Protection Engine for Cloud Services

  • 1.  Scan Engine - How to Know it's Working

    Posted Jan 16, 2012 12:46 PM

    Hello All,

    I recently had CAVA installed and set up to work with Scan Engine. As people are still reporting viruses on our NAS, I wanted to make sure this thing is working, so I have a few questions I hope someone doesn't mind answering.

    - In my Scan Engine home under Recent Activities, I have all zeros (number of viruses found, repaired, quarantined, etc.), but if I browse to a folder where users are reporting an infection, I get the SEP pop-up that the file was quarantined or deleted (although above Recent Activities, it does say over 200,000 files have been scanned so far). Just curious if that's how it should look or if I should be seeing numbers here.

    - The date of my Symantec URL definitions has never updated, although CAIC URL defs do update. Is this something I need to be concerned about?

    - Will this scan engine only scan files on their way into the NAS? I want to be able to tell users why they are still getting reports of viruses on their machines from files on the NAS. As I understand it, the files are scanned on their way in and deleted (as I have set) if a threat is detected. However, the hundreds of thousands of files that were already on the NAS prior to this Scan Engine/CAVA being implemented may be sitting there dormant and infected, and when they are opened, they will not be scanned by the server, but instead by their client AV. I was told users won't see the infection cleaned pop-ups when the server removes them, but they will see them when their local machine removes them, which is why I'm assuming this is how it works. Am I correct? And if I am correct, is there nothing to do about those countless files until they are opened by a user?

    Thanks for taking the time to check out my post. Hope someone doesn't mind helping. :)


    Thanks,

    Selym



  • 2.  RE: Scan Engine - How to Know it's Working

    Broadcom Employee
    Posted Jan 16, 2012 01:26 PM

    Scan Engine is never involved in the decision to scan a file or not. That is completely up to CAVA.

    I would suggest copying a malware test file to the NAS and see what the result is. You can download this file from: http://eicar.org

    SEP will detect it, so you may need to either download the multi-zipped version or use a computer that SEP is not running on.



  • 3.  RE: Scan Engine - How to Know it's Working

    Posted Jan 16, 2012 04:13 PM

    Hi TSE-JDavis-

    Thanks for the reply. Yes, I have run that and it is detected, but what I don't quite understand is this: is it the AV running on my client that's detecting it, or the Scan Engine? I was told that if the Scan Engine/CAVA server finds and removes a threat, the user would never see the Symantec pop-up about the file being removed because it was done on the server side.

    Is that incorrect? Will the user only see a threat removal window if it's their client machine AV removing it? I guess if someone is moving a virus-infected file onto the NAS, it might be safe to say their local client AV isn't working anyway, but what about that zipped file? My computer AV is working; I moved the zipped file to the NAS, unpacked it on the NAS, and as far as I can tell it was my local computer AV that popped up and removed it.

    Just trying to figure out how all this works. It helps to at least sound like I know what I'm talking about when other operational teams and users come to me with complaints/issues/symantec threat removal popup concerns, etc. 


    EDIT: And also... is this Scan Engine/CAVA implementation simply a gatekeeper that only removes the threats it finds on the way in, and therefore not effective if it does not detect something on its way in, like the zip file?

    Thanks,
    Sel



  • 4.  RE: Scan Engine - How to Know it's Working

    Broadcom Employee
    Posted Jan 16, 2012 05:11 PM

    If Scan Engine detects an infection, you would not see anything on the client.

    Your questions about when CAVA sends a file to Scan Engine would need to be addressed by EMC. As far as I know, CAVA is supposed to pass a file to Scan Engine every time the file is accessed. Once you uploaded the file to the NAS, Scan Engine should have detected it and deleted it. If you were able to upload it, then unpack it, then Scan Engine never saw it.


    You should run a detailed report in Scan Engine and check the box for Infection Found. If you don't see a detection for EICAR in the report, we never saw it and CAVA may not be set up correctly.
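    One way to run the check the two replies above describe, written as an added example that is not from this thread or from Broadcom/EMC: it drops the EICAR test file onto a share path (the path is a placeholder assumption), watches whether the file disappears, and classifies the outcome using the reasoning above (a server-side removal by Scan Engine produces no client pop-up, so a removal that came with a SEP pop-up was most likely the workstation AV). Whether a pop-up appeared is something the person running it answers by hand.

    ```python
    import os
    import time


    def eicar_test_string() -> bytes:
        """Return the 68-byte EICAR test string, assembled from two halves
        so the signature does not sit verbatim in this source file."""
        head = "X5O!P%@AP[4\\PZX54(P^)7CC)7}"
        tail = "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
        return (head + tail).encode("ascii")


    def drop_and_watch(directory: str, name: str, content: bytes,
                       wait_seconds: float = 10.0, poll: float = 0.5,
                       cleanup: bool = True) -> str:
        """Write `content` into `directory` and poll until the file disappears
        or the wait expires. Returns "removed" or "still_present"; if nothing
        removed it and cleanup is set, the file is deleted afterwards."""
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(content)
        deadline = time.monotonic() + wait_seconds
        while time.monotonic() < deadline:
            if not os.path.exists(path):
                return "removed"
            time.sleep(poll)
        if cleanup and os.path.exists(path):
            os.remove(path)
        return "still_present"


    def interpret(outcome: str, client_av_alerted: bool) -> str:
        """Map the result onto the thread's reasoning: Scan Engine removals are
        silent on the client, so a removal WITH a pop-up points at client AV."""
        if outcome == "removed" and not client_av_alerted:
            return "removed server-side: confirm an Infection Found entry in the Scan Engine report"
        if outcome == "removed" and client_av_alerted:
            return "removed by client AV: Scan Engine probably never saw it; check the CAVA setup"
        return "file still present: neither CAVA/Scan Engine nor client AV acted on it"


    if __name__ == "__main__":
        # Placeholder share path (assumption): the NAS export that CAVA watches.
        share = r"\\nas01\share\scan-test"
        result = drop_and_watch(share, "eicar.com", eicar_test_string())
        # Set client_av_alerted to True if a SEP pop-up appeared on this workstation.
        print(interpret(result, client_av_alerted=False))
    ```

    Run it from a workstation whose own AV does not hold the file back first, or the exercise only tests the workstation; the Scan Engine detailed report is still the authoritative answer to "did the server see it".
    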



  • 5.  RE: Scan Engine - How to Know it's Working

    Posted Jan 18, 2012 11:01 AM

    Thanks again TSE-JDavis

    I have reached out to EMC for help. We initially set it to scan on first read, which makes sense to me for files already on our NAS, but that setting is confusing for files being copied over to it. Yep, I unpacked the EICAR file on the NAS and my client AV removed it because I have Auto-Protect enabled.

    A detailed report for "infections found" for the month this server has been up yields nothing, just an empty report. Now, I don't know if that's because I did not set up auditing on the CAVA side, but I am assuming that since I can see how many total requests and files/data have been scanned via the Scan Engine console, I would also see something listed under Recent Activities such as viruses found, removed, etc.

    The part that stinks with a setup like this is having to deal with two different companies and not knowing who I should be getting answers from for which part. Sorry if I end up asking questions here that should be more suitable for EMC. I'm still familiarizing myself with it all. 


    Sel