How to configure SAV for NAS 5.x and Protection Engine for NAS 7.x for use with NetApp Filer

Article:TECH89560  |  Created: 2008-01-20  |  Updated: 2014-04-14  |  Article URL http://www.symantec.com/docs/TECH89560
Article Type
Technical Solution


Subject

Issue



How should Symantec AntiVirus (SAV) for Network Attached Storage (NAS) 5.x and Symantec Protection Engine for Network Attached Storage 7.x be configured for use with a Network Appliance (NetApp) Filer?

Symptoms

Conditions

  • Each NetApp Filer runs Data ONTAP™ version 6.1.3R2 or later.
  • If a single SAV for NAS or Protection Engine for NAS installation is to serve multiple NetApp Filers, each NetApp Filer runs Data ONTAP™ version 6.3.1 or later.

 


Solution




For each Scan Engine to be registered with a NetApp Filer:

  • Adjust the TCP stack settings of the Windows operating system on the Scan Engine host
  • Set the "Time to extract file meets or exceeds" value to 40 seconds in the Scan Engine web interface
  • Ensure the "Container limits" are set appropriately for your environment
  • Set the HonorReadOnly flag to false
  • Edit the startup properties of the "Symantec Scan Engine" service to provide service account credentials
  • Set the timeout and abort_timeout settings in the NetApp Filer CLI
  • Edit the list of NetApp Filers
  • Configure the additional settings for the RPC protocol
  • Automatically notify the NetApp Filer when virus definitions are updated
  • In the NetApp Filer CLI, confirm that the Scan Engine registered with the NetApp Filer




Test in a lab and with a limited deployment before proceeding to full production.



To set initial TCP stack settings within the Windows registry

  1. Open the Windows registry editor (regedit.exe).
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
  3. If the DWORD value MaxUserPort does not exist, create it. (The value name is MaxUserPort, singular; a value named MaxUserPorts is ignored by the TCP/IP stack.)
  4. Set MaxUserPort to a decimal value of 60000.
  5. If the DWORD value TcpTimedWaitDelay does not exist, create it.
  6. Set TcpTimedWaitDelay to a decimal value of 30.
  7. Restart the Scan Engine host. Changes under Tcpip\Parameters do not take effect until the TCP/IP stack is reinitialized.
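The same registry change, scripted so that it can be repeated on every scan engine host and verified after the fact. This is an added example and not part of the original article; it assumes an elevated PowerShell session on the Windows host that runs Symantec Scan Engine, and it validates each value against the range Windows Server 2003 documents for the parameter (MaxUserPort 5000 to 65534, TcpTimedWaitDelay 30 to 300 seconds).

```powershell
# Added example (not from the original article): tune the TCP/IP stack on the
# Scan Engine host. Assumes an elevated PowerShell session; a reboot is still
# required before the Tcpip parameters take effect.

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Set-TcpipParameter {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][int]$Value,
        [Parameter(Mandatory=$true)][int]$Minimum,
        [Parameter(Mandatory=$true)][int]$Maximum
    )
    # Reject values outside the range Windows Server 2003 documents for the
    # parameter instead of writing a value the stack will not honor.
    if ($Value -lt $Minimum -or $Value -gt $Maximum) {
        throw "$Name must be between $Minimum and $Maximum (got $Value)"
    }
    $existing = Get-ItemProperty -Path $TcpipParams -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # Value is absent (the Windows Server 2003 default): create it as REG_DWORD.
        New-ItemProperty -Path $TcpipParams -Name $Name -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $TcpipParams -Name $Name -Value $Value
    }
    # Read back and return the value actually stored so the caller can verify it.
    return (Get-ItemProperty -Path $TcpipParams -Name $Name).$Name
}

# Values from the article: 60000 dynamic ports, 30-second TIME_WAIT.
$applied = @{
    MaxUserPort       = Set-TcpipParameter -Name 'MaxUserPort'       -Value 60000 -Minimum 5000 -Maximum 65534
    TcpTimedWaitDelay = Set-TcpipParameter -Name 'TcpTimedWaitDelay' -Value 30    -Minimum 30   -Maximum 300
}

$applied.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0,-18} = {1}' -f $_.Name, $_.Value
}

Write-Warning 'Reboot the Scan Engine host for the Tcpip parameter changes to take effect.'
```

The read-back at the end of Set-TcpipParameter is the part worth keeping: a value written under the wrong name (MaxUserPorts instead of MaxUserPort) or the wrong type (REG_SZ instead of REG_DWORD) is the usual reason this tuning appears to have no effect.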



To set the "Time to extract file meets or exceeds" value in the Scan Engine web interface

  1. In the console, on the primary navigation bar, click Policies.
  2. In the sidebar under Views, click Filtering.
  3. In the content area, on the Container Handling tab, under Container File Processing Limits, in the "Time to extract file meets or exceeds" box, type 40 (seconds).
  4. Click the Save icon on the navigation bar at the top of the Scan Engine interface.



To set the HonorReadOnly flag to false within Symantec Scan Engine 5.x

  1. At the command line, change to the installation directory of Scan Engine (the directory that contains xmlmodifier.jar and policy.xml).
  2. Type the following command:
    java -jar xmlmodifier.jar -s /policies/Misc/HonorReadOnly/@value false policy.xml
  3. Restart the Symantec Scan Engine service for the change to take effect.




To edit the service startup properties

  1. In the Windows 2000/2003 Control Panel, click Administrative Tools.
  2. Click Services.
  3. In the list of services, right-click Symantec Scan Engine, and then click Properties.
  4. In the Properties dialog box, on the Log On tab, click This Account.
  5. Type the account name and password of a user account that has local administrator rights on the computer that runs the scan engine. The same account needs Backup Operator privileges or higher on the NetApp Filer, because these are the rights the scan engine uses to read, repair and delete files on the Filer. Use a dedicated account for this purpose rather than a personal or shared administrator account, and use the following format for the account name:

    domain\username
  6. Click OK.
  7. Stop and start the Symantec Scan Engine service.

    For more information on stopping and starting the Symantec Scan Engine service, see the Symantec Scan Engine Implementation Guide.
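The two host-side changes above that each require a service restart (clearing HonorReadOnly in policy.xml and changing the service log-on account) can be applied in a single pass, as in the following added example. It is not part of the original article or of the Scan Engine product. It assumes an elevated PowerShell session on the Scan Engine host; the install path, the domain account name and the Filer-side rights of that account are placeholders for your environment. Unlike the Services console, which grants the "Log on as a service" right automatically when you pick an account, the WMI method used here does not, so the account must already hold that right or the final Start-Service fails.

```powershell
# Added example (not from the original article): clear HonorReadOnly and set the
# service log-on account in one pass, then restart and verify.
# Assumptions: elevated PowerShell on the Scan Engine host; $InstallDir is the
# Scan Engine install location; $ServiceAccount is a dedicated domain account
# with local administrator rights here and Backup Operator or higher on the Filer.

$InstallDir      = 'C:\Program Files\Symantec\Scan Engine'   # assumed path
$ServiceAccount  = 'EXAMPLE\svc-scanengine'                   # assumed account
$ServicePassword = Read-Host -Prompt "Password for $ServiceAccount" -AsSecureString

# Locate the service by its display name rather than guessing the short name.
$svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='Symantec Scan Engine'"
if ($null -eq $svc) { throw 'Symantec Scan Engine service not found on this host' }

Stop-Service -Name $svc.Name -Force

# Article step: set HonorReadOnly to false so infected read-only files can be
# repaired or deleted. xmlmodifier.jar ships with Scan Engine 5.x.
Push-Location $InstallDir
try {
    & java -jar xmlmodifier.jar -s /policies/Misc/HonorReadOnly/@value false policy.xml
    if ($LASTEXITCODE -ne 0) { throw "xmlmodifier.jar failed with exit code $LASTEXITCODE" }
} finally {
    Pop-Location
}

# Article step: set the log-on account. Win32_Service.Change takes positional
# arguments (DisplayName, PathName, ServiceType, ErrorControl, StartMode,
# DesktopInteract, StartName, StartPassword); $null leaves a property unchanged.
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($ServicePassword))
$result = $svc.Change($null, $null, $null, $null, $null, $null, $ServiceAccount, $plain)
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
}

Start-Service -Name $svc.Name

# Verify: the service runs under the new account and policy.xml no longer
# honors the read-only attribute (XPath taken from the article's command).
$svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='Symantec Scan Engine'"
[xml]$policy = Get-Content (Join-Path $InstallDir 'policy.xml')
$honor = $policy.SelectSingleNode('/policies/Misc/HonorReadOnly/@value')
if ($null -eq $honor) { throw 'HonorReadOnly not found in policy.xml' }
'{0} runs as {1} (state: {2}); HonorReadOnly={3}' -f $svc.DisplayName, $svc.StartName, $svc.State, $honor.Value
```

The verification at the end reads the stored service account and the policy attribute back rather than trusting the return codes; if the account shown is still LocalSystem, the Change call was rejected, and if HonorReadOnly still reads true, the edit was made against a copy of policy.xml outside the install directory.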



To edit the list of NetApp Filers

  1. In the Symantec Scan Engine administrative interface, in the left pane, click Configuration.
  2. Under Views, click Protocol.
  3. In the right pane, under Select Communication Protocol, click RPC. The configuration settings for the selected protocol are displayed.
  4. In the Manual Restart Required dialog box, click OK.
  5. To add a NetApp Filer to the list of RPC clients, type the IP address of the NetApp Filer for which Symantec Scan Engine should provide scanning services. Type one entry per line.
  6. To delete a NetApp Filer from the list of RPC clients, select and delete its IP address.
  7. On the toolbar, click Save.

    NOTE: Save stores the changes. You can continue to make changes in the administrative interface until you are ready to apply them.
  8. On the toolbar, click Apply.

    NOTE: Apply commits the changes you made; changes are not implemented until they are applied. A manual restart of the service is then required for the changes to take effect and for a proper connection to the NetApp Filer.
  9. In the Windows services console, right-click the Symantec Scan Engine service and click Restart.



To configure additional RPC-specific options

  1. In the Symantec Scan Engine administrative interface, in the left pane, click Configuration.
  2. Under Views, click Protocol.
  3. Under RPC Configuration, in the Check RPC connection every box, type the interval (in seconds) at which Symantec Scan Engine checks that its RPC connection with the NetApp Filer is still active.

    NOTE: The default interval is 20 seconds.
  4. In the Maximum number of reconnect attempts box, type the maximum number of times Symantec Scan Engine should try to re-establish a lost connection with the NetApp Filer.

    NOTE: The default setting is 0, which means Symantec Scan Engine retries indefinitely. Keep the default if the scan engine provides scanning for multiple NetApp Filers, so that an outage on one Filer does not leave it permanently unregistered.
  5. In the Antivirus scan policy list, select how Symantec Scan Engine should handle infected files.

    NOTE: The default setting is "Scan and repair or delete".
  6. On the toolbar, click Save.
  7. On the toolbar, click Apply.
  8. In the Windows services console, right-click the Symantec Scan Engine service and click Restart.



To automatically notify the NetApp Filer when virus definitions are updated

  1. In the administrative interface, in the left pane, click Configuration.
  2. Under Views, click Protocol.
  3. Under RPC Configuration, check Automatically send AntiVirus update notifications.
  4. On the toolbar, click Save.
  5. On the toolbar, click Apply.
  6. In the Windows services console, right-click the Symantec Scan Engine service and click Restart.



To confirm that a particular SAV for NAS 5.2 or Protection Engine for NAS 7 installation registered with the NetApp Filer

  • Use the "vscan" command at the NetApp Filer command line interface to check the list of registered scan engines. A scan engine that does not appear in the list has not completed RPC registration; check the RPC client list on the Scan Engine and restart its service.
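When one scan engine serves several Filers, the registration check is worth scripting from the scan engine host so that every Filer is checked the same way after each service restart. The following is an added example, not part of the original article or of either product. It assumes that Data ONTAP 7-mode accepts a non-interactive command over SSH (ssh user@filer <command>), that an ssh.exe client is on the PATH of the Windows host, and that the Filer names, the admin user and the scan engine IP are placeholders for your environment. Because the layout of the "vscan scanners" output differs between Data ONTAP releases, the check matches only the engine's IP address.

```powershell
# Added example (not from the original article): confirm from the scan engine
# host that each NetApp Filer lists this Scan Engine as a registered scanner.
# Assumptions: Data ONTAP 7-mode runs a command passed on the ssh command line;
# ssh.exe is on the PATH; names, account and IP below are placeholders.

$Filers       = @('filer1.example.com', 'filer2.example.com')  # assumed names
$FilerAdmin   = 'root'                                           # assumed account
$ScanEngineIp = '192.0.2.10'                                     # assumed engine IP

function Invoke-FilerCommand {
    param([string]$Filer, [string]$Command)
    # Data ONTAP runs the command and prints its output; capture it as one string.
    $out = & ssh.exe "$FilerAdmin@$Filer" $Command 2>&1
    if ($LASTEXITCODE -ne 0) { throw "ssh to $Filer failed: $($out -join ' ')" }
    return ($out -join "`n")
}

function Test-ScanEngineRegistered {
    param([string]$Filer, [string]$EngineIp)
    # 'vscan scanners' lists the registered scanners; match on the IP only,
    # since the column layout varies by Data ONTAP release.
    $scanners = Invoke-FilerCommand -Filer $Filer -Command 'vscan scanners'
    return [bool]($scanners -match [regex]::Escape($EngineIp))
}

foreach ($filer in $Filers) {
    $registered = Test-ScanEngineRegistered -Filer $filer -EngineIp $ScanEngineIp
    '{0}: registered={1}' -f $filer, $registered
    # 'vscan' alone reports whether virus scanning is enabled on the Filer;
    # 'vscan options' shows the current timeout and abort_timeout values.
    Invoke-FilerCommand -Filer $filer -Command 'vscan'
    Invoke-FilerCommand -Filer $filer -Command 'vscan options'
    if (-not $registered) {
        Write-Warning "$filer does not list $ScanEngineIp; check the RPC client list on the Scan Engine and restart its service."
    }
}
```

The warning branch is the useful outcome: a Filer that is missing from the Scan Engine's RPC client list, or a Scan Engine service that was not restarted after Apply, both show up here as a Filer that does not list the engine's IP.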



Note: should a number of "Access Denied" errors be observed from users trying to access files on the Filer, and a number of "Scan Errors" reported by Scan Engine, check the following article to ensure your Container Limits are set properly according to the environment:



References
The Implementation Guide contains additional information about notifying a requesting user that a virus was found, using Protection Engine for NAS with Symantec Central Quarantine, and specifying which embedded files to scan. The Protection Engine for NAS 7 Implementation Guide may be found here:

http://www.symantec.com/business/support/resources/sites/BUSINESS/content/live/DOCUMENTATION/6000/DOC6022/en_US/SPE70_For_NAS_ImplementationGuide.pdf


Additional information regarding NetApp Filer configuration is available in the SAV for NAS 5.1 Integration Guide and in the NetApp Filer documentation provided by Network Appliance.




Technical Information
About Container Handling limits

Most antivirus scanning products contain policies that limit the resources spent on scanning a single file. These limits mitigate denial-of-service attacks that use specially crafted or malformed container files, which would otherwise tie up a scanning thread indefinitely and delay or block file access for every user of the Filer.


About 'Time to extract file meets or exceeds'
The timer for the 'Time to extract' setting starts when Scan Engine begins scanning the file. It does not include the time spent transmitting the scan request to Scan Engine, nor the time spent moving the file from the NetApp Filer (or other device) to Scan Engine. The scan timeout setting on the NetApp Filer, by contrast, covers:

  1. Time spent sending the scan request to Scan Engine,
  2. Time spent copying the file to Scan Engine,
  3. Time spent performing the actual scan of the file once it is local to Scan Engine,
  4. Time spent copying a repaired file back to the NetApp Filer or other device.

The Filer's timeout must therefore be large enough to cover the transfer time plus the Scan Engine's extraction limit; if it is shorter, the Filer can abandon a scan that Scan Engine is still performing.




About 'Maximum extract depth'
This policy setting helps prevent 'zip of death' style denial-of-service attacks. A 'zip of death' is a .zip archive whose internal directory pointers form a cycle, so that a scanner which follows them keeps extracting nested entries forever. Lowering this number reduces the maximum number of levels scanned within a container file, giving a faster but possibly less thorough scan. Raising it increases the maximum number of levels Scan Engine examines within a container, giving a slower but more thorough scan. For initial testing, 5 to 10 levels will establish basic function. The maximum value for this setting is 1024. Tune this setting to the usage patterns of the environment.


About HonorReadOnly
By default, Scan Engine will not repair or delete infected files which have the Read Only file attribute set.


About Windows Server 2003 default TCP stack settings
By default, Windows Server 2003 has no TcpTimedWaitDelay entry under Tcpip\Parameters, and the stack uses its built-in default of 240 seconds. After a TCP connection closes, its local port remains in the TIME_WAIT state for that long before it can be reused. Also by default, Windows Server 2003 has no MaxUserPort entry, and the stack uses its built-in default of 5000, which limits the dynamic (ephemeral) port range to ports 1025 through 5000 for the whole system. In a high-load environment the host can run out of dynamic ports while recently closed connections are still in TIME_WAIT; raising MaxUserPort and lowering TcpTimedWaitDelay makes the server more responsive. Both changes require a restart.

 



Legacy ID



2008052006132654

