
Symantec Protection Engine Traffic Monitor - The hint in getting your SPE infrastructure sized accordingly

Created: 11 Jun 2013 by toby • 1 comment

The Symantec Protection Engine (SPE) Traffic Monitor is a command line tool that ships with the SPE installation sources and is used to size and configure an SPE environment correctly.


When you have a NAS environment (e.g. NetApp) and consider protecting it with SPE via RPC, the questions are always how many scan servers you need and with what configuration.


The SPE Traffic Monitor helps you determine the statistics you need to know when planning the sizing and configuration of SPE, so you should use it in every case. You can also re-run it periodically to verify that your sizing is still adequate for the scan requests you have to handle.


Technically the Traffic Monitor simulates an SPE scan server, so you still need to create a virus scan configuration on your NAS system. This also lets you apply the configuration you would use in the environment you want to protect, so the tool sees exactly the flow it would see under real conditions.


You may think that running the tool during the evaluation phase therefore affects your flow. The tool receives the scan request in the same way the usual scan process would; the difference is that it always responds with 'Clean file', so the requesting client can access the file immediately (which also means that, while the tool stands in for the scan server, the files are not actually scanned). Behind the scenes the Traffic Monitor records the following information from each scan request:

  • Time
  • Requests in Time Window
  • Total File Size in MB
  • Maximum File Size in MB
  • Minimum File Size in MB
  • Average File Size in MB
  • MB per second
  • Number of Files between 0 to 3 MB
  • Number of Files between 4 to 7 MB
  • Number of Files between 8 to 11 MB
  • Number of Files between 12 to 16 MB
  • Number of Files Above 16 MB

To execute the tool, copy it into a directory (%Directory%) on your system and run it with the following command:

"SPE Traffic Monitor.exe" 192.168.1.100 1 60 8

This command starts the tool, which accepts RPC scan connections from '192.168.1.100' (if more filers connect, separate them with semicolons, e.g. '192.168.1.100;192.168.1.101'). The statistics are logged to the file every 1 minute for a period of 60 minutes. To also simulate the scan cache refresh after a definitions update, you can pass an interval in hours, which is 8 hours in our test case.

If the tool won't accept scan requests or fails to start, make sure you have met the prerequisites:

  • It is mandatory to run this utility on a machine that belongs to the same domain as the storage system, or to a domain trusted by it.
  • It must run with the storage system's 'backup operator/administrator' privileges or equivalent. If necessary, use the runas command:

runas /user:username@yourdomain.com "SPE Traffic Monitor.exe" 192.168.1.100 1 60 8
  • The utility currently supports RPC integrations between storage systems and Symantec Protection Engine, so make sure nothing is blocking that connection.
  • The user running the Traffic Monitor must have read/write access to the filer and must be able to access the registry of the system it runs on.
  • Once the tool is running, make sure the filer sees the scan system, e.g. on NetApp by typing 'vscan scanners'.

The outcome is logged to a file in the same directory (%Directory%).

To stop the tool, either wait for the timeout (60 minutes in the example above) or enter "stop".
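As an added example (not part of the original post or of the Symantec tool), the following Python script aggregates the per-window statistics listed above into the numbers you actually need for sizing: the peak window, throughput in requests and MB per second, and the share of files above 16 MB. The post does not show the layout of the tool's output file, so the CSV shape and column names used here are an assumption, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample in the shape described in the post: one row per logging
# window with the statistics the Traffic Monitor records. The real file
# layout is not shown in the post, so CSV with these column names is an
# assumption of this example (columns map 1:1 to the fields listed above).
SAMPLE_LOG = """\
time,requests,total_mb,max_mb,min_mb,avg_mb,mb_per_s,f0_3,f4_7,f8_11,f12_16,f_over_16
2013-06-11 09:00,120,180,25,0,1.5,3.0,100,12,4,2,2
2013-06-11 09:01,300,900,40,0,3.0,15.0,200,60,20,10,10
2013-06-11 09:02,90,45,5,0,0.5,0.75,85,5,0,0,0
2013-06-11 09:03,50,20,4,0,0.4,0.33,40,5,0,0,0
"""

BUCKETS = ("f0_3", "f4_7", "f8_11", "f12_16", "f_over_16")


def summarize(log_text, interval_minutes):
    """Aggregate per-window rows into the figures used for sizing."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    peak = max(rows, key=lambda r: int(r["requests"]))
    total_requests = sum(int(r["requests"]) for r in rows)
    total_mb = sum(float(r["total_mb"]) for r in rows)
    hist = {b: sum(int(r[b]) for r in rows) for b in BUCKETS}
    # Windows whose size buckets do not add up to the request count point
    # at a truncated or corrupted log line and should not be trusted.
    bad = [r["time"] for r in rows
           if sum(int(r[b]) for b in BUCKETS) != int(r["requests"])]
    seconds = len(rows) * interval_minutes * 60
    return {
        "windows": len(rows),
        "peak_window": peak["time"],
        "peak_requests": int(peak["requests"]),
        "peak_mb_per_s": max(float(r["mb_per_s"]) for r in rows),
        "avg_requests_per_s": round(total_requests / seconds, 3),
        "avg_mb_per_s": round(total_mb / seconds, 3),
        "largest_file_mb": max(float(r["max_mb"]) for r in rows),
        "share_over_16mb": round(hist["f_over_16"] / total_requests, 3),
        "inconsistent_windows": bad,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, 1).items():
        print(f"{key}: {value}")
```

Run it against the real output file with the logging interval you passed to the tool (1 minute in the example above) once you have adapted the column names to the actual file layout.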

Comments (1)

Tariq Naik:

This tool will be very helpful
