On Demand Anti-Virus Scan on SnapVault Destination?

ONTAP 9.1 introduced VSCAN On-Demand Scan. There might be reasons why you want to run On-Demand scan on your SnapVault destination cluster (perhaps to save processor cycles on your source controller, or as a security check just to see if anything has got past virus scanning on the end-clients and production SVM.) This post demonstrates how to do this.

Setting up Offbox VSCAN

We already have the following components installed on our Anti-Virus scanning server:
- McAfee VirusScan Enterprise

- McAfee VirusScan Enterprise for Storage

- ONTAP AV Connector

We already have:

- Snapvault relation configured

- Have vaulted a known bad file (see here for details of the EICAR file used for Anti-Virus testing)

And we complete the following setup as detailed in the post ‘Offbox Anti-Virus Configuration Super Express Guide’:

1) Connecting up the ONTAP AV Connector

Create user:

security login create -username LAB\AVADMIN -application ontapi -authmethod domain -role readonly -vserver C93B

Connect to the cluster in the ONTAP AV Connector.

Image: Successful ONTAP AV Connector connection

2) Configure Vscan:

vserver vscan scanner-pool create -vserver C93B -scanner-pool POOL1 -hostnames WFA41.lab.priv -privileged-users LAB\AVADMIN

vserver vscan on-access-policy create -vserver C93B -policy-name POL1 -filters scan-ro-volume

vserver vscan scanner-pool apply-policy -vserver VAULT-SVM -scanner-pool POOL1 -scanner-policy primary

vserver vscan on-access-policy disable -vserver VAULT-SVM -policy-name default_CIFS

vserver vscan on-access-policy enable -vserver VAULT-SVM -policy-name POL1

vserver vscan enable -vser VAULT-SVM

Running On-Demand Scan

We need to create an R/W volume for the On-Demand task reports, together with a share so we can access the reports::>

vol create -volume VSCAN_REPORTS  -vserver VAULT-SVM -aggregate data1 -size 10g -space-guarantee none -junction-path /VSCAN_REPORTS -security-style ntfs

cifs share create -share-name VSCAN_REPORTS$ -vserver VAULT-SVM -path /VSCAN_REPORTS

Then we create our on-demand task and run it:

vserver vscan on-demand-task create -vserver VAULT-SVM -task-name ODT -scan-path / -report-directory /VSCAN_REPORTS -schedule ""

vserver vscan on-demand-task run -vserver VAULT-SVM -task-name ODT

Reviewing the Output

The test infected file showed up in the “event log show” output:

12/4/2017 14:54:52 C93-01 ERROR Nblade.vscanVirusDetected: Possible virus detected. Vserver: VAULT-SVM, vscan server IP: 10.0.1.41, file path: \\TEST1_CIFS_volume_dst\EICAR.COM, client IP: -, SID: On-Demand, vscan engine status: 222200002, vscan engine result string: File threatened. The file could not be deleted, the file is still threatened.

There were only 4 files in my test vault SVM. The avod log showed successful virus detection:

===============================================================================

Vserver  : VAULT-SVM

Task Name: ODT

===============================================================================

********************************************************

Traversing  path: /

********************************************************

/TEST1_CIFS_volume_dst/Text Doc 3.txt:   On-Demand scan failed to set the scan status for the file. Reason: Permission denied.

/TEST1_CIFS_volume_dst/Text Doc 2.txt:   On-Demand scan failed to set the scan status for the file. Reason: Permission denied.

/TEST1_CIFS_volume_dst/Text Doc 1.txt:   On-Demand scan failed to set the scan status for the file. Reason: Permission denied.

/TEST1_CIFS_volume_dst/EICAR.COM: File scanned successfully by Vscanner: "10.0.1.41", Scan result: "File is infected", Vendor: "mcafee virusscan enterprise for storage", Version: "511579916.8729", Serviced by node: "C93-01", Scan duration in ms: "135", Extended-status: "222200002".

/TEST1_CIFS_volume_dst/EICAR.COM: On-Demand scan failed to set the scan status for the file. Reason: Permission denied.

===============================================================================

Summary:

       Number of Attempted Scans: 5

       Number of Files Skipped from Scanning: 0

       Number of Already Scanned Files: 0

       Number of Successful Scans: 5

       Number of Failed Scans: 0

       Number of Timeout Scans: 0

       Number of Clean Files: 4

       Number of Infected Files: 1

       Number of Internal Error: 4

===============================================================================

Note

You can only have one scheduled on-demand-task per SVM.

Error: command failed: Cannot schedule task "ODT4" because another task "ODT3" is currently scheduled, and only one scheduled task per Vserver is supported. Use the command without the "-schedule" parameter, or use the "vserver vscan on-demand-task unschedule" command to unschedule the task, and then try the command again.