

How to configure SAV for NAS 5.x for use with NetApp Filer

Question/Issue:
You seek configuration information for using Symantec Antivirus (SAV) for Network Attached Storage (NAS) 5.x with Network Appliance (NetApp) Filer.




Solution:

For each Scan Engine you seek to register with a NetApp Filer:




Please test in a test lab and with limited deployments before proceeding to full production.



To set initial TCP stack settings within the Windows registry
  1. Open the Windows registry
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters
  3. If the DWORD value MaxUserPort does not exist, create it.
  4. Set MaxUserPort to a decimal value of 60000.
  5. If the DWORD value TcpTimedWaitDelay does not exist, create it.
  6. Set TcpTimedWaitDelay to a decimal value of 30.


To set the "Time to extract file meets or exceeds" value in the Scan Engine web interface
  1. In the console on the primary navigation bar, click Policies.
  2. In the sidebar under Views, click Filtering.
  3. In the content area on the Container Handling tab, under Container File Processing Limits, in the “Time to extract file meets or exceeds” box, type: 40.
  4. Click the Save icon on the navigation bar at the top of the Scan Engine interface.


To set the HonorReadOnly flag to false within Symantec Scan Engine 5.x
  1. At the command line, navigate to the installation location of Scan Engine.
  2. At the command line, type the following command:
    java -jar xmlmodifier.jar -s /policies/Misc/HonorReadOnly/@value false policy.xml
  3. Restart the Symantec Scan Engine service to make the change effective.



To edit the service startup properties
  1. In the Windows 2000/2003 Control Panel, click Administrative Tools.
  2. Click Services.
  3. In the list of services, right-click Symantec Scan Engine, and then click Properties.
  4. In the Properties dialog box, on the Log On tab, click This Account.
  5. Type the account name and password for the user account that has local administrator rights on the computer that has the scan engine. This account should also have Backup Operator privileges or above on the NetApp Filer. Use the following format for the account name:

    domain\username
  6. Click OK.
  7. Stop and start the Symantec Scan Engine service.

    For more information on stopping and starting the Symantec Scan Engine service, see the Symantec Scan Engine Implementation Guide.


To edit the list of NetApp Filers
  1. On the Symantec Scan Engine administrative interface, in the left pane, click Configuration.
  2. Under Views, click Protocol.
  3. In the right pane, under Select Communication Protocol, click RPC. The configuration settings are displayed for the selected protocol.
  4. In the Manual Restart Required dialog box, click OK.
  5. To add a NetApp Filer to the list of RPC clients, type the IP address of the NetApp Filer for which Symantec Scan Engine should provide scanning services. Type one entry per line.
  6. To delete a NetApp Filer from the list of RPC clients, select and delete the IP address of the NetApp Filer.
  7. On the toolbar, click Save.

    NOTE: Save saves your changes. You can continue to make changes in the administrative interface until you are ready to apply them.
  8. On the toolbar, click Apply.

    NOTE: Apply applies your changes. Your changes are not implemented until you apply them. You must perform a manual restart for the changes to take place and for a proper connection to the NetApp Filer.
  9. In the Windows services console, right-click on the Scan Engine service. Click Restart.


To configure additional RPC-specific options
  1. On the Symantec Scan Engine administrative interface, in the left pane, click Configuration.
  2. Under Views, click Protocol.
  3. Under RPC Configuration, in the Check RPC connection every box, type how frequently Symantec Scan Engine checks the RPC connection with the NetApp Filer to ensure that the connection is active.

    NOTE: The default interval is 20 seconds.
  4. In the Maximum number of reconnect attempts box, type the maximum number of tries that the Symantec Scan Engine should undertake to reestablish a lost connection with the NetApp Filer.

    NOTE: The default setting is 0. Symantec Scan Engine tries indefinitely to reestablish a connection. Use the default setting if the scan engine provides scanning for multiple NetApp Filers.
  5. In the Antivirus scan policy list, select how you want Symantec Scan Engine to handle infected files.

    NOTE: The default setting is "Scan and repair or delete".
  6. On the toolbar, click Save.
  7. On the toolbar, click Apply.
  8. In the Windows services console, right-click on the Scan Engine service. Click Restart.


To automatically notify NetApp Filer when virus definitions are updated
  1. On the administrative interface, in the left pane, click Configuration.
  2. Under Views, click Protocol.
  3. Under RPC Configuration, check Automatically send AntiVirus update notifications.
  4. On the toolbar, click Save.
  5. On the toolbar, click Apply.
  6. In the Windows services console, right-click on the Scan Engine service. Click Restart.


To confirm that a particular SAVNAS5.x registered with NetApp Filer



Technical Information:
About Container Handling limits
Most antivirus scanning products contain policies to limit the resources spent on scanning a single file. This prevents denial of service attacks with specially crafted malformed container files.


About 'Time to extract file meets or exceeds'
The timer for the 'Time to extract' setting begins when the actual scan of the file begins. It does not include time spent transmitting the scan request to Scan Engine, nor time spent moving the file to the Scan Engine from the NetApp Filer or other device. The scan timeout setting on the NetApp Filer, by contrast, includes:

  1. Time spent sending the scan request to Scan Engine,
  2. Time spent copying the file to the Scan Engine,
  3. Time spent performing the actual scan of the file once it is local to Scan Engine,
  4. Time spent copying a repaired file back to the NetApp Filer or other device.



About 'Maximum extract depth'
This policy setting helps prevent 'zip of death' style denial of service attacks. A 'zip of death' is a .zip archive whose directory pointers form a circular structure, so that an attempt to extract it may never finish. Lowering this number lowers the maximum number of levels scanned within a container file, which gives a faster but possibly less thorough scan. Raising it raises the maximum number of levels Scan Engine examines within a container, which gives a slower but more thorough scan. For initial testing, 5 to 10 levels will establish basic function. The maximum value for this setting is 1024. Tune this setting to meet the usage patterns of your environment.
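The two limits described above ('Time to extract file meets or exceeds' and 'Maximum extract depth'), shown as an added Python example that is not Symantec's code and not part of the original article: a scanner walks nested .zip members and stops as soon as either limit is hit. The function names, the constructed nested archive and the "limit exceeded" verdict are assumptions of this example; the defaults of 40 seconds and 5 levels mirror the values suggested on this page.

```python
import io
import time
import zipfile

class LimitExceeded(Exception):
    """Raised when a container breaks a processing limit."""

def scan_container(data, max_depth, max_seconds, clock=time.monotonic):
    """Walk nested .zip members; return the number of leaf files examined.

    The timer starts here, when the scan itself begins, so transfer time
    to and from the filer is not counted against max_seconds.
    """
    deadline = clock() + max_seconds
    examined = 0
    # Explicit stack instead of recursion: (archive bytes, nesting level).
    stack = [(data, 1)]
    while stack:
        blob, depth = stack.pop()
        if depth > max_depth:
            raise LimitExceeded("maximum extract depth %d exceeded" % max_depth)
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if clock() >= deadline:
                    raise LimitExceeded("extract time limit reached")
                member = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(member)):
                    stack.append((member, depth + 1))
                else:
                    examined += 1  # a real engine would scan the bytes here
    return examined

def build_nested_zip(levels):
    """Constructed sample: a harmless text file wrapped in `levels` zips."""
    payload, name = b"constructed sample content", "readme.txt"
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, payload)
        payload, name = buf.getvalue(), "level%d.zip" % i
    return payload

def verdict(data, max_depth=5, max_seconds=40):
    """Hypothetical wrapper: report either the scan count or the limit hit."""
    try:
        return "scanned %d file(s)" % scan_container(data, max_depth, max_seconds)
    except LimitExceeded as exc:
        return "limit exceeded: %s" % exc
```

A lower `max_depth` stops earlier on deeply nested input, which is the speed versus thoroughness trade-off the setting controls.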


About HonorReadOnly
By default, Scan Engine will not repair or delete infected files which have the Read Only file attribute set.


About Windows 2003 Server default TCP stack settings
By default, Windows 2003 Server does not have a DWORD registry entry for TcpTimedWaitDelay, which defaults to a value of 420 seconds. When a TCP connection becomes unresponsive, Windows will therefore wait 420 seconds before releasing the connection for reuse. Also by default, Windows 2003 Server does not have a DWORD registry entry for MaxUserPort, which defaults to 5000 available ports per user. In a high load environment, adjusting these values makes the server more responsive.




References:
The Symantec Antivirus for Network Attached Storage 5.1 Integration Guide contains additional information about notifying a requesting user that a virus was found, using SAVNAS5.1 with Symantec Central Quarantine, and specifying which embedded files to scan. The SAVNAS5.1 Integration Guide may be found here:
ftp://ftp.symantec.com/public/english_us_canada/products/symantec_antivirus/network_attached_storage/5.1/manuals/SAVNAS51_IG.pdf


Additional information regarding NetApp Filer configuration is available within the SAVNAS5.1 Integration Guide and within the NetApp Filer documentation provided by Network Appliance.




Document ID: 2008052006132654
Last Modified: 08/11/2009
Date Created: 05/20/2008
Product(s): Symantec AntiVirus for Network Attached Storage 5.1, Symantec Scan Engine 5.1, Symantec Scan Engine 5.2
Release(s): NAS 5.1, NAS 5.1.7

