© Copyright IBM Corporation, 2011

Protecting the IBM SONAS with McAfee VirusScan Enterprise for Storage A reference guide for storage and security administrators

Mandar J. Vaidya IBM Systems and Technology Group ISV Enablement

April 2011

Table of contents

Abstract
Executive overview
IBM SONAS antivirus connector – an overview
McAfee VirusScan Enterprise for Storage – an overview
Minimum system requirements
    IBM SONAS
    McAfee VirusScan Enterprise for Storage
Planning for integration of IBM SONAS with McAfee VirusScan Enterprise for Storage
Integration of IBM SONAS with McAfee VirusScan Enterprise for Storage
    Installing McAfee VirusScan Enterprise
    Installing McAfee VirusScan Enterprise for Storage
    Configuring McAfee VirusScan Enterprise Storage for IBM SONAS
    Configuring the IBM SONAS antivirus connector
Initiating a bulk scan using the SONAS antivirus connector
    Initiating a manual bulk scan on a defined scope
    Scheduling bulk scan on a defined scope
Recommendations
Summary
Resources
About the author
Trademarks and special notices

Abstract

With today’s continuing explosive growth in data comes the need to store that data without compromising its integrity to the threats that may exist in an enterprise network environment. IBM Scale Out Network Attached Storage (IBM SONAS) has been qualified for interoperability with leading antivirus scan engines such as Symantec SAV for NAS and McAfee VirusScan Enterprise for Storage. This technical paper describes SONAS integration with McAfee VirusScan Enterprise for Storage and gives guidelines for using the two together to protect the overall system and prevent security threats caused by malware.

Executive overview

Enterprises continue to demand storage solutions that can store massive amounts of file-based data with ease of management and that can scale on demand. Often these enterprises, with fast-growing file systems, face limitations of scalability and performance with traditional network-attached storage (NAS) filers because of the requirement to work on millions of active files in parallel. IBM® SONAS is a multipetabyte scale-out NAS storage offering for unstructured information storage. It is designed to scale out to store millions and even billions of active files with superior performance and ease of management.

IBM SONAS is designed to serve a large number of users connecting to it using a variety of file-based protocols, such as Network File System (NFS) or Common Internet File System (CIFS). The data created or accessed using these protocols is vulnerable to the potential threats of viruses, worms, Trojan horses, and other forms of malware. Computer viruses mostly target Microsoft® operating systems; however, computers running other operating systems can be directly or indirectly affected by viruses.

IBM SONAS, when integrated with McAfee VirusScan Enterprise for Storage (henceforth called McAfee scan engines), provides a comprehensive solution to protect all the data stored on the SONAS. The IBM SONAS antivirus connector is a part of the SONAS management software that communicates with ISV scan engines using Internet Content Adaptation Protocol (ICAP). There are two approaches for virus scanning:

On-access scan – It scans all the specified files on IBM SONAS when accessed or created. This method has the benefit of ensuring that the files are scanned with the latest virus signature before being accessed. This approach is more effective at detecting viruses before they are able to compromise data, and it does not generate heavy network traffic between IBM SONAS and McAfee scan engines. This approach is ideal for customers using Windows clients and CIFS file I/O.

Bulk scan – This allows scanning of all the specified files on a file system or a part of a file system. This is typically performed at the schedule defined on the IBM SONAS. The disadvantage of this method is that recently updated files might not be scanned before being used. Bulk scans can generate heavy network traffic between SONAS and scan engines and can generate heavy load on a storage system. Also, a bulk scan can take significant time to complete, depending on the number of files to be scanned. Storage administrators are likely to use bulk scans to protect non-CIFS files (for example, NFS), which are less prone to virus attacks.

IBM SONAS antivirus connector – an overview

IBM SONAS antivirus connector provides enterprise antivirus vendors, such as McAfee VirusScan Enterprise for Storage, tighter integration and overall control of antivirus implementations by deciding strategies suitable for the customer environment. IBM SONAS antivirus connector communicates with McAfee scan engines using Internet Content Adaptation Protocol (ICAP). IBM SONAS can be configured with multiple McAfee scan engines to achieve load balancing and to distribute the workload. SONAS selects a scan engine from the pool of scan engines at scan time. If a scan engine is not reachable from SONAS, it is temporarily removed from the pool and SONAS selects a different scan engine from the pool of available scan engines. It periodically attempts to reinstate the removed scan engine back into the pool. Figure 1 describes the workflow of an on-access scan session for a single file.

When a user accesses a file from IBM SONAS over the network, SONAS initiates the scan of the file in real time and opens a connection with a McAfee scan engine. SONAS then passes the file to the scan engine for scanning. The McAfee scan engine reports the scanning results to SONAS after the file is scanned. If the file is infected, the scan engine tries to repair the file and sends the repaired file to SONAS. SONAS receives the scan results. If the file is infected and can be cleaned, the stored version of the infected file is replaced on SONAS with the repaired file received from the scan engine. Only the repaired file is passed to the requesting user.

1. User accesses the file on IBM SONAS from the network.

2. SONAS antivirus connector determines that the file needs to be scanned and transferred to the McAfee scan engine.

3. McAfee scan engine scans the file and repairs the file if it is infected.

4. Scan results and the repaired file are returned to the IBM SONAS.

5. IBM SONAS replaces the infected file with the repaired file.

6. User is allowed to access the file.

Figure 1: Work flow of on-access scanning of a file from IBM SONAS using McAfee scan engine (participants: CIFS user, IBM SONAS, McAfee scan engine)

If a virus is detected and the file cannot be repaired, SONAS can be configured to quarantine or delete the nonrepairable file, and the user is notified with a permission-denied type of error message.

The connector also caches antivirus scan information for each file as extended attributes, saving the timestamps of the last scan in addition to the antivirus definition file, to determine whether the file must be scanned or rescanned. This way, a repeat scan might be avoided if another user tries to access the same file later but the antivirus definitions have not changed. When new antivirus definitions are received and updated, each file is rescanned before it is made available to the user requesting access. Bulk scans might be configured to proactively rescan files periodically (for example, every day) during off-peak hours when accesses are minimal to prevent any potential performance impacts on the SONAS system or the scan engines in the pool.

McAfee VirusScan Enterprise for Storage – an overview

McAfee VirusScan Enterprise for Storage expands the VirusScan Enterprise capabilities by providing remote scanning of IBM SONAS using the ICAP protocol.

McAfee scan engine scans the files received from IBM SONAS and provides real-time protection for the massive amount of critical information that is being stored and accessed by the IBM SONAS users. McAfee scan engine detects the virus infected files that are being accessed, read, or copied to and from IBM SONAS. After detecting an infection in the file, it automatically cleans the file and provides the repaired file to IBM SONAS.

McAfee VirusScan Enterprise for Storage provides the following features:

• Advanced anti-virus technology: McAfee’s award winning anti-virus technology continuously blocks a wide range of viruses and malicious code threats, including those hidden in compressed files.

• Detection of unwanted programs: It finds the unwanted hidden spyware programs that open security holes.

• Centralized management: Entire McAfee security system can be managed using McAfee’s central management system, reducing overall cost and providing ease of management.

• Continuous protection: On-access scanning provides real-time protection to the data on IBM SONAS when the files are accessed or written to the SONAS unlike traditional on-demand scans.

• Cost effectiveness: It supports connection to more than one IBM SONAS.

• Rapid notification: Whenever a virus is detected, notification can be sent to the configured recipients. This makes it possible to react instantly to any possible virus outbreak.

Minimum system requirements

Depending on the volume of the data being scanned and the requirements for accessibility, multiple scan engines may be deployed as needed.

IBM SONAS

Software:

• Version 1.2.0.0 or higher

McAfee VirusScan Enterprise for Storage

Software:

• McAfee VirusScan Enterprise 8.7i

• McAfee VirusScan Enterprise for Storage 1.0

Supported operating systems (x86 or x64 platform):

• Windows Server 2003 Standard, with Service Pack 1 or 2.

• Windows Server 2003 Enterprise, with Service Pack 1 or 2.

• Windows Server 2003 R2

• Windows Server 2008

Processor:

• Intel Pentium 4 running at a minimum 2 GHz.

Memory:

• 2 Gb of RAM

Disk space:

• Adequate hard disk space. Minimum 70MB is required for installation.

Additional Hardware:

• 1 network interface card (NIC) running TCP/IP with a static IP address

• Internet connection to update definitions

• 100 Mbits/s Ethernet link (1 Gbits/s or faster recommended)

Planning for integration of IBM SONAS with McAfee VirusScan Enterprise for Storage

Planning is one of the most important areas of consideration before beginning to configure IBM SONAS with McAfee VirusScan Enterprise for Storage. It is important that the security team and the IBM SONAS administrator work together to anticipate the scopes and types of files for which scanning is required, as well as the number of files to scan and the number of McAfee scan engines required. The administrators can define policies or settings for handling infected files when detected.

The following factors need to be carefully considered during planning.

Number of McAfee scan engines:

Antivirus scanning on SONAS requires a minimum of one configured McAfee scan engine. However, to benefit from the load-balancing and high-availability features of IBM SONAS, a minimum of two scan engines is recommended. The SONAS antivirus connector automatically performs load balancing to make sure that the workload is evenly distributed across the scan engines. When a scan engine becomes unavailable, the workload is directed to the remaining operational scan engines. Additional considerations are:

• Total number of files stored on the SONAS, which requires scanning

− Large numbers of files can be scanned by multiple scan engines using the SONAS antivirus connector load balancing feature.

• Host-processor speed and RAM configuration

− Fewer scan engines may be needed if CPU speeds are faster and more RAM is present on each scan engine.

• Network speed

− Faster network speeds allow for reduced time in transferring larger files to the scan engine for scanning.

Type of scopes to scan:

In SONAS, antivirus configuration options are defined on scopes. A scope is a subtree of file name space, identified by the path to the root of the subtree. All file accesses within that subtree share a set of antivirus settings. You can configure the following four types of scope for antivirus scanning in IBM SONAS.

• File systems

• File sets

• Path

• Exported shares

Not all scopes are required to be configured for scanning as certain file sets, paths, or file systems are either static in nature, or are not shared with any users. The administrator needs to ensure all scopes which may be vulnerable to potential threats are included in their defined scanning strategy.

Types of files to scan:

In SONAS, the administrator can define which files or file types are scanned. The administrator can decide whether to scan files by exclusion list or inclusion list, or to scan all files regardless of extension. The SONAS antivirus parameters can be set at all the scopes to specify which extensions are included in or excluded from a scan. The exclusion list specifies the extensions of files to be excluded because they are not likely to contain viruses.

The inclusion / exclusion lists define the following behavior:

• If the include list is empty or not defined, the default is that all extensions are included in the scan.

− An exclude list is created to exclude files with specific file extensions from scanning.

• If an extension is in the include list, only files with that extension are scanned.

• If an extension is in the include list as well as the exclude list, files with that extension are not scanned.

Careful planning is required to create the include / exclude list as this plays an important role in improving performance of the scan process, as not all file extensions need to be scanned due to the nature of the files and file types, which are unlikely to have viruses.
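
The include and exclude rules above can be modelled to check a planned extension list against a file inventory before it is applied with cfgav. This is an added example, not IBM code; the inventory and watch list are constructed, and case-insensitive matching and the handling of files without an extension are assumptions.

```python
"""Model of the SONAS include/exclude extension rules described above.

Added example, not IBM code. Assumptions (not stated in the guide): extensions
are compared case-insensitively, and a file without an extension is treated
as having the empty extension "".
"""
from collections import Counter
from pathlib import PurePosixPath

# Constructed watch list of extensions that commonly carry executable or
# macro content; adjust to local policy.
WATCH_EXTENSIONS = {"exe", "dll", "scr", "js", "vbs", "docm", "xlsm"}

# Constructed file inventory for one scope.
INVENTORY = [
    "/ibm/gpfs0/share/setup.exe",
    "/ibm/gpfs0/share/report.xlsx",
    "/ibm/gpfs0/share/invoice.docm",
    "/ibm/gpfs0/share/notes.txt",
    "/ibm/gpfs0/share/lib/helper.DLL",
    "/ibm/gpfs0/share/run.js",
    "/ibm/gpfs0/share/README",
]


def extension(path):
    """Return the lower-cased extension without the dot ("" if none)."""
    return PurePosixPath(path).suffix.lstrip(".").lower()


def is_scanned(path, include=(), exclude=()):
    """Apply the three rules from the text to one file path."""
    ext = extension(path)
    inc = {e.lower() for e in include}
    exc = {e.lower() for e in exclude}
    if ext in exc:      # exclude wins, even if the extension is also included
        return False
    if not inc:         # empty include list: every extension is scanned
        return True
    return ext in inc   # otherwise only listed extensions are scanned


def coverage_report(paths, include=(), exclude=()):
    """Summarise which files a scope's lists leave unscanned."""
    skipped = Counter()
    scanned = 0
    for path in paths:
        if is_scanned(path, include, exclude):
            scanned += 1
        else:
            skipped[extension(path)] += 1
    return {
        "scanned": scanned,
        "skipped": dict(skipped),
        # Watch-listed extensions present in the scope but never scanned.
        "watch_gaps": sorted(set(skipped) & WATCH_EXTENSIONS),
    }


if __name__ == "__main__":
    # Lists taken from the guide's example: --set-include exe,dll,xlsx
    print(coverage_report(INVENTORY, include=["exe", "dll", "xlsx"]))
    # Exclude-only configuration: --set-exclude txt
    print(coverage_report(INVENTORY, exclude=["txt"]))
```

A non-empty watch_gaps list means the planned lists leave a watch-listed file type in that scope unscanned.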

File processing strategy

It is important to plan for the action to take when an unrecoverable infected file is identified. IBM SONAS provides the option to quarantine or delete the infected, unrecoverable file. For this, an optional parameter can be set to quarantine or delete the file at the defined scope. Optionally, the path by which the file was opened for the current scan can be moved to a subdirectory created for that purpose. Only the SONAS or security administrator has access to that subdirectory and can take appropriate action to manually delete the unrecoverable infected files. If no strategy is defined, the user is denied access to the file.

Integration of IBM SONAS with McAfee VirusScan Enterprise for Storage

The scanning process requires two components: the IBM SONAS antivirus connector and the external antivirus scan engine(s) running McAfee VirusScan Enterprise for Storage. Depending on the workload determined during the planning stage, multiple scan engines may need to be installed and configured to the SONAS. The minimum software and hardware requirements are documented in the Minimum system requirements section of this guide.

McAfee VirusScan Enterprise for Storage expands the VirusScan Enterprise capabilities by providing remote scanning of IBM SONAS using the ICAP protocol.

Therefore, before installing McAfee VirusScan Enterprise for Storage, first install VirusScan Enterprise on the identified server.

Installing McAfee VirusScan Enterprise

McAfee VirusScan Enterprise is supported on the Microsoft Windows® platform. Before installing the product, review the release notes and requirements of the product.

Then install and license the VirusScan Enterprise product as per the instructions given in the installation guide from the McAfee website: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/20000/PD20689/en_US/vse_870_installation_guide_en-us.pdf

Installing McAfee VirusScan Enterprise for Storage

Before installing VirusScan Enterprise for Storage, verify that the following tasks are completed.

• Ensure that a licensed version of VirusScan Enterprise is installed.

• Ensure that IBM SONAS is available with minimum release version of 1.2.

• Review the latest product release notes for system requirements, known issues and last minute additions or changes.

• Ensure that the VirusScan Enterprise for Storage software is available.

After verifying the requirements, install the VirusScan Enterprise for Storage as per the instructions given in the installation guide from the McAfee website.

After successful installation of the product, verify that:

• The installation has added two console items, namely Network Appliance Filer AV Scanner and ICAP AV Scanner, to the VirusScan Console.

• The installation has also added the McAfee VirusScan Enterprise for Storage service to the Windows services panel.

• Under the Help About VSE section of VirusScan Console, McAfee VirusScan Enterprise for Storage is listed as an installed and licensed module.

Figure 2: Newly-created icons under VirusScan Console

Figure 3: New service added for McAfee VirusScan Enterprise for Storage

Figure 4: McAfee VirusScan Enterprise for Storage added as an installed module

Configuring McAfee VirusScan Enterprise Storage for IBM SONAS

After successful installation of VirusScan Enterprise and VirusScan Enterprise for Storage, you need to configure VirusScan Enterprise for Storage using the VirusScan Console to support scanning for IBM SONAS.

Note: If multiple scan engines are used for antivirus scanning with IBM SONAS, each scan engine must be configured identically. Also, make sure that the AutoUpdate feature from McAfee is scheduled to receive updates at the same time on every scan engine to avoid conflicts during scanning.

Perform the following steps from the McAfee VirusScan Console.

1. Launch the McAfee VirusScan Console.

Figure 5: Launching the VirusScan Console

2. In the VirusScan Console, right-click ICAP AV Scanner and click Properties to launch the configuration window.

Figure 6: Configuring ICAP AV Scanner

3. Configure the ICAP server settings using the bind address and the port number. If the server on which the McAfee scan engine is running has multiple IP addresses, enter the IP address that is to be used for antivirus scanning. The default port number for ICAP is 1344. If the port needs to be changed from the default, enter a port number greater than 1024 that is not used by any other service.

Figure 7: ICAP server configuration

4. Configure the ICAP client connection list using the external IP addresses of the SONAS interface nodes. Click Add and enter all the public SONAS IP addresses one by one.

Figure 8: ICAP client IP configuration

5. Configure Scan Items to select the files that need to be scanned and other options specific to the files that are scanned. Similar settings can be made from the IBM SONAS configuration. For performance reasons, avoid scanning inside archives, as scanning an archive file might take longer and could cause a scan timeout.

Figure 9: Scan Items settings

6. Configure the appropriate primary and secondary actions under the Actions tab for options: When a threat is found and When an unwanted program is found. If the file is found to be a threat, the action taken depends on the following configuration:

• If the Clean option is selected, any threats found cause an attempt to clean the file.

− If the file is successfully cleaned, scan engine notifies the IBM SONAS that the file was a threat and was successfully cleaned, and scan engine returns the repaired file to the IBM SONAS.

− If the file is not successfully cleaned, scan engine notifies IBM SONAS that the file is a threat and it was unable to clean the file.

• If the Continue scanning option is selected, scan engine notifies IBM SONAS that the file is a threat, and then IBM SONAS blocks the access to the file.

Figure 10: Actions tab settings

7. Settings under the Performance tab and the Reports tab can be left as default or changed as per the requirements.

8. After completing the entire configuration, click OK to configure all the settings on the scan engine. You will be prompted for a confirmation to restart the scan engine services so that the new configuration will be activated.

Figure 11: Saving the newly-applied configuration and restarting the service

9. In the VirusScan Console, right-click ICAP AV Scanner and click View log to view the scan results.

10. In the VirusScan Console, right-click ICAP AV Scanner and click Statistics to view the scan statistics.

Figure 12: Viewing scan logs from VirusScan Console

The McAfee scan engine is now ready for use with the IBM SONAS system. For more information regarding additional options and behaviors, which may be customized to individual organizational requirements, refer to the McAfee website.

Configuring the IBM SONAS antivirus connector

The IBM SONAS command line interface (CLI) is used for configuring and displaying SONAS antivirus parameters. The connector is configured using the cfgav command line utility, which is accessed from the management node. This utility controls scan behavior when files are accessed by a client as well as during bulk scan requests. The SONAS antivirus configuration can be changed dynamically and does not require a shutdown or restart of the antivirus service.

Before using the connector to control scanning behavior, the connector must be configured with a pool of scan engines. Next, you need to define scopes to the connector along with a set of scan options specific to each scope. A scope can be an entire file system, specific paths on a file system, a CIFS export, or a file set.

Defining scan engine pool

At least one scan engine must be registered in order to provide virus scanning for each SONAS. However, it is recommended to configure a minimum of two scan engines in a scan engine pool to use the load-balancing facility provided by SONAS, which distributes the scan load. This also provides high availability in case one scan engine is not available. SONAS tries to contact the failed scan engine periodically and reinstates it for scanning after it becomes available.

• For defining a scan engine to the connector, use the cfgav CLI.

cfgav --set-scanner mcafee:<IP Address 1>:<ICAP Port>

IP Address = IP address of a scan engine

ICAP Port = Port used for ICAP communication (McAfee default is 1344)

Figure 13: Example of set-scanner

• Additional scan engines can be specified at the same time by separating each with a comma.

cfgav --set-scanner mcafee:<IP Address 1>:<ICAP Port>,mcafee:<IP Address 2>:<ICAP Port>

Figure 14: Example of multiple set-scanner

• To add another scan engine at a later time, use the following command:

cfgav --add-scanner mcafee:<IP Address>:<ICAP Port>

Figure 15: Example of add-scanner
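
Once the pool is defined, each engine's ICAP listener can be checked with an OPTIONS request (RFC 3507). This is an added example, not IBM or McAfee code; the addresses and sample reply are constructed, and SERVICE_PATH is a placeholder because the guide does not give the engine's ICAP service path.

```python
"""ICAP OPTIONS health check for the scan engines in a SONAS pool."""
import ipaddress
import socket

SERVICE_PATH = "SERVICE-PATH"   # placeholder (assumption), not a real McAfee value
MAX_HEADER_BYTES = 16384

# Constructed sample of a healthy OPTIONS reply, used for offline checks.
SAMPLE_REPLY = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: RESPMOD\r\n"
    b'ISTag: "constructed-tag-01"\r\n'
    b"Max-Connections: 16\r\n"
    b"Options-TTL: 3600\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)


def parse_scanner_spec(spec):
    """Split a cfgav-style 'mcafee:<ip>:<port>[,...]' string into (ip, port) pairs."""
    engines = []
    for item in spec.split(","):
        vendor, ip, port = item.strip().split(":")   # IPv4 only
        if vendor != "mcafee":
            raise ValueError(f"unexpected vendor tag in {item!r}")
        ipaddress.ip_address(ip)                     # ValueError on a bad address
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range in {item!r}")
        engines.append((ip, port))
    return engines


def build_options_request(host, port, service=SERVICE_PATH):
    """Build an RFC 3507 OPTIONS request as bytes."""
    return (
        f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_icap_response(raw):
    """Parse the ICAP status line and headers; raise ValueError if not ICAP."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    reason = parts[2] if len(parts) > 2 else ""
    return {"status": int(parts[1]), "reason": reason, "headers": headers}


def assess(parsed):
    """Return a list of problems found in a parsed OPTIONS response."""
    problems = []
    if parsed["status"] != 200:
        problems.append(f"status {parsed['status']} {parsed['reason']}".strip())
    for required in ("methods", "istag"):   # mandatory in RFC 3507 OPTIONS replies
        if required not in parsed["headers"]:
            problems.append(f"missing {required} header")
    return problems


def probe(ip, port, service=SERVICE_PATH, timeout=5.0):
    """Send OPTIONS to one engine; network failures are reported, not raised."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            sock.sendall(build_options_request(ip, port, service))
            raw = b""
            while b"\r\n\r\n" not in raw and len(raw) < MAX_HEADER_BYTES:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
        problems = assess(parse_icap_response(raw))
    except (OSError, ValueError) as exc:
        problems = [f"no usable ICAP reply: {exc}"]
    return {"engine": f"{ip}:{port}", "ok": not problems, "problems": problems}


def check_pool(spec, service=SERVICE_PATH, timeout=5.0):
    """Probe every engine named in a cfgav --set-scanner argument."""
    return [probe(ip, port, service, timeout) for ip, port in parse_scanner_spec(spec)]


if __name__ == "__main__":
    # Constructed addresses from the documentation range 192.0.2.0/24.
    for result in check_pool("mcafee:192.0.2.21:1344,mcafee:192.0.2.22:1344", timeout=2.0):
        print(result)
```

Run it from a host that appears in the scan engine's ICAP client connection list; other clients may be refused.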

Defining scopes with scan options

For configuring a scope with scan options:

cfgav --<scope> <scope arg> --<option 1> <option 1 arg> … --<option N> <option N arg>

• scope = fsys (file system), path (file system path), export (CIFS export), or fset (file set)

• scope arg = name or path to a scope

• option = multiple options can be specified together, separated by a space

• option arg = specific arguments that apply to each option

Examples:

• Enable antivirus scanning on a list of scopes: cfgav --export av00a,av01a --scan

• Set a list of extensions to scan on an export: cfgav --export av00a --set-include exe,dll,xlsx

• Set a timeout value for accessing scan engines: cfgav --timeout 20

• Enable file system scanning when a file is written: cfgav --fsys gpfs0 --onwrite

• Deny access to protected files in a file set if scanning cannot occur: cfgav --fset gpfs0:root --denyonerror

• Add an extension to a path include list: cfgav --path /ibm/gpfs0 --add-include exe

• Set the exclude list for an export: cfgav --export av00a --set-exclude txt

• Enable file quarantine by deletion for an export: cfgav --export av00a --qdel

• Enable file quarantine by moving for an export: cfgav --export av00a --qmove

Verifying scan options on defined scopes

The current antivirus configuration for all scopes can be listed using the lsav CLI.

Figure 16: Example of lsav CLI command

For a complete list of configurable options and their descriptions, consult the man page for the cfgav utility by typing man cfgav at the command prompt on the management node. Alternatively, invoking the utility by typing cfgav --help provides a list of options with abbreviated explanations.

Initiating a bulk scan using the SONAS antivirus connector

The antivirus connector provides a method for administrators to initiate a full scan on all the files defined within one or more scopes on the SONAS. As previously mentioned, every time a new antivirus definition file is downloaded by the scan engine(s), all files defined within all scopes must be rescanned prior to access. The bulk scan feature is a method to proactively scan all of those files during a window when access to the SONAS is at a minimum, thereby reducing the load on the system and network during peak usage times.

The ability to perform a bulk scan is also important when new shares are created but the files are copied from other file systems through SSH File Transfer Protocol (SFTP) or Secure Copy (SCP) and are therefore not scanned automatically. Initiating a bulk scan on these shares ensures that future file accesses will be faster.

Initiating a manual bulk scan on a defined scope

Manual bulk scans are initiated using the ctlavbulk command line utility, which is accessed from the management node. This utility follows all the settings defined by the cfgav utility and, when called with a scope, scans only those files that are defined in that scope by cfgav. If no scopes are provided, all protected files are scanned. Only one bulk scan can run at a time; however, multiple scan processes can be spawned on each interface node using the --processes option. When the command is issued, it becomes a background process, returning control to the user. You can check the status of the current bulk scan by issuing the --status option of the ctlavbulk command.

Starting a bulk scan on one or more defined scopes

You can initiate bulk scan on one or more defined scopes.

ctlavbulk --<scope 1> <scope 1 arg 1>,<scope 1 arg N> --<scope 2> <scope 2 arg 1>,<scope 2 arg N>

• scope = fsys (file system), path (file system path), export (CIFS export), or fset (file set)

• scope arg = name or path to a scope

Examples:

• Initiate bulk scan on one scope: ctlavbulk --export av00a

• Initiate bulk scan on two scopes of the same type: ctlavbulk --export av00a,av01a

• Initiate bulk scan on two scopes of different types: ctlavbulk --fsys gpfs0 --export av02a

Starting a bulk scan with multiple processes

You can initiate bulk scan with multiple processes.

ctlavbulk --<scope 1> <scope 1 arg 1> --processes <processes arg>

• scope = fsys (file system), path (file system path), export (CIFS export), or fset (file set)

• scope arg = name or path to a scope

• processes arg = number of processes to spawn on each interface node (default = 1)

Examples:

• Initiate bulk scan on one scope with five processes per interface node: ctlavbulk --export av03a --processes 5

• Initiate bulk scan on four scopes with 10 processes per interface node: ctlavbulk --export av04a,av05a --fsys gpfs1,gpfs2 --processes 10

Checking the status of a bulk scan

You can use the --status option to list the bulk scan status.

ctlavbulk --status

Figure 17: Example of ctlavbulk --status

Note: The * in the column labeled p indicates that the process has started for the displayed node.

Stopping a bulk scan

You can use the --stop option to stop bulk scan.

ctlavbulk --stop

Figure 18: Example of ctlavbulk --stop

For a complete list of configurable options and their descriptions, consult the man page for the ctlavbulk utility by typing man ctlavbulk at the command prompt on the management node. Alternatively, invoking the utility by typing ctlavbulk --help provides a list of options with abbreviated explanations.

Scheduling bulk scan on a defined scope Periodic bulk scans can be scheduled using the mktask command line utility on the management node, using the task name CtlAvBulk as one of the parameters. Tasks are run on a daily basis. The mktask command supports additional customizable options, which are completely explained on the man page available by typing man mktask from the management node command line interface.

Creating a bulk scan task for a defined scope

A new scheduled task for bulk scanning a defined scope can be created using the mktask command:

mktask CtlAvBulk --hour N --minute N --parameter "scope(s)"

• hour N = hour of the day to start the scan (24-hour clock), for example, 10, 12, 15, or 20

• minute N = minute of the hour to start the scan

• scope(s) = one or more scopes to bulk scan

Examples:

• Schedule a bulk scan for 2:30 a.m. every day on two CIFS exports: mktask CtlAvBulk --hour 2 --minute 30 --parameter "--export AV1,AV2"
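A wrapper that composes the ctlavbulk and mktask lines shown above from validated inputs, as an added example that is not part of the original guide or of the SONAS tooling. The function names, the TYPE=NAME argument form, the allowed-character rule for scope names and the comma-joining of path and fset scopes are assumptions; the script only prints the commands.

```shell
#!/bin/sh
# Added example: composes command lines only; never runs ctlavbulk or mktask.
# scope_args TYPE=NAME... -> e.g. "--fsys gpfs1,gpfs2 --export av04a"
# Assumption: names hold only letters, digits and . _ / - and do not start
# with "-", so a name can neither close the quotes around --parameter nor be
# read as an option. Comma-joining is shown in the guide for export and fsys;
# applying it to path and fset is an assumption.
scope_args() (                      # subshell body keeps variables local
    fsys= path= exp= fset= out=
    for spec in "$@"; do
        kind=${spec%%=*} name=${spec#*=}
        case "$name" in
            ""|-*|*[!A-Za-z0-9._/-]*) echo "bad scope name: $name" >&2; exit 1 ;;
        esac
        case "$kind" in
            fsys)   fsys=${fsys:+$fsys,}$name ;;
            path)   path=${path:+$path,}$name ;;
            export) exp=${exp:+$exp,}$name ;;
            fset)   fset=${fset:+$fset,}$name ;;
            *) echo "unknown scope type: $kind" >&2; exit 1 ;;
        esac
    done
    if [ -n "$fsys" ]; then out="$out --fsys $fsys"; fi
    if [ -n "$path" ]; then out="$out --path $path"; fi
    if [ -n "$exp" ];  then out="$out --export $exp"; fi
    if [ -n "$fset" ]; then out="$out --fset $fset"; fi
    [ -n "$out" ] || { echo "no scope given" >&2; exit 1; }
    printf '%s\n' "${out# }"
)

# ctlavbulk_cmd PROCESSES TYPE=NAME... -> an immediate bulk scan
ctlavbulk_cmd() (
    case "$1" in ""|0*|*[!0-9]*) echo "processes must be >= 1" >&2; exit 1 ;; esac
    procs=$1; shift
    scopes=$(scope_args "$@") || exit 1
    printf 'ctlavbulk %s --processes %s\n' "$scopes" "$procs"
)

# mktask_cmd HOUR MINUTE TYPE=NAME... -> a daily scheduled bulk scan
mktask_cmd() (
    case "$1" in [0-9]|1[0-9]|2[0-3]) ;; *) echo "hour must be 0-23" >&2; exit 1 ;; esac
    case "$2" in [0-9]|[1-5][0-9]) ;; *) echo "minute must be 0-59" >&2; exit 1 ;; esac
    hour=$1 minute=$2; shift 2
    scopes=$(scope_args "$@") || exit 1
    printf 'mktask CtlAvBulk --hour %s --minute %s --parameter "%s"\n' \
        "$hour" "$minute" "$scopes"
)

ctlavbulk_cmd 10 export=av04a export=av05a fsys=gpfs1 fsys=gpfs2
mktask_cmd 2 30 export=AV1 export=AV2
```

Review the printed line before pasting it into the management node command line interface; a rejected input produces an error on stderr and no command.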


Recommendations

Antivirus scanning, particularly bulk scanning of large files, can add significant load to several IBM SONAS system resources and can cause performance bottlenecks. The following recommendations can help you minimize performance impact to the system.

• If on-access or bulk scans produce timeout errors, consider increasing the timeout value of scans by using the --timeout parameter of the cfgav command. It is not recommended to increase the timeout parameter beyond the CIFS client timeout value, because doing so can cause files to become inaccessible to the user.

• Avoid scanning expensive items (such as scanning inside the archive files or other containers) to avoid timeout issues.

• Depending on the scanning performance requirements, the number of interface nodes on which bulk scans are run can be configured using the --nodes option of the ctlavbulk command. If higher scanning performance is desired, consider running scans on additional interface nodes. To reduce impact to other SONAS resources, consider limiting the number of interface nodes on which bulk scans are run.

• It is recommended to carefully decide on the file types for scanning. Certain classes of large files are less likely to be prone to virus attacks. By excluding certain file types from scanning with the --add-include|--rem-include|--set-include|--set-exclude options of the cfgav command, overall antivirus scanning performance can be greatly improved.

• Give similar consideration to deciding which scopes to scan, because some scopes might contain files that will not be accessed and are not likely to be prone to virus attacks.

• Ensure that the storage backend has adequate capacity for the client and scan traffic. On-access scans are less likely to add significant load to the storage backend because it is typically scanning data that has either just been written or is just about to be read by the client and therefore can take advantage of caching. Bulk scans on the other hand can add significant load to the storage backend.

• After updating the antivirus signature, it is recommended to scan all protected files during off-peak hours to minimize the impact of scanning during peak usage.

• Ensure that the network infrastructure, such as routers, switches, and network cards on both SONAS and scan engines has adequate capacity. It is recommended to use 10 Gigabit Ethernet.

• It is recommended to use a minimum of two scan engines to take advantage of the high-availability and load-balancing features for scanning.

• Ensure that scan nodes have adequate processor and disk performance.

• It is recommended to run a bulk scan after a migration, either by Hierarchical Storage Management (HSM) recall or by data restoration from a backup server.

• While using multiple scan engines to support scanning of IBM SONAS, consider the following factors:


− Configure the settings on each scan engine to be identical.

− Schedule an auto update of all McAfee scan engines to occur at the same time to ensure that virus definitions are identical.

− On each scan engine, configure the virus scan functionality identically for each SONAS system to avoid inconsistency.


Summary

The ability to effectively protect shared file data against viruses and other malicious threats is an important challenge for storage and security administrators who require a trusted and reliable antivirus solution. Not only must the integrity of the data be constantly maintained, the solution must also be scalable to match the continually expanding size and volume of data that is retained on a NAS system. The IBM SONAS system is designed as a multipetabyte global storage platform supporting extreme scalability for business infrastructures that demand high performance as well as high availability. IBM has almost thoroughly tested the SONAS system with McAfee VirusScan Enterprise for Storage confirming their interoperability and compatibility, and is committed to proactively providing enterprise users with one of the best solutions that can serve to reduce time and mitigate risk during planned implementations.

The technical content contained herein is intended only as a reference for those customers who wish to use McAfee VirusScan Enterprise for Storage to protect their data on the IBM SONAS system. It should not be treated as a definitive implementation or solution document due to the unique configurations and case-specific scenarios inherent in every customer environment. For solution-specific designs, contact an IBM storage representative to arrange a discussion with an antivirus implementation specialist.



About the author

Mandar Vaidya is a Staff Software Engineer in the IBM SONAS ISV Enablement group. He has more than 10 years of experience working with various storage and systems technologies. Mandar holds a Bachelor of Engineering degree from the University of Pune, India. You can reach Mandar at [email protected].


Trademarks and special notices

© Copyright IBM Corporation 2011. All rights reserved.

References in this document to IBM products or services do not imply that IBM intends to make them available in every country.

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

SET and the SET Logo are trademarks owned by SET Secure Electronic Transaction LLC.

Other company, product, or service names may be trademarks or service marks of others.

Information is provided "AS IS" without warranty of any kind.

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.

Information concerning non-IBM products was obtained from a supplier of these products, published announcement material, or other publicly available sources and does not constitute an endorsement of such products by IBM. Sources for non-IBM list prices and performance numbers are taken from publicly available information, including vendor announcements and vendor worldwide homepages. IBM has not tested these products and cannot confirm the accuracy of performance, capability, or any other claims related to non-IBM products. Questions on the capability of non-IBM products should be addressed to the supplier of those products.

All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Contact your local IBM office or IBM authorized reseller for the full text of the specific Statement of Direction.

Some information addresses anticipated future capabilities. Such information is not intended as a definitive statement of a commitment to specific levels of performance, function or delivery schedules with respect to any future products. Such commitments are only made in IBM product announcements. The information is presented here to communicate IBM's current investment and development activities as a good faith effort to help with our customers' future planning.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here.

Photographs shown are of engineering prototypes. Changes may be incorporated in production models.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.