Off-box Anti-Virus Scanning in Clustered Data ONTAP 8.2.1 with McAfee - Quick Install Guide

Off-box Anti-Virus is available for Clustered Data ONTAP in 8.2.1. There are a few providers who support this solution (McAfee, Trend, Symantec ...) - here I’m going to focus on McAfee. The intention of this post is a quick install guide - enough to get it up and running in a lab so we can configure it with CDOT.

The 5 Components of the Solution*

1) Microsoft Windows Server 2008 SP2 / 2008 R2 SP1 / 2012 / 2012 R2
2) Clustered Data ONTAP 8.2.1
3) McAfee VirusScan Enterprise for Storage 1.1.0** (VSEfS)
4) Clustered Data ONTAP Antivirus Connector 1.0.0.10
5) SMB 1.0*** / 2.0 / 2.1 / 3.0

**And for completeness - Symantec Antivirus for Network Attached Storage 7.5.0, Symantec Protection Engine for Cloud Service 7.5.0, Trend Micro Server Protect for NetApp Filers 5.8 SP1
***CDOT AV Connector uses an SMB 2.0 connection to CDOT, which is why Windows 2003 (SMB 1.0 only) is ruled out as an O/S for the VSCAN server.

Image: NetApp IMT -> Storage Solution -> Protocol -> Off-Box AV for CDOT

Installing the Solution 

Part 1: McAfee VirusScan Enterprise for Storage 1.1.0

“You can use McAfee VirusScan Enterprise for Storage in two ways:
1) As a standalone product
2) As a managed product, using McAfee ePolicy Orchestrator (McAfee ePO) to install, manage, and enforce policies ...” Source [1]

Installation

Requirements:

Minimum System Requirements: 2 CPU cores, 4 GB RAM, 70 MB to install the software + 5 GB for ICAP scanner files and temp files

+McAfee VirusScan Enterprise 8.8
+McAfee ePolicy Orchestrator 4.5.7-5.0.x (not required for standalone install)
+McAfee Agent 4.6 patch 3 and later (not required for standalone install)

Install VSEfS 1.1.0 - Source [1]

Download the software package from McAfee
This will contain:

VSESTOR_version_LML_build_number.zip (Contains standalone installer and ePO deployment package files)
VSESTOMD_version_extension_build_number.zip (Contains these policies: VSEfS 1.1.0 NetApp Filer Policy & VSEfS 1.1.0 ICAP Policy)

Installing the software on a standalone system
IMPORTANT: VSE 8.8 must already be installed
Double-click the setup.exe file and follow the prompts to install the software.

Note: VSEfS can also be installed from the command line, or deployed using ePO.

IMPORTANT: The rest of this document only considers a standalone install of VSEfS with the purpose of testing this out in a lab. Read this for configuration information with ePO.

Part 2: Installing Clustered Data ONTAP Antivirus Connector Software

Download the Clustered Data ONTAP Antivirus Connector 1.0RC1 from here:

Simple Installation Instructions (from the download page):
i. Run the .exe file.
ii. Follow the onscreen prompts to complete your installation.

Part 3: Configuring NetApp filers scan settings - Source [1]

IMPORTANT: CDOT AV Connector must already be installed

1) Log on to the VSCAN server as an administrator
2) Windows taskbar - right-click the McAfee menulet > Select VirusScan Console
3) VirusScan Console - double-click Network Appliance Filer AV Scanner
4) Network Appliance Filers tab, define these options:
- Specify which filers this server protects > Click Add, type the loop-back IP (127.0.0.1), then click OK
- Settings Apply to all filers
- Administrative Accounts
5) Scan Items tab, define types of files, options, and heuristics for a scan
6) Exclusions tab, define files to be excluded from scanning
7) Performance tab, define the scan time, AV Scan threads for a scan
8) Actions tab, define primary and secondary actions to take for threat detections
9) Reports tab, define these options:
- Enable activity logging and accept the default location for the log file or specify a new location
- Limit the size of log file
- Log file format
10) OK to save the configuration

Part 4: Configure the ICAP settings - Source [1]

1) Log on to the VSCAN server as an administrator
2) Windows taskbar - right-click the McAfee menulet > Select VirusScan Console
3) VirusScan Console - right-click the ICAP AV Scanner, then select Properties
4) Connections and Server tab, define:
- Connection list > Specify the ICAP server configuration and the list of IP addresses for which connections can be accepted
- Bind address > Type the IP address of the computer where VSEfS is installed
- Port number > Type the default port number as 1344
5) Scan Items tab, define:
- File types to scan
- Options
- Heuristics
6) Performance tab, define:
- Scan time
- AV Scan threads (Default = 100 threads)
7) Actions tab, define the primary and secondary actions:
- When the threat is found
- When an unwanted program is found
8) Reports tab, define:
- Enable activity logging and accept the default location for the log file or specify a new location
- Limit the size of log file
- Log file format drop-down list, select as appropriate
- What to log, in addition to scanning activity
9) Click OK to save the configuration.

The McAfee VirusScan Enterprise for Storage 1.1.0 Product Guide continues from this point with assigning “Static IP address for scanners” and “Configure the service dependency”...

Part 5: Configure Clustered Data ONTAP for Anti-Virus Scanning

We should now have the entire infrastructure in place to test CDOT Off-Box AV. To configure CDOT for Off-Box AV see:

Further Reading


Additional Links


*There is a free trial of VSE 8.8 and VSEfS 1.1 here. To test this solution in a lab you’ll need a CDOT 8.2.1 SIM, the AV Connector for CDOT, VSEfS 1.1, VSE 8.8, and Windows 2008 SP2 or better.

Comments

  1. Is there a difference in implementing on 8.3?

    1. Hello Chris. I'm pretty sure not much has changed. Cheers, VC
