Monday, 4 December 2017

On Demand Anti-Virus Scan on SnapVault Destination?

ONTAP 9.1 introduced VSCAN On-Demand Scan. There might be reasons why you want to run On-Demand scan on your SnapVault destination cluster (perhaps to save processor cycles on your source controller, or as a security check just to see if anything has got past virus scanning on the end-clients and production SVM.) This post demonstrates how to do this.

Setting up Offbox VSCAN

We already have the following components installed on our Anti-Virus scanning server:
- McAfee VirusScan Enterprise
- McAfee VirusScan Enterprise for Storage
- ONTAP AV Connector

We already have:
- Snapvault relation configured
- Vaulted a known bad file (see here for details of the EICAR test file used for Anti-Virus testing)

And we complete the following setup as detailed in the post ‘Offbox Anti-Virus Configuration Super Express Guide’:

1) Connecting up the ONTAP AV Connector

Create user:

security login create -username LAB\AVADMIN -application ontapi -authmethod domain -role readonly -vserver C93B

Connect to the cluster in the ONTAP AV Connector.

Image: Successful ONTAP AV Connector connection

2) Configure Vscan:

vserver vscan scanner-pool create -vserver C93B -scanner-pool POOL1 -hostnames WFA41.lab.priv -privileged-users LAB\AVADMIN
vserver vscan on-access-policy create -vserver C93B -policy-name POL1 -filters scan-ro-volume
vserver vscan scanner-pool apply-policy -vserver VAULT-SVM -scanner-pool POOL1 -scanner-policy primary
vserver vscan on-access-policy disable -vserver VAULT-SVM -policy-name default_CIFS
vserver vscan on-access-policy enable -vserver VAULT-SVM -policy-name POL1
vserver vscan enable -vserver VAULT-SVM

Running On-Demand Scan

We need to create an R/W volume for the On-Demand task reports, together with a share so we can access the reports. From the clustershell (::>):

vol create -volume VSCAN_REPORTS -vserver VAULT-SVM -aggregate data1 -size 10g -space-guarantee none -junction-path /VSCAN_REPORTS -security-style ntfs
cifs share create -share-name VSCAN_REPORTS$ -vserver VAULT-SVM -path /VSCAN_REPORTS

Then we create our on-demand task and run it:

vserver vscan on-demand-task create -vserver VAULT-SVM -task-name ODT -scan-path / -report-directory /VSCAN_REPORTS -schedule ""
vserver vscan on-demand-task run -vserver VAULT-SVM -task-name ODT

Reviewing the Output

The test infected file showed up in the “event log show” output:

12/4/2017 14:54:52 C93-01 ERROR Nblade.vscanVirusDetected: Possible virus detected. Vserver: VAULT-SVM, vscan server IP:, file path: \\TEST1_CIFS_volume_dst\EICAR.COM, client IP: -, SID: On-Demand, vscan engine status: 222200002, vscan engine result string: File threatened. The file could not be deleted, the file is still threatened.

There were only 4 files in my test vault SVM. The avod log showed successful virus detection:

Vserver  : VAULT-SVM
Task Name: ODT

Traversing  path: /

/TEST1_CIFS_volume_dst/Text Doc 3.txt:   On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/Text Doc 2.txt:   On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/Text Doc 1.txt:   On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/EICAR.COM: File scanned successfully by Vscanner: "", Scan result: "File is infected", Vendor: "mcafee virusscan enterprise for storage", Version: "511579916.8729", Serviced by node: "C93-01", Scan duration in ms: "135", Extended-status: "222200002".
/TEST1_CIFS_volume_dst/EICAR.COM: On-Demand scan failed to set the scan status for the file. Reason: Permission denied.

       Number of Attempted Scans: 5
       Number of Files Skipped from Scanning: 0
       Number of Already Scanned Files: 0
       Number of Successful Scans: 5
       Number of Failed Scans: 0
       Number of Timeout Scans: 0
       Number of Clean Files: 4
       Number of Infected Files: 1
       Number of Internal Error: 4
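As an added example (not from the original post), a small Python parser for the per-file lines of the avod report above. It pulls out the paths the engine flagged as infected and the files whose scan status could not be written back, so the report in the VSCAN_REPORTS share can be checked without reading it by hand. The sample report is constructed from the lines quoted in this post.

```python
import re

# Constructed sample, modelled on the avod on-demand report lines quoted in this post.
SAMPLE_REPORT = """\
Vserver  : VAULT-SVM
Task Name: ODT

Traversing  path: /

/TEST1_CIFS_volume_dst/Text Doc 3.txt:   On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/Text Doc 2.txt:   On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
/TEST1_CIFS_volume_dst/EICAR.COM: File scanned successfully by Vscanner: "", Scan result: "File is infected", Vendor: "mcafee virusscan enterprise for storage", Version: "511579916.8729", Serviced by node: "C93-01", Scan duration in ms: "135", Extended-status: "222200002".
/TEST1_CIFS_volume_dst/EICAR.COM: On-Demand scan failed to set the scan status for the file. Reason: Permission denied.
"""

# A per-file scan line: the path, then the quoted fields we want to keep.
SCAN_RE = re.compile(
    r'^(?P<path>/.+?):\s+File scanned successfully by Vscanner: "[^"]*", '
    r'Scan result: "(?P<result>[^"]*)", Vendor: "(?P<vendor>[^"]*)"'
    r'.*Extended-status: "(?P<status>[^"]*)"'
)
# A per-file line where ONTAP could not write the scan status back to the file
# (in this post that happened for every file on the vault volume).
STATUS_RE = re.compile(
    r'^(?P<path>/.+?):\s+On-Demand scan failed to set the scan status for the file\. '
    r'Reason: (?P<reason>.+?)\.?$'
)

def parse_report(text):
    """Return (infected, status_failures): infected is a list of
    (path, result, vendor, extended_status) tuples for files not reported clean,
    status_failures maps path -> reason for files whose scan status was not set."""
    infected, status_failures = [], {}
    for line in text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            # "File is infected" is the McAfee wording shown in the post; treat any
            # result containing "infected" as a hit rather than matching one string.
            if "infected" in m.group("result").lower():
                infected.append((m.group("path"), m.group("result"),
                                 m.group("vendor"), m.group("status")))
            continue
        m = STATUS_RE.match(line)
        if m:
            status_failures[m.group("path")] = m.group("reason")
    return infected, status_failures
```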
You can only have one scheduled on-demand-task per SVM; trying to schedule a second one fails with:

Error: command failed: Cannot schedule task "ODT4" because another task "ODT3" is currently scheduled, and only one scheduled task per Vserver is supported. Use the command without the "-schedule" parameter, or use the "vserver vscan on-demand-task unschedule" command to unschedule the task, and then try the command again.
