ONTAP 9.1 introduced VSCAN On-Demand Scan. There might be reasons why you want to run
On-Demand scan on your SnapVault destination cluster (perhaps to save processor
cycles on your source controller, or as a security check just to see if
anything has got past virus scanning on the end-clients and production SVM.)
This post demonstrates how to do this.
Setting up Offbox VSCAN
We already have the following components installed on our
Anti-Virus scanning server:
- McAfee VirusScan Enterprise
- McAfee VirusScan Enterprise for Storage
- ONTAP AV Connector
We already have:
- A SnapVault relationship configured
- A known bad file vaulted (see here for details of the EICAR file used for Anti-Virus testing)
And we complete the following setup as detailed in the post ‘Offbox Anti-Virus Configuration Super Express Guide’:
1) Connecting up the ONTAP AV Connector
Create user:
security login create -username LAB\AVADMIN -application ontapi -authmethod domain -role readonly -vserver C93B
Connect to the cluster in the ONTAP AV Connector.
Image: Successful ONTAP AV Connector connection
2) Configure Vscan:
vserver vscan scanner-pool create -vserver C93B -scanner-pool POOL1 -hostnames WFA41.lab.priv -privileged-users LAB\AVADMIN
vserver vscan on-access-policy create -vserver C93B -policy-name POL1 -filters scan-ro-volume
vserver vscan scanner-pool apply-policy -vserver VAULT-SVM -scanner-pool POOL1 -scanner-policy primary
vserver vscan on-access-policy disable -vserver VAULT-SVM -policy-name default_CIFS
vserver vscan on-access-policy enable -vserver VAULT-SVM -policy-name POL1
vserver vscan enable -vser VAULT-SVM
Running On-Demand Scan
We need to create an R/W volume for the On-Demand task reports, together with a share so we can access the reports:
vol create -volume VSCAN_REPORTS -vserver VAULT-SVM -aggregate data1 -size 10g -space-guarantee none -junction-path /VSCAN_REPORTS -security-style ntfs
cifs share create -share-name VSCAN_REPORTS$ -vserver VAULT-SVM -path /VSCAN_REPORTS
Then we create our on-demand task and run it:
vserver vscan on-demand-task create -vserver VAULT-SVM -task-name ODT -scan-path / -report-directory /VSCAN_REPORTS -schedule ""
vserver vscan on-demand-task run -vserver VAULT-SVM -task-name ODT
Reviewing the Output
The test infected file showed up in the “event log show” output:
12/4/2017 14:54:52 C93-01 ERROR Nblade.vscanVirusDetected: Possible virus detected. Vserver: VAULT-SVM, vscan server IP: 10.0.1.41, file path: \\TEST1_CIFS_volume_dst\EICAR.COM, client IP: -, SID: On-Demand, vscan engine status: 222200002, vscan engine result string: File threatened. The file could not be deleted, the file is still threatened.
There were only 4 files in my test vault SVM. The avod log showed successful virus detection:
===============================================================================
Vserver : VAULT-SVM
Task Name: ODT
===============================================================================
********************************************************
Traversing path: /
********************************************************
/TEST1_CIFS_volume_dst/Text Doc 3.txt: On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/Text Doc 2.txt: On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/Text Doc 1.txt: On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/EICAR.COM: File scanned successfully by Vscanner: "10.0.1.41", Scan result: "File is infected", Vendor: "mcafee virusscan enterprise for storage", Version: "511579916.8729", Serviced by node: "C93-01", Scan duration in ms: "135", Extended-status: "222200002".
/TEST1_CIFS_volume_dst/EICAR.COM: On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
===============================================================================
Summary:
Number of Attempted Scans: 5
Number of Files Skipped from Scanning: 0
Number of Already Scanned Files: 0
Number of Successful Scans: 5
Number of Failed Scans: 0
Number of Timeout Scans: 0
Number of Clean Files: 4
Number of Infected Files: 1
Number of Internal Error: 4
===============================================================================
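To triage these reports without reading them by hand, the following added example (not from the original post and not NetApp tooling) parses a report from the share and returns the infected files, the status-write failures and the summary counters. It assumes one entry per line as in the report above; the function names parse_report and summary_matches are hypothetical, and the sample text is constructed from the output shown.

```python
import re

# Constructed sample in the report format shown above, one entry per line.
SAMPLE_REPORT = """\
Vserver : VAULT-SVM
Task Name: ODT
Traversing path: /
/TEST1_CIFS_volume_dst/Text Doc 1.txt: On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/EICAR.COM: File scanned successfully by Vscanner: "10.0.1.41", Scan result: "File is infected", Vendor: "mcafee virusscan enterprise for storage", Version: "511579916.8729", Serviced by node: "C93-01", Scan duration in ms: "135", Extended-status: "222200002".
/TEST1_CIFS_volume_dst/EICAR.COM: On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
Summary:
Number of Attempted Scans: 5
Number of Clean Files: 4
Number of Infected Files: 1
Number of Internal Error: 4
"""

ENTRY = re.compile(r"^(/.+?): (File scanned successfully by|On-Demand scan failed)(.*)$")
FIELD = re.compile(r'([A-Za-z][A-Za-z -]*?): "([^"]*)"')   # Key: "value" pairs
REASON = re.compile(r"Reason: (.+?)\.?$")
COUNT = re.compile(r"^Number of (.+?): (\d+)$")


def parse_report(text):
    """Return infected files, status-write failures and summary counters."""
    infected, status_errors, summary = [], [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := COUNT.match(line):
            summary[m.group(1)] = int(m.group(2))
        elif m := ENTRY.match(line):
            path, kind, rest = m.groups()
            if kind.startswith("File scanned"):
                fields = dict(FIELD.findall(rest))
                # "File is infected" is the only result string the page shows.
                if fields.get("Scan result") == "File is infected":
                    infected.append({"path": path, **fields})
            elif r := REASON.search(rest):
                status_errors.append((path, r.group(1)))
    return {"infected": infected, "status_errors": status_errors, "summary": summary}


def summary_matches(parsed):
    """False if parsed hits disagree with the report's own counter (truncation, parse miss)."""
    return len(parsed["infected"]) == parsed["summary"].get("Infected Files")


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for hit in report["infected"]:
        print(hit["path"], hit["Scan result"], hit["Extended-status"])
    print("summary consistent:", summary_matches(report))
```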
Note
You can only have one scheduled on-demand-task per SVM.
Error: command failed: Cannot schedule task "ODT4" because another task "ODT3" is currently scheduled, and only one scheduled task per Vserver is supported. Use the command without the "-schedule" parameter, or use the "vserver vscan on-demand-task unschedule" command to unschedule the task, and then try the command again.