Best Practice for Symantec AntiVirus for Network Attached Storage 5.x with EMC Celerra Filer
|Article:TECH132270|||||Created: 2010-01-06|||||Updated: 2012-04-13|||||Article URL http://www.symantec.com/docs/TECH132270|
Best Practice guide for using Symantec AntiVirus for Network Attached Storage 5.x with EMC Celerra Filer.
Below are some suggestions/best practices we advise to customers,
1. General hardware requirements are 1GB of RAM, and over 10GB of free disk space. If possible we would recommend giving each scanner 2GB of RAM and 20+GB of free disk space. Symantec Scan Engine reads the files into its temp folder, so under sufficient load Scan Engine can temporarily utilize a lot of disk space.
Performance Scan Engine Settings:
- In the Symantec Scan Engine GUI set Configuration > Resources > “Max RAM used for in-memory file system” from 16MB to 512MB. Scanning files in memory is always faster then reading the file from the Scan Engine temp folder. Also for scanning purposes, Scan Engine manages its own file system, so while we normally say you can set this parameter up to half the amount of memory the Server has. Symantec does typically not recommended going over 512MB. Due to the overhead of managing the in memory file-system.
- Set Configuration > Resources > “Max file size stored within in-memory file system” from 3MB to 10-20MB.
- Under Resources, Scanning Resources, note that when the threshold number of queued requests is reached, Scan Engine will gracefully reject any new connections until our number of queued requests have dropped back under 100. As far as recommended value for this parameter, leave it at 100.
General Scan Engine Settings:
- Make sure Policies > Filtering > Container Handling > “Time to extract file” (our container timeout) is set to a value that is half 1/2 to 2/3 the value of the EMC Celerra timeout value. The EMC Celerra/CAVA timeout parameter is named “reqTimeout”. This is to prevent the Filer and scanner from getting into a retry loop with each other. I believe EMC has a recommended timeout value for their parameter, just set our value accordingly.
- Under Polices > Filtering > Container Handling, please take a look at all of the settings in there. We do not have any specific recommendations for the rest of the container settings, just be aware of how we handle files (for example by default be will delete encrypted container files).
- Monitors > Logging > Local logging level, we recommend keeping this parameter at the Default Warning. Setting local logging to Verbose is fine, it is just mainly used for troubleshooting. As it can consume a significant amount of disk space over time.
- For Liveupdate, we have three options, Shadow ui (share defs with desktop AV), Java Liveupdate, or Rapid Release. Using any one of these virus definition update methods is fine, we do not recommend using multiple ones at the same time.
- By default Scan Engine honors read only files. Therefore if we catch an infected file that is also read only, will not delete this infected file. This setting can be changed.
- Disable the Symantec Scan Engine parameter, HonorReadOnly. By default if Scan Engine catches an infected file we will not delete the file, if it is read only. The CAVA agent will not sync-up with Scan Engine unless this parameter has been disabled. To disable this parameter,
- In Services stop the Scan Engine service.
- Open a command prompt, and change directories to the Scan Engine install directory, by default this is in the \Program Files\Symantec\Scan Engine\ folder.
- Run the command, “java –jar xmlmodifier.jar –s /policies/Misc/HonorReadOnly/@value false policy.xml”. It is case sensitive.
- Start the Scan Engine service back up.
Under a lot of load, the machine that the CAVA agent and Symantec Scan Engine are running on can run out of TCP ports fairly quickly, since the default value is 5000 for the machine. The steps to increase this are,
a. To set initial TCP stack settings within Windows registry
b. Open the Windows registry
c. Navigate to \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters
d. If the DWORD value "MaxUserPort" does not exist, create it.
e. Set "MaxUserPort" to a decimal value of 60000.
f. If the DWORD value TcpTimedWaitDelay does not exist, create it.
g. Set TcpTimedWaitDelay to a decimal value of 30.
h. Reboot the Server for these changes to take effect.
For more info on this change please view this KB, http://www.symantec.com/docs/TECH93003
For recommended exclusions please refer to this KB, www.symantec.com/business/support/index
To address questions, or for more information please contact Support.
Article URL http://www.symantec.com/docs/TECH132270