAS
device ..................................................................................................... 78
Recommendations while integrating multiple scan engines ....................... 80
Chapter 5 Configuring Symantec™ AntiVirus for BlueArc® Storage

System and Hitachi® High-performance NAS Platform™,
powered by BlueArc®
How Symantec Scan Engine works with BlueArc Storage System and Hitachi
High-performance NAS Platform .............................................................. 82
What happens when a file is scanned ....................................................... 83
About connecting to Symantec Scan Engine ........................................... 83
About limiting scanning by file type ........................................................ 83
About handling infected files ..................................................................... 84
About user identification and notification when a virus is found ....... 84
Editing the service startup properties ...................................................... 86
Configuring RPC protocol options ............................................................ 87
Notifying a requesting user that a virus was found ............................... 90
About quarantining unrepairable infected files ..................................... 91
Specifying which embedded files to scan ................................................. 92
About configuring BlueArc Storage System or Hitachi High-performance NAS
Platform ........................................................................................................ 97
About verifying that the scan engine is registered with the NAS Server 98
About activating virus scanning ............................................................... 98
8 Contents
About specifying the file extensions to be scanned on the NAS Server 98

About executing a full file system scan .................................................... 99
About working with unavailable scan engines ....................................... 99
About working with unresponsive scan engines .................................... 99
Chapter 6 Configuring Symantec™ AntiVirus for Hitachi® Essential

NAS Platform™
About software components ............................................................................ 101
How Symantec Scan Engine works with the Hitachi Essential NAS Platform 102
What happens when a file is scanned ..................................................... 102
About handling infected files ................................................................... 103
About configuring Symantec Scan Engine .................................................... 103
Configuring ICAP-specific options .......................................................... 103
Specifying which file types to scan on the scan engine ....................... 106
About specifying container handling limits .......................................... 108
Scheduling LiveUpdate to update virus definitions automatically ... 109
Chapter 7 Configuring Symantec™ AntiVirus for ONStor EverON

How Symantec Scan Engine works with the ONStor EverON .................... 112
What happens when a file is scanned ..................................................... 112
About handling infected files ................................................................... 113
About specifying container handling limits .......................................... 118
Scheduling LiveUpdate to update virus definitions automatically ... 119
About configuring the ONStor VirusScan Applet ........................................ 120
Configuring the VirusScan Applet for the Symantec Scan Engine ... 120
Chapter 8 Configuring Symantec AntiVirus™ for EMC® Celerra™

Network Server
How Symantec Scan Engine works with EMC Celerra Network Server .... 124
How are files scanned ............................................................................... 125
About scanning on read ............................................................................ 125
About specifying which file types are scanned ..................................... 126
About specifying the scan policy ............................................................. 127
About preparing for installation ..................................................................... 128
Contents 9
About specifying container handling limits ..........................................133

Scheduling LiveUpdate to update virus definitions automatically ...134
Configuring Rapid Release updates to occur automatically ...............135
About configuring EMC Celerra Network Server ..........................................136
About installing the Celerra Anti Virus Agent ......................................136
About registering Symantec Scan Engine .............................................137
About configuring virus scanning on EMC Celerra Network Server .137
About starting the Virus-checking client ..............................................139
About executing a full file system scan ..................................................140
Known issue with EMC Celerra Network Server ..........................................140
Recommendations while integrating multiple scan engines ......................140
Index
10 Contents
Chapter 1
Introducing Symantec
AntiVirus™ for Network
Attached Storage
This chapter includes the following topics:
n About Symantec AntiVirus for Network Attached Storage
n Supported storage devices
n How to use the Symantec AntiVirus for Network Attached Storage

documentation
n Why you need virus protection in a network attached storage environment
n About preparing for installation
n Post-installation tasks
About Symantec AntiVirus for Network Attached

Storage
Symantec AntiVirus™ for Network Attached Storage provides virus scanning
and repair services for a number of network-attached storage (NAS) devices. You
can scan files for viruses automatically as they are accessed from storage before
the requesting user gains access to it. Based on a configurable virus scan policy,
when a virus is found in a file, the file is repaired. The clean file is stored on the
NAS device and only then is the requesting user granted access.
12 Introducing Symantec AntiVirus™ for Network Attached Storage
About Symantec AntiVirus for Network Attached Storage
About software components

In most cases, adding virus scanning to a supported NAS device requires
installation and configuration of the following components:
n Symantec Scan Engine, which provides the virus scanning and repair
services
See “About Symantec Scan Engine” on page 12.
n Connector, which lets the NAS device communicate with Symantec Scan
Engine
See “About the connector” on page 13.
Figure 1-1 shows a typical integration of a network attached storage device with
Symantec Scan Engine.
Figure 1-1 Integration of a network attached storage device with the Symantec
Scan Engine
1. The client tries to access a file on the network attached storage device.
2. The network attached storage device, by means of a connector, sends the file to the
Symantec Scan Engine for scanning.
3. Symantec Scan Engine scans the file, repairs it if it is infected, and returns the clean file
to the network attached storage device.
4. The network attached storage device writes the cleaned file to disk, caches the fact that
the file has been cleaned, and sends the file to the client.
About Symantec Scan Engine

Symantec Scan Engine, formerly marketed as Symantec AntiVirus Scan Engine,
is a carrier-class content scanning engine. Symantec Scan Engine provides
content scanning capabilities to any application on an IP network, regardless of
platform. Any application can pass files to Symantec Scan Engine for scanning.
Introducing Symantec AntiVirus™ for Network Attached Storage 13
Supported storage devices
Symantec Scan Engine accepts scan requests from client applications that use
the following protocols:
n The Internet Content Adaptation Protocol (ICAP), version 1.0, as presented
in RFC 3507 (April 2003)
n A proprietary implementation of remote procedure call (RPC)
n Symantec Scan Engine native protocol
Symantec Scan Engine is included in the Symantec AntiVirus for Network
Attached Storage distribution package.
For more information about the scan engine, see the Symantec Scan Engine
Implementation Guide on the product CD.
About the connector

The connector handles the communication between the scan engine and the
NAS device and interprets the results that are returned from the scan engine
after scanning. The manufacturer of the NAS device develops and provides
support for the connector. The connector typically is installed and configured
on the NAS device. (In some cases, the manufacturer pre-installs the connector.)
In some cases, no connector is necessary. The NAS device handles the
communication with the scan engine, and any configuration options are
available directly on the device.
Supported storage devices

Symantec AntiVirus for Network Attached Storage supports the following
storage devices:
n Network Appliance™ (NetApp) Filer™
n Sun® StorageTek™ 5000 NAS Appliance
n Sun® Storage 7000 Series
n BlueArc® Storage System
n Hitachi® High-performance NAS Platform™
n Hitachi® Essential NAS Platform™
n ONStor EverON
n EMC Celerra® Network Server
How to use the Symantec AntiVirus for Network Attached Storage documentation
Table 1-1 gives the list of storage devices, its supported versions, and the
protocol that Symantec Scan Engine uses to interface with these storage
devices.
Table 1-1 Supported storage devices and protocols
Storage device Protocol used Supported version
Network Appliance™ (NetApp) Filer™ RPC Data ONTAP™ version

6.1.3R2 or later
Sun® StorageTek™ 5000 NAS Appliance ICAP Sun NAS Firmware 4.21
M1 or later
Sun Storage 7000 Series ICAP Sun Storage 7xxx version

2008.10
BlueArc® Storage System RPC 4.0 or later
Hitachi® High-performance NAS RPC 4.0 or later

Platform™
Hitachi® Essential NAS Platform™ ICAP 6.2 or later
ONStor EverON ICAP 4.0 or later
EMC Celerra® Network Server ICAP CAVA 4.5 or later
Note: If the scan engine uses RPC protocol to interface with your network
attached storage device, Symantec Scan Engine must be installed on Windows
2000 Server/Windows 2003 Server/Windows 2008 Server platforms only.
How to use the Symantec AntiVirus for Network

Attached Storage documentation
To configure Symantec AntiVirus for Network Attached Storage to work with
one of the supported NAS devices, you need the documentation that is included
in the Symantec AntiVirus for Network Attached Storage distribution package.
You need the documentation that is provided by the manufacturer of the NAS
device as well.
The Symantec AntiVirus for Network Attached Storage distribution package
includes the following documents:
n Symantec Scan Engine Implementation Guide
n Symantec AntiVirus for Network Attached Storage Integration Guide
How to use the Symantec AntiVirus for Network Attached Storage documentation
The manufacturer of the NAS device develops the connector to integrate

Symantec Scan Engine. The manufacturer of the NAS device also prepares and
distributes supporting documentation for the connector. Obtain the connector
and any supporting documentation from the manufacturer if you do not receive
it with the NAS device.
About the Symantec Scan Engine Implementation Guide

Use the Symantec Scan Engine Implementation Guide as the primary guide for
installing and configuring Symantec Scan Engine. This guide contains the
information that you need to consider about the scan engine configuration
options.
Refer to the Symantec AntiVirus for Network Attached Storage Integration Guide
for instructions on configuring Symantec Scan Engine to work with a specific
NAS device.
About the Symantec AntiVirus for Network Attached Storage

Integration Guide
The Symantec AntiVirus for Network Attached Storage Integration Guide
includes a chapter for each supported NAS device. Use the guidance and
recommendations that are in the appropriate chapter of this guide with the
manufacturer-prepared documentation to implement virus scanning.
Each chapter in the Symantec AntiVirus for Network Attached Storage
Integration Guide includes the following information:
General information on how Virus scanning functionality can differ depending on

antivirus scanning works with the the capabilities of the NAS device and the complexity
NAS device of the connector. Some of the virus scanning functions
include handling of infected files, timing of file
scanning, and logging of infections found. This
section provides an overview of how Symantec Scan
Engine and the NAS device interact during virus
scanning.
Why you need virus protection in a network attached storage environment
Information for configuring the This section discusses the configuration options on
scan engine to work with the NAS the scan engine that must be configured to work with
device the NAS device. It may highlight other options that
are important in setting up comprehensive virus
protection as well. This information does not replace
the Symantec Scan Engine Implementation Guide.
Consult the implementation guide for installation
information and for additional information on
configuring Symantec Scan Engine to meet your
needs.
Information on configuring the This section discusses any configuration options on

NAS device to work with the scan the NAS device that must be configured to work with
engine Symantec Scan Engine. It may make
recommendations for configuring the NAS device to
ensure comprehensive virus protection. This
information does not replace the documentation that
is provided by the manufacturer of the NAS device.
Consult the product documentation for additional
information on configuring the NAS device for virus
scanning.
Known issues This section describes the issues that can affect
operation between Symantec Scan Engine and the
NAS device.
Why you need virus protection in a network

attached storage environment
Network attached storage provides many benefits, such as increased
performance, heterogeneous data access, data redundancy, ease of storage
management, and real-time backup recovery. However, the implementation of a
NAS system introduces security risks that should be addressed. Data can be
accessed and compromised more quickly when it is consolidated into a
centralized NAS system. This occurs because NAS systems are typically
connected directly to the local network.
Installing virus protection software at key locations in the corporate network is
not sufficient to protect data on NAS servers. Examples of such key locations are
firewalls, email gateways, and desktops.
Why you need virus protection in a network attached storage environment
Dedicated antivirus protection for a NAS system should be part of a

comprehensive security policy for the following reasons:
n Storage servers are susceptible to attacks from viruses, worms, Trojan
horses, and other malicious code because large number of users access them
and they contain large amounts of data.
n Malicious code can result in lost, stolen, or corrupted files, which can result
in costly downtime to the enterprise.
n The NAS system can become a vector for the malicious code when a threat is
stored on the NAS system. It can compromise the computers and the data of
the users who access the NAS system.
n Malicious code can be replicated multiple times in multiple locations
through NAS backup, mirroring of data, and archiving. The malicious code
can be re-introduced to the NAS system when NAS data that contains
malicious code is restored from one of these locations. This re-introduction
can potentially reinfect the network.
n Malicious code could replicate on the NAS system in multiple locations and
infect other parts of the network. The effort to remove a threat becomes a
time-consuming task that involves significant downtime as well as time and
money for data recovery.
n The NAS system can be used as an access point to the rest of the network or
as a launch point for an attack. For example, a denial-of-service attack can
be launched in a NAS system.
n Industry regulations and laws now require that organizations that maintain
financial, medical, personal, and email data should protect the data from
being stolen, altered, or destroyed. Organizations are legally responsible for
providing comprehensive protection for stored data.
How the scan engine protects against viruses

Symantec Scan Engine detects viruses, worms, and Trojan horses in all major
file types (for example, Windows files, DOS files, and Microsoft Word and Excel
files). Symantec Scan Engine includes a decomposer that handles most
compressed and archive file formats and nested levels of files. You can configure
the scan engine to limit scanning to certain file types by a file extension and file
type exclusion list.
Symantec Scan Engine provides protection against those container files that can
cause denial-of-service attacks. Examples are those container files that are
overly large, that contain large numbers of embedded compressed files, or that
have been designed to use resources maliciously and degrade performance. You
can specify the maximum amount of time that the scan engine devotes to
About preparing for installation
extracting a file and its contents, the maximum file size for container files, and
the maximum number of nested levels to be decomposed for scanning.
Symantec Scan Engine also detects mobile code such as Java™, ActiveX®, and
standalone script-based threats. Symantec Scan Engine uses Symantec antivirus
technologies, including Bloodhound™, for heuristic detection of new or
unknown viruses; NAVEX™, which provides protection from new classes of
viruses automatically through LiveUpdate; and Striker, for the detection of
polymorphic viruses.
The scan engine can also be configured to send alerts when specific thresholds
are met or exceeded. For example, if the same type of virus has been detected ten
times in a 20-minute interval, the scan engine can be configured to send an alert
to any of the scan engine logging or alerting destinations.
About Symantec Security Response

Symantec Scan Engine is supported by the Symantec Security Response team.
These Symantec engineers work 24 hours per day, 7 days per week, tracking new
virus outbreaks and identifying new virus threats.
For more information about protection against a specific virus, visit the
Symantec Security Response Web site at:
http://securityresponse.symantec.com
For more information, see the Symantec Scan Engine Implementation Guide.

Before you install Symantec Antivirus for Network Attached Storage, you
should ensure that your computer meets the system requirements for installing
the scan engine. The scan engine is included on the Symantec AntiVirus for
Network Attached Storage CD.
If the scan engine uses RPC protocol to interface with your network attached
storage device, Symantec Scan Engine must be installed on Windows 2000
Server/Windows 2003 Server/Windows 2008 Server platforms only.
For more information about installing the scan engine, see the Symantec Scan
Engine Implementation Guide on the product CD.
Windows system requirements

The following are the system requirements for installing Symantec AntiVirus
for Network Attached Storage on a Windows 2000 Server/Windows 2003
Server/Windows 2008 Server:
Operating system n Windows 2000 Server with the latest service pack
n Windows Server 2003 (32-bit)
n Windows Server 2003 R2 (32-bit)
Processor Pentium 4 processor 1 GHz or higher
Memory 1 GB of RAM or higher
Disk space 500 MB of hard disk space
Hardware n 1 network interface card (NIC) running TCP/IP with a static IP

address
n Internet connection to update definitions
n 100 Mbits/s Ethernet link (1 Gbit/s recommended)
Software n J2SE Runtime Environment (JRE) 5.0 (update 13 or later) or

JRE 6.0
The most current version of JRE 5.0 and JRE 6.0 at the time of
product ship is provided on the product CD in the following
folder:
Tools\Java\Win32
n One of the following Web browsers to access the Symantec
Scan Engine console
n Microsoft Internet Explorer 6 (SP1) or later
Use Microsoft Internet Explorer to access the Symantec
Scan Engine console from a Windows client computer.
n Mozilla Firefox 1.5 or later
Use Mozilla Firefox to access the Symantec Scan Engine
console from a Solaris or Linux client computer.
The Web browser is only required for Web-based
administration. You must install the Web browser on a
computer from which you want to access the Symantec Scan
Engine console. The computer must have access to the server
on which Symantec Scan Engine runs.
Solaris system requirements

for Network Attached Storage on a Sun Solaris system:
Operating system Solaris 9 and 10

Ensure that your operating system has the latest patches that are
available.
Processor SPARC®

address
Software n J2SE Runtime Environment (JRE) 5.0 (update 13 or later) or

JRE 6.0
folder:
Tools\Java\Solaris
If you install the self-extracting JRE, ensure that you note the
installation location. You must provide the location of the JRE
if the installer is unable to detect it.
Scan Engine console

Linux system requirements

for Network Attached Storage on a Linux system:
Operating system n Red Hat Linux Enterprise Server 3 and 4

n Red Hat Linux Advanced Server 3 and 4
n Red Hat Enterprise Linux 5
n SuSE Linux Enterprise Server 9 and 10
n Red Hat Enterprise Linux 5 (64-bit)
Processor Pentium 4 processor 1 GHZ or higher

address
Post-installation tasks
Software n Ensure that the following packages are installed:

n GNU sharutils-4.6.1-2 or later
Use this package to expand the Rapid Release packages.
n ncompress-4.2.4-44 or later
Use this package to expand the Rapid Release packages.
n GNU C Library (glibc)
n initscripts
This package is required for Red Hat Linux only.
n aaa_base package
This package is required for SuSE only.
n J2SE Runtime Environment (JRE) 5.0 (update 13 or later) or
JRE 6.0
folder:
Tools\Java\RedHat
Install the JRE using Red Hat Package Manager (RPM). Ensure
that you note the installation location. You must provide the
location of the JRE if the installer is unable to detect it.
Scan Engine console

The Symantec AntiVirus for Network Attached Storage connectors do not
require licensing from Symantec. However, you must install the appropriate
licenses for Symantec Scan Engine. These licenses are required to activate
antivirus scanning functionality for the scan engine and to receive updated
virus definitions.
For more information about licensing, see the Symantec Scan Engine
Implementation Guide.
After you install and configure the scan engine, you must configure the
connector for your network attached storage device to send files to the scan
engine.
For more information about integrating a specific connector with the scan
engine, see the appropriate chapter in this guide.
Chapter 2
Configuring Symantec™
AntiVirus for NetApp®
Filer™
n About software components
n How Symantec Scan Engine works with the NetApp Filer client
n About configuring Symantec Scan Engine
n About configuring the client NetApp Filer

Symantec AntiVirus for Network Attached Storage provides virus scanning and
repair capabilities for Network Appliance™ (NetApp) Filer™ storage appliances.
Configure the following components to add antivirus scanning to the NetApp
Filer:
services
26 Configuring Symantec™ AntiVirus for NetApp® Filer™
How Symantec Scan Engine works with the NetApp Filer client
n The NetApp Filer

Some options are configured directly on the NetApp Filer. No additional
code is necessary to connect Symantec Scan Engine to the NetApp Filer.
See “About configuring the client NetApp Filer” on page 42
How Symantec Scan Engine works with the NetApp

Filer client
repair capabilities for the NetApp Filer storage appliances that support Data
ONTAP™ version 6.1.3 or later. Each Filer must be running Data ONTAP 6.1.3 or
later if you plan to use a single Symantec Scan Engine to support multiple Filer
storage appliances.
Symantec Scan Engine must be installed on a computer that is running
Windows 2000 Server/Windows 2003 Server/Windows 2008 Server. It must be
located in the same domain as the NetApp Filer for which it provides scanning
and repair services. Symantec Scan Engine uses the proprietary Network
Appliance adaptation of the RPC protocol to interface with NetApp Filer storage
appliances.
A single Symantec Scan Engine can support multiple NetApp Filers. You can use
multiple scan engines to support one or more filers for sites with larger scan
volumes. Load balancing is handled through the NetApp Filer interface.
Virus scanning on the NetApp Filer is available only for those files that are
requested through the Common Internet File System (CIFS). Files that are
requested through the Network File System (NFS) are not scanned for viruses.
What happens when a file is scanned

The NetApp Filer submits files to Symantec Scan Engine for scanning on both
read and write. That is, files are scanned when they are accessed from storage
(read), renamed (write) and when submitted for storage, if modified (write).
When a user tries to access a file, the filer passes the file to Symantec Scan
Engine for scanning. After a file is scanned, Symantec Scan Engine indicates the
scanning results to the filer. If a file is infected and can be repaired, the scan
engine returns the repaired file based on a configurable virus scan policy.
Clean files are passed to the requesting user after the filer receives the scanning
results. The repaired file is passed to the requesting user if the file is infected
and can be repaired. The stored version of the infected file is then replaced with
the repaired file. The user is denied access to the file if the file is infected and
Configuring Symantec™ AntiVirus for NetApp® Filer™ 27
cannot be repaired, and the infected file is deleted from storage. Symantec Scan
Engine can be configured to quarantine these unrepairable files.
See “About quarantining unrepairable infected files” on page 36.
The filer caches scanning results for each clean file to avoid redundant scans of
those files that have already been scanned. The cache is purged when the virus
definitions on Symantec Scan Engine are updated, the “vscan reset” command is
run on the filer, or when the scan engine is restarted. If the cache is full and a
file that is not in the cache is accessed, the oldest information in the cache is
purged. This ensures that the scanning results for the newly scanned file can be
stored.
About connecting to Symantec Scan Engine

A connection is maintained between each NetApp Filer and Symantec Scan
Engine. Symantec Scan Engine monitors the connection with each NetApp Filer
by checking the connection at a configured time interval. The scan engine tries
to reconnect if it determines that the connection is not active. (The number of
times that the scan engine tries to re-establish the connection can also be
configured.)
About limiting scanning by file type

Viruses are found only in the file types that contain executable code. Only those
file types that can contain viruses need be scanned. Limiting scanning by file
type saves bandwidth and time.
You have the following levels of control over which files are scanned:
You can control the files that are The NetApp Filer lets you specify by file extension the
initially submitted to the scan files that are to be passed to Symantec Scan Engine for
engine by the NetApp Filer for scanning. You configure the file types that you want to
scanning submit for scanning through the NetApp Filer
interface in accordance with the product
documentation.
See “About specifying the file extensions to be
scanned on the NetApp Filer” on page 43.
You can control the files that are The scan engine lets you specify the file types and the
embedded in archival file formats file extensions that you do not want to scan. The file
(for example, .zip or .lzh files) that extensions exclusion list and the file type exclusion
are to be scanned by Symantec list achieve this purpose. You can also scan all file
Scan Engine types regardless of extension. You configure which
embedded files are scanned through the Symantec
Scan Engine administrative interface.
See “Specifying which embedded files to scan” on
page 37.
About handling infected files

You can configure Symantec Scan Engine to do any of the following when an
infected file is found:
Scan Only Deny access to the infected file, but do nothing

to the infected file.
Scan and repair files Try to repair the infected file, and deny access
to any unrepairable file.
Scan and repair or delete Try to repair the infected file, and delete any
unrepairable file.
You can also configure the scan engine to quarantine unrepairable files.
See“About quarantining unrepairable infected files” on page 36.
About user identification and notification when a virus is found

When a virus is found in a file that is requested from the NetApp Filer, Symantec
Scan Engine automatically obtains (for logging purposes) identification
information about the user who requested the infected file. This information
includes the security identifier of the user and the IP address and host name of
the requesting computer.
The identification information supplements the information that is contained in
Infection Found log messages that are logged to the local logs, the Windows
Event Log, and SMTP. This information does not appear in the Infection Found
messages that are logged to SNMP or SSIM.
Note: Symantec Scan Engine can obtain only the information that is made
available by the NetApp Filer. In some cases, all or some of this information is
not available. The information that is obtained is reported in the related log
entries. Any identification information that is not obtained from the NetApp
Filer is omitted from the log messages and from the user notification window.
You also can configure Symantec Scan Engine to notify the requesting user that
the retrieval of a file failed because a virus was found.The notification message
includes the following:
n Date and time of the event
n File name of the infected file
n Virus name and ID
n Virus definition date and revision number
n Manner in which the infected file was handled (for example, the file was
repaired or deleted)
n Scan policy
n Disposition of the file
n Duration of scan time and connection time
To use the user notification feature, the Windows Messenger service must be
running on the computer that is running Symantec Scan Engine, and on the
user’s computer.
See “Notifying a requesting user that a virus was found” on page 35.

The Network Appliance Filer storage appliance must support Data ONTAP
version 6.1.3 or later to interface with Symantec Scan Engine. If you plan to use
a single Symantec Scan Engine to support multiple filer storage appliances, each
filer must support Data ONTAP version 6.1.3 or later. As a prerequisite, ensure
that each NetApp Filer for which the scan engine is to provide scanning and
repair services meets this requirement.
To use RPC, Symantec Scan Engine must be installed on a computer that is
running Windows 2000 Server/Windows 2003 Server/Windows 2008 Server.
The computer on which you plan to install Symantec Scan Engine must meet the
system requirements that are listed in the Symantec Scan Engine
About configuring Symantec Scan Engine
After you install Symantec Scan Engine, configure the NetApp Filer to work with
the scan engine.
See “About configuring the client NetApp Filer” on page 42.

Configure Symantec Scan Engine to use RPC as the communication protocol.
The Internet Content Adaptation Protocol (ICAP) is the default protocol at
installation, but you can change the protocol to RPC through the administrative
interface. Then you can configure the RPC-specific options.
See “Configuring RPC protocol options” on page 31
You must also change the Windows service startup properties to identify an
account that has the appropriate permissions.
See “Editing the service startup properties” on page 30.
Editing the service startup properties

If you change the protocol setting to RPC, you need to change the service startup
properties to identify an account that has the following appropriate
permissions:
n The user account must have local administrator permissions on the
computer that has the scan engine.
n The user account must have Backup Operator privileges or above on the
NetApp Filer.
You must change the service startup properties if the list of NetApp Filers is
edited as well.
To edit the service startup properties

1 In the Windows 2000/2003/2008 Control Panel, click Administrative Tools.
2 Click Services.
3 In the list of services, right-click Symantec Scan Engine, and then click
Properties.
4 In the Properties dialog box, on the Log On tab, click This Account.
5 Type the account name and password for the user account that has local
administrator rights on the computer that has the scan engine. This account
should also have domain backup operator privileges or above.
Use the following format for the account name:
domain\username
6 Click OK.
7 Stop and start the Symantec Scan Engine service.
For more information on stopping and starting the Symantec Scan Engine
service, see the Symantec Scan Engine Implementation Guide.
Configuring RPC protocol options

After you install Symantec Scan Engine, you can configure settings that are
specific to the RPC protocol. You must manually stop and start the scan engine
service when you change to the RPC protocol. A proper connection to the
NetApp Filer is ensured.
Table 2-1 describes the protocol-specific options for RPC.
Table 2-1 Protocol-specific options for RPC
Option Description
RPC client list A single Symantec Scan Engine can support one or more NetApp
Filers. NetApp Filers must be located in the same domain as the
scan engine. You must provide the IP address of each NetApp Filer.
Note: Multiple scan engines can support a single NetApp Filer.
Configure the multiple scan engines through the NetApp Filer
interface.
Check RPC Symantec Scan Engine maintains a connection with the NetApp
connection every __ Filer. Symantec Scan Engine can be configured to check the
seconds connection with the NetApp Filer at a prescribed interval to
ensure that the connection is active. The default value is 20
seconds.
Maximum number You can configure the scan engine to make a specified number of
of reconnect tries to re-establish a lost connection with the NetApp Filer. By
attempts default, Symantec Scan Engine is configured to try to reconnect
with the NetApp Filer indefinitely.
Note: Do not set a maximum number of reconnect attempts if the

scan engine provides scanning for multiple NetApp Filers. Use the
default setting.
Option Description
Antivirus scan You can configure Symantec Scan Engine to do one of the
policy following when an infected file is found:
n Scan only: Deny access to the infected file, but do nothing to
the infected file.
n Scan and repair files: Try to repair the infected file, and deny
access to any unrepairable file.
n Scan and repair or delete: Try to repair the infected file, and
delete any unrepairable file from archive files.
Note: You must select Scan and repair or delete if you plan to
quarantine the infected files that cannot be repaired. For more
information, see the Symantec Scan Engine Implementation Guide.
Automatically send You can configure Symantec Scan Engine to automatically notify
antivirus update the NetApp Filer when new virus definitions are used. This
notifications notification causes the NetApp filer to clear its cache of scanned
files.
Configure RPC protocol options

To configure RPC, do the following:
n Provide an IP address for each NetApp Filer for which Symantec Scan
Engine should provide scanning services. You can add or delete filers from
this list at any time.
n Configure the additional RPC-specific options.
To edit the list of NetApp Filers

1 On the Symantec Scan Engine administrative interface, in the left pane,
click Configuration.
2 Under Views, click Protocol.
3 In the right pane, under Select Communication Protocol, click RPC.
The configuration settings are displayed for the selected protocol.
4 In the Manual Restart Required dialog box, click OK.
Whenever you switch protocols, you must restart the server. You can
continue to make and apply changes in the administrative interface.
However, the changes do not take effect until you restart the Symantec Scan
Engine service.
5 To add a NetApp Filer to the list of RPC clients, type the IP address of the
NetApp Filer for which Symantec Scan Engine should provide scanning
services.
Type one entry per line.
6 To delete a NetApp Filer from the list of RPC clients, select and delete the IP
address of the NetApp Filer.
7 On the toolbar, select one of the following:
Save Saves your changes.

You can continue to make changes in the
administrative interface until you are ready to
apply them.
Apply Applies your changes.

Your changes are not implemented until you
apply them. You must perform a manual restart
for the changes to take place and for a proper
connection to the NetApp Filer.
To configure additional RPC-specific options

3 Under RPC Configuration, in the Check RPC connection every box, type how
frequently Symantec Scan Engine checks the RPC connection with the
NetApp Filer to ensure that the connection is active.
The default interval is 20 seconds.
4 In the Maximum number of reconnect attempts box, type the maximum
number of tries that the Symantec Scan Engine should undertake to re-
establish a lost connection with the NetApp Filer.
The default setting is 0. Symantec Scan Engine tries indefinitely to re-
establish a connection. Use the default setting if the scan engine provides
scanning for multiple NetApp Filers.
5 In the Antivirus scan policy list, select how you want Symantec Scan Engine
to handle infected files.
The default setting is Scan and repair or delete.

apply them.

connection to the NetApp Filer.
Notifying the NetApp Filer when virus definitions are updated

When Symantec Scan Engine scans a file, it is stored in the NetApp Filer’s cache.
This cached file is sent to any user who subsequently requests the same file thus
conserving scanning resources.
You can configure the scan engine to automatically notify the NetApp Filer
when the scan engine begins using new virus definitions. This notification
prompts the NetApp Filer to clear its cache of scanned files. Any new requests
for files causes the file to be sent to the scan engine again for scanning. The
scanned clean files are cached, and these cached files are sent to the requesting
user.
You can manually clear the cache of scanned files at the command line interface
of the NetApp Filer as well.
See “About clearing the scanned files cache” on page 44.
The process of automatically notifying the NetApp Filer about virus definitions
updates could affect system performance, depending on how frequently you
schedule LiveUpdate. You can send the notification manually to minimize the
impact on scanning resources.
To automatically notify the NetApp Filer when virus definitions are updated
1 On the administrative interface, in the left pane, click Configuration.
3 Under RPC Configuration, check Automatically send AntiVirus update
notifications.
This option is disabled by default.

apply them.

for the changes to take place.
To manually notify the NetApp Filer when virus definitions are updated
1 On the administrative interface, in the left pane, click Configuration.
3 In the left pane, under Tasks, click Send AntiVirus Update Notification.
Notifying a requesting user that a virus was found

You can configure Symantec Scan Engine to notify the requesting user that the
retrieval of a file failed because a virus was found. The notification message is
displayed only if the user uses a Windows computer. In addition, the requesting
user’s computer must be in the same domain as the scan engine. Both the user’s
computer and the scan engine must have the Windows Messenger service
running to use this feature.
The notification message includes the following information:
n The date and time of the event
n The event security level (for example, Warning)
n The scan policy (for example, scan and repair or delete)
n The file name of the infected file
n The virus name and ID
n The manner in which the infected file was handled (for example, the file was
n The disposition of the file (for example, infected)
n The IP address and name of the requesting user’s computer
n The date and revision number of the virus definitions used
n The duration (in seconds) of scan and connection time
You can enable the NetApp Filer to display warning messages to the requesting
user as well.
See “About notifying a requesting user that a virus was found” on page 45.
To notify a requesting user that a virus was found

click Monitors.
2 Under Views, click Alerting.
3 In the right pane, under Log Windows Messenger, check Enable Windows
Messenger Logging.
User notification is disabled by default.

apply them.

About quarantining unrepairable infected files

You can quarantine unrepairable infected files when you use the RPC protocol.
To achieve the quarantine feature, Symantec Central Quarantine must be
installed separately on a computer that runs Windows 2000 Server/Windows
2003 Server/Windows 2008 Server. Symantec Central Quarantine is included on
the Symantec Scan Engine distribution CD along with supporting
documentation.
Symantec Scan Engine forwards the infected files that cannot be repaired to
Symantec Central Quarantine. Typically, the heuristically-detected viruses that
cannot be eliminated by the current set of virus definitions are forwarded to the
quarantine. They are isolated so that the viruses cannot spread. The infected
items can be submitted to Symantec Security Response for analysis from the
quarantine. New virus definitions are posted if a new virus is identified.
Note: You must select “Scan and repair or delete” as the RPC scan policy to
forward files to the quarantine. The original infected file is deleted when a copy
of an infected file is forwarded to the quarantine. If submission to the
quarantine is not successful, the original file is not deleted, and an error
message is returned to the NetApp Filer. Access to the infected file is denied.
For more information about installing and configuring Symantec Central

Quarantine, see the Symantec Central Quarantine Administrator’s Guide.
To quarantine unrepairable infected files

click Policies.
2 Under Views, click Scanning.
3 In the right pane, under Quarantine, check Quarantine files.
4 In the Central server quarantine host or IP box, type the host name or the IP
address for the computer on which Symantec Central Quarantine is
installed.
5 In the Port box, type the TCP/IP port number to be used by the Symantec
Scan Engine to pass files to the Symantec Central Quarantine.
This setting must match the port number that is selected at installation for
Symantec Central Quarantine.

apply them.

apply them.
Specifying which embedded files to scan

The NetApp Filer submits files to Symantec Scan Engine for scanning based on
the file extension of the top-level file. You can configure the file types that are
submitted for scanning through the filer administrative interface. The top-level
files that are sent to Symantec Scan Engine are scanned regardless of file
extension.
When the scan engine receives an archive file (for example, a .zip or .lzh file)
that contains embedded files, it must break down the archive file and scan each
embedded file. You can control, through the scan engine administrative
interface, which embedded files are scanned by using a file extension and file
type exclusion list. You can also scan all files regardless of extension.
Symantec Scan Engine is configured by default to scan all files. The file type and
file extension exclusion list is prepopulated with the file types that are unlikely
to contain viruses, but you can edit this list.
Note: During virus outbreaks, you might want to scan all files even if you
normally control the file types that are scanned with the file type or file
extension exclusion list.
Specify which embedded files to scan

You can scan all files regardless of extension, or you can control which files are
scanned by specifying the extensions or the file types that you want to exclude.
Symantec Scan Engine is configured by default to scan all files.
To scan all files regardless of extension or type

click Policies.
3 In the right pane, under Files to Scan, click Scan all files.

apply them.

apply them.
To scan all files except for those that are in the file extension exclusion list
click Policies.
3 In the right pane, under Files to Scan, click Scan all files except those in the
extension or type exclude lists.
On activating this option, both the file extension exclude list and the file
type exclude list gets activated automatically.
4 Type each file extension that you want to add to the list on a separate line.
Use a period with each extension in the list.
5 To remove a file extension from the list, select it and delete it from the File
extension exclude list.
6 To restore the default file extension exclude list, in the left pane, under
Tasks, click Reset Default List.
This option restores the default file-type exclude list and the file-extension
exclude list.

apply them.

apply them.
To scan all file types except those in the file type exclusion list
click Policies.
When you activate this option, both the file type exclude list and the file
extension exclude list are activated automatically.
4 Type each file type you want to add to the list on a separate line.
To include all subtypes for a file type, use the wildcard character /*.
For more information on how to write the file types, see the Symantec Scan
Engine Implementation Guide.
5 To remove a file type from the list, select it and delete it from the File type
exclude list.
6 To restore the default file type exclude list, in the left pane, under Tasks,
click Reset Default List.
exclude list.

apply them.

apply them.
Scheduling LiveUpdate to update virus definitions automatically

Scheduling LiveUpdate to occur automatically at a specified time interval
ensures that the Symantec Scan Engine always has the most current virus
definitions. If you use multiple scan engines to support virus scanning, schedule
LiveUpdate to occur at the same time for each scan engine. This scheduling
ensures that all scan engines have the same version of virus definitions. Having
the same version of virus definitions is necessary for proper functioning of virus
scanning on the NetApp Filer.
You must schedule LiveUpdate on each Symantec Scan Engine. When
LiveUpdate is scheduled, LiveUpdate runs at the specified time interval relative
to the LiveUpdate base time. The default LiveUpdate base time is the time that
the scan engine was installed.
You can change the LiveUpdate base time. If you change the scheduled
LiveUpdate interval, the interval adjusts based on the LiveUpdate base time.
For more information on changing the base time, see the Symantec Scan Engine
To schedule LiveUpdate to update virus definitions automatically

click System.
2 Under Views, click LiveUpdate Content.
3 In the right pane, under LiveUpdate Content, check Enable scheduled
LiveUpdate.
This option is enabled by default.
4 In the LiveUpdate interval drop-down list, choose an interval.
You can select from 2, 4, 8, 10, 12, or 24-hour intervals. The default
LiveUpdate interval is 2 hours.

apply them.

apply them.
Configuring Rapid Release updates to occur automatically

You can configure Symantec Scan Engine to obtain uncertified definition
updates with Rapid Release. You can configure Symantec Scan Engine to
retrieve Rapid Release definitions every 5 minutes to every 120 minutes.
Rapid Release definitions are created when a new threat is discovered. Rapid
Release definitions undergo basic quality assurance tests by Symantec Security
Response. However, they do not undergo the intense testing that is required for
a LiveUpdate release. Symantec updates Rapid Release definitions as needed to
respond to high-level outbreaks.
Warning: Rapid Release definitions do not undergo the same rigorous quality
assurance tests as LiveUpdate and Intelligent Updater definitions. Symantec
encourages users to rely on the full quality-assurance-tested definitions
whenever possible. Ensure that you deploy Rapid Release definitions to a test
environment before you install them on your network.
If you use a proxy or firewall that blocks FTP communications, the Rapid
Release feature does not function. Your environment must allow FTP traffic for
the FTP session to succeed.
You can schedule Rapid Release updates to occur automatically at a specified
time interval to ensure that Symantec Scan Engine always has the most current
definitions. Scheduled Rapid Release updates are disabled by default.

click System.
2 Under Views, click Rapid Release Content.
About configuring the client NetApp Filer
3 In the content area under Rapid Release Content, check Enable scheduled
Rapid Release to enable automatic downloads of Rapid Release definitions.
4 In the Rapid Release interval box, to specify the interval between which you
want Symantec Scan Engine to download Rapid Release definitions, do any
of the following steps:
n Type the interval.
n Click the up arrow or down arrow to select the interval.
You can select any number between 5 minutes and 120 minutes. The default
value is 30 minutes.

apply them.

apply them.

After you configure Symantec Scan Engine to use RPC as the communication
protocol, you configure the client NetApp Filers to work with Symantec Scan
Engine.
NetApp Filer clients must be running Data ONTAP version 6.1.3 or later to
interface with Symantec Scan Engine. If you plan to support more than one filer
with a single scan engine, each filer must be running Data ONTAP 6.1.3 or later.
Each NetApp Filer should be installed and configured in accordance with the
accompanying product documentation. Each filer should be functional before
you initiate virus scanning using Symantec Scan Engine.
About verifying that the scan engine is registered with the filer
You can verify that the scan engine is registered with the filer after you install
Symantec Scan Engine. Registration is automatic if you have provided the
correct information to Symantec Scan Engine for contacting the filer.
Registration occurs when the scan engine connects to the Filer. Use the “vscan”
command at the command line interface to check the list of registered scan
engines.
Note: The service startup properties for Symantec Scan Engine must be changed
to identify an account that has the appropriate permissions on the filer. If the
change has not been done, the scan engine cannot register with the filer because
it does not have sufficient permission.
About activating virus scanning

You can activate and deactivate virus scanning. Use the “vscan on” command at
the command line to activate virus scanning. Use the “vscan off” command to
deactivate virus scanning.
About specifying the file extensions to be scanned on the NetApp

Filer
Configure the list of extensions on the NetApp Filer to contain only the file
extensions that you want to scan. This lets you control the file types that are
passed to Symantec Scan Engine for scanning. You can configure file extensions
using the extensions include and exclude list. The extensions that are
configured on the NetApp Filer have preference over the file types and the
extensions configured on Symantec Scan Engine. For example, if .doc is included
in the extensions include list for the NetApp Filer but is excluded on Symantec
Scan Engine, .doc files are still scanned.
A default list of extensions to be submitted for virus scanning is included with
the NetApp Filer. To modify the extensions include list, at the command line
interface, use the “vscan extensions include add” command to add additional
extensions and the “vscan extensions include remove” command to remove
extensions from the list.
Similarly, for the extensions exclude list, the “vscan extensions exclude add”
command would add extensions to the exclude list while the “vscan extensions
exclude remove” would successfully remove extensions from the exclude list on
the NetApp Filer.
To rollback to the default include list, use the “vscan extensions include reset”
command at the command line interface. The wildcard extension (???), which
scans all files regardless of file extension, might negatively impact performance.
The highest level of protection is achieved by scanning all file types; however,
viruses are found only in those file types that contain executable code. So, every
file type need not be scanned. You can save bandwidth and time by limiting the
files to be scanned to only those file types that can contain viruses.
For more information, see the NetApp Filer documentation.
About working with unresponsive scan engines

The NetApp Filer can be configured to let the connection time out while waiting
for a reply from Symantec Scan Engine. Connections mostly time out when large
or complex files are scanned (for example, container files with multiple
embedded files or files that contain polymorphic or macro viruses). The time out
option can be configured by using the “vscan options time-out” command. The
default value is 10 seconds. When the scan request times out, the NetApp Filer
checks to see if the scan engine is currently at work on its request. If there is still
no response, it sends the scan request to another scan engine.
If none of the scan engines respond, then the NetApp Filer can either allow file
access without virus scanning or deny file access altogether. Configure this
option by using the “vscan options mandatory_scan” command.
You can end a virus scanning session by the “vscan scanners stop” command.
For more information, see the NetApp Filer documentation.
How virus scanning affects backups on NetApp Filer

The service startup properties for Symantec Scan Engine must be edited to
identify an account with Backup Operator privileges on the NetApp Filer.
Otherwise, backups on the filer might not finish successfully when virus
scanning is active.
The NetApp Filer can time out while waiting for a reply from the Symantec Scan
Engine when large files are scanned. Virus scanning also increases the length of
time that is needed for a backup to finish.
Note: Ensure that you have edited the service startup privileges appropriately,
or disable virus scanning before you initiate a backup of the NetApp Filer.
About clearing the scanned files cache

When Symantec Scan Engine scans a file, it is stored in the NetApp Filer’s cache.
This cached file is sent to any user who subsequently requests the same file thus
conserving scanning resources. Symantec Scan Engine can automatically notify
the NetApp Filer when the scan engine begins using new virus definitions. This
notification prompts the NetApp Filer to clear its cache of scanned files. Any
new requests for files causes the file to be sent to the scan engine again for
scanning.
See “Notifying the NetApp Filer when virus definitions are updated” on page 34.
You can manually clear the cache of scanned files by using the “vscan reset”
command at the command line interface.
About notifying a requesting user that a virus was found

retrieval of a file failed because a virus was found.
You can also enable Data ONTAP on the NetApp Filer to display warning
messages by the “vscan options client_msgbox {on|off}” command.
Chapter 3
Configuring Symantec
AntiVirus™ for Sun
StorageTek™ 5000 NAS
Appliance
n How Symantec Scan Engine works with the Sun StorageTek 5000 NAS
Appliance
n About configuring the Sun StorageTek 5000 NAS Appliance
n Recommendations while integrating multiple scan engines

48 Configuring Symantec AntiVirus™ for Sun StorageTek™ 5000 NAS Appliance

repair capabilities for the Sun StorageTek™ 5000 series of network-attached
storage (NAS) devices.
To add antivirus scanning to the Sun StorageTek 5000 NAS Appliance, configure
the following components:
services
n The NAS Anti Virus Agent, which provides the virus scanning functionality
and ensures the seamless integration of Symantec Scan Engine with the Sun
StorageTek 5000 NAS Appliance. The NAS Anti Virus Agent is an integral
part of the Sun StorageTek 5000 NAS Appliance. No separate license is
required.
See “About configuring virus scanning on the Sun StorageTek 5000 NAS
Appliance” on page 61.
How Symantec Scan Engine works with the Sun

StorageTek 5000 NAS Appliance
repair capabilities for the Sun StorageTek 5000 series of network-attached
storage devices that support the Sun NAS firmware version 4.21 M1 and later.
Virus scanning and repair is provided for files on the Common Internet File
System (CIFS).
The Internet Content Adaptation Protocol (ICAP) is used to communicate with
Symantec Scan Engine. In a typical Sun StorageTek 5000 NAS environment, a
minimum of two scan engines is required to handle scan volume. A maximum of
four scan engines can be supported per Sun StorageTek 5000 NAS Appliance.
The NAS Anti Virus Agent handles load balancing across multiple scan engines
automatically.
How are files scanned

The NAS Anti Virus Agent is configured to scan a file in real-time (that is, when
a file is opened and when it is closed, if it has been modified).
When a user tries to access a file from storage, the NAS Anti Virus Agent opens a
connection with Symantec Scan Engine. The NAS Anti Virus Agent then passes
Configuring Symantec AntiVirus™ for Sun StorageTek™ 5000 NAS Appliance 49
the file to the scan engine for scanning. When scanning is complete, the NAS
Anti Virus Agent closes the connection with the scan engine.
The Symantec Scan Engine indicates the scanning results to the NAS Anti Virus
Agent after a file is scanned. The scan engine also returns the repaired file if a
file is infected and can be repaired.
After the NAS Anti Virus Agent receives the scanning results, the file is handled
in the following way: Only clean files are passed to the requesting user. The
repaired file is passed to the requesting user if the file is infected and can be
repaired. The stored version of the infected file is then replaced with the
repaired file. If the file is infected and cannot be repaired, the user is denied
access to the file, and the infected file is quarantined. The user can also
configure the Symantec Scan Engine to quarantine an unrepairable file.
See “About quarantining unrepairable files on Symantec Scan Engine” on
page 51.
How caching works

The NAS Anti Virus Agent caches scanning results for each clean file. The
cached information includes the date and revision number of the virus
definitions that were used to perform the scan. So, if a second user requests
access to a file that has already been scanned and if the virus definitions have
not changed, a redundant scan is avoided.
The cache is purged when the virus definitions on Symantec Scan Engine are
updated and when the Sun StorageTek 5000 NAS Appliance is restarted.
Individual cache entries are updated whenever a stored file is changed.
About specifying which file types are scanned

To specify the file types to be scanned for viruses, configure settings on both the
NAS Anti Virus Agent and Symantec Scan Engine.
About specifying file types on the NAS Anti Virus Agent

Based on file extensions, the NAS Anti Virus Agent determines, initially,
whether it should pass a file to Symantec Scan Engine for scanning. You
configure which files are passed to Symantec Scan Engine for scanning when
you set up the NAS Anti Virus Agent.
You can control which files are scanned by using the exclusion or an inclusion
list, or you can scan all files regardless of extension. Configure the NAS
Anti Virus Agent to pass all file types to the scan engine except those that are
contained in the exclusion list. The exclusion list can include extensions for
those file types that are not likely to contain viruses and can be excluded from
scanning.
About specifying file types on Symantec Scan Engine

You can configure Symantec Scan Engine so that selected file types and file
extensions are excluded from scanning. The setting on Symantec Scan Engine is
as important as the NAS Anti Virus Agent setting. This setting on the scan
engine determines which files to scan upon receiving a file from the NAS Anti
Virus Agent. The scanned files are those contained in archive or container file
formats. You can control which embedded files are scanned by using the file
type and extension exclusion list, or you can scan all files regardless of
extension.
Note: Exclusion lists ensure that all file types are not scanned; therefore, new
types of viruses might not be detected. Scanning all files regardless of extension
and type is the most secure setting, but it imposes the heaviest demand on
resources. During virus outbreaks, you might want to scan all files even if you
normally control the file types that are scanned with the exclusion list.
See “Specifying which file types to scan on the scan engine” on page 55.
About specifying the scan policy

You configure the scan policy through the Symantec Scan Engine
administrative interface. When an infected file is found, the scan engine can do
any of the following:
Scan only Scan files for viruses, but do nothing to infected

files
Scan and delete Scan files for viruses, and delete any infected files
that are embedded in archive or container files
without trying to repair
Scan and repair files Try to repair infected files, but do nothing to
unrepairable files (that is, do not delete the files
from archive or container files).
Scan and repair or delete Try to repair infected files, and delete
unrepairable files from archive or container files
About handling infected files on the NAS device

When an unrepairable infected file is found, the NAS Anti Virus Agent does not
delete the file, even though the scan engine tells it to. Instead, the NAS Anti
Virus Agent quarantines the file and denies any access to the file. The
quarantined files can be deleted or removed from quarantine by using the
command-line interface in the Sun StorageTek 5000 NAS Appliance or through
Windows Explorer on the requesting CIFS client.
For more information, see the appropriate Sun StorageTek documentation.
About quarantining unrepairable files on Symantec Scan

Engine
You can configure Symantec Scan Engine to quarantine files that are infected
with viruses and are unrepairable. You must provide the host name or IP
address of a Windows 2000 Server/Windows 2003 Server/Windows 2008 Server
computer that has the Symantec™ Quarantine Server installed.

After you have installed the Symantec Scan Engine, configure the virus
scanning functionality on the Sun StorageTek 5000 NAS device.

You must configure several settings on each Symantec Scan Engine that is used
to support scanning for the Sun StorageTek 5000 NAS family.
Note: The configuration settings on each scan engine must be identical if you
use multiple scan engines to support scanning. LiveUpdate and Rapid Release
should be scheduled to occur at the same time on all scan engines so that virus
definitions are consistent at all times.
The scan engine must be configured to use ICAP as the communication protocol.
ICAP is the default protocol at installation. After you have selected ICAP, you
can configure ICAP-specific options.
Configuring ICAP-specific options

After you install Symantec Scan Engine, you can configure several settings that
are specific to the ICAP protocol through the Symantec Scan Engine
administrative interface. If Symantec Scan Engine has already been configured
to use another protocol, you also can change the protocol through the
administrative interface. However, you must manually restart the Symantec
Scan Engine.
For more information about accessing the administrative interface, see the
Symantec Scan Engine Implementation Guide.
Table 3-1 describes the protocol-specific options for ICAP.
Table 3-1 Protocol-specific options for ICAP
Option Description
Bind address Symantec Scan Engine detects all of the available IP addresses
that are installed on the host. By default, Symantec Scan
Engine accepts scanning requests on (binds to) all of the
scanning IP addresses that it detects. You can configure up to
64 IP addresses as scanning IP addresses.
You can specify whether you want Symantec Scan Engine to
bind to all of the IP addresses that it detects, or you can
restrict access to one or more interfaces. If you do not specify
at least one IP address, Symantec Scan Engine binds to all of
the scanning IP addresses that it detects.
If Symantec Scan Engine fails to bind to any of the selected IP
addresses, an event is written to the log as a critical error.
Even if Symantec Scan Engine is unable to bind to any IP
address, you can access the console. However, scanning
functionality is unavailable.
Note: You can use 127.0.0.1 (the loopback interface) to let only
the clients that are running on the same computer connect to
Port number The port number must be exclusive to Symantec Scan Engine.
For ICAP, the default port number is 1344. If you change the
port number, use a number greater than 1024 that is not in
use by any other program or service.
Scan policy When an infected file is found, Symantec Scan Engine can do
n Scan only: Scan files for viruses, but do nothing to
infected files.
n Scan and delete: Scan files for viruses, and delete any
infected files that are embedded in archive or container
files without trying to repair.
n Scan and repair files: Try to repair infected files, but do
nothing to unrepairable files (that is, do not delete the
files from archive or container files).
n Scan and repair or delete: Try to repair infected files, and
delete unrepairable files from archive or container files.
Note: If you choose the data trickle feature, the virus scan
policy is automatically set to Scan only.
Option Description
Enable trickle This setting provides users with a quicker download response
and avoids possible session time-out errors. Data trickling is
disabled by default.
Time before trickle data You can specify how long the scan process should run before
starts data trickling begins.
To configure ICAP-specific options

3 In the right pane, under Select Communication Protocol, click ICAP.
If you change the protocol setting from RPC to ICAP through the Symantec
Scan Engine administrative interface, you must manually stop and start the
service.
4 Under ICAP Configuration, in the Bind address box, select the scanning IP
addresses that you want to bind to Symantec Scan Engine. Check Select All
to select every IP Address in the Bind address table.
By default, Symantec Scan Engine binds to all interfaces.
5 In the Port number box, type the TCP/IP port number that the NAS
Anti Virus Agent uses to pass files to Symantec Scan Engine for scanning.
The default setting for ICAP is port 1344.
6 In the Scan policy list, select how you want Symantec Scan Engine to handle
infected files.
The default setting is Scan and repair or delete, which is the recommended
setting.
7 Check Enable trickle to enable the data trickle feature. The scan policy is
automatically set to Scan only. However, enabling data trickle can
compromise antivirus integrity. The data that is trickled to the user might
contain a virus. You also cannot use the Quarantine feature when you enable
data trickling.
8 Type the number of seconds that the scan process should run before data
trickling begins.
The setting defaults to 5 seconds and can be up to a maximum of 86400
seconds.

apply them.

apply them.
Specifying which file types to scan on the scan engine

The settings on Symantec Scan Engine must be configured to specify the types
of files to be scanned for viruses. This setting on the scan engine determines
which files to scan on receiving a file from the NAS Anti Virus Agent. The
scanned files are those contained in archive or container file formats.
You can control which embedded files are scanned by using an extension or type
exclusion list, or you can scan all files regardless of extension and type. A pre-
populated extension and type exclusion list exists that you can modify. The
Note: Symantec Scan Engine examines the first few bytes of every file to
determine whether the file could contain a virus. This action occurs even if the
file extension is not one that was identified for scanning. Based on this
examination, the scan engine may scan a file even though it has not been
identified for scanning.
Specify which file types to scan

You can control which file types are scanned by specifying those extensions that
you want to exclude from scanning, or you can scan all files regardless of
extension.
click Policies.
When you enable this option, both the file extension exclude list and the file
type exclude list are activated automatically.
exclude list.

apply them.

apply them.
click Policies.
When you enable this option, both the file type exclude list and the file
exclude list.
exclude list.

apply them.

apply them.

click Policies.

apply them.

apply them.
Specifying container handling limits

File attachments that consist of container files can overload the system and
cause denial-of-service attacks. They can be overly large, contain large numbers
of embedded, compressed files, or be designed to maliciously use resources and
degrade performance. Symantec Scan Engine can be configured to impose limits
on how container files are handled. This reduces the network’s exposure to
denial-of-service attacks.
You can specify the following limits for handling container files:
n The maximum amount of time, in seconds, that is spent decomposing a
container file and its contents
This setting does not apply to .hqx or .amg files.
n The maximum file size, in megabytes, for the individual files that are in a
container file
n The maximum number of nested levels to decompose for scanning
n The maximum number of bytes that are read when determining whether a
file is MIME-encoded
You can specify whether to allow or deny access to the file if any of these
specified limits is met or exceeded.
Symantec Scan Engine blocks container files based on their type, because only
certain file types contain virus or malicious code.You can configure Symantec
Scan Engine to block partial container files, malformed container files, and
encrypted container files as well.
For more information on container handling limits, see the Symantec Scan

scanning on the Sun StorageTek 5000 NAS Appliance.

click System.
LiveUpdate.


apply them.

apply them.


click System.
About configuring the Sun StorageTek 5000 NAS Appliance


apply them.

apply them.
About configuring the Sun StorageTek 5000 NAS

Appliance
You must register at least one Symantec Scan Engine for each Sun StorageTek
5000 NAS Appliance for which you provide virus scanning. You also must
configure the virus scan functionality in accordance with the Sun StorageTek
documentation. The Sun StorageTek 5000 NAS Appliance for which you provide
virus scanning must be in the 5000 series of network-attached storage devices.
For more information, see the appropriate Sun StorageTek documentation.
Registering Symantec Scan Engine

You must register at least one Symantec Scan Engine to provide the virus
scanning for each Sun StorageTek 5000 NAS Appliance. In a typical
environment, a minimum of two scan engines is required to handle scan volume.
Having one scan engine can cause denial-of-file access, in case it does not
respond. A maximum of four scan engines can be supported per Sun StorageTek
5000 NAS Appliance. The NAS Anti Virus Agent handles load balancing across
multiple scan engines automatically.
Note: You do not need to register the same scan engine with each Sun
StorageTek 5000 NAS Appliance. You can register different scan engines to
different Sun StorageTek 5000 NAS Appliances. However, all of the scan engines
registered with a Sun StorageTek 5000 NAS Appliance must have identical
configurations.
You register Symantec Scan Engine through the Configure AntiVirus setup
screen for the NAS AntiVirus Agent. You must provide the IP address, the port
number, and the maximum number of simultaneous scan requests for each scan
engine that is used for scanning. The port number must match the port number
that was selected during the installation of Symantec Scan Engine.
About configuring virus scanning on the Sun StorageTek 5000 NAS

Appliance
You must configure virus scanning (the NAS Anti Virus Agent) for each Sun
StorageTek 5000 NAS Appliance. You configure the virus scan functionality
through the Configure AntiVirus setup screen for each NAS Appliance.
Note: The virus scan functionality for each Sun StorageTek 5000 NAS Appliance
accessing a scan engine must be configured identically to avoid inconsistency.
The scan results and repair results for infected files will be inconsistent if the
settings differ for each appliance.
Table 3-2 describes the settings that you should configure for virus scan
functionality.
Table 3-2 NAS Anti Virus Agent settings
Setting Description
Enable Anti Virus Activate the NAS AntiVirus Agent by enabling this option.
Scan Engine IP address and Type the IP address and the port number of each scan
port number engine to be used for scanning.
Ensure that the entered port number matches the one used
while installing the scan engine. Each Sun StorageTek 5000
NAS appliance can support up to four scan engines.
Table 3-2 NAS Anti Virus Agent settings
Setting Description
Maximum Connections Specify the number of concurrent scan requests that can be
handled by the scan engine. The default setting on the NAS
Anti Virus Agent is 2. The similar configurable option on
the Symantec Scan Engine defaults to 128.
Maximum scan size Select whether to specify an upper limit for the size of files
to be scanned.
Although you can choose a file size between 1 MB and 9999
MB, the Symantec Scan Engine can scan a maximum file
size of 2047 MB (or 2GB). The default setting is 1GB.
You can choose to allow or deny access to files that are
larger than the limit that is specified in Maximum scan size.
Note: Allowing access to files that have not been scanned

can make your network vulnerable to virus attacks.
Extensions for scanning Select the file types to be passed to Symantec Scan Engine
(file types to be scanned) for scanning.
You can use either an exclusion or an inclusion list, or you
can scan all files regardless of extension. This setting is
similar to the Files to scan setting on Symantec Scan
Engine. You must configure this setting on both the Sun
StorageTek 5000 NAS Appliance and Symantec Scan
Engine.
The recommended setting is to pass all file types to the scan
engine except those that are contained in the exclusion list.
If the Symantec Scan Engine’s scanning results indicate that the file is
unrepairable and must be deleted, then the NAS AntiVirus Agent quarantines
the file. All access to the file is denied. If the file is infected but repairable, the
repaired file is passed to the requesting user. The stored version of the infected
file is replaced with the repaired file.
If one scan engine does not respond, the NAS AntiVirus Agent requests virus
scanning for a given file from other registered scan engines. If none respond,
then file access is denied.
Recommendations while integrating multiple scan engines
Recommendations while integrating multiple scan

engines
Do the following when multiple scan engines are used to support the Sun
StorageTek 5000 NAS Appliance:
n Configure the settings on each Symantec Scan Engine to be identical.
n Schedule LiveUpdate and Rapid Release to occur at the same time on all of
the scan engines. This ensures that virus definitions are consistent.
n Configure the virus scan functionality to be identical for each Sun
StorageTek 5000 NAS Appliance in a group to avoid inconsistency.
The scan results and repair results for infected files will be inconsistent if
the settings differ for each appliance in a group.
Chapter 4
AntiVirus™ for Sun Storage
7000 Series
n How Symantec Scan Engine works with the Sun Storage 7000 Series NAS
device
n About configuring the Sun Storage 7000 Series NAS device

66 Configuring Symantec AntiVirus™ for Sun Storage 7000 Series

Symantec AntiVirus for Network Attached Storage provides virus scanning
capabilities for the Sun Storage 7000 Series of network-attached storage (NAS)
devices.
To add antivirus scanning to the Sun Storage 7000 Series NAS device, configure
services
n The VSCAN service, which provides the virus scanning functionality and
ensures the seamless integration of Symantec Scan Engine with the Sun
Storage 7000 Series NAS device. The VSCAN service is an integral part of
the Sun Storage 7000 Series NAS device. No separate license is required.
See “About configuring virus scanning on the Sun Storage 7000 Series NAS
device” on page 78.
How Symantec Scan Engine works with the Sun

Storage 7000 Series NAS device
capabilities for the Sun Storage 7000 Series of network-attached storage (NAS)
devices. Symantec AntiVirus for Network Attached Storage is certified with Sun
Storage 7000 Series NAS device that supports the Sun Storage 7xxx version
2008.10 firmware version. The Internet Content Adaptation Protocol (ICAP) is
used to communicate with Symantec Scan Engine. In a typical Sun Storage 7000
Series NAS device environment, a minimum of two scan engines is required to
handle scan volume. A maximum of four scan engines can be supported per Sun
Storage 7000 Series NAS device. The VSCAN service handles load balancing
across multiple scan engines automatically.

The VSCAN service is configured to scan a file in real-time (that is, when a file is
opened and when it is closed, if it has been modified).
When a user tries to access a file from storage, the VSCAN service opens a
connection with Symantec Scan Engine. The VSCAN service then passes the file
to the scan engine for scanning. When scanning is complete, the VSCAN service
closes the connection with the scan engine.
Configuring Symantec AntiVirus™ for Sun Storage 7000 Series 67
Based on the scan policy that you set on the Symantec Scan Engine, the
Symantec Scan Engine indicates the scanning results to the VSCAN service after
a file is scanned. After the VSCAN service receives the scanning results, the file
is handled in the following way: Only clean files are passed to the requesting
user. If the file is infected, the user is denied access to the file, and the infected
file is quarantined.
How caching works

The VSCAN service caches scanning results for each clean file. The cached
information includes the date and revision number of the virus definitions that
were used to perform the scan. So, if a second user requests access to a file that
has already been scanned and if the virus definitions have not changed, a
redundant scan is avoided.
The cache is purged when the virus definitions on Symantec Scan Engine are
updated and when the Sun Storage 7000 Series NAS device is restarted.
Individual cache entries are updated whenever a stored file is changed.

To specify the file types to be scanned for viruses, configure settings on both the
VSCAN service and Symantec Scan Engine.
About specifying file types on the VSCAN service

Based on file extensions, the VSCAN service determines, initially, whether it
should pass a file to Symantec Scan Engine for scanning. You configure which
files are passed to Symantec Scan Engine for scanning when you set up the
VSCAN service.
You can control which files are scanned by using the File extensions scanned
list. The exclusion list contains the extensions that you specify against the
action “Don’t Scan”. The exclusion list can include extensions for those file
types that are not likely to contain viruses and can be excluded from scanning.
The inclusion list contains the extensions that you specify against the action
“Scan”.

extensions are excluded from scanning. The setting on Symantec Scan Engine is
as important as the VSCAN service setting. This setting on the scan engine
determines which files to scan upon receiving a file from the VSCAN service.
The scanned files are those contained in archive or container file formats. You
can control which embedded files are scanned by using the file type and
extension exclusion list, or you can scan all files regardless of extension.


files
The Sun Storage 7000 Series NAS device does not support the repair of infected
files. Hence, it is recommended that you select the “Scan only” scan policy on
the Symantec Scan Engine administrative interface.
See “Configuring ICAP-specific options” on page 69.
About handling infected files on the NAS device

When an infected file is found, the VSCAN service does not delete or repair the
file, even though the scan engine tells it to. Instead, the VSCAN service
quarantines the file and denies any access to the file. The quarantined files can
be deleted or removed from quarantine by using the command-line interface in

the Sun Storage 7000 Series NAS device or through Windows Explorer on the
requesting CIFS client.
For more information, see the appropriate Sun Storage documentation.

After you have installed the Symantec Scan Engine, configure the virus
scanning functionality on the Sun Storage 7000 Series NAS device.

to support scanning of the Sun Storage 7000 Series NAS device.
use multiple scan engines to support scanning. LiveUpdate should be scheduled
to occur at the same time on all scan engines so that virus definitions are
consistent at all times.

to use another protocol, you also can change the protocol through the
administrative interface.
Option Description
infected files. This setting is recommended.
nothing to irreparable files (that is, do not delete the files
delete irreparable files from archive or container files.
Option Description
Note: The Sun Storage 7000 Series does not support the trickle
feature.
Note: The Sun Storage 7000 Series does not support the trickle
feature.

service.
5 In the Port number box, type the TCP/IP port number that the VSCAN
service uses to pass files to Symantec Scan Engine for scanning.
infected files.
The default setting is Scan and repair or delete, but the recommended
setting is Scan only.
7 Check Enable trickle to enable the data trickle feature.
The scan policy is automatically set to Scan only. However, enabling data
trickle can compromise antivirus integrity. The data that is trickled to the
user might contain a virus. You also cannot use the Quarantine feature when
you enable data trickling.
Note: The Sun Storage 7000 Series does not support the trickle feature.
trickling begins.
seconds.

apply them.

apply them.

of files to be scanned for viruses. This setting on the scan engine determines
which files to scan on receiving a file from the VSCAN service. The scanned files
are those contained in archive or container file formats.
populated extension and type exclusion list exists that you can modify. The
Specify which file types to scan

extension.
click Policies.
exclude list.

apply them.

apply them.
click Policies.
exclude list.
exclude list.

apply them.

apply them.

click Policies.

apply them.

apply them.
Specifying container handling limits

container file
certain file types contain virus or malicious code.You can configure Symantec

scanning on the Sun Storage 7000 Series NAS device.

click System.
LiveUpdate.

apply them.

apply them.

retrieve Rapid Release definitions every 5 minutes to every 120 minutes. If you
use multiple scan engines to support virus scanning, schedule Rapid Release to
occur at the same time for each scan engine. This scheduling ensures that all
scan engines have the same version of definition updates. Having the same
version of virus definitions is necessary for proper functioning of virus scanning
on the Sun Storage 7000 Series NAS device.

click System.

apply them.

apply them.
About configuring the Sun Storage 7000 Series NAS device
About configuring the Sun Storage 7000 Series NAS

device
You must register at least one Symantec Scan Engine for each Sun Storage 7000
Series NAS device for which you provide virus scanning. You also must
configure the virus scan functionality in accordance with the Sun Storage
documentation. The Sun Storage 7000 Series NAS device for which you provide
virus scanning must be in the Sun Storage 7000 Series series of network-
attached storage devices.
For more information, see the appropriate Sun Storage documentation.
Registering Symantec Scan Engine

scanning for each Sun Storage 7000 Series NAS device. In a typical
Having one scan engine can cause denial-of-file access, in case it does not
respond. A maximum of four scan engines can be supported per Sun Storage
7000 Series NAS device. The VSCAN service handles load balancing across
multiple scan engines automatically.
Note: You do not need to register the same scan engine with each Sun Storage
7000 Series NAS device. You can register different scan engines to different Sun
Storage 7000 Series NAS devices. However, all of the scan engines registered
with a Sun Storage 7000 Series NAS device must have identical configurations.
You register Symantec Scan Engine through the Virus Scan setup screen for the
VSCAN service. You must provide the IP address, the port number, and the
maximum number of simultaneous scan requests for each scan engine that is
used for scanning. The port number must match the port number that was
selected during the installation of Symantec Scan Engine.
About configuring virus scanning on the Sun Storage 7000 Series

NAS device
You must configure virus scanning (the VSCAN service) for each Sun Storage
7000 Series NAS device. You configure the virus scan functionality through the
Virus Scan setup screen for each Sun Storage 7000 Series NAS device.
About configuring the Sun Storage 7000 Series NAS device
Note: The virus scan functionality for each Sun Storage 7000 Series NAS device
accessing a scan engine must be configured identically to avoid inconsistency.
The scan results for infected files will be inconsistent if the settings differ for
each appliance.
Table 4-2 describes the settings that you should configure for virus scan
functionality.
Table 4-2 VSCAN service settings
Setting Description
Maximum file size to scan Select an upper limit for the size of files to be scanned.
The default setting is 1 GB.
Symantec Scan Engine can scan a maximum file size of
2048 MB (or 2GB).
Allow access to files that You can choose to allow or deny access to files that are
exceed maximum file size larger than the limit that is specified in Maximum file size
to scan.
Allowing access to files that have not been scanned can
make your network vulnerable to virus attacks.
Virus Scanning Engines In the fields Host and Port, type the IP address and the port
number of each scan engine to be used for scanning. Ensure
that the entered port number matches the one used while
installing the scan engine.
In the field Maximum Connections, specify the number of
concurrent scan requests that the scan engine can handle.
The default setting on the VSCAN service is 32. The similar
configurable option on the Symantec Scan Engine defaults
to 128.
Put a check mark against a Symantec Scan Engine under
the Enable field to activate it for scanning.
Each Sun Storage 7000 Series NAS device can support up to
four scan engines.
Table 4-2 VSCAN service settings
Setting Description
File extensions scanned Select the file types to be passed to Symantec Scan Engine
for scanning.
You can use either an exclusion or an inclusion list, or you
can scan all files regardless of extension. This setting is
similar to the Files to scan setting on Symantec Scan
Engine. You must configure this setting on both the Sun
Storage 7000 Series NAS device and Symantec Scan Engine.
To add an extension to the exclusion list, select “Don’t Scan”
from the Action drop-down menu and specify the extension
in the “Pattern” field. To add an extension to the inclusion
list, select “Scan” from the Action drop-down menu and
specify the extension in the “Pattern” field.
The default setting “*” sends all file types regardless of
extension to the Symantec Scan Engine for scanning.
If the Symantec Scan Engine’s scanning results indicate that the file is infected,
then the VSCAN service quarantines the file. All access to the file is denied. You
can only view and delete the quarantined file in a file browser.
If one scan engine does not respond, the VSCAN service requests virus scanning
for a given file from other registered scan engines. If none respond, then file
access is denied.

engines
Do the following when multiple scan engines are used to support the Sun
Storage 7000 Series NAS device:
n Configure the virus scan functionality to be identical for each Sun Storage
7000 Series NAS device in a group to avoid inconsistency.
The scan results for infected files will be inconsistent if the settings differ
for each appliance in a group.
Chapter 5
AntiVirus for BlueArc®
Storage System and
Hitachi® High-
performance NAS
Platform™, powered by
BlueArc®
n How Symantec Scan Engine works with BlueArc Storage System and
Hitachi High-performance NAS Platform
n About configuring BlueArc Storage System or Hitachi High-performance

NAS Platform
82 Configuring Symantec™ AntiVirus for BlueArc® Storage System and Hitachi® High-performance NAS Platform™, powered
by BlueArc®

repair capabilities for BlueArc® Storage System and Hitachi® High-performance
NAS Platform™, powered by BlueArc®.
Configure the following components to add antivirus scanning to BlueArc
Storage System or Hitachi High-performance NAS Platform:
services
n BlueArc Storage System or Hitachi High-performance NAS Platform
Some options are configured directly on the NAS Server. No additional code
is necessary to connect Symantec Scan Engine to the NAS Server.
See “About configuring BlueArc Storage System or Hitachi High-
performance NAS Platform” on page 97.
How Symantec Scan Engine works with BlueArc

Storage System and Hitachi High-performance NAS
Platform
repair capabilities for BlueArc Storage System and Hitachi High-performance
NAS Platform storage appliances that have firmware version 4.0 or later.
Symantec Scan Engine must be installed on a computer that is running
Windows 2000 Server/Windows 2003 Server/Windows 2008 Server. It must be
located in the same domain as the NAS Server for which it provides scanning
and repair services. Symantec Scan Engine uses the RPC protocol to interface
with BlueArc Storage System and Hitachi High-performance NAS Platform
storage appliances.
On the NAS Server, you can enable virus scanning individually for each
Enterprise Virtual Server (EVS). An EVS is a virtual NAS system that consists of
CIFS shares with individual IP addresses. A single Symantec Scan Engine can
support multiple EVSs. Hence, represent each EVS as an RPC client through the
Symantec Scan Engine administrative interface, You can use multiple scan
engines to support one or more EVSs for sites with larger scan volumes. Load
balancing is handled through the NAS Server’s administrative interface to
achieve high availability and performance scaling.
Configuring Symantec™ AntiVirus for BlueArc® Storage System and Hitachi® High-performance NAS Platform™, powered 83
by BlueArc®
Virus scanning on BlueArc Storage System and Hitachi High-performance NAS

Platform is available only for those files that are requested through the
Common Internet File System (CIFS).

The NAS Server submits files to Symantec Scan Engine for scanning on both
(read) and if they are changed on the NAS Server (write).
When a user tries to access a file, the NAS Server passes the file path to
Symantec Scan Engine for scanning. After the file is opened and scanned,
Symantec Scan Engine indicates the scanning results to the NAS Server. The
scan engine returns the repaired file based on a configurable virus scan policy if
a file is infected and can be repaired.
The NAS Server passes the clean files to the requesting user after it received the
scanning results. The repaired file is passed to the requesting user if the file is
infected and can be repaired. The stored version of the infected file is then
replaced with the repaired file. The user is denied access to the file if the file is
infected and cannot be repaired, and the infected file is deleted from storage.
You can configure Symantec Scan Engine to quarantine these unrepairable files.
After a file has been scanned and declared clean, the scanned state information
is stored in its metadata on disk. It avoids redundant scans of those files that
have already been scanned. These files will not be scanned again unless they are
modified or the administrator requests a full scan of the files from the NAS
Server’s administrative interface.
See “About executing a full file system scan” on page 99.
About connecting to Symantec Scan Engine

Symantec Scan Engine monitors the connection with each EVS by checking the
connection at a configured time interval. The scan engine tries to reconnect if it
determines that the connection is not active. (You can configure the number of
times that the scan engine tries to re-establish the connection.)
About limiting scanning by file type

Viruses are found only in the file types that contain executable code. Only those
file types that can contain viruses need be scanned. Limiting scanning by file
type saves bandwidth and time.
by BlueArc®
You have the following levels of control over which files are scanned:
You can control the files that are The NAS Server lets you specify by file extension the
initially submitted to the scan files that are to be passed to Symantec Scan Engine
engine by BlueArc Storage System for scanning. You configure the file types that you
or Hitachi High-performance NAS want to submit for scanning through the NAS Server
Platform for scanning. interface in accordance with the product
documentation.
See “About specifying the file extensions to be
scanned on the NAS Server” on page 98.
You can control the files that are The file extension exclusion list and the file type
embedded in archival file formats exclusion lists let you specify the file types and the file
(for example, .zip or .lzh files) that extensions that you do not want to scan. The file
are to be scanned by Symantec extensions exclusion list and the file type exclusion
Scan Engine. list achieve this purpose. You can also scan all file
types regardless of extension. You configure which
embedded files are scanned through the Symantec
Scan Engine administrative interface.
See “Specifying which embedded files to scan” on
page 92.


to any unrepairable file.
unrepairable file.
You can also configure the scan engine to quarantine unrepairable files.
See“About quarantining unrepairable infected files” on page 91.
About user identification and notification when a virus is found

When a virus is found in a file that is requested from the NAS Server, Symantec
Scan Engine automatically obtains (for logging purposes) identification
information about the user who requested the infected file. This information
by BlueArc®
includes the security identifier of the user and the IP address and host name of
the requesting computer.
The identification information supplements the information that is contained in
Infection Found log messages that are logged to the local logs, the Windows
Event Log, and SMTP. This information does not appear in the Infection Found
messages that are logged to SNMP or SSIM.
Note: Symantec Scan Engine can obtain only the information that is made
available by the NAS Server. In some cases, all or some of this information is not
available. The information that is obtained is reported in the related log entries.
Any identification information that is not obtained from the NAS Server is
omitted from the log messages and from the user notification window.
You also can configure Symantec Scan Engine to notify the requesting user that
the retrieval of a file failed because a virus was found. The notification message
only appears if the user uses a Windows computer.
The notification message includes the following:
n Date and time of the event
n File name of the infected file
n Virus name and ID
n Virus definition date and revision number
n Manner in which the infected file was handled (for example, the file was
n Scan policy
n Disposition of the file (for example, infected)
n Duration of scan time and connection time
The Windows Messenger service must be running on the computer that is
running the Symantec Scan Engine and on the user’s computer to use the user
notification feature.

BlueArc Storage System and Hitachi High-performance NAS Platform storage
appliance must support a firmware version of 4.0 or later to interface with
Symantec Scan Engine. As a prerequisite, ensure that each NAS Server for
by BlueArc®
which the scan engine is to provide scanning and repair services meets this
requirement.
To use RPC, Symantec Scan Engine must be installed on a computer that is
running Windows 2000 Server/Windows 2003 Server/Windows 2008 Server.
After you install Symantec Scan Engine, configure the NAS Server to work with
the scan engine.
See “About configuring BlueArc Storage System or Hitachi High-performance
NAS Platform” on page 97.

Configure Symantec Scan Engine to use RPC as the communication protocol.
The Internet Content Adaptation Protocol (ICAP) is the default protocol at
installation, but you can change the protocol to RPC through the administrative
interface. Then you can configure the RPC-specific options.
You must also change the Windows service startup properties to identify an
account that has the appropriate permissions.
Editing the service startup properties

If you change the protocol setting to RPC through the Symantec Scan Engine
administrative interface, you need to change the service startup properties to
identify an account that has the following appropriate permissions:
n The account must have local administrator permissions on the computer
that has the scan engine.
n The user account must have Backup Operator privileges or above on the
NAS Server.
For more information on how to set up a shared account with local group
backup operator privileges on the NAS Server, see the appropriate product
documentation.
You must change the service startup properties if the list of NAS Servers is
edited as well.
by BlueArc®
To edit the service startup properties

1 In the Windows 2000/2003/2008 Control Panel, click Administrative Tools.
2 Click Services.
3 In the list of services, right-click Symantec Scan Engine, and then click
Properties.
4 In the Properties dialog box, on the Log On tab, click This Account.
5 Type the account name and password for the user account that has local
administrator rights on the computer that has the scan engine. This account
should also have Backup Operator privileges or above on the NAS Server.
Use the following format for the account name:
domain\username
6 Click OK.
7 Stop and start the Symantec Scan Engine service.
For more information on stopping and starting the Symantec Scan Engine
service, see the Symantec Scan Engine Implementation Guide.
Configuring RPC protocol options

After you install Symantec Scan Engine, you can configure settings that are
specific to the RPC protocol. You must manually stop and start the scan engine
service when you change to the RPC protocol through the Symantec Scan
Engine administrative interface. A proper connection to the NAS Server is
ensured.
Table 5-1 describes the protocol-specific options for RPC.
Option Description
RPC client list A single Symantec Scan Engine can support one or more EVSs.
Each EVS must be located in the same domain as Symantec Scan
Engine. You must provide the IP address of each EVS.
Note: Multiple scan engines can support a single EVS. Configure

the multiple scan engines through the BlueArc Storage System or
Hitachi High-performance NAS Platform interface.
Check RPC Symantec Scan Engine maintains a connection with the EVS on
connection every __ the NAS Server. Symantec Scan Engine can be configured to check
seconds the connection with the EVS at a prescribed interval to ensure that
the connection is active. The default value is 20 seconds.
by BlueArc®
Option Description
Maximum number You can configure Symantec Scan Engine to make a specified
of reconnect number of tries to re-establish a lost connection with the EVS. By
attempts default, Symantec Scan Engine is configured to try to reconnect
with the EVS indefinitely.
Note: Do not set a maximum number of reconnect attempts if the

scan engine provides scanning for multiple Enterprise Virtual
Servers. Use the default setting.
Antivirus scan You can configure Symantec Scan Engine to do one of the
policy following when an infected file is found:
n Scan only: Deny access to the infected file, but do nothing to
the infected file.
n Scan and repair files: Try to repair the infected file, and deny
access to any unrepairable file.
n Scan and repair or delete: Try to repair the infected file, and
delete any unrepairable file.
Note: You must select Scan and repair or delete if you plan to
quarantine the infected files that cannot be repaired. For more
information, see the Symantec Scan Engine Implementation Guide.
Automatically send You can configure Symantec Scan Engine to automatically notify
antivirus update BlueArc Storage System and Hitachi High-performance NAS
notifications Platform when new virus definitions are used.
Configure RPC protocol options

To configure RPC, do the following:
n Provide an IP address for each EVS for which Symantec Scan Engine should
provide scanning services. You can add or delete Enterprise Virtual Servers
from this list at any time.
n Configure the additional RPC-specific options.
To edit the list of NAS Servers

3 In the right pane, under Select Communication Protocol, click RPC.
4 In the Manual Restart Required dialog box, click OK.
by BlueArc®
5 To add an EVS to the list of RPC clients, type the IP address of the EVS for
which Symantec Scan Engine should provide scanning services.
Type one entry per line.
6 To delete an EVS from the list of RPC clients, select and delete the IP address
of the EVS.

apply them.

connection to the EVS.
To configure additional RPC-specific options

3 Under RPC Configuration, in the Check RPC connection every box, type how
frequently Symantec Scan Engine checks the RPC connection with the EVS
to ensure that the connection is active.
The default interval is 20 seconds.
4 In the Maximum number of reconnect attempts box, type the maximum
number of tries that the Symantec Scan Engine should undertake to re-
establish a lost connection with the EVS.
The default setting is 0. Symantec Scan Engine tries indefinitely to re-
establish a connection. Use the default setting if the scan engine provides
scanning for multiple enterprise virtual servers.
5 In the Antivirus scan policy list, select how you want Symantec Scan Engine
to handle infected files.
The default setting is Scan and repair or delete.
by BlueArc®

apply them.

connection to the EVS.
Notifying a requesting user that a virus was found

retrieval of a file failed because a virus was found. The notification message is
displayed only if the user uses a Windows computer. In addition, the requesting
user’s computer must be in the same domain as the scan engine. Both the user’s
computer and the scan engine must have the Windows Messenger service
running to use this feature.
The notification message includes the following information:
n The date and time of the event
n The event security level (for example, Warning)
n The scan policy (for example, scan and repair or delete)
n The file name of the infected file
n The virus name and ID
n The manner in which the infected file was handled (for example, the file was
n The disposition of the file (for example, infected)
n The IP address and name of the requesting user’s computer
n The date and revision number of the virus definitions used
n The duration (in seconds) of scan and connection time
To notify a requesting user that a virus was found

click Monitors.
2 Under Views, click Alerting.
by BlueArc®
3 In the right pane, under Log Windows Messenger, check Enable Windows
Messenger Logging.
User notification is disabled by default.

apply them.

About quarantining unrepairable infected files

You can quarantine unrepairable infected files when you use the RPC protocol.
To use the quarantine feature, Symantec Central Quarantine must be installed
separately on a computer that runs Windows 2000 Server/Windows 2003
Server/Windows 2008 Server. Symantec Central Quarantine is included on the
Symantec Scan Engine distribution CD along with supporting documentation.
Symantec Scan Engine forwards the infected files that cannot be repaired to
Symantec Central Quarantine. Typically, the heuristically-detected viruses that
cannot be eliminated by the current set of virus definitions are forwarded to the
quarantine. They are isolated so that the viruses cannot spread. The infected
items can be submitted to Symantec Security Response for analysis from the
quarantine. New virus definitions are posted if a new virus is identified.
Note: You must select “Scan and repair or delete” as the RPC scan policy to
forward files to the quarantine. The original infected file is deleted when a copy
of an infected file is forwarded to the quarantine. If submission to the
quarantine is not successful, the original file is not deleted, and an error
message is returned to the NAS Server. Access to the infected file is denied.
For more information about installing and configuring Symantec Central

Quarantine, see the Symantec Central Quarantine Administrator’s Guide.
by BlueArc®
To quarantine unrepairable infected files

click Policies.
3 In the right pane, under Quarantine, check Quarantine files.
4 In the Central server quarantine host or IP box, type the host name or the IP
address for the computer on which Symantec Central Quarantine is
installed.
5 In the Port box, type the TCP/IP port number to be used by the Symantec
Scan Engine to pass files to the Symantec Central Quarantine.
This setting must match the port number that is selected at installation for
Symantec Central Quarantine.

apply them.

Your changes are not implemented until you apply
them.
Specifying which embedded files to scan

The NAS Server submits files to Symantec Scan Engine for scanning based on
the file extension of the top-level file. You can configure the file types that are
submitted for scanning through the NAS Server administrative interface. The
top-level files that are sent to Symantec Scan Engine are scanned regardless of
file extension.
When the scan engine receives an archive file (for example, a .zip or .lzh file)
that contains embedded files, it must break down the archive file and scan each
embedded file. You can control, through the scan engine administrative
interface, which embedded files are scanned by using a file extension and file
type exclusion list. You can also scan all files regardless of extension.
by BlueArc®
Symantec Scan Engine is configured by default to scan all files. The file type and
file extension exclusion lists are prepopulated with the file types that are
unlikely to contain viruses, but you can edit this list.
Note: During virus outbreaks, you might want to scan all files even if you
normally control the file types that are scanned with the file type or file
extension exclusion list.
Specify which embedded files to scan

You can scan all files regardless of extension, or you can control which files are
scanned by specifying the extensions or the file types that you want to exclude.

click Policies.

apply them.

apply them.
click Policies.
On activating this option, both the file extension exclude list and the file
type exclude list gets activated automatically.
by BlueArc®
exclude list.

apply them.

apply them.
click Policies.
When you activate this option, both the file type exclude list and the file
4 Type each file type that you want to add to the list on a separate line.
exclude list.
This option restores the default file type exclude list and the file extension
exclude list.
by BlueArc®

apply them.

apply them.

scanning on the NAS Server.

click System.
LiveUpdate.
by BlueArc®

apply them.

apply them.


click System.
by BlueArc®


apply them.

apply them.
About configuring BlueArc Storage System or

Hitachi High-performance NAS Platform
After you configure Symantec Scan Engine to use RPC as the communication
protocol, configure the client Enterprise Virtual Servers (EVSs) to work with
BlueArc Storage System or Hitachi High-performance EVS clients must be
running a firmware version 4.0 or later to interface with the Symantec Scan
Engine.
Each EVS should be installed and configured in accordance with the
accompanying product documentation. Each EVS should be functional before
you initiate virus scanning using Symantec Scan Engine.
You must set up a shared account with backup operator privileges on the NAS
Server before you configure virus scanning on the NAS Server. Ensure that
Symantec Scan Engine service runs with this shared account as well.
For more information on how to set up a shared account with local group backup
operator privileges on the NAS Server, see the appropriate NAS Server
documentation.
by BlueArc®
The main virus scanning parameters that you should configure can be found in
the “Virus Scanning” window under the Data Protection section in the Home
page.
About verifying that the scan engine is registered with the NAS
Server
You can verify that the scan engine is registered with the NAS Server after you
install Symantec Scan Engine. Registration is automatic if you have provided
the correct information to Symantec Scan Engine for contacting the EVS.
Registration occurs when Symantec Scan Engine connects to the EVS. The
“Registered Virus Scanners” field in the NAS Server’s administrative interface
contains the names of the registered scan engines. Ensure that at least one
registered scan engine is present to be assured of virus protection for each EVS.
Note: The service startup properties for Symantec Scan Engine must be changed
to identify an account that has the appropriate permissions on the EVS. If the
change has not been done, the scan engine cannot register with the EVS because
it does not have sufficient permission.
About activating virus scanning

You can activate and deactivate virus scanning for each EVS. Select the EVS for
which you want to activate scanning from the “EVS” drop-down box. Check
“Enable Virus Scanning” in the NAS Server’s administrative interface to
activate virus scanning. Uncheck “Enable Virus Scanning” to deactivate virus
scanning.
For more information, see the appropriate NAS Server documentation.
About specifying the file extensions to be scanned on the NAS Server

Configure the list of extensions on BlueArc Storage System or Hitachi High-
performance NAS Server to contain only the file extensions that you want to
scan. This list lets you control the file types that are passed to the Symantec
Scan Engine for scanning. You can configure file extensions using the
extensions inclusion list seen in the “File types to scan” field.
A default list of extensions to be submitted for virus scanning is included with
the NAS Server. You can modify the inclusion list by adding or removing
extensions.
by BlueArc®
To rollback to the default inclusion list, click “Reset Defaults.” To scan all file
types irrespective of extensions, check “Scan All File Types.” The highest level
of protection is achieved by scanning all file types; however, viruses are found
only in those file types that contain executable code. So, every file type need not
be scanned. You can save bandwidth and time by limiting the files to be scanned
to only those file types that can contain viruses.
About executing a full file system scan

You can flag all files for a re-scan if there are new updated virus definition files
on Symantec Scan Engine. Click “Request Full Scan” in the NAS Server’s
administrative interface to ensure that all file types listed in the inclusion list
are marked for scan. The scan on a file occurs the next time any user accesses
the file.
About working with unavailable scan engines

BlueArc Storage System or Hitachi High-performance NAS Server is configured
to deny access to files if virus scanning is enabled and the scan engines are not
available. Ensure that more than one scan engine is configured for the CIFS
shares on the NAS Server so that maximum accessibility of data is guaranteed.
You can deactivate virus scanning until the scan engines are available again so
that file access is still available. BlueArc Storage System and Hitachi High-
performance NAS Platform keeps a track of all files that are not scanned in this
duration. As soon as virus scanning is activated, the files that were created/
modified in the duration are scanned without fail.
About working with unresponsive scan engines

When large or complex files are scanned (for example, container files with
multiple embedded files or files that contain polymorphic or macro viruses), the
scan engine can become unresponsive. Clients cannot, temporarily, access the
files. The user can eventually access the file when the scanning is complete and
if the file is deemed clean by the scan engine.
by BlueArc®
Chapter 6
AntiVirus for Hitachi®
Essential NAS Platform™
n How Symantec Scan Engine works with the Hitachi Essential NAS Platform

repair capabilities for Hitachi Essential NAS Platform.
Configure the following components to add antivirus scanning to the Hitachi
Essential NAS Platform:
n Symantec Scan Engine is installed when Symantec AntiVirus for Network
Attached Storage is installed.
Provides the virus scanning and repair services.
n Hitachi Essential NAS Platform Anti Virus Agent
Some options are configured directly on theNAS Platform Anti Virus Agent.
No additional code is necessary to connect Symantec Scan Engine to the
NAS server.
102 Configuring Symantec™ AntiVirus for Hitachi® Essential NAS Platform™
How Symantec Scan Engine works with the Hitachi Essential NAS Platform
How Symantec Scan Engine works with the Hitachi

Essential NAS Platform
repair capabilities for the Hitachi Essential NAS Platform.
A single Symantec Scan Engine can support multiple NAS servers. You can use
multiple scan engines to support one or more servers for sites with larger scan
volumes. Load balancing is handled through the NAS server interface.
Virus scanning on the Hitachi Essential NAS Platform is available only for those
files that are requested through the Common Internet File System (CIFS).

The NAS server submits files to Symantec Scan Engine for scanning on both
(read) and if they are changed on the NAS server (write).
When a user tries to access a file, the NAS server passes the file to Symantec
Scan Engine for scanning. After a file is scanned, Symantec Scan Engine
indicates the scanning results to the NAS server. If a file is infected and can be
repaired, the scan engine returns the repaired file based on a configurable virus
scan policy.
Clean files are passed to the requesting user after the NAS server receives the
Symantec Scan Engine can be configured to quarantine these irreparable files.
Configuring Symantec™ AntiVirus for Hitachi® Essential NAS Platform™ 103


Scan and delete Scan files for viruses, and delete any infected
files that are embedded in archive or container
files without trying to repair
to any irreparable file.
irreparable file.
You can also configure the scan engine to quarantine irreparable files.

to support scanning for Hitachi Essential NAS Platform.
Note: If you use multiple scan engines to support scanning, the configuration
settings on each scan engine must be identical. LiveUpdate and Rapid Release

You can configure several settings that are specific to the ICAP protocol through
the Symantec Scan Engine administrative interface. You can also change the
protocol through the administrative interface if Symantec Scan Engine has
already been configured to use another protocol. However, you must manually
restart the Symantec Scan Engine.
Option Description
that are installed on the host. By default, Symantec Scan Engine
accepts scanning requests on (binds to) all of the scanning IP
addresses that it detects. You can configure up to 64 IP addresses
as scanning IP addresses.
You can specify whether you want Symantec Scan Engine to bind
to all of the IP addresses that it detects, or you can restrict access
to one or more interfaces. If you do not specify at least one IP
address, Symantec Scan Engine binds to all of the scanning IP
addresses that it detects.
addresses, an event is written to the log as a critical error. Even if
Symantec Scan Engine is unable to bind to any IP address, you can
access the console. However, scanning functionality is
unavailable.
You can use 127.0.0.1 (the loopback interface) to let only the
clients that are running on the same computer connect to
Port number The port number must be exclusive to Symantec Scan Engine. The
default port number for ICAP is 1344. If you change the port
number, use a number greater than 1024 that is not in use by any
other program or service.
Scan policy When an infected file is found, Symantec Scan Engine can do any
of the following:
n Scan only: Scan files for viruses, but do nothing to infected
files.
infected files that are embedded in archive or container files
without trying repair.
Note: If you choose the data trickle feature, the virus scan policy is
automatically set to Scan only.
Option Description
Enable trickle This setting provides users with a quicker download response and
avoids possible session timeout errors. Data trickling is disabled
by default.
Time before trickle You can specify how long the scan process should run before data
data starts trickling begins.

You must manually stop and start the service if you change the protocol
setting through the Symantec Scan Engine administrative interface.
5 In the Port number box, type the TCP/IP port number.
infected files.
setting.
data trickling.
trickling begins.
seconds (24 hours).

apply them.

apply them.

of files to be scanned for viruses. The scan policy on the scan engine determines
which files it should scan from the Hitachi Essential NAS Platform Anti Virus
Agent. The scanned files are those contained in archive or container file
formats.
exclusion list, or you can scan all files regardless of extension and type. A
prepopulated extension and type exclusion list exists that you can modify.
Specify which file types to scan on the scan engine

extension.
click Policies.
exclude list.

apply them.

apply them.
click Policies.
4 Type each file type you want to add to the list on a separate line. To include
all subtypes for a file type, use the wildcard character /*.
exclude list.
exclude list.

apply them.

apply them.

click Policies.

apply them.

apply them.
About specifying container handling limits

container file
certain file types contain virus or malicious code. You can configure Symantec
For more information on container handling limits, see the Symantec
ScanEngine Implementation Guide.

ensures that Symantec Scan Engine always has the most current virus
definitions. Schedule LiveUpdate to occur at the same time for each scan engine
if you use multiple scan engines to support virus scanning. This scheduling
scanning on Hitachi Essential NAS Platform Anti Virus Agent.

click System.
LiveUpdate.

apply them.

Chapter 7
AntiVirus for ONStor
EverON
n How Symantec Scan Engine works with the ONStor EverON
n About configuring the ONStor VirusScan Applet

repair capabilities for ONStor EverON.
Configure the following components to add antivirus scanning to the ONStor
EverON:
n Symantec Scan Engine is installed when Symantec AntiVirus for Network
Attached Storage is installed.
Provides the virus scanning and repair services.
n ONStor EverON VirusScan Applet
The VirusScan applet handles the communication between the NAS Server
and the Symantec Scan Engine. An InstallShield guides you through the
installation process.
112 Configuring Symantec™ AntiVirus for ONStor EverON
How Symantec Scan Engine works with the ONStor EverON
How Symantec Scan Engine works with the ONStor

EverON
repair capabilities for the ONStor EverON.
A single Symantec Scan Engine can support multiple NAS servers. You can use
multiple scan engines to support one or more servers for sites with larger scan
volumes. Load balancing is handled through the NAS server interface.
Virus scanning on the ONStor EverON is available for incoming files for CIFS
and NFS, and outgoing files for CIFS.

The NAS server submits files to Symantec Scan Engine for scanning on both
(read) and if they are changed on the NAS server (write).
When a user tries to access a file, the NAS server passes the file to Symantec
Scan Engine for scanning. After a file is scanned, Symantec Scan Engine
indicates the scanning results to the NAS server. If a file is infected and can be
repaired, the scan engine returns the repaired file based on a configurable virus
scan policy.
Clean files are passed to the requesting user after the NAS server receives the
Symantec Scan Engine can be configured to quarantine these irreparable files.
After a file has been scanned and declared clean, the scanned state information
is stored in its metadata on disk. It avoids redundant scans of those files that
have already been scanned. These files will not be scanned again unless they are
modified or the administrator requests a full scan of the files from the NAS
server’s administrative interface.
Configuring Symantec™ AntiVirus for ONStor EverON 113


Scan and delete Scan files for viruses, and delete any infected
files that are embedded in archive or container
files without trying to repair
to any irreparable file.
irreparable file.
You can also configure the scan engine to quarantine irreparable files.

to support scanning for ONStor EverON with NAS Option.
Note: If you use multiple scan engines to support scanning, the configuration
settings on each scan engine must be identical. LiveUpdate and Rapid Release

You can configure several settings that are specific to the ICAP protocol through
the Symantec Scan Engine administrative interface. You can also change the
protocol through the administrative interface if Symantec Scan Engine has
already been configured to use another protocol. However, you must manually
restart the Symantec Scan Engine.
Option Description
that are installed on the host. By default, Symantec Scan Engine
accepts scanning requests on (binds to) all of the scanning IP
addresses that it detects. You can configure up to 64 IP addresses
as scanning IP addresses.
You can specify whether you want Symantec Scan Engine to bind
to all of the IP addresses that it detects, or you can restrict access
to one or more interfaces. If you do not specify at least one IP
address, Symantec Scan Engine binds to all of the scanning IP
addresses that it detects.
addresses, an event is written to the log as a critical error. Even if
Symantec Scan Engine is unable to bind to any IP address, you can
access the console. However, scanning functionality is
unavailable.
You can use 127.0.0.1 (the loopback interface) to let only the
clients that are running on the same computer connect to
Symantec Scan Engine..
Port number The port number must be exclusive to Symantec Scan Engine. The
default port number for ICAP is 1344. If you change the port
number, use a number greater than 1024 that is not in use by any
other program or service.
Scan policy When an infected file is found, Symantec Scan Engine can do any
of the following:
n Scan only: Scan files for viruses, but do nothing to infected
files.
infected files that are embedded in archive or container files
without trying repair.
Note: If you choose the data trickle feature, the virus scan policy is
automatically set to Scan only.
Option Description
Enable trickle This setting provides users with a quicker download response and
avoids possible session timeout errors. Data trickling is disabled
by default.
Time before trickle You can specify how long the scan process should run before data
data starts trickling begins.

You must manually stop and start the service if you change the protocol
setting through the Symantec Scan Engine administrative interface.
5 In the Port number box, type the TCP/IP port number.
infected files.
setting.
data trickling.
trickling begins.
seconds (24 hours).

apply them.

apply them.

which files it should scan. The scanned files are those contained in archive or
container file formats.
exclusion list, or you can scan all files regardless of extension and type. A
prepopulated extension and type exclusion list exists that you can modify.

extension.
click Policies.
exclude list.

apply them.

apply them.
click Policies.
4 Type each file type you want to add to the list on a separate line. To include
all subtypes for a file type, use the wildcard character /*.
exclude list.
exclude list.

apply them.

apply them.

click Policies.

apply them.

apply them.

container file

For more information on container handling limits, see the Symantec
ScanEngine Implementation Guide.

scanning on ONStore EverON.

click System.
LiveUpdate.
About configuring the ONStor VirusScan Applet

apply them.


Before installing the VirusScan applet, verify the following:
n Verify that your NAS server is installed, powered up, and configured.
n Ensure that the Symantec Scan Engine is installed and configured to use
Internet Content Adaptation Protocol (ICAP). Refer to the Symantec Scan
Engine documentation on how to do this.
n Verify that both the VirusScan applet and the Symantec Scan Engine are
installed on servers configured with a static IP address.
n You are logged in as an administrator or with an account that has
administrator privileges for installing the VirusScan applet.
n CIFS domain users must have administrator privileges on the machine
where the applet is installed.
Configuring the VirusScan Applet for the Symantec Scan Engine

The ONStor VirusScan applet needs to access files in read/write mode in the
virtual server. Therefore, the user account that launches the applet must be
configured with BACKUP and RESTORE privilege. The scope of the privilege can
be either VIRTUAL SERVER or CLUSTER. To enable virus scanning, configure
the privilege before starting the ONStor VirusScan applet, or restart the applet
after you configure the privilege. Use the priv add command to configure
privileges for the user account.
Table 7-2 describes the directory containing the VirusScan applet executable
and its associated files.
Table 7-2 Contents of the VirusScan Applet Directory
File Description
ONStorVirusScanApplet.exe Application
VScanEngine.dll ONStor dll
oncrpc.dll ONC/SUN RPC dll for Windows
PortMap.exe RPC port mapping utility—Window Service

application
msvcr70d.dll Used by portmap.exe. Some machines

might need this library
symcsapi.dll Symantec Scan Engine dll
ONStorVirusScanApplet.config Configuration file for entering the

Symantec Scan Engine IP and ICAP port for
the VirusScan applet
The VirusScan applet file is an XML file that enables you to specify the
Symantec Scan Engine IP address and ICAP port number for the applet to use. If
no alternate configuration file is available, the applet uses the Symantec Scan
Engine on the designated default machine, 127.0.0.1, and it uses the default
ICAP port, 1344. The following example shows the applet with the default IP and
ICAP port specified:
Note: If you do not use the default port for ICAP, you need to specify the port
number in the applet configuration file.
<ONStorVirusScanApplet>
<LogFile mode="disable" name="VScanApplet.log" />
<Resource MaxNumberofParallelFileScanning="100" />
<ScanEngine>
<Symantec>
<Engine IP="127.0.0.1" Port="1344" />
</Symantec>
</ScanEngine>
</ONStorVirusScanApplet>
n You can configure the applet so that Symantec Scan Engine writes a scan log
to a log file in the same directory in which the applet is installed. The applet
shown previously includes a log-file entry that is disabled.
n If you specify the log file mode by replacing disable in the shown code with
enable, the applet creates a log file or writes to the existing log file either in the
current directory or in a path you provide within the applet.
n If the log file mode is set to disable, the applet sends output to the console only.
If the current log file reaches the maximum size of 5MB, the file is automatically
renamed (for example, from applet.log to an older version log file, such as
applet.log.old). If an older version already exists, the newer version
overwrites the older version, and new incoming messages are written to the
active log file.
n You can configure the applet to scan a number of files concurrently. The
MaxNumberOfParallelScanning parameter in the configuration file
specifies the maximum number of files the applet can scan concurrently.
The default is 100.
Note: Parallel scanning affects memory usage. Depending on the memory

available, if you set the value for parallel scanning too high, your network
operations might take a long time or the entire network might fail.
n If you want the applet to use more than one Symantec Scan Engine, add the
IP addresses for each into the configuration file so the client library can
automatically load balance over the virus scan engines. The following
example shows an applet using two Symantec Scan Engines, 10.2.14.150
and 10.2.14.151. Both use the default port, 1344.
<ONStorVirusScanApplet>
<LogFile mode="enable" name="VScanApplet.log" />
<Resource MaxNumberofParallelFileScanning="100" />
<ScanEngine>
<Symantec>
<Engine IP="10.2.14.150" Port="1344" />
<Engine IP="10.2.14.151" Port="1344" />
</Symantec>
</ScanEngine>
</ONStorVirusScanApplet>
Chapter 8
AntiVirus™ for EMC®
Celerra™ Network Server
n How Symantec Scan Engine works with EMC Celerra Network Server
n About configuring EMC Celerra Network Server
n Known issue with EMC Celerra Network Server

124 Configuring Symantec AntiVirus™ for EMC® Celerra™ Network Server

repair capabilities for the EMC® Celerra™ series of network-attached storage
(NAS) devices.
To add antivirus scanning to EMC Celerra Network Server, install and configure
Symantec Scan Engine Provides the virus scanning and repair services.
For more information, see the Symantec Scan Engine
CAVA or Celerra Anti Virus Agent Provides the virus scanning functionality and ensures
the seamless integration of Symantec Scan Engine
with EMC Celerra Network Server.
See “About installing the Celerra Anti Virus Agent” on
page 136
Use the CAVA calculator to estimate the number of
Celerra Anti Virus Agents for your network.
For more information on the CAVA calculator, see the
appropriate EMC Celerra documentation.
Virus-checking client (VC client) Queues file names to the Celerra Anti Virus Agent. It
is the agent component on EMC Celerra Network
Server.
See “About configuring virus scanning on EMC
Celerra Network Server” on page 137.
How Symantec Scan Engine works with EMC Celerra

Network Server
repair capabilities for the EMC Celerra series of network-attached storage
devices.
The Celerra Anti Virus Agent uses the Internet Content Adaptation Protocol
(ICAP) to communicate with Symantec Scan Engine 5.1.X and higher. However,
CAVA uses the Native protocol to communicate with Symantec Scan Engine
4.3.X. In a typical EMC Celerra Network Server environment, a minimum of two
scan engines is required to handle scan volume. Based on the number of Celerra
Anti Virus Agents (CAVAs) and the size of the network, the CAVA sizing tool
gives the ideal number of scan engines that must be installed in the network.
Configuring Symantec AntiVirus™ for EMC® Celerra™ Network Server 125
How Symantec Scan Engine works with EMC Celerra Network Server
For more information on the CAVA sizing tool, see the appropriate EMC Celerra
documentation.
EMC Celerra Network Server handles load balancing across multiple scan
engines and Celerra Anti Virus Agents automatically.

The Celerra Anti Virus Agent is configured to scan a file when it is closed, if it
has been modified. You can also enable a scan-on-read option on the Celerra
Network Server. A file is scanned on first-read and rename also.
See “About scanning on read” on page 125.
When a user modifies or accesses a file, the Virus-checking client on EMC
Celerra Network Server triggers a scan and queues the file path name to the
Celerra Anti Virus Agent. The Celerra Anti Virus Agent opens a connection with
Symantec Scan Engine. The Celerra Anti Virus Agent then passes the file path
name to the scan engine. Symantec Scan Engine opens and scans the file, after
which, the Celerra Anti Virus Agent closes the connection with the scan engine.
Symantec Scan Engine indicates the scanning results to the Celerra Anti Virus
Agent after a file is scanned. The scan engine also repairs the file on EMC
Celerra Network Server if a file is infected and can be repaired.
After the Celerra Anti Virus Agent receives the scanning results and reports
that the file is clean, EMC Celerra Network Server allows access to the
requesting user. You can configure the action to be taken with infected files by
specifying the scan policy on Symantec Scan Engine. The scan engine repairs
infected but repairable files in its place on EMC Celerra Network Server. This
repaired file is passed to the requesting user.
The user is denied access to the file, and the infected file is quarantined if the
file is infected and cannot be repaired. However, the user will need to configure
Symantec Scan Engine to quarantine an unrepairable file.
See “About quarantining unrepairable files on Symantec Scan Engine” on
page 127.
About scanning on read

The scan-on-read feature is disabled by default. This functionality can be
enabled by using the “server_viruschk” command when configuring the Virus-
checking client on the Celerra Network Server.
The Celerra Anti Virus Agent uses the file’s access time to determine whether a
file should be scanned on read once the scan-on-read option has been enabled.
When the user tries to open a file, the Celerra Anti Virus Agent compares the
file’s access time with a reference time. This reference time is stored in the virus
checker configuration file found on EMC Celerra Network Server. If the file
access time is before the reference time, then the file is scanned on read. The
reference time can be set or disabled by the “server_viruschk” command.
The Celerra Anti Virus Agent informs the Celerra Network Server to set the
access time each time the virus definition files are updated on Symantec Scan
Engine.
For more information, see the appropriate EMC Celerra documentation.

To specify the file types to be scanned for viruses, configure settings and
parameters on both the Virus-checking client (VC client) and Symantec Scan
Engine.
About specifying file types on the Virus-checking client

Based on file extensions, the Virus-checking client determines, initially,
whether it should pass a file to the Celerra Anti Virus Agent and then to
Symantec Scan Engine for scanning. You configure which files are passed to
Symantec Scan Engine for scanning by modifying the “masks=” and “excl=”
parameters in the “viruschecker.conf” file on EMC Celerra Network Server.
You can control which files are scanned by using the exclusion or an inclusion
list, or you can scan all files regardless of extension. The exclusion list is defined
in the “viruschecker.conf” file by the “excl=” parameter and the inclusion list is
defined by the “masks=” parameter. Configure the Celerra Anti Virus Agent to
pass all file types to the scan engine except those that are contained in the
exclusion list. The exclusion list contains extensions for those file types that are
not likely to contain viruses and can be excluded from scanning.
See “About configuring virus scanning on EMC Celerra Network Server” on
page 137.

extensions are excluded from scanning. The scan policy on Symantec Scan
Engine is as important as the Virus-checking client setting. The scan policy on
the scan engine determines which files to scan upon receiving a file from the
Celerra Anti Virus Agent. The scanned files are those contained in archive or
container file formats. You can control which embedded files are scanned by
using the file type and extension exclusion list, or you can scan all files
regardless of extension.


files
About quarantining unrepairable files on Symantec Scan

Engine
You can configure Symantec Scan Engine to quarantine files that are infected
with viruses and are unrepairable. You must provide the host name or IP
address of a Windows 2000 Server/Windows 2003 Server/Windows 2008 Server
computer that has the Symantec™ Quarantine Server installed.

After you have installed Symantec Scan Engine, configure the virus scanning
functionality on EMC Celerra Network Server by installing the Celerra Anti
Virus Agent (CAVA) on each server that functions as the scan engine. Also,
configure the Virus-Checking client on EMC Celerra Network Server.

to support scanning for EMC Celerra Network Server.
use multiple scan engines to support scanning. LiveUpdate and Rapid Release

to use another protocol, you can also change the protocol through the
administrative interface. However, you must manually restart the Symantec
Scan Engine.
Option Description
infected files.
nothing to unrepairable files (that is, do not delete the
files from archive or container files).
delete unrepairable files from archive or container files.
Option Description

service.
5 In the Port number box, type the TCP/IP port number that the Celerra
Anti Virus Agent uses to pass files to Symantec Scan Engine for scanning.
infected files.
setting.
7 Check Enable trickle to activate the data trickling feature. The scan policy is
data trickling.
trickling begins.
seconds.

apply them.

apply them.

which files it should scan from the Celerra Anti Virus Agent. The scanned files
are those contained in archive or container file formats.
populated extension and type exclusion list exists that you can modify.
page 137.

extension.
click Policies.
exclude list.

apply them.

Your changes are not implemented until you apply
them.
click Policies.
exclude list.
exclude list.

apply them.

apply them.

click Policies.

apply them.

apply them.

container file

scanning on EMC Celerra Network Server.

click System.
LiveUpdate.


apply them.

apply them.


click System.
About configuring EMC Celerra Network Server


apply them.

apply them.

You must register at least one Symantec Scan Engine for each EMC Celerra
Network Server for which you provide virus scanning. You must also configure
the virus scan functionality on EMC Celerra Network Server in accordance with
the EMC Celerra documentation. Install the Celerra Anti Virus Agent (CAVA) on
each server that functions as the scan engine.
About installing the Celerra Anti Virus Agent

During the Celerra Anti Virus Agent installation procedure, ensure that you do
all of the following:
n Create a user account (for the CAVA server) in the domain to which each
EMC Celerra Network Server belongs. Create a local group on each EMC
Celerra Network Server and then add the CAVA user to this group. Assign
virus-checking rights to this group in accordance with the EMC Celerra
documentation. Also, assign local administrative rights to the CAVA user.
n Configure virus scanning on EMC Celerra Network Server by setting certain

virus checking parameters in the viruschecker.conf file.
page 137.
n Install the Celerra Anti Virus Agent on each server on which you installed
n Start the Virus-checking client (VC client) on each EMC Celerra Network
Server.
See “About starting the Virus-checking client” on page 139.
About registering Symantec Scan Engine

scanning for each EMC Celerra Network Server in the group. In a typical
Having one scan engine can cause denial-of-file access in case the scan engine
does not respond or is not available. EMC Celerra Network Server handles load
balancing across multiple scan engines and Celerra Anti Virus Agents
automatically.
Note: You do not need to register the same scan engine to each EMC Celerra
Network Server in the group. You can register different scan engines to different
EMC Celerra Network Servers in the group. All of the scan engines in the same
group must have identical configurations.
Register Symantec Scan Engine by editing the “addr” parameter in the

“viruschecker.conf” file on EMC Celerra Network Server. The viruschecker.conf
file contains the virus checking parameters for each EMC Celerra Network
Server in the group. You must provide the IP address or Fully Qualified Domain
Name (FQDN) of the scan engine in the format “addr=10.217.1.195” in the
viruschecker.conf file on the Celerra Data Mover. Use colons to separate IP
addresses of multiple scan engines, if any.
About configuring virus scanning on EMC Celerra Network Server

You must configure virus scanning (or the Virus-checking client) for each EMC
Celerra Network Server. The Virus-checking client is the agent component on
EMC Celerra Network Server. The VC client queues file names to the Celerra
Anti Virus Agent for scanning. You configure the virus scan functionality (the
Virus-checking client) by setting certain virus checking parameters in the
viruschecker.conf file.
Table 8-2 describes some parameters that you should configure in the
viruschecker.conf file for virus scan functionality.
Table 8-2 Viruschecker.conf file parameters
Parameter Description
masks= Specify the file types to be passed to Symantec Scan Engine

for scanning. This parameter defines the inclusion list.
masks=*.* scans all files. Scanning all files regardless of
type is the most secure setting, but it imposes the heaviest
demand on resources. The recommended setting is to pass
all file types to the scan engine except those that are
contained in the exclusion list.
excl= Specify the file types that should not be passed to Symantec
Scan Engine for scanning. This parameter defines the
exclusion list.
This setting is similar to the Files to scan setting on
Symantec Scan Engine. You must configure this setting on
both EMC Celerra Network Server and Symantec Scan
Engine.
addr= Specify the IP address or FQDN of each scan engine to be

used for scanning.
Enter the IP addresses separated by colons, if there are
multiple scan engines.
maxsize=<n> Specify an upper limit for the size of files to be scanned.

The file size is entered as a hexadecimal number with a
prefix of 0x. Although you can choose a file size up to
0xFFFFFFFF (4 GB), Symantec Scan Engine can scan a
maximum file size of 2047 MB (or 2 GB).
If the maxsize parameter is not set or is equal to 0, then
there is no limit to the maximum file size.
highWaterMark=<n> Specify the upper limit for the number of scan requests
occurring concurrently.
Once this limit is reached, a log event is sent to EMC Celerra
Network Server. The default value is 200.
lowWaterMark=<n> Specify the lower limit for the number of scan requests
occurring concurrently.
If the number of scan requests goes below the
lowWaterMark value, a log event is sent to EMC Celerra
Network Server. The default value is 50.
Table 8-2 Viruschecker.conf file parameters
Parameter Description
surveyTime=<n> Specify (in seconds) the interval at which registered scan

engines are contacted to confirm their status.
This parameter works in conjunction with the “shutdown”
parameter and will trigger a shutdown if no scan engine is
available. The default value is 60.
shutdown= Specify the shutdown action to take if no scan engine is

available.
n shutdown=no: Contact the list of registered scan
engines continuously even if scan engines are not
available. This is the default option.
n shutdown=viruschecking: Stop the virus checking
functionality if there are no available scan engines.
n shutdown=cifs: Stops CIFS so that clients are denied
access to EMC Celerra Network Server.
After configuring the virus checking parameters in the viruschecker.conf file,

copy the file to the correct directory in EMC Celerra Network Server and to each
EMC Celerra Network Server in the group.
Note: The virus scan functionality for each EMC Celerra Network Server in a
group must be configured identically to avoid inconsistency. The scan results
and repair results for infected files will be inconsistent if the settings differ for
each EMC Celerra Network server in the group. Thus, it is necessary that the
same viruschecker.conf file be copied to the correct directory and to each EMC
Celerra Network Server in the group.
Install the Celerra Anti Virus Agent on each server that functions as the scan
engine in the domain.
For more information on installing the Celerra Anti Virus Agent, see the
appropriate EMC Celerra documentation.
About starting the Virus-checking client

After the Celerra Anti Virus Agent is installed and configured, use the
“server_setup” command at the Control Station on each EMC Celerra Network
Server to start the VC client. The VC client queues file names to the Celerra Anti
Known issue with EMC Celerra Network Server
Virus Agent for scanning. The VC client also informs Symantec Scan Engine
what should be done with an infected file, based on user- configured options.
About executing a full file system scan

You can execute a full file system scan by running the “server_viruschk -fsscan”
command on the Control Station on EMC Celerra Network Server. However, the
Celerra Anti Virus Agent must be enabled and running for this function to occur.
You can enquire about the status of the scan while the scan is in progress. You
can stop the full file system scan as well.
Known issue with EMC Celerra Network Server

When none of the registered Symantec Scan Engines are available, scan
requests are queued until a scan engine is available.The scan engines are
contacted, by default, every 60 seconds to determine their status. You can
configure the “shutdown=” parameter in the viruschecker.conf file to define the
shutdown action to take when no registered Symantec Scan Engine is available.
The “shutdown=no” configuration achieves continuous file access even if none
of the registered Symantec Scan Engines are available. Select the option of
“shutdown=cifs” to deny users any access to CIFS shares if no scan engine is
available.
See “Viruschecker.conf file parameters” on page 138.

engines
The recommendations while integrating multiple scan engines with EMC
Celerra Network Server are as follows:
n Configure the virus scan functionality to be identical for each EMC Celerra
Network Server in a group to avoid inconsistency.
The scan results and repair results for infected files will be inconsistent if
the settings differ for each appliance in a group.
n Delete the IP address of the scan engine (that is being removed) from the
viruschecker.conf file before shutting down the Celerra Anti Virus Agent.
Index
A RPC 86
RPC client list 87
antivirus scan policy
scan all file types 99
configure 33, 89
software components 82
RPC option 32
specify file extensions 98
scan and repair files 32
specifying files to scan 92
scan and repair or delete 32
system requirements 85
scan only 32
unavailable scan engines 99
antivirus scanning 17
unresponsive scan engines 99
antivirus update notification
user notification of infection found 84, 90
automatic 32
verify scan engine registration 98
B C
Bloodhound 18
CAVA 124
BlueArc
CAVA sizing tool 124
Storage System 13
Celerra Anti Virus Agent
BlueArc Storage System 13
installing 136
BlueArc Storage System and Hitachi High-
sending files for scanning 131
performance NAS Platform
virus-checking rights 136
activate virus scanning 98
Celerra Network Server 13, 14
add antivirus scanning 82
CIFS 26, 102
antivirus scan policy 88
Common Internet File System 26, 102
automatically send antivirus update
configure AntiVirus setup screen 61
notifications 88
connector
check RPC connection 87
about 12, 13
configuring for virus scanning 97
container files 17
configuring scan engine 86
container handling limits 57, 75, 133
connecting to Symantec Scan Engine 83
edit NAS Server list 88
editing service startup properties 86 D
enable virus scanning 98 Data ONTAP 26, 29, 42
file scanning 83 decomposer 17
file type scanning 83 denial-of-file access 137
firmware version 85, 97 denial-of-service attack 17, 57, 75
full file system scan 99 documentation
handling infected files 84 Symantec AntiVirus for Network Attached
maximum number of reconnect attempts 88 Storage Integration Guide 14
overview of virus scanning 82 Symantec Scan Engine Implementation
protocol 82 Guide 14
quarantining infected files 91
registered virus scanners 98
reset defaults 99
142 Index
E file type exclusion list 39, 94, 132

file types
embedded files
scan procedure 55, 73, 131
specify for scanning 37
file types to be scanned
EMC
BlueArc Storage System and Hitachi High-
Celerra Network Server 13, 14
performance NAS Platform 92
EMC Celerra Network Server
EMC Celerra Network Server 131
add antivirus scanning 124
NetApp Filer 37
addr parameter 137
Sun Storage 7000 Series 72
CAVA 124
Sun StorageTek 5000 NAS Appliance 55
CAVA calculator 124
CAVA sizing tool 124
Celerra Anti Virus Agent 124 H
configure virus scanning 136, 137 Hitachi
excl parameter 126 High-performance NAS Platform 13, 14
exclusion list 126 Hitachi Essential NAS Platform 13
file access time 125 Hitachi High-performance NAS Platform 13, 14
file scanning 125
ICAP 124
inclusion list 126 I
masks parameter 126 ICAP
native protocol 124 configure 52, 69
overview of virus scanning 124 configure options 105, 115
parameters 138 default protocol 30
protocol 124 options 53, 70
protocol and supported version 14 ICAP options
registering Symantec Scan Engine 137 bind address 53, 70, 129
SAV for NAS supported 13 complete list 53, 70
scanning overview 124 enable trickle 54, 71, 105, 115, 130
scan-on-read 125 port number 53, 70, 129
server_viruschk 125 scan policy 53, 70, 129
specify file types 126 time before trickle data starts 54, 71, 105, 115,
specifying files to scan 131 130
VC client 124 inclusion list 126
virus checker configuration file 126 infected file 32
virus scanning commands 125 infected files 28, 103, 113
viruschecker.conf 126, 137 installation requirements
Virus-checking client 124 about 18
enable Windows messenger logging 36, 91 Linux 21, 102, 112
event security level 35 Solaris 20, 102, 112
excl= 126 Windows 19
exclusion list 126 Internet Content Adaptation Protocol 30
irreparable files 103, 113
F
file access time 125 L
file attachments 57, 75 Linux
file extension exclude list 56, 73 system requirements 21
file extension exclusion list 38, 93, 131 LiveUpdate
file type exclude list 56, 73 configuring Symantec Scan Engine 128
Index 143
scheduling 40, 58, 75, 95 Network File System 26

NFS 26
notification message
M event security level 35, 90
malicious code 17 information contained 35, 90
masks= 126 scan policy 90
scan rule 35
N virus name 35, 90
NAS 49 notification of infection found
NAVEX 18 BlueArc Storage System and Hitachi High-
NetApp Filer performance NAS Platform 84, 90
activate virus scanning 43 NetApp Filer 28, 35, 103
adding Symantec AntiVirus 25
backups 44 O
cache 34, 44 ONStor EverON 13
Common Internet File System 26, 102
configure 42, 120
configuring for virus scanning 42 P
configuring scan engine 30, 103, 113 policy
Data ONTAP 26, 42 virus scan 11
edit list 32 polymorphic viruses 18
editing service startup properties 30
Network File System 26
overview of virus scanning 26, 102, 112
Q
protocol 26, 102 quarantine
protocol and supported version 14 antivirus scan policy 32
quarantine 27, 102, 112 how 127
quarantining infected files 36 irreparable file 27, 36, 102, 103, 112, 113
rollback 43 procedure 37, 92
software components 25, 101, 111 RPC scan policy 37, 91
specify file extensions 43 Symantec Central Quarantine 36
specifying files to scan 37 unrepairable file 28, 91
Symantec AntiVirus supported 13 quarantining infected files
system requirements 29 BlueArc Storage System and Hitachi High-
unresponsive scan engines 44 performance NAS Platform 91
user notification of infection found 28, 35, 103 NetApp Filer 36
verify scan engine registration 42
vscan 42 R
vscan extensions exclude add 43 Rapid Release
vscan extensions exclude remove 43 automatic update 41, 59, 76, 96, 135
vscan extensions include add 43 rollback
vscan extensions include remove 43 vscan extensions include reset 43
vscan extensions include reset 43 RPC
vscan off 43 Antivirus scan policy 32
vscan on 43 client list 31
vscan options mandatory_scan 44 configure 31, 87
vscan options timeout 44 handling infected files 28, 84, 103, 113
wildcard extension 43 reconnect attempts 31
Network Appliance Filer 13, 25 RPC client list 31, 104, 114
144 Index
RPC options protocol 66

antivirus scan policy 88 registering Symantec Scan Engine 78
automatically send antivirus update scanning overview 66
notifications 88 software components 66
check RPC connection 87 specify file types 67
maximum number of reconnect attempts 88 specifying files to scan 72
RPC client list 87 Symantec AntiVirus support 13
RPC protocol system requirements 66
NetApp Filer 26, 102 virus scan functionality 79
options 31, 87 VSCAN 66
Sun StorageTek 5000 NAS Appliance
caching 49
S Common Internet File System (CIFS) 48
scan and repair files 32 configure AntiVirus setup screen 61
scan and repair or delete 32 configure virus scanning 60, 61
scan only 32 configuring scan engine 52, 128
scan policy file scanning 48
notification message 35 handling infected files 51
scan and delete 51, 68, 127 ICAP 48
scan and repair files 51, 68, 127 known issues 63, 140
scan and repair or delete 51, 68, 127 NAS Anti Virus Agent 48
scan only 51, 68, 127 protocol 48
specify 51, 68 registering Symantec Scan Engine 60
scan-on-read 125 scanning overview 48
server_viruschk 125 software components 48
service startup properties specify file types 49
BlueArc Storage System and Hitachi High- specifying files to scan 55
performance NAS Platform 86 Symantec AntiVirus supported 13
edit for RPC 30, 86 system requirements 48, 124
NetApp Filer 30 virus scan functionality 61
software components Symantec AntiVirus for Network Attached Storage
about 12 documentation 14
BlueArc Storage System and Hitachi High- integration guide 15
performance NAS Platform 82 software components 12
NetApp Filer 25, 101, 111 supported devices 13
Solaris Symantec antivirus technology
system requirements 20 Bloodhound 18
Striker 18 examples 18
Sun NAVEX 18
Storage 7000 Series 13 Striker 18
StorageTek 5000 NAS Appliance 13 Symantec Central Quarantine 36, 91
Sun Storage 7000 Series Symantec Quarantine Server 127
caching 67 Symantec Scan Engine
configure virus scanning 78 about 12
configuring scan engine 69 administrative interface 30
file scanning 66 change protocol 30, 86
firmware version 66 configure 30
handling infected files 68 configure ICAP 52, 69
ICAP 66
known issues 80
Index 145
configuring for BlueArc Storage System and virus

Hitachi High-performance NAS Platform 86 definition date 85
configuring for EMC Celerra Network heuristically detected 36, 91
Server 128 notification 28, 84, 103
configuring for NetApp Filer 30, 103, 113 user identification 28, 84, 103
configuring for Sun Storage 7000 Series 69 virus checker configuration file 126
configuring for Sun StorageTek 5000 NAS virus definition
Appliance 52 automatic notification 34
container handling limits 57, 75, 133 automatic update 40, 58, 75, 95, 134
default list 56, 74, 132 manual notification 35, 108, 118
documentation 15 new 36, 91
enable Windows messenger logging 36, 91 notify NetApp Filer 34
file extension exclusion list 38 on updating 34
file type exclusion list 39 Rapid Release definitions 41, 59, 76, 96, 135
ICAP 30 virus definition date 29
ICAP options 52, 69 virus protection
infected files 28, 103, 113 description 17
installation 18 for network attached storage 16
Linux system requirements 21, 102, 112 why 16
LiveUpdate 40, 58, 75, 95, 134 virus scan functionality 61, 79
post-installation tasks 22 virus scan policy 11
protocols 13 virus scanning
quarantine 27, 51, 102, 112, 127 add 12
Rapid Release 41, 59, 76, 96, 135 vscan off 43
scan all files 38, 93 vscan on 43
scan policy 51, 68, 126, 127 viruschecker.conf 126, 137
Solaris system requirements 20, 102, 112 viruschecker.conf file parameters 138
specify file types 50, 67 virus-checking client
virus protection 17 about 124
Windows system requirements 19 specify file types 126
Symantec Scan Engine Implementation Guide virus-checking rights 136
about 15 VSCAN 66
Symantec Security Response vscan 42
about 18 vscan off 43
infected files 36, 91 vscan on 43
website 18 vscan options mandatory_scan 44
vscan options timeout 44
vscan reset 27
T
trojan horses 17
W
wildcard extension
U ??? 43
unrepairable files 28 Windows messenger service 35
unrepairable infected file 36, 91 Windows service startup properties 30, 86
unresponsive scan engines 44
V
VC client 137
146 Index

Symantec Integration Guide

Uploaded by

Copyright:

Available Formats

Symantec Integration Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Symantec Integration Guide

Uploaded by

Copyright:

Available Formats

Symantec AntiVirus™ for

Network Attached Storage

Symantec AntiVirus™ for Network Attached Storage

Documentation version 5.2.8

All rights reserved.

THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED

The Licensed Software and Documentation are deemed to be commercial computer

Symantec Technical Support maintains support centers globally. Technical

Contacting Technical Support

Licensing and registration

Support agreement resources

Asia-Pacific and Japan [email protected]

North America and Latin America [email protected]

Chapter 2 Configuring Symantec™ AntiVirus for NetApp® Filer™

Chapter 3 Configuring Symantec AntiVirus™ for Sun StorageTek™

Chapter 4 Configuring Symantec AntiVirus™ for Sun Storage 7000

Chapter 5 Configuring Symantec™ AntiVirus for BlueArc® Storage

About specifying the file extensions to be scanned on the NAS Server 98

Chapter 6 Configuring Symantec™ AntiVirus for Hitachi® Essential

Chapter 7 Configuring Symantec™ AntiVirus for ONStor EverON

Chapter 8 Configuring Symantec AntiVirus™ for EMC® Celerra™

About specifying container handling limits ..........................................133

n About Symantec AntiVirus for Network Attached Storage

n Supported storage devices

n How to use the Symantec AntiVirus for Network Attached Storage

n Why you need virus protection in a network attached storage environment

n About preparing for installation

About Symantec AntiVirus for Network Attached

About software components

About Symantec Scan Engine

About the connector

Supported storage devices

Table 1-1 Supported storage devices and protocols

Storage device Protocol used Supported version

Network Appliance™ (NetApp) Filer™ RPC Data ONTAP™ version

Sun Storage 7000 Series ICAP Sun Storage 7xxx version

BlueArc® Storage System RPC 4.0 or later

Hitachi® High-performance NAS RPC 4.0 or later

Hitachi® Essential NAS Platform™ ICAP 6.2 or later

ONStor EverON ICAP 4.0 or later

EMC Celerra® Network Server ICAP CAVA 4.5 or later

How to use the Symantec AntiVirus for Network

The manufacturer of the NAS device develops the connector to integrate

About the Symantec Scan Engine Implementation Guide

About the Symantec AntiVirus for Network Attached Storage

General information on how Virus scanning functionality can differ depending on

Information on configuring the This section discusses any configuration options on

Why you need virus protection in a network

Dedicated antivirus protection for a NAS system should be part of a

How the scan engine protects against viruses

About Symantec Security Response

About preparing for installation

Windows system requirements

Processor Pentium 4 processor 1 GHz or higher

Memory 1 GB of RAM or higher

Disk space 500 MB of hard disk space

Hardware n 1 network interface card (NIC) running TCP/IP with a static IP

Software n J2SE Runtime Environment (JRE) 5.0 (update 13 or later) or

Solaris system requirements

Operating system Solaris 9 and 10