Best Practices for initial installation and testing of Symantec Scan Engine 5.x and Protection Engine 7.x in a CAVA 3.6.x environment
|Article:TECH89267|||||Created: 2008-01-02|||||Updated: 2013-06-03|||||Article URL http://www.symantec.com/docs/TECH89267|
You seek information regarding best practices for implementing Symantec Antivirus (SAV) for Network Attached Storage (NAS) with EMC Celerra Anti-Virus Agent (CAVA) 3.6.x.
NOTE: Before beginning, verify that each machine where you plan to install SAV for NAS 5.x or Protection Engine for NAS 7.x meets the System Requirements for the build you plan to install. Symantec always recommends installation in a test environment to identify performance issues before deployment to production systems.
NOTE: Prior to SAV for NAS 5.2.11, Symantec provided a 32-bit version of the API library. Starting with build 5.2.11 of SAV for NAS and 7.0.1 of Protection Engine for NAS, Symantec also provides a 64-bit API library as well. The 64-bit API library supports using the 64-bit version of the EMC Event Enabler (ex CAVA agent) with SAV for NAS. Windows does not allow a 64-bit process, like the 64-bit version of EMC Event Enabler, to load a 32-bit dll. If a 64-bit version of EMC Event Enabler is used, please check with EMC support to confirm that it includes the 64-bit Symantec API library.
- Install and license the latest build of SAV for NAS 5.x or Protection Engine 7.x for NAS on at least two computers which meet the system requirements.
- Assign virus checking rights.
- On each machine where you installed SAV for NAS or Protection Engine 7.x for NAS, remove the Email Tools component of Symantec Antivirus Corporate Edition or Symantec Enterprise Protection, if present.
- On each machine where you installed SAV for NAS or Protection Engine 7.x for NAS, exclude the temporary file scanning directory for Scan Engine 5.x from local filesystem utilities such as antivirus, backup, patch management, and other local filesystem utilities.
- On each machine where you installed SAV for NAS or Protection Engine 7.x for NAS, perform initial configuration of Symantec Scan Engine 5.x. (See below.)
- On each machine where you installed SAV for NAS or Protection Engine 7.x for NAS, install CAVA on the same machine or machines where you installed Scan Engine 5.x.
- On each machine where you installed SAV for NAS or Protection Engine 7.x for NAS, configure CAVA for a Scan Engine 5.x environment.
- Before placing into production, test the SAV for NAS or Protection Engine 7.x for NAS and CAVA by attempting to access files which are representative of typical usage in your productions environment.
- Based upon test results, tune SAV for NAS or Protection Engine 7.x for NAS settings for best performance and/or policy compliance.
To identify the current location of the temporary scanning directory of SAV for NAS
- In the Scan\Protection Engine interface, click Configuration> Resources
The folder which Scan\Protection Engine uses as a temporary folder for scanning appears in the field labeled 'Temporary directory for scanning:'
To perform initial configuration of Symantec Scan Engine 5.x or Protection Engine 7.x for NAS
- Click Configuration > Protocol
- Click ICAP
- In the 'Port number' field, type: 1344
- Click Policies > Filtering > Container Handling
- In the 'Time to Extract file meets or exceeds' field, type: 30
- In the 'Maximum extract depth', type: 5
- Click Allow access to the file and generate a log entry
- Uncheck 'Deny partial containers'
- Uncheck 'Block malformed containers'
- Uncheck 'Delete encrypted containers'
- Click Policies> Files
- Uncheck 'Block files with the following names (one per line):'
- Uncheck 'Block files with the following sizes (one per line):'
- At the command line, navigate to the installation location of Scan/Protection Engine.
- At the command line, type the following command:
java -jar xmlmodifier.jar -s /policies/Misc/HonorReadOnly/@value false policy.xml
- Restart the Symantec Scan/Protection Engine service to make the changes effective.
System requirements for Symantec Scan Engine 5.1 on Windows
EMC support site
Symantec is not responsible for content available on web sites maintained by other organizations or individuals.
About Container Handling limits
Most antivirus scanning products contain policies to limit the resources spent on scanning a single file. This prevents denial of service attacks with specially crafted malformed container files.
About 'Time to extract file meets or exceeds'
The timer for the 'Time to extract' setting begins when the actual scan of the file begins. This measure does not include time spent transmitting the scan request to Scan/Protection Engine, nor does it contain time spent in moving the file to the Scan/Protection Engine from the EMC Celerra server or other device. Within the EMC or CAVA settings, the scan timeout setting includes:
1. time spent sending the scan request to Scan/Protection Engine,
2. time spent copying the file to the Scan/Protection Engine,
3. time spent performing the actual scan of the file once it is local to Scan/Protection Engine,
4. and time spent copying a repaired file back to the EMC Celerra server or other device.
To accommodate the difference in what these timeout values actually measure, the timeout value within EMC and/or CAVA should be three times the value of the 'Time to extract file...' setting within the Scan/Protection Engine interface.
About 'Maximum extract depth'
This policy setting helps prevent 'zip of death' style denial of service attacks. A 'zip of death' denial of service attack is a .zip archive with directory pointers which form a circular structure, which may result in an attempt to extract the file forever. As you lower this number, you lower the maximum number of levels scanned within a container file, resulting in a more rapid, but possibly less thorough scan. As you raise this number, you also raise the maximum number of levels Scan Engine examines within a container, resulting in a slower, but more thorough scan. For initial testing, 5 to 10 levels will establish basic function. The maximum value for this setting is 1024. Tune this setting to meet the usage patterns of your environment.
Behavior of block actions specified within Scan Engine 5.x
CAVA sends a FILEMOD command, a policy of 'ScanRepairDelete', and a UNC path and filename to Scan Engine 5.x. Scan Engine adheres to the policy provided by the CAVA connector, which overrides the policy in the Scan Engine web interface on the Configuration> Protocol screen. The FILEMOD command of the ICAP protocol directs Scan Engine to scan the file and directly modify it in its current location. Returning a block access response is not possible for Scan Engine 5.x in these circumstances. Scan Engine 5.x will therefore directly delete the file and report the results of the scan to CAVA.
For this reason, Symantec recommends that all Block actions be disabled within the Scan Engine 5.x interface for each Scan Engine 5.x supporting a CAVA 3.6 connector.
About compatibility with Symantec Antivirus Corporate Edition or Symantec Enterprise Protection
Note the following:
The Email Tools component of Symantec Antivirus Corporate Edition or Symantec Enterprise Protection is not recommended for Windows Server operating systems. For more, see:
Compatibility of Symantec AntiVirus email plug-ins with Microsoft Windows Server operating systems
Article URL http://www.symantec.com/docs/TECH89267