Mandar J. Vaidya. IBM Systems and Technology Group ISV Enablement May 2013

Transcription

1 Protecting the IBM Storwize V7000 Unified system with McAfee VirusScan Enterprise for Storage A reference guide for storage and security administrators Mandar J. Vaidya IBM Systems and Technology Group ISV Enablement May 2013 Copyright IBM Corporation, 2013

2 Table of Contents Abstract... 1 Executive overview... 1 Intended audience... 1 Scope... 1 Prerequisites... 2 IBM Storwize V7000 Unified system overview... 2 IBM Storwize V7000 Unified system antivirus connector an overview... 4 McAfee VirusScan Enterprise for Storage an overview... 6 Planning for integration of IBM Storwize V7000 Unified system with McAfee VirusScan Enterprise for Storage... 6 Planning for integration of IBM Storwize V7000 Unified system with McAfee VirusScan Enterprise for Storage... 7 Integration of IBM Storwize V7000 Unified system with McAfee VirusScan Enterprise for Storage... 9 Installing McAfee VirusScan Enterprise... 9 Installing McAfee VirusScan Enterprise for Storage... 9 Configuring McAfee VirusScan Enterprise Storage for IBM Storwize V7000 Unified system Configuring the IBM Storwize V7000 Unified system antivirus connector Storwize V7000 Unified system antivirus configuration using GUI Storwize V7000 Unified system antivirus configuration using CLI Initiating a bulk scan using the Storwize V7000 Unified system antivirus connector Configuring bulk scan using GUI Initiating a manual bulk scan on a defined scope using CLI Scheduling bulk scan on a defined scope Recommendations Summary Resources About the author Trademarks and special notices... 31

3 Abstract With today s continuing explosive growth in information data, comes the need for storing the data without compromising data integrity from potential threats that might exist in an enterprise network environment. IBM Storwize V7000 Unified system has been qualified for interoperability with the leading antivirus scan engines, such as Symantec AntiVirus for Network Attached Storage (NAS) and McAfee VirusScan Enterprise for Storage. This technical paper describes the IBM Storwize V7000 Unified system integration with McAfee VirusScan Enterprise for Storage, and provides guidelines for using the IBM Storwize V7000 Unified system with McAfee VirusScan Enterprise for Storage to protect the overall system and prevent security threats caused by malware. Executive overview IBM Storwize V7000 Unified system is designed to serve a large number of users connecting to it using a variety of file-based protocols, such as Network File System (NFS) or Common Internet File System (CIFS). The data created or accessed using these protocols is vulnerable to the potential threats of viruses, worms, Trojan horses, and other forms of malware. Computer viruses mostly target Microsoft operating systems. However, computers running other operating systems can be directly or indirectly affected by viruses. McAfee VirusScan Enterprise for Storage expands the VirusScan Enterprise capabilities by providing remote scanning of IBM Storwize V7000 Unified system file modules using the Internet Content Adaptation Protocol (ICAP). The IBM Storwize V7000 Unified system, when integrated with McAfee VirusScan Enterprise for Storage (henceforth called McAfee scan engines) provides a comprehensive solution to protect all the file data stored on the Storwize V7000 Unified system. Intended audience This technical report is intended for: Customers and prospects looking to protect the IBM Storwize V7000 Unified system using McAfee VirusScan Enterprise for Storage. Users and management seeking detailed information to implement McAfee antivirus solution on IBM Storwize V7000 Unified system using ICAP protocol. Scope This technical report provides: Detailed McAfee VirusScan Enterprise for Storage solution implementation on the IBM Storwize V7000 Unified system using ICAP. Detailed antivirus protection implementation guide and configuration best practices. This technical report does not: Discuss any performance impact and analysis from a user perspective Replace any official manuals and documents from IBM and McAfee on the products used in the antivirus solutions. 1

4 Prerequisites This technical paper assumes familiarity with the following prerequisites. Basic knowledge of IBM Storwize V7000 Unified system. Basic knowledge McAfee VirusScan Enterprise and McAfee VirusScan Enterprise for Storage. The IBM Storwize V7000 Unified system must have Storwize V7000 file module software version 1.3 GA or higher. IBM Storwize V7000 Unified system overview Figure 1 : IBM Storwize V7000 Unified system The IBM Storwize Unified system is a virtualized storage system to complement virtualized server environments that provides unmatched performance, availability, advanced functions, and highly-scalable capacity never seen before in midrange disk systems. This powerful midrange disk system has been designed to be easy to use and enable rapid deployment without additional resources. The Storwize V7000 Unified system consolidates block and file workloads into a single storage system for simplicity of management and reduced cost, and offers greater efficiency and flexibility through built-in solid state drive (SSD) optimization and thin-provisioning technologies. The advanced functions of this storage system also enable nondisruptive migration of data from existing storage, simplifying implementation and minimizing impact to users. The Storwize V7000 Unified system enables virtualization and reuse of existing disk 2

5 systems, supporting a greater potential return on investment (ROI). The system includes IBM Active Cloud Engine, which is designed to deliver policy-based management of files to reduce costs through use of tiered storage and improve data governance. The IBM Storwize V7000 Unified system includes the IBM Storwize V7000 file module and the IBM Storwize V7000 storage system designed to support both file as well as block protocols. Figure 1 shows pictorial representation of the IBM Storwize V7000 Unified system. The file module is a clustered system comprised of two units that provide file systems for use by NAS. The file module uses the Storwize V7000 storage system to provide the file module with volumes. Volumes are also provided on the SAN. The Storwize V7000 storage system consists of a drive enclosure called the control enclosure. Both regular and SSDs are supported. The control enclosure contains disk drives and two node canisters that are managed as a single-clustered system. Expansion enclosures contain drives and are attached to the control enclosure. Expansion canisters include the serial-attached SCSI (SAS) interface hardware that enables the node hardware to use the drives of the expansion enclosures. The IBM Storwize V7000 File Module software within the Storwize V7000 Unified system contains the interface node, storage node and management node functions. A management node is used for configuring, administering, and monitoring a system. An interface node connects a system to an Internet Protocol (IP) network using the following protocols. Common Internet File System (CIFS) Network File System (NFS) File Transfer Protocol (FTP) Hypertext Transfer Protocol Secure (HTTPS) Secure Copy Protocol (SCP) The Storwize V7000 Unified system also supports the following block functions for the host systems that attach to the Storwize V7000 Unified system. The system: Creates a single pool of storage Provides logical unit virtualization Manages logical volumes Mirrors logical volumes Provides large cache Supports Copy Services IBM Tivoli Storage FlashCopy Manager (point-in-time copy) function, including thinprovisioned FlashCopy to make multiple targets affordable Metro Mirror (synchronous copy) Global Mirror (asynchronous copy) Data migration Allows space management IBM System Storage Easy Tier to migrate the most frequently used data to higher performing storage Metering of service quality when combined with IBM Tivoli Storage Productivity Center Thin-provisioned logical volumes 3

6 Provides external virtualization of existing disk systems The Storwize V7000 Unified system provides the ability to manage block and file storage through a single management graphical user interface (GUI) or command line interface (CLI). IBM Storwize V7000 Unified system antivirus connector an overview Figure 2 : Workflow of on-access scanning of a file from the IBM Storwize V7000 Unified system using McAfee scan engine IBM Storwize V7000 Unified system antivirus connector is a part of the Storwize V7000 Unified system file module management software which communicates with independent software vendor (ISV) scan engines using ICAP. There are two approaches for virus scanning, On-access scan It scans all the specified files on the IBM Storwize V7000 Unified system file modules when accessed or created. This method has the benefit of ensuring that the files are scanned with the latest virus signature before being accessed. This approach is more effective at detecting viruses before they are able to compromise data and this method does not generate heavy network traffic between IBM Storwize V7000 Unified system file modules and McAfee scan engines. This approach is ideal for customers using Microsoft Windows clients and CIFS file I/O. 4

7 \ Bulk scan This allows scanning of all the specified files on a file system or a part of file system. This is typically performed at the schedule defined on the IBM Storwize V7000 Unified system. The disadvantage in using this method is that the files recently updated might not be scanned before being used. Bulk scans can generate heavy network traffic between Storwize V7000 Unified system file modules and scan engines and can generate heavy load on a storage system. Also, bulk scan can take significant time to complete, depending on the number of files to be scanned. Storage administrators are likely to use the bulk scans for non-cifs files (for example NFS) protection, which are less prone to virus attacks. IBM Storwize V7000 Unified system antivirus connector provides enterprise antivirus vendors, such as McAfee VirusScan Enterprise for Storage that enables tighter integration and overall control of antivirus implementations by deciding strategies suitable for the customer environment. The IBM Storwize V7000 Unified system antivirus connector communicates with McAfee scan engines using ICAP. IBM Storwize V7000 Unified system can be configured with multiple McAfee scan engines to achieve load balancing and to distribute the workload. Storwize V7000 Unified system file modules select a scan engine from the pool of scan engines at scan time. If a scan engine is not reachable from file modules, it is temporarily removed from the pool and file modules select a different scan engine from the pool of available scan engines. It periodically attempts to reinstate the removed scan engine back into the pool. Figure 2 describes the workflow of an On-Access scan session for a single file. When a user accesses a file from the IBM Storwize V7000 unified system file modules over the network, the system initiates the scan of a file in real time and opens a connection with the McAfee scan engine. The Storwize V7000 Unified system then passes the file to the scan engine for scanning. The McAfee scan engine indicates the scanning results to the Storwize V7000 Unified system after the file is scanned. In case the file is infected, the scan engine tries to repair the file and sends the repaired file to the Storwize V7000 Unified system. Storwize V7000 Unified system receives the scan results. If the file is infected and can be cleaned, a stored version of the infected file is replaced on the Storwize V7000 Unified system with the repaired file received from the scan engine. Only the repaired file is passed to the requesting user. In case a virus is detected and repair of file is not possible, the Storwize V7000 Unified system can be configured to quarantine or delete the non-repairable file and the user will be notified with the permission denied type of error message. The connector also caches antivirus scan information for each file as extended attributes to determine whether it must be scanned or rescanned by saving the time stamps of the last scan in addition to the antivirus definition file. This way, a repeat scan might be avoided if another user tries to access the same file later but the antivirus definitions might have not changed. When new antivirus definitions are received and updated, each file is rescanned before it is made available to the user requesting access. Bulk scans might be configured to proactively rescan files periodically (for example every day) during off-peak hours when accesses are minimal to prevent any potential performance impacts on the Storwize V7000 Unified system or the scan engines in the pool. 5

8 McAfee VirusScan Enterprise for Storage an overview McAfee VirusScan Enterprise for Storage expands the VirusScan Enterprise capabilities by providing remote scanning of IBM Storwize V7000 Unified system file modules using ICAP. McAfee scan engine scans the files received from the IBM Storwize V7000 Unified system file modules and provides real-time protection for the massive amount of critical information that is being stored and accessed by the IBM Storwize V7000 Unified system file modules users. McAfee scan engine detects the virus infected files that are being accessed, read, or copied to and from IBM Storwize V7000 Unified system file modules. After detecting an infection in the file, it automatically cleans the file and provides the repaired file to the IBM Storwize V7000 Unified system file modules. McAfee VirusScan Enterprise for Storage provides following features: Advanced antivirus technology: McAfee s award winning antivirus technology continuously blocks a wide range of viruses and malicious code threats, including those hidden in compressed files. Detection of unwanted programs: It finds the unwanted hidden spyware programs that open security holes. Centralized management: An entire McAfee security system can be managed using McAfee s central management system, reducing overall cost and providing ease of management. Continuous protection: On-access scanning provides real-time protection to the data on IBM Storwize V7000 Unified system file modules when the files are accessed or written to the Storwize V7000 Unified system file modules unlike traditional on-demand scans. Cost effectiveness: It supports connection to more than one Storwize V7000 Unified system file modules. Rapid notification: Whenever a virus is detected, notification can be sent to the configured recipients. This enables to react instantly to any possible virus outbreak. 6

9 Planning for integration of IBM Storwize V7000 Unified system with McAfee VirusScan Enterprise for Storage Planning is one of the most important areas of consideration before beginning to configure IBM Storwize V7000 Unified system with McAfee VirusScan Enterprise for Storage. It is important that the security team and the IBM Storwize V7000 Unified system administrator work together to anticipate the scopes and type of files for which scanning is required, as well as number of files required to scan and the number of McAfee scan engines that are required. The administrators can define policies or settings for handling infected files when detected. The following factors need to be carefully considered during the planning. Numbers of McAfee scan engines: Antivirus scanning on Storwize V7000 Unified system file modules requires a minimum of one scan engine configured with McAfee scan engine. However, in order to take benefit of load-balancing and highavailability features of the IBM Storwize V7000 Unified system, a minimum of two scan engines are recommended. Storwize V7000 Unified system antivirus connector automatically performs load balancing to make sure that the workload is evenly distributed across the scan engine. When a scan engine becomes unavailable, the workload is directed to the remaining operational scan engines. You need additional considerations for: Total number of files stored on the Storwize V7000 Unified system file modules, which requires scanning Large numbers of files can be scanned by multiple scan engines using the Storwize V7000 Unified system antivirus connector load balancing feature. Host-processor speed and RAM configuration Fewer scan engines might be needed if the processor speed is faster and more RAM is present on each scan engine. Network speed Faster network speeds allow for reduced time in transferring larger files to the scan engine for scanning. Type of scopes to scan: In the Storwize V7000 Unified system, antivirus configuration options are defined on scopes. A scope is a subtree of the file name space, identified by the path to the root of the subtree. All file accesses within that subtree share a set of antivirus settings. You can configure the following four types of scope for antivirus scanning in the IBM Storwize V7000 Unified system. File systems File sets Path Exported shares 7

10 Not all scopes are required to be configured for scanning as certain file sets, paths, or file systems are either static in nature, or are not shared with any users. The administrator needs to ensure that all scopes that might be vulnerable to potential threats are included in their defined scanning strategy. Types of files to scan: In the Storwize V7000 Unified system, the administrator can define the files or the file types that can be scanned. An administrator can control and decide whether to scan files by exclusion list or inclusion list, or whether to scan all the files regardless of extensions. The Storwize V7000 Unified system antivirus parameter can be set at all the scopes to specify which extensions to be included in or excluded from a scan. The exclusion list specifies the extension of the files to be excluded because they are not likely to contain viruses. The inclusion / exclusion list defines the following behavior. If the include list is empty or not defined, default is that all extensions are included in the scan. The exclusion list is created to exclude files with specific file extensions from scanning. If an extension is in the include list, only files with that extension are scanned. If an extension is in include as well as exclude list, files with that extension are not scanned. Careful planning is required to create the include / exclude list as this plays an important role in improving performance of the scan process, as not all file extensions need to be scanned due to the nature of the files and file types, which are unlikely to have viruses. File processing strategy It is important to plan for the action that needs to be taken in case an unrecoverable virus file is identified. IBM Storwize V7000 Unified system provides the option to quarantine or delete the infected, unrecoverable file. For this, an optional parameter can be set to quarantine or delete the file at the defined scope. Optionally, the path by which the file was opened for the current scan can be moved to a subdirectory created for that purpose. Only the Storwize V7000 Unified system or security administrator will have access to that subdirectory and can take appropriate action to manually delete the unrecoverable virus files. If no strategy is defined, the user is denied access to the file. 8

11 Integration of IBM Storwize V7000 Unified system with McAfee VirusScan Enterprise for Storage The scanning process requires two components: The IBM Storwize V7000 Unified system antivirus connector and the external antivirus scan engines running McAfee VirusScan Enterprise for Storage. Depending on the workload determined during the planning stage, multiple scan engines might need to be installed and configured to the Storwize V7000 Unified system file modules. McAfee VirusScan Enterprise for Storage expands the VirusScan Enterprise capabilities by providing remote scanning of the IBM Storwize V7000 Unified system using ICAP. Therefore, before installing the McAfee VirusScan Enterprise for Storage, first install VirusScan Enterprise on the identified server. Installing McAfee VirusScan Enterprise McAfee VirusScan Enterprise is supported on the Microsoft Windows platform. Before installing the product, review the release notes and the requirements of the product. Later, install and license the VirusScan Enterprise product as per the instructions given in the installation guide from the McAfee website at: 944/en_US/vse_880_installation_guide_en-us.pdf Installing McAfee VirusScan Enterprise for Storage Before installation of VirusScan Enterprise for Storage, verify that the following tasks are completed. Ensure that a licensed version of VirusScan Enterprise is installed. Ensure that the IBM Storwize V7000 Unified system file modules are available with minimum release version of 1.3 Review the latest product release notes for system requirements, known issues, and last minute additions or changes. Ensure that the VirusScan Enterprise for Storage software is available. After verifying the requirements, install the VirusScan Enterprise for Storage as per the instructions given in the installation guide from the McAfee website. After successful installation of the product, verify that: The installation has installed two additional console items, namely: Network Appliance Filer AV Scanner and ICAP AV Scanner to the VirusScan Console. (Refer to Figure 3). The installation also configures McAfee VirusScan Enterprise for Storage service to the Windows services panel. Under the Help About VSE section of VirusScan Console, McAfee VirusScan Enterprise for Storage is listed as an installed and licensed module. 9

12 Figure 3 : Newly-created icons under VirusScan Console Figure 4: New service added for McAfee VirusScan Enterprise for Storage Figure 5: McAfee VirusScan Enterprise for Storage added as an installed module 10

13 Configuring McAfee VirusScan Enterprise Storage for IBM Storwize V7000 Unified system After successful installation of VirusScan Enterprise and VirusScan Enterprise for Storage, you need to configure VirusScan Enterprise for Storage properly using VirusScan Console to support scanning for IBM Storwize V7000 Unified system. Note: If multiple scan engines are used for antivirus scanning with IBM Storwize V7000 Unified system, each scan engine must be configured identically. Also, make sure that the AutoUpdate feature from McAfee is scheduled to receive updates at the same time to avoid conflict during the scanning. Following steps need to be performed from the McAfee VirusScan Console. 1. Launch the McAfee VirusScan Console. Figure 6: Launching the VirusScan Console 2. In the VirusScan Console, right-click ICAP AV Scanner and click Properties to launch the configuration window. Figure 7: Configuring ICAP AV Scanner 11

14 3. Configure the ICAP server settings using bind address and the port number. If the server on which McAfee scan engine is running has multiple IPs, enter the appropriate IP address that needs to be used for antivirus scanning. The default port number for ICAP is If the port needs to be changed from the default, enter a port number greater than 1024, which is not used by any other service. Figure 8: ICAP server configuration 4. Configure the ICAP client connection lists using Storwize V7000 Unified system file modules external IP addresses. Click Add and enter all the public Storwize V7000 Unified system file modules IP addresses one by one. Figure 9: ICAP client IP configuration 12

15 5. Configure the options in the Scan Items tab to select the files that need to be scanned and other options specific to the files that are scanned. Similar settings can be performed from the IBM Storwize V7000 Unified system configuration. Due to performance reasons, scanning inside the archives need be avoided as it might take longer to scan an archive file and cause the scanning timeout. Figure 10: Settings in the Scan Items tab 6. Configure the appropriate primary and secondary actions under the Actions tab for options: When a threat is found and When an unwanted program is found. If the file is found to be a threat, the action taken depends on the following configuration: If the Clean option is selected, any threats found cause an attempt to clean the file. If the file is successfully cleaned, scan engine notifies the IBM Storwize V7000 Unified system that the file was a threat and was successfully cleaned, and scan engine returns the repaired file to the IBM Storwize V7000 Unified system. If the file is not successfully cleaned, scan engine notifies IBM Storwize V7000 Unified system that the file is a threat and it was unable to clean the file. If the Continue scanning option is selected, scan engine notifies the IBM Storwize V7000 Unified system that the file is a threat, and then IBM Storwize V7000 Unified system blocks the access to the file. 13

16 Figure 11: Actions tab settings 7. Settings under the Performance tab and the Reports tab can be left as default or changed as per the requirements. 8. After completing the entire configuration, click OK to configure all the settings on the scan engine. You will be prompted for a confirmation to restart the scan engine services so that the new configuration will be activated. Figure 12: Saving the newly-applied configuration and restarting the service 9. In the VirusScan Console, right-click ICAP AV Scanner and click View log to view the scan results. 10. In the VirusScan Console, right-click ICAP AV Scanner and click Statistics to view the scan statistics. 14

17 Figure 13: Viewing scan logs from VirusScan Console The McAfee scan engine is now ready for use with the IBM Storwize V7000 Unified system. For more information regarding additional options and behaviors (which may be customized to individual organizational requirements) refer to the McAfee website. Configuring the IBM Storwize V7000 Unified system antivirus connector IBM Storwize V7000 Unified system CLI or GUI can be used for configuring and displaying Storwize V7000 Unified system antivirus parameters. It is configured using the cfgav command line utility, which is accessed from the management node. This utility controls scan behavior when files are accessed by a client as well as during bulk scan requests. The Storwize V7000 Unified system antivirus configuration can be changed dynamically and it does not require shutdown or restart of antivirus service. Before using the connector to control the scanning behavior, the connector must be configured with a pool of scan engines. Next, you need to define scopes to the connector along with a set of scan options specific to each scope. A scope can be an entire file system, specific paths on a file system, a CIFS export, or a file set. Storwize V7000 Unified system antivirus configuration using GUI Perform the following steps to configure Storwize V7000 Unified system antivirus using GUI. 1. Log in to the Storwize V7000 Unified system GUI using 2. Click the File icon in the left-hand side and click Services to start antivirus configuration. 15

18 Figure 14 : Storwize V7000 Unified system File Services administration 3. Select the Antivirus service and click Configure to start antivirus configuration. Figure 15 : Antivirus configuration selection 4. In Configure page, select mcafee from the Protocol list, enter the IP address (where McAfee VirusScan for Enterprise for Storage has been installed) in the Scan Node field, and select the port for ICAP communication (default port is 1344). Click the + sign ( ) to add another scanner details. After adding all the scanners, select global timeout in seconds or leave it as default. Click OK to configure. 16

19 Figure 16 : McAfee scanners configuration 5. Antivirus scanner configuration summary will be displayed. After verifying the summary, click Close to complete the McAfee scanner configuration. Figure 17 : Antivirus scanner configuration summary 6. After completing the scanner configuration, click New Antivirus Definition to add new scopes for scanning. 17

20 Figure 18 : Configuring new antivirus definition 7. In New Antivirus Definition page, enter the path that needs to be enabled for the scan. Select the Enable Antivirus Definition check box. In case on-write scanning needs to be enabled, select the Scan files on close if file changed (write operation performed) check box. From the Action to take for infected files list (with the No action, Delete, and Quarantine options) select an appropriate action to handle the behavior of infected files. Additionally, you can also specify include / exclude options to limit the scope of scanning to the files with specified extensions. In case the files with all the extensions need to be scanned, select Scan all files. After all the required settings are configured, click OK to continue. Figure 19 : New Antivirus Definition configuration 8. A summary page shows the saved antivirus definition. After verifying the saved configuration, click Close to complete the wizard. 18

21 Figure 20 : New Antivirus Definition configuration summary All the scopes will be displayed in the Services page of the Antivirus service. Figure 21 : Configured antivirus definition summary Storwize V7000 Unified system antivirus configuration using CLI Log in to the Storwize V7000 Unified system file module s CLI. Defining scan engine pool At least one scan engine must be registered in order to provide virus scanning for each Storwize V7000 Unified system. However, it is recommended to configure a minimum of two scan engines in a scan engine pool to avail the load-balancing facility provided by the Storwize V7000 Unified system, used for distributing the scan load. Also, it provides the high-availability feature, in case one scan engine is not available. Storwize V7000 Unified system tries to contact the failed scan engine periodically and reinstate it for scanning after it becomes available. For defining a scan engine to the connector, use the cfgav CLI. cfgav --set-scanner mcafee:<ip Address 1>:<ICAP Port> IP Address = IP address of a scan engine ICAP Port = Port used for ICAP communication (McAfee default is 1344) 19

22 Figure 22: Example of set-scanner Additional scan engines can be specified at the same time by separating each with a comma. cfgav --set-scanner mcafee:<ip Address 1>:<ICAP Port>,mcafee:<IP Address 2>:<ICAP Port> Figure 23: Example of multiple set-scanner To add another scan engine at a later time, use the following command: cfgav --add-scanner mcafee:<ip Address>:<ICAP Port> Figure 24: Example of add-scanner Defining scopes with scan options For configuring a scope with scan options: cfgav --<scope> <scope arg> --<option 1> <option 1 arg> --<option N> <option N arg> scope = fsys (file system), path (file system path), export (CIFS export), or fset (file set) scope arg = name or path to a scope option = multiple options can be specified together, separated by a space option arg = specific arguments that apply to each option Examples Enable antivirus scanning on a list of scopes: cfgav --export av00a,av01a --scan Set a list of extensions to scan on an export: cfgav --export av00a --set-include exe,dll,xlsx Set a timeout value for accessing scan engines: cfgav --timeout 20 20

23 Enable file system scanning when a file is written: cfgav --fsys gpfs0 --onwrite Deny access to protected files in a file set, if scanning cannot occur: cfgav --fset gpfs0:root --denyonerror Add an extension to a path include list: cfgav --path /ibm/gpfs0 --add-include exe Set the include list for an export: cfgav --export av00a --set-exclude txt Enable file quarantine by deletion for an export: cfgav --export av00a --qdel Enable file quarantine by moving for an export: cfgav --export av00a qmove Verifying scan options on defined scopes Current antivirus configuration for all scopes can be listed using the lsav CLI. Figure 25: An example of the lsav CLI command For a complete list of configurable options and their descriptions, refer to the man page for the cfgav utility by entering man cfgav at the command prompt on the management node. Alternatively, invoking the utility by entering cfgav --help provides a list of options with abbreviated explanations. 21

24 Initiating a bulk scan using the Storwize V7000 Unified system antivirus connector The antivirus connector provides a method for administrators to initiate a full scan on all the files defined within one or more scopes on the Storwize V7000 Unified system. As previously mentioned, every time a new antivirus definition file is downloaded by the scan engine(s), all files defined within all scopes must be rescanned prior to access. The bulk scan feature is a method to proactively scan all of those files during a window when access to the system is at a minimum, thereby reducing the load on the system and network during peak usage times. The ability to perform a bulk scan is also important when new shares are created but files are copied either through SSH File Transfer Protocol (SFTP), Secure Copy (SCP) from other file systems and are not scanned automatically. Initiating a bulk scan on these shares ensures that in future, file accesses will be faster. IBM Storwize V7000 Unified system GUI or CLI can be used for configuring and displaying Storwize V7000 Unified system bulk scans. Configuring bulk scan using GUI Perform the following steps to configure bulk scan using GUI. 1. Log in to Storwize V7000 Unified system GUI using 2. In the Services page of Antivirus service, click Batch Scans and then click New Batch Scan to start configuring bulk scan. Figure 26 : Configuration of batch scan 3. Enter the frequency and time of day when bulk scan needs to be run on the system in the respective fields. Specify the paths to scan during the bulk scan. After configuring the paths that need to be bulk scanned, click OK to continue. 22

25 Figure 27 : Bulk scan configuration details 4. A summary page shows the saved bulk scan configuration. After verifying the saved configuration, click Close to complete the wizard. Figure 28 : Bulk scan configuration summary Initiating a manual bulk scan on a defined scope using CLI Manual bulk scans are initiated using the ctlavbulk command line utility of the Storwize V7000 Unified system. This utility follows all the settings defined by the cfgav utility, and when called with a scope, scans only those files which are defined in a scope by cfgav. If no scopes are provided, all protected files are scanned. Only one bulk scan can run at a time, and however, multiple scan processes can be spawned on each file module using the --processes option. When the command is issued, it becomes a background process, returning the control to the user. You can check the status of the current bulk scan by issuing the --status option of the ctlavbulk command. 23

26 Starting a bulk scan on one or more defined scopes You can initiate bulk scan on one or more defined scopes. ctlavbulk --<scope 1> <scope 1 arg 1>,<scope 1 arg N> --<scope 2> <scope 2 arg 1>,<scope 2 arg N> scope = fsys (file system), path (file system path), export (CIFS export), or fset (file set) scope arg = name or path to a scope Examples: Initiate bulk scan on one scope: ctlavbulk --export av00a Initiate bulk scan on two scopes of the same type: ctlavbulk --export av00a,av01a Initiate bulk scan on two scopes of different types: ctlavbulk --fsys gpfs0 --export av02a Starting a bulk scan with multiple processes You can initiate bulk scan with multiple processes. ctlavbulk --<scope 1> <scope 1 arg 1> --processes <processes arg> scope = fsys (file system), path (file system path), export (CIFS export), or fset (file set) scope arg = name or path to a scope processes arg = number of processes to spawn on each file module (default = 1) Examples: Initiate bulk scan on one scope with five processes per file module: ctlavbulk --export av03a --processes 5 Initiate bulk scan on four scopes with 10 processes per file module: ctlavbulk --export av04a,av05a --fsys gpfs1,gpfs2 --processes 10 Checking the status of a bulk scan You can use the --status option to list the bulk scan status. ctlavbulk --status 24

27 Figure 29: Example of ctlavbulk --status Stopping a bulk scan You can use the --stop option to stop bulk scan. ctlavbulk --stop Figure 30: Example of ctlavbulk --stop For a complete list of configurable options and their descriptions, refer to the man page for the ctlavbulk utility by entering man ctlavbulk at the command prompt on the management node. Alternatively, invoking the utility by entering ctlavbulk --help provides a list of options with abbreviated explanations. Scheduling bulk scan on a defined scope Periodic bulk scans can be scheduled by using the mktask command line utility of the Storwize V7000 Unified system, using the CtlAvBulk task name as one of the parameters. Tasks are run on a daily basis. The mktask command supports additional customizable options, which are completely explained on the man page available by entering man mktask at the management node CLI. Creating a bulk scan task for a defined scope New scheduled task for bulk scanning a defined scope can be created using the mktask command. mktask CtlAvBulk --hour N --minute N --parameter scope(s) hour N = hour of the day to start the scan (24-hour clock), that is, 10, 12, 15, 20 minute N = minute of the hour to start the scan scope(s) = one or more scopes to bulk scan Examples: Schedule a bulk scan for 2:30 a.m. every day on two CIFS exports: mktask CtlAvBulk --hour 2 --minute 30 --parameter "--export AV1,AV2" 25

28 Recommendations Antivirus scanning, particularly bulk scanning of large files can add significant load to several IBM Storwize V7000 Unified system resources and can cause performance bottlenecks. The following recommendations can help you minimize performance impact to the system. If on-access or bulk scan produces timeout errors, consider increasing timeout value of scans by using the --timeout parameter of the cfgav command. It is not recommended to increase the timeout parameter beyond CIFS client timeout value, which can cause files becoming inaccessible to the user. Avoid scanning expensive items (such as scanning inside the archive files or other containers) to avoid timeout issues. Depending on the scanning performance requirements, the number of file modules on which bulk scans are run can be configured using the --nodes option of the ctlavbulk command. If higher scanning performance is required, consider running scans on both the file modules. To reduce impact to other Storwize V7000 Unified system resources, consider limiting the number of file modules on which bulk scans are run. It is recommended to carefully decide on the file types for scanning. Certain classes of large files are less likely to be prone to virus attacks. By deconfiguring certain types of files using the --add-include --rem-include --set-include --set-exclude options of the cfgav command, the overall antivirus scanning performance can be greatly improved. Similar consideration has to be given to decide scopes for scanning as some scopes might contain files that will not be accessed and are not likely prone to the virus attacks. Ensure that the storage backend has adequate capacity for the client and scan traffic. On-access scans are less likely to add significant load to the storage backend because it is typically scanning data that has either just been written or is just about to be read by the client, and therefore, can take advantage of caching. Bulk scans on the other hand can add significant load to the storage backend. After updating the antivirus signature, it is recommended to scan all protected files during off-peak hours to minimize the impact of scanning during peak usage. Ensure that the network infrastructure, such as routers, switches, and network cards on both Storwize V7000 Unified system and scan engines has adequate capacity. It is recommended to use 10 Gigabit Ethernet. When the management network and I/O network of the file modules are configured on different network speeds and the management network is on a 1 GbE network, then move the management interface from ethx0 to the higher network speed ethx1 (10 GbE) using the command: chnwmgt --interface ethx1. It is recommended to use a minimum of two scan engines to avail high-availability and load-balancing feature for the scanning. Ensure that scan nodes have adequate processor and disk performance. 26

29 It is recommended to run bulk scan after a migration either by HSM recall or data restoration from backup server. While using multiple scan engines to support scanning of IBM Storwize V7000 Unified system, consider the following factors: Configure the setting on each scan engine to be identical. Schedule an auto update of all McAfee scan engines to occur at the same time to ensure that virus definitions are identical. Configure virus scan functionality for each identical IBM Storwize V7000 Unified system that uses a particular scan engine to avoid inconsistency. 27

30 Summary The ability to effectively protect shared file data against viruses and other malicious threats is an important challenge for storage and security administrators who require a trusted and reliable antivirus solution. Not only must the integrity of the data be constantly maintained, the solution must also be scalable to match the continually expanding size and volume of data that is retained on a NAS system. The IBM Storwize V7000 Unified system is designed to improve application availability and resource utilization. The system offers easy-to-use, efficient, and cost-effective management capabilities for both new and existing storage resources in your IT infrastructure, and thus addresses the new storage challenges posed by continuing explosion of data. IBM has thoroughly tested the Storwize V7000 Unified system with McAfee VirusScan Enterprise for Storage confirming their interoperability and compatibility, and is committed to proactively providing enterprise users with one of the best solutions that can serve to reduce time and mitigate risk during planned implementations. The technical content contained herein is intended only as a reference for those customers who wish to use McAfee VirusScan Enterprise for Storage to protect their data on the IBM Storwize V7000 Unified system. It should not be treated as a definitive implementation or solution document due to the unique configurations and case-specific scenarios inherent in every customer environment. For solution-specific designs, contact an IBM storage representative to arrange a discussion with an antivirus implementation specialist. 28

31 Resources The following websites provide useful references to supplement the information contained in this paper: System Storage on IBM PartnerWorld ibm.com/partnerworld/wps/pub/overview/b8s00 IBM Publications Center IBM Redbooks ibm.com/redbooks IBM developerworks ibm.com/developerworks IBM Storwize V7000 Unified system documentation IBM Storwize V7000 Unified system Information Center IBM Scale Out Network Attached Storage (SONAS) documentation IBM SONAS Information Center McAfee documentation McAfee knowledgebase McAfee VirusScan Enterprise Installation Guide ATION/22000/PD22944/en_US/vse_880_installation_guide_en-us.pdf McAfee VirusScan Enterprise Product Guide ATION/22000/PD22941/en_US/vse_880_product_guide_en-us.pdf McAfee VirusScan Enterprise for Storage Implementation Guide ATION/22000/PD22733/en_US/VSE_for_Storage_1_0_Implementation_Guide.pdf McAfee VirusScan Enterprise for Storage Product Guide ATION/20000/PD20803/en_US/vse_sto_100_product_guide_en-us.pdf 29

32 About the author Mandar Vaidya is a Senior Staff Software Engineer in IBM Systems and Technology (ISV Enablement) group. He has several years of experience working with various storage and systems technologies and developing best practices on various storage solutions. Mandar holds a Bachelor of Engineering degree from the University of Pune, India. You can reach Mandar at mandar.vaidya@in.ibm.com. 30

33 Trademarks and special notices Copyright IBM Corporation References in this document to IBM products or services do not imply that IBM intends to make them available in every country. IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol ( or ), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at ibm.com/legal/copytrade.shtml. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both. Linux is a trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. Information is provided "AS IS" without warranty of any kind. Any references in this information to non-ibm websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk. 31