Offbox Anti-Virus Configuration Super Express Guide (8.3.2)

This guide covers a configuration on the NetApp cluster for Offbox Anti-Virus, with a view to a non-multi-tenancy/non-service-provider environment where we’ll configure just one scanner-pool and an on-access-policy on the cluster/admin SVM, and use these for any Data SVM requiring Vscan.

Part 1) Cluster Build

1.1) Create a security login for the Anti-Virus user::>

security login create -username LAB\AVUSER -application ontapi -authmethod domain -role readonly -vserver CLUSTERNAME

1.2) Create a scanner pool::>

vserver vscan scanner-pool create -vserver CLUSTERNAME -scanner-pool POOLNAME -servers VSCAN_SERVER_IPADDRESSES -privileged-users LAB\AVUSER

1.3) Create an on-access-policy (or use the default default_CIFS on-access-policy)::>

vserver vscan on-access-policy create -vserver CLUSTERNAME -policy-name POLICYNAME -filters FILTERS

{Configure your on-access-policy as per requirements}

Table: Vscan on-access-policy settings and defaults
Part 2) SVM Build

2.1) Apply the scanner-pool to the Data SVM::>

vserver vscan scanner-pool apply-policy -vserver DATASVM -scanner-pool POOLNAME -scanner-policy primary

2.2) Disable the default_CIFS on-access-policy (if not using), and enable the desired on-access-policy::>

vserver vscan on-access-policy disable -vserver DATASVM -policy-name default_CIFS
vserver vscan on-access-policy enable -vserver DATASVM -policy-name POLICYNAME

2.3) Enable Vscan on the SVM::>

vserver vscan enable -vserver DATASVM

2.4) Configure shares with the -vscan-fileop-profile to enable scanning::>

::> cifs share modify -vscan-fileop-profile ?
no-scan     = Virus scans are never triggered for accesses to this share.
standard    = Virus scans can be triggered by open, close, and rename operations.
Strict      = Virus scans can be triggered by open, read, close, and rename operations.
writes-only = Virus scans can be triggered only when a file that has been modified is closed.

Part 3) Vscan Infrastructure Build

See the NetApp Interoperability Matrix for infrastructure components and Anti-Virus vendors documentation.

As an example with McAfee:

- A very rough rule of thumb is that you’ll need one AV server for every 6000 CIFS IO/s (please check but 2 CPUs and 8GB RAM is a reasonable server spec)
- Vscan Server’s O/S = Windows Server 2008 or better (not Server 2016 yet)
- McAfee VirusScan Enterprise for Storage 1.2.0
- Clustered Data ONTAP 8.3.2
- Clustered Data ONTAP Antivirus Connector 1.0.3
- McAfee Vscan timeout needs to be set to 25s (want McAfee to timeout before ONTAP)