© Copyright IBM Corporation, 2011
Protecting the IBM SONAS with Symantec AntiVirus for NAS
A reference guide for storage and security administrators
Howard Jiang
IBM Systems and Technology Group ISV Enablement
May 2011
Table of contents
Abstract
Executive overview
IBM SONAS antivirus connector – an overview
Symantec AntiVirus for NAS – an overview
Minimum system requirements
    IBM SONAS
    Symantec AntiVirus for NAS
Planning for integration of IBM SONAS with Symantec AntiVirus for NAS
Integration of IBM SONAS with Symantec AntiVirus for NAS
    Installing Symantec AntiVirus for NAS
    Installing Symantec AntiVirus for NAS (Windows)
    Installing Symantec AntiVirus for NAS (Linux)
    Configuring Symantec AntiVirus for NAS
    Configuring the IBM SONAS antivirus connector
Initiating a bulk scan using the SONAS antivirus connector
    Initiating a manual bulk scan on a defined scope
    Scheduling bulk scan on a defined scope
Recommendations
Summary
Resources
About the author
Trademarks and special notices
Abstract
With today’s continuing explosive growth in data comes the need to store that data
without compromising its integrity from potential threats that may exist in an enterprise network
environment. IBM Scale Out Network Attached Storage (IBM SONAS) has been qualified for
interoperability with the leading antivirus scan engines, such as Symantec SAV for NAS and McAfee
Total Protection Enterprise VirusScan. This technical paper describes IBM SONAS integration with
Symantec AntiVirus for network-attached storage (SAV for NAS) and gives guidelines for using IBM
SONAS with Symantec AntiVirus for NAS to protect the overall system and prevent security threats
caused by malware.
Executive overview
Enterprises continue to demand storage solutions that can store massive amounts of file-based data with
ease of management and that can scale on demand. Enterprises with fast-growing file systems often
face limitations of scalability and performance with traditional network-attached storage (NAS)
filers because of the requirement to work on millions of active files in parallel. IBM® SONAS is a
multi-petabyte scale-out NAS storage offering for unstructured information storage. It is designed to scale out to
store millions and even billions of active files with superior performance and ease of management.
IBM SONAS is designed to serve a large number of users connecting to it using a variety of file-based
protocols, such as Network File System (NFS) or Common Internet File System (CIFS). The data that is
created or accessed using these protocols is vulnerable to viruses, worms, Trojan
horses, and other forms of malware. Computer viruses mostly target Microsoft® operating systems;
however, computers running other operating systems can be directly or indirectly affected by viruses.
IBM SONAS, when integrated with Symantec AntiVirus for NAS (henceforth called Symantec scan
engines), provides a comprehensive solution to protect all the data stored on the SONAS. The IBM SONAS
antivirus connector is a part of the SONAS management software and communicates with ISV scan
engines using Internet Content Adaptation Protocol (ICAP). There are two approaches for virus scanning:
On-access scan – Scans all the specified files on IBM SONAS when they are accessed or created. This method
has the benefit of ensuring that files are scanned with the latest virus signatures before being accessed.
This approach is more effective at detecting viruses before they are able to compromise data, and it
does not generate heavy network traffic between IBM SONAS and Symantec scan engines. This
approach is ideal for customers using Windows clients and CIFS file I/O.
Bulk scan – Scans all the specified files on a file system or a part of a file system. This is
typically performed on the schedule defined on the IBM SONAS. The disadvantage of this method is
that recently updated files might not be scanned before being used. Bulk scans can generate heavy
network traffic between SONAS and scan engines and can generate heavy load on a storage system.
Also, a bulk scan can take significant time to complete, depending on the number of files to be scanned.
Storage administrators are likely to use bulk scans to protect non-CIFS files (e.g. NFS), which are
less prone to virus attacks.
IBM SONAS antivirus connector – an overview
The IBM SONAS antivirus connector provides enterprise antivirus vendors, such as Symantec AntiVirus for
NAS, with tighter integration and overall control of antivirus implementations by deciding strategies suitable for
the customer environment. The IBM SONAS antivirus connector communicates with Symantec scan engines
using Internet Content Adaptation Protocol (ICAP). IBM SONAS can be configured with multiple Symantec
scan engines to achieve load balancing and to distribute the work load. SONAS selects a scan engine
from the pool of scan engines at scan time. If a scan engine is not reachable from SONAS, it is temporarily
removed from the pool and SONAS selects a different scan engine from the pool of available scan
engines. It periodically attempts to reinstate the removed scan engine back into the pool. Figure 1
describes the workflow of an On-Access scan session for a single file.
When a user accesses a file from IBM SONAS over the network, SONAS initiates the scan of the file in real
time and opens a connection with a Symantec scan engine. SONAS then passes the file to the scan engine
for scanning. The Symantec scan engine reports the scanning results to SONAS after the file is
scanned. If the file is infected, the scan engine tries to repair the file and sends the repaired file to
SONAS. SONAS receives the scan results. If the file is infected and can be cleaned, the stored version of
the infected file is replaced on SONAS with the repaired file received from the scan engine. Only the
repaired file is passed to the requesting user.
If a virus is detected and the file cannot be repaired, SONAS can be configured to quarantine or
delete the non-repairable file, and the user is notified with a permission-denied type of error message.
[Figure 1 diagram: CIFS user, IBM SONAS, and Symantec scan engine, connected by six numbered steps]
1. User accesses the file on IBM SONAS from the network.
2. SONAS antivirus connector determines the file needs to be scanned and transfers it to the Symantec scan engine.
3. Symantec scan engine scans the file and repairs the file if it is infected.
4. Scan results and the repaired file are returned to the IBM SONAS.
5. IBM SONAS replaces the infected file with the repaired file.
6. User is allowed to access the file.
Figure 1: Work flow of on-access scanning of a file from IBM SONAS using Symantec scan engine
The connector also caches antivirus scan information for each file as extended attributes to determine
whether it must be scanned or rescanned by saving the timestamps of the last scan in addition to the
antivirus definition file. This way a repeat scan might be avoided if another user tries to access the same
file later but the antivirus definitions have not changed. When new antivirus definitions are received and
updated, each file is rescanned before it is made available to the user requesting access. Bulk scans
might be configured to proactively rescan files periodically (e.g. every day) during off-peak hours when
accesses are minimal to prevent any potential performance impacts on the SONAS system or the scan
engines in the pool.
Symantec AntiVirus for NAS – an overview
Symantec AntiVirus for NAS provides remote scanning of IBM SONAS using the ICAP protocol.
The Symantec scan engine scans the files received from IBM SONAS and provides real-time protection for the
massive amount of critical information that is being stored and accessed by the IBM SONAS users.
The Symantec scan engine detects virus-infected files that are being accessed, read, or copied to and from
IBM SONAS. After detecting an infection in a file, it automatically cleans the file and provides the
repaired file to the IBM SONAS.
Symantec AntiVirus for NAS provides the following features:
• Advanced anti-virus technology: Symantec’s award winning anti-virus technology continuously
blocks a wide range of viruses and malicious code threats, including those hidden in compressed
files.
• Detection of unwanted programs: It finds the unwanted hidden spyware programs that open
security holes.
• Centralized management: The entire Symantec security system can be managed using Symantec’s
central management system, reducing overall cost and providing ease of management.
• Continuous protection: On-access scanning provides real time protection to the data on IBM
SONAS when the files are accessed or written to the SONAS unlike traditional on-demand scans.
• Cost effectiveness: It supports connection to more than one IBM SONAS.
• Rapid notification: Whenever a virus is detected, notification can be sent to the configured
recipients. This enables recipients to react instantly to any possible virus outbreak.
Minimum system requirements
A combination of Windows, Linux, and Solaris platforms are supported as scan engines which scan the
files located on the SONAS system. Depending on the volume of the data being scanned and the
requirements for accessibility, multiple scan engines may be deployed as needed.
IBM SONAS
Software:
• Version 1.2.0.0 or higher
Symantec AntiVirus for NAS
Software:
• Version 5.2 or higher and license(s)
Supported operating systems:
• Red Hat Enterprise Linux 5.x (32-bit & 64-bit)
• Red Hat Linux Advanced Server 3 & 4 (32-bit)
• Red Hat Linux Enterprise Server 3 & 4 (32-bit)
• Solaris (SPARC) 9 & 10 (32-bit)
• SuSE Linux Enterprise Server 9 & 10 (32-bit)
• Windows 2000 Server with the latest service pack
• Windows Server 2003 (32-bit & 64-bit), R2 (32-bit)
• Windows Server 2008 (32-bit & 64-bit), R2 (64-bit)
Processor:
• 2.4 GHz Intel Pentium 4 or 1 GHz SPARC
Memory:
• 1 GB of RAM
Disk space:
• 500 MB hard disk space available
Additional Hardware:
• 1 network interface card (NIC) running TCP/IP with a static IP address
• Internet connection to update definitions
• 100 Mbits/s Ethernet link (1 Gbits/s or faster recommended)
Planning for integration of IBM SONAS with Symantec AntiVirus for NAS
Planning is one of the most important areas of consideration before beginning to configure IBM SONAS
with Symantec AntiVirus for NAS. It is important that the security team and IBM SONAS administrators
work together to anticipate the scopes and type of files for which scanning is required, as well as the
number of files required to scan and number of Symantec scan engines that are required. The
administrators must define policies or settings for handling of infected files when they are detected by
configuring both the SONAS antivirus connector as well as the Symantec scan engine. In addition, the
Symantec AntiVirus for NAS Integration Guide found in the Resources section should be consulted for
SONAS specific integration information.
The following factors need to be carefully considered before integrating IBM SONAS with Symantec
AntiVirus.
Number of Symantec scan engines:
Antivirus scanning on SONAS requires a minimum of one scan engine configured with Symantec AntiVirus
for NAS. However, to take full benefit of the load balancing and high availability features of IBM
SONAS, a minimum of two scan engines is recommended. The SONAS antivirus connector automatically
performs load balancing to make sure that the workload is evenly distributed across the scan engines.
When a scan engine becomes unavailable, the workload is directed to the remaining operational scan
engines. The additional considerations listed below affect the number of scan engines that may be required:
• Total number of files stored on the SONAS requiring scanning
− Large numbers of files can be scanned by multiple scan engines using the SONAS antivirus
connector load balancing feature.
• Host processor speed and RAM configuration
− Fewer scan engines may be needed if CPU speeds are faster and more RAM is present on
each scan engine.
• Network speed
− Faster network speeds allow for reduced time in transferring larger files to the scan engine for
scanning.
Type of scopes to scan:
In SONAS, antivirus configuration options are defined on scopes. A scope is a subtree of file namespace,
identified by the path to the root of the subtree. All file accesses within that subtree share a set of antivirus
settings. You can configure the following four types of scope for antivirus scanning in IBM SONAS.
• File systems
• File sets
• Path
• Exported shares
Not all scopes are required to be configured for scanning as certain file sets, paths, or file systems are
either static in nature, or are not shared with any users. The administrator needs to ensure all scopes
which may be vulnerable to potential threats are included in their defined scanning strategy.
Types of files to scan:
In SONAS, the administrator can define which files or file types are to be scanned. The administrator can
choose whether to scan files by exclusion list or inclusion list, or whether to scan all the files
regardless of extension. SONAS antivirus parameters can be set at all the scopes to specify which
extensions are to be included in or excluded from a scan. The exclusion list specifies the extensions of files to
be excluded because they are not likely to contain viruses.
The inclusion / exclusion list defines the following behavior:
• If the include list is empty or not defined, the default is that all extensions are included in the scan.
− An exclude list is created to exclude files with specific file extensions from scanning by the
Symantec scan engine.
• If an extension is in the include list, only files with that extension are scanned.
• If an extension is in the include list as well as the exclude list, files with that extension are not scanned.
Careful planning is required to create the include / exclude list as this plays an important role in improving
performance of the scan process, as not all file extensions need to be scanned due to the nature of the
files and file types, which are unlikely to have viruses.
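The selection rules above and the per-file scan cache described in the connector overview combine into one decision per file access. The sketch below models that decision as an added example, not SONAS code: the class and function names are hypothetical, the sample data is constructed, and treating a file modified after its last scan as needing a rescan is an assumption.

```python
"""Model of the scan decision this guide describes (added example, not SONAS code)."""
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional, Tuple


@dataclass(frozen=True)
class ScopePolicy:
    """Antivirus settings of one scope; field names are hypothetical."""
    scan_enabled: bool = True
    include: frozenset = frozenset()   # empty means "no include list defined"
    exclude: frozenset = frozenset()


@dataclass(frozen=True)
class ScanRecord:
    """Stand-in for the per-file scan info the connector caches in extended attributes."""
    scanned_at: float      # time of the last scan (epoch seconds)
    definitions: str       # identifier of the definitions used for that scan


def extension_of(name: str) -> str:
    """Lower-cased final extension without the dot; '' when the name has none."""
    return PurePosixPath(name).suffix.lstrip(".").lower()


def extension_selected(name: str, policy: ScopePolicy) -> bool:
    """Apply the include / exclude rules listed above."""
    ext = extension_of(name)
    if ext in policy.exclude:
        return False                      # exclude wins, even when also included
    if policy.include:
        return ext in policy.include      # include list defined: only those extensions
    return True                           # no include list: every extension is scanned


def needs_scan(name: str, mtime: float, policy: ScopePolicy,
               record: Optional[ScanRecord], current_definitions: str) -> Tuple[bool, str]:
    """Return (scan?, reason) for one file access."""
    if not policy.scan_enabled:
        return False, "scanning not enabled on scope"
    if not extension_selected(name, policy):
        # Selection is by file name only; an unselected file's content is never inspected.
        return False, "extension not selected"
    if record is None:
        return True, "never scanned"
    if record.definitions != current_definitions:
        return True, "definitions changed"
    if mtime > record.scanned_at:
        return True, "modified since last scan"   # assumption, see lead-in
    return False, "cached result valid"


# Constructed sample data: include list as in "--set-include exe,dll,xlsx", plus an exclude list.
POLICY = ScopePolicy(include=frozenset({"exe", "dll", "xlsx"}),
                     exclude=frozenset({"txt", "dll"}))
SAMPLES = [
    ("setup.EXE", 100.0, None),
    ("lib.dll", 100.0, None),
    ("report.xlsx", 100.0, ScanRecord(200.0, "defs-1")),
    ("budget.xlsx", 100.0, ScanRecord(200.0, "defs-2")),
    ("plan.xlsx", 300.0, ScanRecord(200.0, "defs-2")),
    ("notes.pdf", 100.0, None),
]

if __name__ == "__main__":
    for name, mtime, record in SAMPLES:
        print(name, needs_scan(name, mtime, POLICY, record, "defs-2"))
```

Because the exclude list is checked first, adding an extension to it silently removes that extension from an existing include list, which is worth reviewing with lsav after every change.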
File processing strategy
It is important to plan for the action to be taken when an unrecoverable infected file is identified.
IBM SONAS provides the option to quarantine or delete the infected, unrecoverable file. For this, an optional
parameter can be set to quarantine or delete the file at the defined scope. Optionally, the path by which
the file was opened for the current scan can be moved to a subdirectory created for that purpose. Only the
SONAS or security administrator has access to that subdirectory and can take appropriate action to
manually delete the unrecoverable infected files. If no strategy is defined, the user is denied access to the file.
Integration of IBM SONAS with Symantec AntiVirus for NAS
The scanning process requires two components: the IBM SONAS antivirus connector and the external
antivirus scan engine(s) running Symantec AntiVirus for NAS. Depending on the workload determined
during the planning stage, multiple scan engines may need to be installed and configured to the SONAS.
The minimum software and hardware requirements are documented in the “Minimum system
requirements” section of this guide.
The SONAS antivirus connector communicates with Symantec AntiVirus for NAS using the industry standard
ICAP protocol. Remote scanning is performed via the ICAP protocol when a user requests access to a file
residing on a SONAS share, as illustrated in Figure 1: Work flow of on-access scanning of a file from IBM
SONAS using Symantec scan engine.
Integrating SONAS with a Symantec scan engine begins with the installation of Symantec AntiVirus for
NAS on the identified server(s), followed by configuring both the SONAS antivirus connector and the
Symantec scan engine.
Installing Symantec AntiVirus for NAS
The installation package for Symantec AntiVirus for NAS is available as an ISO image which contains
Microsoft Windows® and Linux® versions of the scan engine client, or individual Windows and Linux ZIP
file packages. Installation of the scan engine can be performed locally at each individual server or remotely
depending on the level of server security implemented. The following instructions assume that the
installer has remote access to the identified scan engine hardware and uses the individual ZIP file packages
downloaded from the Symantec website:
http://www.symantec.com/business/antivirus-for-network-attached-storage
Installing Symantec AntiVirus for NAS (Windows)
1. Copy SymantecAntiVirus_NAS_5.2.x_Win32_IN.zip to a Windows server which has been
identified to function as a scan engine and extract the ZIP file to a temporary directory.
Figure 2: Unzipping the ZIP package in a temporary directory
2. Verify that a 32-bit Java™ runtime environment (JRE) is installed on the system.
Figure 3: Checking the JRE version
If a 32-bit JRE is not installed on the system, change directory to Tools\Java\Win32 and install a
copy of the Java 6 runtime environment included with the Symantec AntiVirus for NAS ZIP
package.
Figure 4: Installing a copy of the JRE
3. Start the Symantec AntiVirus for NAS installer by typing cdstart.
Figure 5: Starting the Symantec AntiVirus for NAS CD menu
4. Click Install Symantec AntiVirus(TM) 5.2 for NAS.
Figure 6: Menu option to install Symantec AntiVirus for NAS
5. Click Next to continue the installation.
Figure 7: Symantec scan engine InstallShield Wizard
6. Accept the terms of the license agreement and click Next to continue.
Figure 8: Symantec scan engine software license agreement
7. Select a folder to install the scan engine software into, or click Next to continue and use the
default folder:
Figure 9: Selecting an installation folder
8. Enter a password which will be used to access the scan engine user interface, and click Next to
continue.
Figure 10: Specifying a password for the administrative interface
9. Select the URL filtering and definition downloads if desired, and click Next to continue.
Figure 11: Selecting URL filtering and URL definition downloading
10. If satisfied with the previous choices of configuration options, click Install to begin installation.
Figure 12: Scan engine installation confirmation
11. Click Finish to complete the installation and return to Windows.
Figure 13: Scan engine installation completed
Installing Symantec AntiVirus for NAS (Linux)
Perform the following steps to install Symantec AntiVirus for NAS (Linux).
1. Copy SymantecAntiVirus_NAS_5.2.x_Linux_IN.zip to a Linux server that has been identified to
function as a scan engine, and extract the ZIP file into a temporary directory.
Figure 14: Unzipping the ZIP package in a temporary directory
2. At the command prompt, type rpm -qa | grep sharutils to verify that the sharutils package
(sharutils-4.6.1-2.i386.rpm) is installed on the system.
Figure 15: Checking for installation of the sharutils package
If the query does not return any output, download a copy of sharutils-4.6.1-2.i386.rpm and install
it by typing rpm -ivh sharutils-4.6.1-2.i386.rpm at the prompt.
Figure 16: Installing the sharutils package
3. Type rpm -qa | grep jre at the prompt to verify that the Java runtime environment is installed on
the system.
Figure 17: Checking for installation of the JRE
If the query does not return any output, change directory to SAV_NAS/Tools/Java/RedHat and
install a copy of the Java 6 runtime environment included with the Symantec AntiVirus for NAS ZIP
package by typing ./jre-6u21-linux-i586-rpm.bin at the prompt.
Figure 18: Installing a copy of the JRE
4. After sharutils and the JRE are available on the system, change directory to
SAV_NAS/Scan_Engine/RedHat and type ./ScanEngine.sh to begin installing the Symantec
Scan Engine.
Figure 19: Launching the scan engine installation script
5. Read and agree to the license terms by typing y when prompted.
Figure 20: Scan engine license agreement
6. Accept the default installation directory by pressing Enter when prompted or type in a complete
path name if another location is desired.
Figure 21: Selecting an installation directory
7. Type y and press Enter to run the scan engine as root, or type n and enter a different username.
Figure 22: Selecting a user name for the scan engine
8. Press Enter to select 8004 as the default port used to access the scan engine from a web browser
or enter a desired port number.
Figure 23: Selecting an administrator web interface port
9. Press Enter to select 8005 as the default secure sockets layer (SSL) port used to access the scan
engine from a web browser or enter a desired SSL port number.
Figure 24: Selecting an administrator SSL port
10. Enter a password which will be used to access the scan engine interface and confirm (Note: the
password will not appear on the screen):
Figure 25: Specifying a password for the administrative interface
11. Press Enter if you do not wish to enable URL filtering.
Figure 26: Selecting URL filtering and URL definition downloading
12. The scan engine will start automatically at the end of a successful installation. If any problems are
encountered during the installation, refer to the /var/log/SYMCScan-install.log log file for
additional information.
Figure 27: Scan engine installation completed
Configuring Symantec AntiVirus for NAS
Configuring the Symantec scan engine is the same across all client platforms, and therefore, the following
directions apply to both Windows and Linux:
1. Using a supported web browser, open a connection to the newly-installed scan engine and log in
with the password specified during the installation process.
Figure 28: Scan engine administrative log in screen
2. Under the Tasks subsection, click Install License.
Figure 29: Tasks subsection for license installation
3. Enter the full path and filename to the license file provided by Symantec and then click Install.
Figure 30: Scan engine license installation
4. Click the Configuration icon in the left navigation bar and ensure that Protocol is selected under
the Views subsection.
Figure 31: Configuration subsection for protocol configuration
5. Under ICAP configuration, check the Select check box for the IP address to the scan engine. In
addition, select a scan policy suitable for the environment.
Figure 32: Configuring ICAP and specifying a scan policy
Be sure to click Apply at the upper-left section of the action bar to ensure that all changes for this
page have been saved and applied.
Figure 33: Apply icon
6. Click the Policies icon in the left navigation bar and ensure that Scanning is selected under the
Views subsection.
Figure 34: Policies subsection for configuring scanning options
7. Antivirus Scanning is set to Medium by default, but if maximum detection sensitivity is needed, set
this option to High.
Figure 35: Selecting a virus scanning level
The scan engine is now ready for use with the SONAS system. For more information regarding additional
options and behaviors that can be customized to individual organizational requirements, refer to the
Symantec Scan Engine Implementation Guide for which the link is provided in the “Resources” section of
this guide.
Configuring the IBM SONAS antivirus connector
IBM SONAS command line interface (CLI) is used for configuring and displaying SONAS antivirus
parameters. It is configured using the cfgav command line utility which is accessed from the management
node. This utility controls scan behavior when files are accessed by a client as well as during bulk scan
requests. The SONAS antivirus configuration can be changed dynamically and it does not require
shutdown or restart of the antivirus service.
Before using the connector to control scanning behavior, the connector must be configured with a pool of
scan engines. Next, you need to define scopes to the connector along with a set of scan options specific
to each scope. A scope can be an entire file system, specific paths on a filesystem, a CIFS export, or a
file set.
Defining scan engine pool
At least one scan engine must be registered in order to provide virus scanning for each SONAS.
However, it is recommended to configure a minimum of two scan engines in a scan engine pool to take
advantage of the load-balancing facility provided by SONAS, which distributes the scan load. A pool also
provides high availability in case one scan engine is not available. SONAS tries to contact the failed
scan engine periodically and reinstates it for scanning after it becomes available.
• For defining a scan engine to the connector, use the cfgav CLI.
cfgav --set-scanner symantec:<IP Address 1>:<ICAP Port>
IP Address = IP address of a scan engine
ICAP Port = Port used for ICAP communication (Symantec default is 1344)
Figure 36: Example of set-scanner
• Additional scan engines can be specified at the same time by separating each with a comma.
cfgav --set-scanner symantec:<IP Address 1>:<ICAP Port>,symantec:<IP Address 2>:<ICAP Port>
Figure 37: Example of multiple set-scanner
• To add another scan engine at a later time, use the following command:
cfgav --add-scanner symantec:<IP Address>:<ICAP Port>
Figure 38: Example of add-scanner
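An engine that does not answer ICAP is dropped from the pool, so it is worth confirming each engine before registering it with cfgav --set-scanner. The following added example (not IBM or Symantec code) builds an RFC 3507 OPTIONS request and assesses the reply; the ICAP service name is deployment-specific and shown as a placeholder, the 192.0.2.x addresses and sample replies are constructed, and all function names are hypothetical.

```python
"""ICAP OPTIONS check for a scan engine pool (added example)."""
import socket

ICAP_PORT = 1344  # Symantec default ICAP port, as stated in this guide


def _token(value, what):
    """Reject empty values and whitespace/CR/LF so input cannot alter the request."""
    if not value or any(c in value for c in "\r\n \t"):
        raise ValueError(f"invalid {what}: {value!r}")
    return value


def build_options_request(host, service, port=ICAP_PORT):
    """Return the bytes of an RFC 3507 OPTIONS request for one scan engine."""
    host, service = _token(host, "host"), _token(service, "service")
    return (
        f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "User-Agent: pool-check-example\r\n"
        "\r\n"
    ).encode("ascii")


def parse_icap_response(raw):
    """Parse the status line and headers of an ICAP reply into (code, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def assess_engine(raw):
    """Decide whether an OPTIONS reply shows an engine that can take scan requests."""
    try:
        code, headers = parse_icap_response(raw)
    except ValueError as exc:
        return {"usable": False, "reason": str(exc)}
    if code != 200:
        return {"usable": False, "reason": f"ICAP status {code}"}
    methods = {m.strip().upper() for m in headers.get("methods", "").split(",") if m.strip()}
    if not methods & {"RESPMOD", "REQMOD"}:
        return {"usable": False, "reason": "no scanning method advertised"}
    # ISTag identifies the service's current state (RFC 3507); log it to spot changes.
    return {"usable": True, "methods": sorted(methods),
            "istag": headers.get("istag", "").strip('"'),
            "max_connections": headers.get("max-connections")}


def probe(host, service, port=ICAP_PORT, timeout=5.0):
    """Send OPTIONS to a live engine; an unreachable engine is reported, not raised."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.sendall(build_options_request(host, service, port))
            while b"\r\n\r\n" not in data and len(data) < 65536:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:
        return {"usable": False, "reason": f"unreachable: {exc}"}
    return assess_engine(data)


def pool_report(replies):
    """Assess raw replies keyed by engine address; flag pools under two usable engines."""
    results = {addr: assess_engine(raw) for addr, raw in replies.items()}
    usable = sorted(addr for addr, res in results.items() if res["usable"])
    return {"usable": usable, "meets_recommendation": len(usable) >= 2, "results": results}


# Constructed sample replies (not captured from a real scan engine).
SAMPLE_OK = (b"ICAP/1.0 200 OK\r\nMethods: RESPMOD\r\nService: Example Scan Engine\r\n"
             b"ISTag: \"CONSTRUCTED-0001\"\r\nMax-Connections: 128\r\n"
             b"Options-TTL: 3600\r\nEncapsulated: null-body=0\r\n\r\n")
SAMPLE_404 = b"ICAP/1.0 404 ICAP Service not found\r\n\r\n"
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    print(build_options_request("192.0.2.10", "SERVICE-NAME-PLACEHOLDER").decode())
    print(pool_report({"192.0.2.10": SAMPLE_OK, "192.0.2.11": SAMPLE_404}))
```

Against live engines, call probe() once per address planned for the pool and register only those that come back usable.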
Defining scopes with scan options
For configuring a scope with scan options:
cfgav --<scope> <scope arg> --<option 1> <option 1 arg> … --<option N> <option N arg>
• scope = fsys (file system), path (file system path), export (CIFS export), or fset (file set)
• scope arg = name or path to a scope
• option = multiple options can be specified together separated by a space
• option arg = specific arguments that apply to each option
Examples:
• Enable antivirus scanning on a list of scopes:
cfgav --export av00a,av01a --scan
• Set a list of extensions to scan on an export:
cfgav --export av00a --set-include exe,dll,xlsx
• Set a timeout value for accessing scan engines:
cfgav --timeout 20
• Enable file system scanning when a file is written:
cfgav --fsys gpfs0 --onwrite
• Deny access to protected files in a file set if scanning cannot occur:
cfgav --fset gpfs0:root --denyonerror
• Add an extension to a path include list:
cfgav --path /ibm/gpfs0 --add-include exe
• Set the exclude list for an export:
cfgav --export av00a --set-exclude txt
• Enable file quarantine by deletion for an export:
cfgav --export av00a --qdel
• Enable file quarantine by moving for an export:
cfgav --export av00a --qmove
Verifying scan options on defined scopes
Current antivirus configuration for all scopes can be listed using the lsav command.
Figure 39: Example of lsav CLI command
For a complete list of configurable options and their descriptions, consult the man page for the cfgav utility
by typing man cfgav at the command prompt on the management node. Alternatively, invoking the utility
by typing cfgav --help provides a list of options with abbreviated explanations.
Initiating a bulk scan using the SONAS antivirus connector
The antivirus connector provides a method for administrators to initiate a full scan on all the files defined
within one or more scopes on the SONAS. As previously mentioned, every time a new antivirus definition
file is downloaded by the scan engine(s), all files defined within all scopes must be rescanned prior to
access. The bulk scan feature is a method to proactively scan all of those files during a window when
access to the SONAS is at a minimum, thereby reducing the load on the system and network during peak
usage times.
The ability to perform a bulk scan is also important when new shares are created but files are copied either
through secure file transfer protocol (SFTP) or secure copy protocol (SCP) from other file systems and are
not scanned automatically. Initiating a bulk scan on these shares ensures that in the future, file accesses
will be faster.
Initiating a manual bulk scan on a defined scope
Manual bulk scans are initiated using the ctlavbulk command line utility, which is accessed from the
management node. This utility follows all settings defined by the cfgav utility, and when called with a scope
will only scan those files which are defined in that scope. If no scopes are provided, all protected files will
be scanned. Only one bulk scan can be run at a time; however, multiple scan processes can be spawned
on each interface node using the --processes option. When the command is issued, it becomes a
background process, returning the control to the user. You can check the status of the current bulk scan
by issuing the --status option of the ctlavbulk command.
Starting a bulk scan on one or more defined scopes
Bulk scan can be initiated on one or more defined scopes.
ctlavbulk --<scope 1> <scope 1 arg 1>,<scope 1 arg N> --<scope 2> <scope 2 arg 1>,<scope 2 arg N>
• scope = fsys (file system), path (file system path), export (CIFS export), or fset (file set)
• scope arg = name or path to a scope
Examples:
• Initiate bulk scan on one scope:
ctlavbulk --export av00a
• Initiate bulk scan on two scopes of the same type:
ctlavbulk --export av00a,av01a
• Initiate bulk scan on two scopes of different types:
ctlavbulk --fsys gpfs0 --export av02a
Starting a bulk scan with multiple processes
Bulk scan can be initiated with multiple processes:
ctlavbulk --<scope 1> <scope 1 arg 1> --processes <processes arg>
• scope = fsys (file system), path (file system path), export (CIFS export), or fset (file set)
• scope arg = name or path to a scope
• processes arg = number of processes to spawn on each interface node (default = 1)
Examples:
• Initiate bulk scan on one scope with five processes per interface node:
ctlavbulk --export av03a --processes 5
• Initiate bulk scan on four scopes with 10 processes per interface node:
ctlavbulk --export av04a,av05a --fsys gpfs1,gpfs2 --processes 10
Checking the status of a bulk scan
Bulk scan status can be listed using the --status option.
ctlavbulk --status
Figure 40: Example of ctlavbulk --status
Note: The * in the column labeled p indicates the process has started for the displayed node.
Stopping a bulk scan
Bulk scan can be stopped using the --stop option.
ctlavbulk --stop
Figure 41: Example of ctlavbulk --stop
For a complete list of configurable options and their descriptions, consult the man page for the ctlavbulk
utility by typing man ctlavbulk at the command prompt on the management node. Alternatively, invoking
the utility by typing ctlavbulk --help provides a list of options with abbreviated explanations.
Scheduling bulk scan on a defined scope
Periodic bulk scans can be scheduled using the mktask command line utility on the management node,
with the task name CtlAvBulk as one of the parameters. Tasks are run on a daily basis. The mktask
command supports additional customizable options, which are fully described in the man page
available by typing man mktask from the management node command line interface.
Creating a bulk scan task for a defined scope
A new scheduled task for bulk scanning a defined scope can be created using the mktask command:
mktask CtlAvBulk --hour N --minute N --parameter "scope(s)"
• hour N = hour of the day to start the scan (24-hour clock), for example, 10, 12, 15, 20
• minute N = minute of the hour to start the scan
• scope(s) = one or more scopes to bulk scan
Example:
• Schedule a bulk scan for 2:30 a.m. every day on two CIFS exports:
mktask CtlAvBulk --hour 2 --minute 30 --parameter "--export AV1,AV2"
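The ctlavbulk and mktask syntax described in the two preceding sections can be composed from validated input before it is typed or scheduled on the management node. The shell helper below is an added example, not part of the IBM paper or the SONAS software; the function names, the type=name input form, the allowed character set for scope names and the 9999 sanity bound on processes are assumptions.

```shell
#!/bin/sh
# Added example (not IBM code): compose ctlavbulk / mktask command lines from
# validated input. The functions only print the command; nothing is executed.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below byte-exact

# Scope types listed on this page: fsys, path, export, fset.
valid_scope_type() {
  case "$1" in
    fsys|path|export|fset) return 0 ;;
    *) return 1 ;;
  esac
}

# Assumption: scope names and paths use only letters, digits, "_", ".", "/"
# and "-", and never start with "-" (so a value is never read as an option).
valid_scope_arg() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9_./-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# True when $1 is a decimal integer (at most 4 digits) between $2 and $3.
int_in_range() {
  case "$1" in
    ''|*[!0-9]*|?????*) return 1 ;;
  esac
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Turn specs such as "export=av04a,av05a" "fsys=gpfs1" into
# "--export av04a,av05a --fsys gpfs1". Fails on any invalid type or name.
build_scope_args() {
  out=""
  for spec in "$@"; do
    case "$spec" in *=*) ;; *) return 1 ;; esac
    stype=${spec%%=*}
    list=${spec#*=}
    valid_scope_type "$stype" || return 1
    # Reject empty lists and empty list members (leading, trailing, doubled commas).
    case "$list" in ''|,*|*,|*,,*) return 1 ;; esac
    rest=$list
    while [ -n "$rest" ]; do
      valid_scope_arg "${rest%%,*}" || return 1
      case "$rest" in *,*) rest=${rest#*,} ;; *) rest="" ;; esac
    done
    out="${out}${out:+ }--${stype} ${list}"
  done
  printf '%s\n' "$out"
}

# build_ctlavbulk PROCESSES [SPEC...]
# PROCESSES "" keeps the default of 1; no SPEC means all protected files.
build_ctlavbulk() {
  [ $# -ge 1 ] || return 1
  procs=$1
  shift
  scopes=$(build_scope_args "$@") || return 1
  cmd="ctlavbulk${scopes:+ }${scopes}"
  if [ -n "$procs" ]; then
    # 9999 is a sanity bound chosen for this example, not a SONAS limit.
    int_in_range "$procs" 1 9999 || return 1
    cmd="${cmd} --processes ${procs}"
  fi
  printf '%s\n' "$cmd"
}

# build_mktask HOUR MINUTE SPEC...   (at least one scope is required here)
build_mktask() {
  [ $# -ge 3 ] || return 1
  hour=$1
  minute=$2
  shift 2
  int_in_range "$hour" 0 23 || return 1
  int_in_range "$minute" 0 59 || return 1
  scopes=$(build_scope_args "$@") || return 1
  # Validated scopes contain no quotes, so wrapping them in "..." is safe.
  printf 'mktask CtlAvBulk --hour %s --minute %s --parameter "%s"\n' \
    "$hour" "$minute" "$scopes"
}

# Two of the page's own examples, rebuilt from validated input.
build_ctlavbulk 10 export=av04a,av05a fsys=gpfs1,gpfs2
build_mktask 2 30 export=AV1,AV2
```

Because only one bulk scan can run at a time, check ctlavbulk --status before pasting a generated ctlavbulk command; the helper does not do this.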
Recommendations
Antivirus scanning, particularly bulk scanning of large files, can add significant load to several IBM SONAS
system resources and can cause performance bottlenecks. The following recommendations can help you
minimize the performance impact on the system.
• If on-access or bulk scans produce timeout errors, consider increasing the timeout value of scans by
using the --timeout parameter of the cfgav command. Increasing the timeout parameter beyond the
CIFS client timeout value is not recommended, because files can then become inaccessible
to the user.
• Avoid expensive scan operations (such as scanning inside archive files or other containers) to
prevent timeout issues.
• Depending on the scanning performance requirements, the number of interface nodes on which
bulk scans are run can be configured using the --nodes option of the ctlavbulk command. If higher
scanning performance is desired, consider running scans on additional interface nodes. To reduce
the impact on other SONAS resources, consider limiting the number of interface nodes on which bulk
scans are run.
• Decide carefully which file types to scan. Certain classes of large files are less
likely to be prone to virus attacks. By de-configuring certain types of files using the
--add-include|--rem-include|--set-include|--set-exclude options of the cfgav command, overall antivirus
scanning performance can be greatly improved.
• Give similar consideration to which scopes to scan, because some scopes might
contain files that will not be accessed and are not likely to be prone to virus attacks.
• Ensure that the storage backend has adequate capacity for the client and scan traffic. On-access
scans are less likely to add significant load to the storage backend because they typically scan
data that has either just been written or is just about to be read by the client and therefore can
take advantage of caching. Bulk scans, on the other hand, can add significant load to the storage
backend.
• After updating the antivirus signature, it is recommended to scan all protected files during off-peak
hours to minimize the impact of scanning during peak usage.
• Ensure that the network infrastructure, such as routers, switches, and network cards on both
SONAS and scan engines, has adequate capacity. It is recommended to use 10 Gigabit Ethernet.
• It is recommended to use a minimum of two scan engines to take advantage of the high-availability
and load-balancing features for scanning.
• Ensure that scan nodes have adequate processor and disk performance.
• It is recommended to run a bulk scan after a migration, either by Hierarchical Storage Management
(HSM) recall or by data restoration from a backup server.
• When using multiple scan engines to support scanning of IBM SONAS, consider the following
factors:
− Configure the settings on each scan engine to be identical.
− Schedule an auto update of all Symantec scan engines to occur at the same time to
ensure that virus definitions are identical.
− Configure virus scan functionality for each identical SONAS system that uses a
particular scan engine to avoid inconsistency.
Summary
The ability to effectively protect shared file data against viruses and other malicious threats is an important
challenge for storage and security administrators who require a trusted and reliable antivirus solution. Not
only must the integrity of the data be constantly maintained, the solution must also be scalable to match
the continually expanding size and volume of data that is retained on a NAS system. The IBM SONAS
system is designed as a multipetabyte global storage platform supporting extreme scalability for business
infrastructures that demand high performance as well as high availability. IBM has thoroughly tested the
SONAS system with Symantec AntiVirus for NAS confirming their interoperability and compatibility, and is
committed to proactively providing enterprise users with one of the best solutions that can serve to reduce
time and mitigate risk during planned implementations.
The technical content contained herein is intended only as a reference for those customers who wish to
use Symantec AntiVirus for NAS to protect their data on the IBM SONAS system. It should not be treated
as a definitive implementation or solution document due to the unique configurations and case-specific
scenarios inherent in every customer’s unique environment. For solution-specific designs, contact an IBM
storage representative to arrange a discussion with an antivirus implementation specialist.
Resources
The following websites provide useful references to supplement the information contained in this paper:
• System Storage on IBM PartnerWorld®
ibm.com/partnerworld/wps/pub/overview/B8S00
• IBM Publications Center
www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi?CTY=US
• IBM Redbooks®
ibm.com/redbooks
• IBM developerWorks®
ibm.com/developerworks
• IBM SONAS documentation
− IBM Scale Out Network Attached Storage Concepts
http://ibm.com/redbooks/redpieces/abstracts/sg247874.html?Open
− IBM SONAS Introduction and Planning Guide (GA32-0716)
http://publib.boulder.ibm.com/infocenter/sonasic/sonas1ic/topic/com.ibm.sonas.doc/sonas_ipg.pdf
− IBM SONAS administration and user documentation
http://publib.boulder.ibm.com/infocenter/sonasic/sonas1ic/index.jsp
− IBM Scale Out Network Attached Storage Administrator's Guide (GA32-0713)
http://publib.boulder.ibm.com/infocenter/sonasic/sonas1ic/topic/com.ibm.sonas.doc/sonas_admin_guide.pdf
− IBM SONAS User's Guide (GA32-0714)
http://publib.boulder.ibm.com/infocenter/sonasic/sonas1ic/topic/com.ibm.sonas.doc/sonas_user_guide.pdf
− IBM SONAS Software Configuration Guide (GA32-0718)
http://publib.boulder.ibm.com/infocenter/sonasic/sonas1ic/topic/com.ibm.sonas.doc/configuration_guide.pdf
− IBM SONAS Troubleshooting Guide (GA32-0717)
http://publib.boulder.ibm.com/infocenter/sonasic/sonas1ic/topic/com.ibm.sonas.doc/sonas_pd_guide.pdf
• Symantec Resources
− Symantec AntiVirus for NAS
http://www.symantec.com/business/antivirus-for-network-attached-storage
− Symantec AntiVirus for NAS Support Matrix
http://www.symantec.com/business/support/index?page=content&id=TECH147442
− Symantec AntiVirus for NAS Getting Started Guide
http://www.symantec.com/docs/DOC3402
− Symantec AntiVirus for NAS Integration Guide
http://www.symantec.com/business/support/resources/sites/BUSINESS/content/live/TECHNICAL_SOLUTION/147000/TECH147442/en_US/SAV_for_NAS_5210.pdf
− Symantec AntiVirus for NAS Implementation Guide
ftp://ftp.symantec.com/public/english_us_canada/products/symantec_antivirus/network_attached_storage/5.2/manuals/Implementation_Guide.pdf
− Symantec AntiVirus for NAS with IBM SONAS Configuration Document
http://www.symantec.com/business/support/resources/sites/BUSINESS/content/live/TECHNICAL_SOLUTION/147000/TECH147442/en_US/IBM%20Scale%20Out%20Network%20Attached%20Storage.PDF
About the author
Howard Jiang is a Storage Technical Consultant in the IBM SONAS ISV Enablement group. He has more
than 12 years of experience working with various storage and systems technologies. Howard holds a
Bachelor of Science degree in Management Information Systems from the University of Arizona in Tucson,
Arizona. You can reach Howard at hjiang@us.ibm.com.
Trademarks and special notices
© Copyright IBM Corporation 2011. All rights reserved.
References in this document to IBM products or services do not imply that IBM intends to make them
available in every country.
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business
Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked
terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these
symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information
was published. Such trademarks may also be registered or common law trademarks in other countries. A
current list of IBM trademarks is available on the Web at "Copyright and trademark information" at
www.ibm.com/legal/copytrade.shtml.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or
its affiliates.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the
United States, other countries, or both.
Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States,
other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
SET and the SET Logo are trademarks owned by SET Secure Electronic Transaction LLC.
Other company, product, or service names may be trademarks or service marks of others.
Information is provided "AS IS" without warranty of any kind.
All customer examples described are presented as illustrations of how those customers have used IBM
products and the results they may have achieved. Actual environmental costs and performance
characteristics may vary by customer.
Information concerning non-IBM products was obtained from a supplier of these products, published
announcement material, or other publicly available sources and does not constitute an endorsement of
such products by IBM. Sources for non-IBM list prices and performance numbers are taken from publicly
available information, including vendor announcements and vendor worldwide homepages. IBM has not
tested these products and cannot confirm the accuracy of performance, capability, or any other claims
related to non-IBM products. Questions on the capability of non-IBM products should be addressed to the
supplier of those products.
All statements regarding IBM future direction and intent are subject to change or withdrawal without notice,
and represent goals and objectives only. Contact your local IBM office or IBM authorized reseller for the
full text of the specific Statement of Direction.
Some information addresses anticipated future capabilities. Such information is not intended as a definitive
statement of a commitment to specific levels of performance, function or delivery schedules with respect to
any future products. Such commitments are only made in IBM product announcements. The information is
presented here to communicate IBM's current investment and development activities as a good faith effort
to help with our customers' future planning.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled
environment. The actual throughput or performance that any user will experience will vary depending upon
considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the
storage configuration, and the workload processed. Therefore, no assurance can be given that an
individual user will achieve throughput or performance improvements equivalent to the ratios stated here.
Photographs shown are of engineering prototypes. Changes may be incorporated in production models.
Any references in this information to non-IBM websites are provided for convenience only and do not in
any manner serve as an endorsement of those websites. The materials at those websites are not part of
the materials for this IBM product and use of those websites is at your own risk.

Protecting the IBM SONAS with Symantec AntiVirus for NAS

  • 1. © Copyright IBM Corporation, 2011 ProtectingtheIBMSONASwith SymantecAntiVirusforNAS Areference guide for storage and security administrators Howard Jiang IBM Systems and Technology Group ISVEnablement May 2011
  • 2. Protecting the IBM SONAS with Symantec AntiVirus for NAS
    Table of contents
    Abstract
    Executive overview
    IBM SONAS antivirus connector – an overview
    Symantec AntiVirus for NAS – an overview
    Minimum system requirements
        IBM SONAS
        Symantec AntiVirus for NAS
    Planning for integration of IBM SONAS with Symantec AntiVirus for NAS
    Integration of IBM SONAS with Symantec AntiVirus for NAS
        Installing Symantec AntiVirus for NAS
        Installing Symantec AntiVirus for NAS (Windows)
        Installing Symantec AntiVirus for NAS (Linux)
        Configuring Symantec AntiVirus for NAS
        Configuring the IBM SONAS antivirus connector
    Initiating a bulk scan using the SONAS antivirus connector
        Initiating a manual bulk scan on a defined scope
        Scheduling bulk scan on a defined scope
    Recommendations
    Summary
    Resources
    About the author
    Trademarks and special notices
  • 3. Abstract
    With today's continuing explosive growth in data comes the need to store that data without compromising its integrity to potential threats that may exist in an enterprise network environment. IBM Scale Out Network Attached Storage (IBM SONAS) has been qualified for interoperability with the leading antivirus scan engines, such as Symantec SAV for NAS and McAfee Total Protection Enterprise VirusScan. This technical paper describes IBM SONAS integration with Symantec AntiVirus for network-attached storage (SAV for NAS), and gives guidelines for using IBM SONAS with Symantec AntiVirus for NAS to protect the overall system and prevent security threats caused by malware.
    Executive overview
    Enterprises continue to demand storage solutions that can store massive amounts of file-based data with ease of management and that can scale on demand. Enterprises with fast-growing file systems often face limitations of scalability and performance with traditional network-attached storage (NAS) filers because of the requirement to work on millions of active files in parallel. IBM® SONAS is a multi-petabyte scale-out NAS storage offering for unstructured information storage. It is designed to scale out to store millions and even billions of active files with superior performance and ease of management.
    IBM SONAS is designed to serve a large number of users connecting to it using a variety of file-based protocols, such as Network File System (NFS) or Common Internet File System (CIFS). The data that is created or accessed using these protocols is vulnerable to viruses, worms, Trojan horses, and other forms of malware. Computer viruses mostly target Microsoft® operating systems; however, computers running other operating systems can be directly or indirectly affected by viruses.
    IBM SONAS, when integrated with Symantec AntiVirus for NAS (henceforth called Symantec scan engines), provides a comprehensive solution to protect all the data stored on the SONAS. The IBM SONAS antivirus connector is a part of the SONAS management software which communicates with ISV scan engines using the Internet Content Adaptation Protocol (ICAP). There are two approaches for virus scanning:
    • On-access scan: Scans all the specified files on IBM SONAS when they are accessed or created. This method has the benefit of ensuring that the files are scanned with the latest virus signature before being accessed. This approach is more effective at detecting viruses before they are able to compromise data, and it does not generate heavy network traffic between IBM SONAS and Symantec scan engines. This approach is ideal for customers using Windows clients and CIFS file I/O.
    • Bulk scan: Scans all the specified files on a file system or a part of a file system. This is typically performed on the schedule defined on the IBM SONAS. The disadvantage of this method is that recently updated files might not be scanned before being used. Bulk scans can generate heavy network traffic between SONAS and the scan engines and can generate heavy load on a storage system. A bulk scan can also take significant time to complete, depending on the number of files to be scanned. Storage administrators are likely to use bulk scans to protect non-CIFS files (e.g. NFS), which are less prone to virus attacks.
  • 4. IBM SONAS antivirus connector – an overview
    The IBM SONAS antivirus connector provides enterprise antivirus vendors, such as Symantec AntiVirus for NAS, tighter integration and overall control of antivirus implementations by deciding strategies suitable for the customer environment. The IBM SONAS antivirus connector communicates with Symantec scan engines using the Internet Content Adaptation Protocol (ICAP).
    IBM SONAS can be configured with multiple Symantec scan engines to achieve load balancing and to distribute the workload. SONAS selects a scan engine from the pool of scan engines at scan time. If a scan engine is not reachable from SONAS, it is temporarily removed from the pool and SONAS selects a different scan engine from the pool of available scan engines. SONAS periodically attempts to reinstate the removed scan engine into the pool.
    Figure 1 describes the workflow of an on-access scan session for a single file. When a user accesses a file from IBM SONAS over the network, SONAS initiates the scan of the file in real time and opens a connection with a Symantec scan engine. SONAS then passes the file to the scan engine for scanning. The Symantec scan engine reports the scanning results to SONAS after the file is scanned. If the file is infected, the scan engine tries to repair the file and sends the repaired file to SONAS. SONAS receives the scan results. If the file is infected and can be cleaned, the stored version of the infected file is replaced on SONAS with the repaired file received from the scan engine. Only the repaired file is passed to the requesting user. If a virus is detected and the file cannot be repaired, SONAS can be configured to quarantine or delete the non-repairable file, and the user is notified with a permission-denied type of error message.
    Figure 1 components: CIFS user, IBM SONAS, Symantec scan engine. Steps:
    1. User accesses the file on IBM SONAS from the network.
    2. SONAS antivirus connector determines that the file needs to be scanned and transfers it to the Symantec scan engine.
    3. Symantec scan engine scans the file and repairs the file if it is infected.
    4. Scan results and the repaired file are returned to the IBM SONAS.
    5. IBM SONAS replaces the infected file with the repaired file.
    6. User is allowed to access the file.
    Figure 1: Work flow of on-access scanning of a file from IBM SONAS using Symantec scan engine
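The pool behaviour described above (select an engine at scan time, temporarily remove an unreachable one, periodically try to reinstate it) is modelled below as an added example, not the connector's own code. Round-robin selection, the 30-second retry interval, the probe callback and all names are assumptions; the fail-closed branch mirrors the --denyonerror scan option listed later in the guide, and allowing access when it is unset is also an assumption.

```python
import time


class ScanEnginePool:
    """Model of a scan engine pool with temporary removal and reinstatement.

    probe(engine) -> bool stands in for "can an ICAP connection be opened";
    clock is injectable so the behaviour can be exercised without waiting.
    """

    def __init__(self, engines, probe, retry_after=30.0, clock=time.monotonic):
        self._engines = list(engines)
        self._probe = probe
        self._retry_after = retry_after   # assumed interval between reinstatement attempts
        self._clock = clock
        self._removed = {}                # engine -> time it was last found unreachable
        self._next = 0                    # round-robin cursor (assumed balancing policy)

    def available(self):
        """Engines currently eligible for selection."""
        return [e for e in self._engines if e not in self._removed]

    def _reinstate(self):
        """Re-probe removed engines whose retry interval has elapsed."""
        now = self._clock()
        for engine, since in list(self._removed.items()):
            if now - since < self._retry_after:
                continue
            if self._probe(engine):
                del self._removed[engine]      # back in the pool
            else:
                self._removed[engine] = now    # still down: restart the interval

    def select(self):
        """Return a reachable engine, or None when the whole pool is down."""
        self._reinstate()
        for _ in range(len(self._engines)):
            engine = self._engines[self._next % len(self._engines)]
            self._next += 1
            if engine in self._removed:
                continue
            if self._probe(engine):
                return engine
            self._removed[engine] = self._clock()   # temporarily remove
        return None


def on_access(pool, deny_on_error):
    """Decide what happens to a file access that requires a scan.

    With no engine reachable, deny_on_error=True fails closed; False lets
    the access through unscanned (assumed behaviour when the option is unset).
    """
    engine = pool.select()
    if engine is not None:
        return f"scan:{engine}"
    return "deny" if deny_on_error else "allow-unscanned"
```

With a single engine in the pool, one outage reaches the `None` branch immediately, which is why the fail-closed setting and the two-engine minimum recommended in the guide belong in the same planning decision.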
  • 5. The connector also caches antivirus scan information for each file as extended attributes, saving the timestamp of the last scan in addition to the antivirus definition file, to determine whether the file must be scanned or rescanned. This way a repeat scan might be avoided if another user tries to access the same file later but the antivirus definitions have not changed. When new antivirus definitions are received and updated, each file is rescanned before it is made available to the user requesting access. Bulk scans might be configured to proactively rescan files periodically (e.g. every day) during off-peak hours when accesses are minimal, to prevent any potential performance impact on the SONAS system or the scan engines in the pool.
    Symantec AntiVirus for NAS – an overview
    Symantec AntiVirus for NAS provides remote scanning of IBM SONAS using the ICAP protocol. The Symantec scan engine scans the files received from IBM SONAS and provides real-time protection for the massive amount of critical information that is being stored and accessed by IBM SONAS users. The Symantec scan engine detects virus-infected files that are being accessed, read, or copied to and from IBM SONAS. After detecting an infection in a file, it automatically cleans the file and provides the repaired file to the IBM SONAS.
    Symantec AntiVirus for NAS provides the following features:
    • Advanced anti-virus technology: Symantec's award-winning anti-virus technology continuously blocks a wide range of viruses and malicious code threats, including those hidden in compressed files.
    • Detection of unwanted programs: It finds unwanted hidden spyware programs that open security holes.
    • Centralized management: The entire Symantec security system can be managed using Symantec's central management system, reducing overall cost and providing ease of management.
    • Continuous protection: Unlike traditional on-demand scans, on-access scanning provides real-time protection to the data on IBM SONAS when files are accessed or written to the SONAS.
    • Cost effectiveness: It supports connection to more than one IBM SONAS.
    • Rapid notification: Whenever a virus is detected, a notification can be sent to the configured recipients. This enables recipients to react instantly to any possible virus outbreak.
  • 6. Minimum system requirements
    A combination of Windows, Linux, and Solaris platforms are supported as scan engines which scan the files located on the SONAS system. Depending on the volume of the data being scanned and the requirements for accessibility, multiple scan engines may be deployed as needed.
    IBM SONAS
    Software:
    • Version 1.2.0.0 or higher
    Symantec AntiVirus for NAS
    Software:
    • Version 5.2 or higher and license(s)
    Supported operating systems:
    • Red Hat Enterprise Linux 5.x (32-bit & 64-bit)
    • Red Hat Linux Advanced Server 3 & 4 (32-bit)
    • Red Hat Linux Enterprise Server 3 & 4 (32-bit)
    • Solaris (SPARC) 9 & 10 (32-bit)
    • SuSE Linux Enterprise Server 9 & 10 (32-bit)
    • Windows 2000 Server with the latest service pack
    • Windows Server 2003 (32-bit & 64-bit), R2 (32-bit)
    • Windows Server 2008 (32-bit & 64-bit), R2 (64-bit)
    Processor:
    • 2.4 GHz Intel Pentium 4 or 1 GHz SPARC
    Memory:
    • 1 Gb of RAM
    Disk space:
    • 500 Mb hard disk space available
    Additional hardware:
    • 1 network interface card (NIC) running TCP/IP with a static IP address
    • Internet connection to update definitions
    • 100 Mbits/s Ethernet link (1 Gbits/s or faster recommended)
  • 7. Planning for integration of IBM SONAS with Symantec AntiVirus for NAS
    Planning is one of the most important areas of consideration before beginning to configure IBM SONAS with Symantec AntiVirus for NAS. It is important that the security team and the IBM SONAS administrators work together to anticipate the scopes and types of files for which scanning is required, as well as the number of files to scan and the number of Symantec scan engines required. The administrators must define policies or settings for handling infected files when they are detected, by configuring both the SONAS antivirus connector and the Symantec scan engine. In addition, the Symantec AntiVirus for NAS Integration Guide found in the Resources section should be consulted for SONAS-specific integration information. The following factors need to be carefully considered before integrating IBM SONAS with Symantec AntiVirus.
    Number of Symantec scan engines: Antivirus scanning on SONAS requires a minimum of one scan engine configured with Symantec AntiVirus for NAS. However, to take full benefit of the load balancing and high availability features of IBM SONAS, a minimum of two scan engines is recommended. The SONAS antivirus connector automatically performs load balancing to make sure that the workload is evenly distributed across the scan engines. When a scan engine becomes unavailable, the workload is directed to the remaining operational scan engines. The additional considerations listed below affect the number of scan engines which may be required:
    • Total number of files stored on the SONAS requiring scanning
      − Large numbers of files can be scanned by multiple scan engines using the SONAS antivirus connector load balancing feature.
    • Host processor speed and RAM configuration
      − Fewer scan engines may be needed if CPU speeds are faster and more RAM is present on each scan engine.
    • Network speed
      − Faster network speeds reduce the time needed to transfer larger files to the scan engine for scanning.
    Type of scopes to scan: In SONAS, antivirus configuration options are defined on scopes. A scope is a subtree of the file namespace, identified by the path to the root of the subtree. All file accesses within that subtree share a set of antivirus settings. You can configure the following four types of scope for antivirus scanning in IBM SONAS:
    • File systems
    • File sets
    • Path
    • Exported shares
  • 8. Not all scopes need to be configured for scanning, as certain file sets, paths, or file systems are either static in nature or are not shared with any users. The administrator needs to ensure that all scopes which may be vulnerable to potential threats are included in the defined scanning strategy.
    Types of files to scan: In SONAS, the administrator can define which files or file types are to be scanned. The administrator can decide whether to scan files by exclusion list or inclusion list, or whether to scan all files regardless of extension. SONAS antivirus parameters can be set on any scope to specify which extensions are included in or excluded from a scan. The exclusion list specifies the extensions of files to be excluded because they are not likely to contain viruses. The inclusion and exclusion lists define the following behavior:
    • If the include list is empty or not defined, the default is that all extensions are included in the scan.
      − An exclude list is created to exclude files with specific file extensions from scanning by the Symantec scan engine.
    • If an extension is in the include list, only files with that extension are scanned.
    • If an extension is in the include list as well as the exclude list, files with that extension are not scanned.
    Careful planning is required when creating the include and exclude lists, because they play an important role in the performance of the scan process: not all file extensions need to be scanned, as some files and file types are unlikely to have viruses.
    File processing strategy
    It is important to plan for the action to be taken when an unrecoverable infected file is identified. IBM SONAS provides the option to quarantine or delete the infected, unrecoverable file. For this, an optional parameter can be set on the defined scope to quarantine or delete the file. Optionally, the path by which the file was opened for the current scan can be moved to a subdirectory created for that purpose. Only the SONAS or security administrator has access to that subdirectory and can take appropriate action to manually delete the unrecoverable infected files. If no strategy is defined, the user is denied access to the file.
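The include/exclude rules above, combined with the per-file scan cache described in the connector overview, can be modelled as one decision function. This is an added example, not IBM or Symantec code; the class and function names, the case-insensitive extension match and the rescan-on-modification rule are assumptions, and the definition version strings are constructed.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class ScopePolicy:
    """Include/exclude extension lists for one scope (hypothetical model)."""
    include: frozenset = frozenset()
    exclude: frozenset = frozenset()


@dataclass(frozen=True)
class ScanRecord:
    """What the connector is described as caching per file."""
    scanned_at: float     # timestamp of the last scan
    definitions: str      # antivirus definition version used for that scan


def extension(path):
    """Final extension without the dot, lower-cased (assumed matching rule)."""
    return PurePosixPath(path).suffix.lstrip(".").lower()


def in_scan_set(path, policy):
    """Apply the guide's three include/exclude rules to one file name."""
    ext = extension(path)
    if ext in policy.exclude:
        return False              # excluded, even if it is also on the include list
    if not policy.include:
        return True               # empty include list: every extension is scanned
    return ext in policy.include  # non-empty include list: only listed extensions


def needs_scan(path, policy, record, current_definitions, modified_at):
    """Return (scan?, reason) for an access to `path`.

    record is None when the file carries no cached scan information.
    """
    if not in_scan_set(path, policy):
        return (False, "extension not in scan set")
    if record is None:
        return (True, "never scanned")
    if record.definitions != current_definitions:
        return (True, "definitions updated since last scan")
    if modified_at > record.scanned_at:
        return (True, "modified since last scan")   # assumption, not stated in the guide
    return (False, "cached result still valid")
```

Under these rules a non-empty include list also skips files that have no extension at all, which is worth checking against the scopes before choosing an include list over an exclude list.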
  • 9. Integration of IBM SONAS with Symantec AntiVirus for NAS
    The scanning process requires two components: the IBM SONAS antivirus connector and the external antivirus scan engine(s) running Symantec AntiVirus for NAS. Depending on the workload determined during the planning stage, multiple scan engines may need to be installed and configured for the SONAS. The minimum software and hardware requirements are documented in the "Minimum system requirements" section of this guide.
    The SONAS antivirus connector communicates with Symantec AntiVirus for NAS using the industry-standard ICAP protocol. Remote scanning is performed over ICAP when a user requests access to a file residing on a SONAS share, as illustrated in Figure 1: Work flow of on-access scanning of a file from IBM SONAS using Symantec scan engine.
    Integrating SONAS with a Symantec scan engine begins with the installation of Symantec AntiVirus for NAS on the identified server(s), followed by configuring both the SONAS antivirus connector and the Symantec scan engine.
    Installing Symantec AntiVirus for NAS
    The installation package for Symantec AntiVirus for NAS is available as an ISO image which contains Microsoft Windows® and Linux® versions of the scan engine client, or as individual Windows and Linux ZIP file packages. Installation of the scan engine can be performed locally at each individual server or remotely, depending on the level of server security implemented. The following instructions assume that the installer has remote access to the identified scan engine hardware and is using the individual ZIP file packages downloaded from the Symantec website: http://www.symantec.com/business/antivirus-for-network-attached-storage
    Installing Symantec AntiVirus for NAS (Windows)
    1. Copy SymantecAntiVirus_NAS_5.2.x_Win32_IN.zip to a Windows server which has been identified to function as a scan engine and extract the ZIP file to a temporary directory.
    Figure 2: Unzipping the ZIP package in a temporary directory
  • 10. 2. Verify that a 32-bit Java™ runtime environment (JRE) is installed on the system.
    Figure 3: Checking the JRE version
    If a 32-bit JRE is not installed on the system, change directory to Tools\Java\Win32 and install the copy of the Java 6 runtime environment included with the Symantec AntiVirus for NAS ZIP package.
    Figure 4: Installing a copy of the JRE
    3. Start the Symantec AntiVirus for NAS installer by typing cdstart.
    Figure 5: Starting the Symantec AntiVirus for NAS CD menu
    4. Click Install Symantec AntiVirus(TM) 5.2 for NAS.
    Figure 6: Menu option to install Symantec AntiVirus for NAS
  • 11. 5. Click Next to continue the installation.
    Figure 7: Symantec scan engine InstallShield Wizard
    6. Accept the terms of the license agreement and click Next to continue.
    Figure 8: Symantec scan engine software license agreement
  • 12. 7. Select a folder to install the scan engine software into, or click Next to continue and use the default folder.
    Figure 9: Selecting an installation folder
    8. Enter a password which will be used to access the scan engine user interface, and click Next to continue.
    Figure 10: Specifying a password for the administrative interface
  • 13. 9. Select the URL filtering and definition downloads if desired, and click Next to continue.
    Figure 11: Selecting URL filtering and URL definition downloading
    10. If satisfied with the previous choices of configuration options, click Install to begin installation.
    Figure 12: Scan engine installation confirmation
  • 14. 11. Click Finish to complete the installation and return to Windows.
    Figure 13: Scan engine installation completed
    Installing Symantec AntiVirus for NAS (Linux)
    Perform the following steps to install Symantec AntiVirus for NAS (Linux).
    1. Copy SymantecAntiVirus_NAS_5.2.x_Linux_IN.zip to a Linux server that has been identified to function as a scan engine, and extract the ZIP file into a temporary directory.
    Figure 14: Unzipping the ZIP package in a temporary directory
    2. At the command prompt, type rpm -qa | grep sharutils to verify that sharutils-4.6.1-2.i386.rpm is installed on the system.
    Figure 15: Checking for installation of the sharutils package
  • 15. If the query does not return any output, download a copy of sharutils-4.6.1-2.i386.rpm and install it by typing rpm -ivh sharutils-4.6.1-2.i386.rpm at the prompt.
    Figure 16: Installing the sharutils package
    3. Type rpm -qa | grep jre at the prompt to verify that the Java runtime environment is installed on the system.
    Figure 17: Checking for installation of the JRE
    If the query does not return any output, change directory to SAV_NAS/Tools/Java/RedHat and install the copy of the Java 6 runtime environment included with the Symantec AntiVirus for NAS ZIP package by typing ./jre-6u21-linux-i586-rpm.bin at the prompt.
    Figure 18: Installing a copy of the JRE
    4. After sharutils and the JRE are available on the system, change directory to SAV_NAS/Scan_Engine/RedHat and type ./ScanEngine.sh to begin installing the Symantec Scan Engine.
    Figure 19: Launching the scan engine installation script
    5. Read and agree to the license terms by typing y when prompted.
    Figure 20: Scan engine license agreement
  • 16. 6. Accept the default installation directory by pressing Enter when prompted, or type in a complete path name if another location is desired.
    Figure 21: Selecting an installation directory
    7. Type y and press Enter to run the scan engine as root, or type n and enter a different username.
    Figure 22: Selecting a user name for the scan engine
    8. Press Enter to select 8004 as the default port used to access the scan engine from a web browser, or enter a desired port number.
    Figure 23: Selecting an administrator web interface port
    9. Press Enter to select 8005 as the default secure sockets layer (SSL) port used to access the scan engine from a web browser, or enter a desired SSL port number.
    Figure 24: Selecting an administrator SSL port
    10. Enter a password which will be used to access the scan engine interface, and confirm it. (Note: the password will not appear on the screen.)
    Figure 25: Specifying a password for the administrative interface
    11. Press Enter if you do not wish to enable URL filtering.
    Figure 26: Selecting URL filtering and URL definition downloading
    12. The scan engine will start automatically at the end of a successful installation. If any problems are encountered during the installation, refer to the /var/log/SYMCScan-install.log log file for additional information.
  • 17. Figure 27: Scan engine installation completed
    Configuring Symantec AntiVirus for NAS
    Configuring the Symantec scan engine is the same across all client platforms, and therefore the following directions apply to both Windows and Linux:
    1. Using a supported web browser, open a connection to the newly installed scan engine and log in with the password specified during the installation process.
    Figure 28: Scan engine administrative log in screen
    2. Under the Tasks subsection, click Install License.
    Figure 29: Tasks subsection for license installation
  • 18. 3. Enter the full path and filename of the license file provided by Symantec and then click Install.
    Figure 30: Scan engine license installation
    4. Click the Configuration icon in the left navigation bar and ensure that Protocol is selected under the Views subsection.
    Figure 31: Configuration subsection for protocol configuration
    5. Under ICAP configuration, check the Select check box for the IP address of the scan engine. In addition, select a scan policy suitable for the environment.
    Figure 32: Configuring ICAP and specifying a scan policy
    Be sure to click Apply at the upper-left section of the action bar to ensure that all changes for this page have been saved and applied.
  • 19. Figure 33: Apply icon
    6. Click the Policies icon in the left navigation bar and ensure that Scanning is selected under the Views subsection.
    Figure 34: Policies subsection for configuring scanning options
    7. Antivirus Scanning is set to Medium by default, but if maximum detection sensitivity is needed, set this option to High.
    Figure 35: Selecting a virus scanning level
    The scan engine is now ready for use with the SONAS system. For more information regarding additional options and behaviors that can be customized to individual organizational requirements, refer to the Symantec Scan Engine Implementation Guide, for which a link is provided in the "Resources" section of this guide.
    Configuring the IBM SONAS antivirus connector
    The IBM SONAS command line interface (CLI) is used for configuring and displaying SONAS antivirus parameters. The connector is configured using the cfgav command line utility, which is accessed from the management node. This utility controls scan behavior when files are accessed by a client as well as during bulk scan requests. The SONAS antivirus configuration can be changed dynamically and does not require a shutdown or restart of the antivirus service.
    Before using the connector to control scanning behavior, the connector must be configured with a pool of scan engines. Next, you need to define scopes to the connector along with a set of scan options specific to each scope. A scope can be an entire file system, specific paths on a file system, a CIFS export, or a file set.
    Defining scan engine pool
    At least one scan engine must be registered in order to provide virus scanning for each SONAS. However, it is recommended to configure a minimum of two scan engines in a scan engine pool to use the load-balancing facility provided by SONAS for distributing the scan load. This also provides high availability in case one scan engine is not available. SONAS tries to contact the failed scan engine periodically and reinstates it for scanning after it becomes available.
  • 20. • To define a scan engine to the connector, use the cfgav CLI:
        cfgav --set-scanner symantec:<IP Address 1>:<ICAP Port>
      IP Address = IP address of a scan engine
      ICAP Port = Port used for ICAP communication (Symantec default is 1344)
      Figure 36: Example of set-scanner
    • Additional scan engines can be specified at the same time by separating each with a comma:
        cfgav --set-scanner symantec:<IP Address 1>:<ICAP Port>,symantec:<IP Address 2>:<ICAP Port>
      Figure 37: Example of multiple set-scanner
    • To add another scan engine at a later time, use the following command:
        cfgav --add-scanner symantec:<IP Address>:<ICAP Port>
      Figure 38: Example of add-scanner
    Defining scopes with scan options
    To configure a scope with scan options:
        cfgav --<scope> <scope arg> --<option 1> <option 1 arg> … --<option N> <option N arg>
    • scope = fsys (file system), path (file system path), export (CIFS export), or fset (file set)
    • scope arg = name or path to a scope
    • option = multiple options can be specified together, separated by a space
    • option arg = specific arguments that apply to each option
    Examples:
    • Enable antivirus scanning on a list of scopes:
        cfgav --export av00a,av01a --scan
    • Set a list of extensions to scan on an export:
        cfgav --export av00a --set-include exe,dll,xlsx
  • 21. • Set a timeout value for accessing scan engines:
        cfgav --timeout 20
    • Enable file system scanning when a file is written:
        cfgav --fsys gpfs0 --onwrite
    • Deny access to protected files in a file set if scanning cannot occur:
        cfgav --fset gpfs0:root --denyonerror
    • Add an extension to a path include list:
        cfgav --path /ibm/gpfs0 --add-include exe
    • Set the exclude list for an export:
        cfgav --export av00a --set-exclude txt
    • Enable file quarantine by deletion for an export:
        cfgav --export av00a --qdel
    • Enable file quarantine by moving for an export:
        cfgav --export av00a --qmove
    Verifying scan options on defined scopes
    The current antivirus configuration for all scopes can be listed using the lsav command.
    Figure 39: Example of lsav CLI command
    For a complete list of configurable options and their descriptions, consult the man page for the cfgav utility by typing man cfgav at the command prompt on the management node. Alternatively, invoking the utility by typing cfgav --help provides a list of options with abbreviated explanations.
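Before registering engines with cfgav --set-scanner, an administrator can confirm that each one answers ICAP on the configured port. The following added example (not part of the guide or of either product) parses an ICAP OPTIONS reply and builds the --set-scanner argument in the syntax shown above; the service path avscan, the RESPMOD check, the function names and the sample reply are assumptions or constructed values.

```python
import ipaddress
import socket

ICAP_PORT = 1344      # Symantec default ICAP port, per the guide
SERVICE = "avscan"    # assumption: ICAP service path; confirm in the engine documentation

# Constructed sample of an OPTIONS reply, used to exercise the parser offline.
SAMPLE_OPTIONS_REPLY = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: RESPMOD\r\n"
    b"Service: Constructed Scan Engine\r\n"
    b'ISTag: "CONSTRUCTED-0001"\r\n'
    b"Max-Connections: 32\r\n"
    b"Options-TTL: 3600\r\n"
    b"Allow: 204\r\n"
    b"\r\n"
)


def build_options_request(host, port=ICAP_PORT, service=SERVICE):
    """ICAP OPTIONS request (RFC 3507) asking the service to describe itself."""
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\n\r\n").encode("ascii")


def parse_icap_response(raw):
    """Parse the ICAP status line and headers; raise ValueError if not ICAP."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        # Typical cause: the port is the HTTP admin interface, not the ICAP listener.
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": int(parts[1]),
            "reason": parts[2] if len(parts) > 2 else "",
            "headers": headers}


def engine_ready(resp, method="RESPMOD"):
    """True if the reply is 200, carries an ISTag and offers `method` (assumed)."""
    methods = {m.strip().upper() for m in resp["headers"].get("methods", "").split(",")}
    return resp["status"] == 200 and method in methods and "istag" in resp["headers"]


def probe_engine(host, port=ICAP_PORT, timeout=5.0):
    """Send OPTIONS to a live engine; return the parsed reply or None on failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_options_request(host, port))
            raw = b""
            while b"\r\n\r\n" not in raw and len(raw) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
        return parse_icap_response(raw)
    except (OSError, ValueError):
        return None


def set_scanner_command(engines):
    """Build the cfgav --set-scanner line for a list of (ipv4, port) pairs."""
    if not engines:
        raise ValueError("at least one scan engine is required")
    specs = []
    for ip, port in engines:
        ipaddress.IPv4Address(ip)          # raises ValueError on a malformed address
        if not 0 < int(port) < 65536:
            raise ValueError(f"invalid port: {port}")
        specs.append(f"symantec:{ip}:{int(port)}")
    return "cfgav --set-scanner " + ",".join(specs)
```

Running `probe_engine` from a host on the same network path as the SONAS interface nodes also confirms that no firewall sits between the connector and the ICAP port.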
  • 22. Initiating a bulk scan using the SONAS antivirus connector
    The antivirus connector provides a method for administrators to initiate a full scan of all the files defined within one or more scopes on the SONAS. As previously mentioned, every time a new antivirus definition file is downloaded by the scan engine(s), all files defined within all scopes must be rescanned prior to access. The bulk scan feature is a method to proactively scan all of those files during a window when access to the SONAS is at a minimum, thereby reducing the load on the system and network during peak usage times.
    The ability to perform a bulk scan is also important when new shares are created but files are copied in through secure file transfer protocol (SFTP) or secure copy protocol (SCP) from other file systems and are not scanned automatically. Initiating a bulk scan on these shares ensures that future file accesses will be faster.
    Initiating a manual bulk scan on a defined scope
    Manual bulk scans are initiated using the ctlavbulk command line utility, which is accessed from the management node. This utility follows all settings defined by the cfgav utility and, when called with a scope, scans only those files which are defined in that scope. If no scopes are provided, all protected files are scanned. Only one bulk scan can be run at a time; however, multiple scan processes can be spawned on each interface node using the --processes option. When the command is issued, it becomes a background process and returns control to the user. You can check the status of the current bulk scan with the --status option of the ctlavbulk command.
    Starting a bulk scan on one or more defined scopes
    A bulk scan can be initiated on one or more defined scopes:
        ctlavbulk --<scope 1> <scope 1 arg 1>,<scope 1 arg N> --<scope 2> <scope 2 arg 1>,<scope 2 arg N>
    • scope = fsys (file system), path (file system path), export (CIFS export), or fset (file set)
    • scope arg = name or path to a scope
    Examples:
    • Initiate bulk scan on one scope:
        ctlavbulk --export av00a
    • Initiate bulk scan on two scopes of the same type:
        ctlavbulk --export av00a,av01a
    • Initiate bulk scan on two scopes of different types:
        ctlavbulk --fsys gpfs0 --export av02a
    Starting a bulk scan with multiple processes
    A bulk scan can be initiated with multiple processes:
        ctlavbulk --<scope 1> <scope 1 arg 1> --processes <processes arg>
  • 23. • scope = fsys (file system), path (file system path), export (CIFS export), or fset (file set)
    • scope arg = name or path to a scope
    • processes arg = number of processes to spawn on each interface node (default = 1)
    Examples:
    • Initiate bulk scan on one scope with five processes per interface node:
        ctlavbulk --export av03a --processes 5
    • Initiate bulk scan on four scopes with 10 processes per interface node:
        ctlavbulk --export av04a,av05a --fsys gpfs1,gpfs2 --processes 10
    Checking the status of a bulk scan
    Bulk scan status can be listed using the --status option:
        ctlavbulk --status
    Figure 40: Example of ctlavbulk --status
    Note: The * in the column labeled p indicates the process has started for the displayed node.
    Stopping a bulk scan
    A bulk scan can be stopped using the --stop option:
        ctlavbulk --stop
    Figure 41: Example of ctlavbulk --stop
    For a complete list of configurable options and their descriptions, consult the man page for the ctlavbulk utility by typing man ctlavbulk at the command prompt on the management node. Alternatively, invoking the utility by typing ctlavbulk --help provides a list of options with abbreviated explanations.
Scheduling bulk scan on a defined scope

Periodic bulk scans can be scheduled using the mktask command line utility on the management node, with the task name CtlAvBulk as one of the parameters. Tasks are run on a daily basis. The mktask command supports additional customizable options, which are fully explained on the man page available by typing man mktask from the management node command line interface.

Creating a bulk scan task for a defined scope

A new scheduled task for bulk scanning a defined scope can be created using the mktask command:

    mktask CtlAvBulk --hour N --minute N --parameter "scope(s)"

• hour N = hour of the day to start the scan (24-hour clock), for example 10, 12, 15, 20
• minute N = minute of the hour to start the scan
• scope(s) = one or more scopes to bulk scan

Example:
• Schedule a bulk scan for 2:30 a.m. every day on two CIFS exports:
    mktask CtlAvBulk --hour 2 --minute 30 --parameter "--export AV1,AV2"
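The ctlavbulk and mktask syntax above, as an added example that is not part of the IBM guide: a POSIX shell helper that assembles the command lines from type:name pairs and rejects scope names that could be read as an extra option (such as --stop) or break the quoted --parameter string. The function names, the type:name input form and the character whitelist are assumptions of this example; the helper only prints the command and does not run it.

```shell
# Added example: prints ctlavbulk / mktask command lines, never runs them.
# Function names, type:name input and the name whitelist are assumptions.
valid_scope() {
    case $1 in
        fsys:*|path:*|export:*|fset:*) ;;   # scope types listed in the guide
        *) return 1 ;;
    esac
    # Reject empty names, a leading dash and any character outside the
    # whitelist, so a name cannot add an option or close the quoted string.
    case ${1#*:} in
        ''|-*|*[!A-Za-z0-9_./-]*) return 1 ;;
    esac
}

# build_scope_args type:name ... -> "--export a,b --fsys c" (first-seen type order)
build_scope_args() (
    types=""
    for spec in "$@"; do
        valid_scope "$spec" || { echo "invalid scope: $spec" >&2; exit 1; }
        case " $types " in *" ${spec%%:*} "*) ;; *) types="$types ${spec%%:*}" ;; esac
    done
    out=""
    for t in $types; do
        names=""
        for spec in "$@"; do
            if [ "${spec%%:*}" = "$t" ]; then names="${names:+$names,}${spec#*:}"; fi
        done
        out="${out:+$out }--$t $names"
    done
    printf '%s\n' "$out"
)

# bulk_scan_cmd PROCESSES [type:name ...]; no scopes means all protected files
bulk_scan_cmd() (
    case $1 in ''|0*|*[!0-9]*) echo "invalid process count" >&2; exit 1 ;; esac
    procs=$1; shift
    args=$(build_scope_args "$@") || exit 1
    printf 'ctlavbulk%s --processes %s\n' "${args:+ $args}" "$procs"
)

# schedule_cmd HOUR MINUTE type:name ... -> daily mktask line (scopes required)
schedule_cmd() (
    case $1$2 in ''|*[!0-9]*) exit 1 ;; esac
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" -le 23 ] && [ "$2" -le 59 ] || exit 1
    hour=$1 minute=$2; shift 2
    args=$(build_scope_args "$@") && [ -n "$args" ] || exit 1
    printf 'mktask CtlAvBulk --hour %s --minute %s --parameter "%s"\n' "$hour" "$minute" "$args"
)
```

For example, bulk_scan_cmd 5 export:av03a prints the single-scope command from the guide's examples, while a name such as "av00a --stop" is refused before any command line is produced.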
Recommendations

Antivirus scanning, particularly bulk scanning of large files, can add significant load to several IBM SONAS system resources and can cause performance bottlenecks. The following recommendations can help you minimize the performance impact on the system.

• If on-access or bulk scans produce timeout errors, consider increasing the timeout value of scans by using the --timeout parameter of the cfgav command. It is not recommended to increase the timeout parameter beyond the CIFS client timeout value, which can cause files to become inaccessible to the user.
• Avoid scanning expensive items (such as scanning inside archive files or other containers) to avoid timeout issues.
• Depending on the scanning performance requirements, the number of interface nodes on which bulk scans are run can be configured using the --nodes option of the ctlavbulk command. If higher scanning performance is desired, consider running scans on additional interface nodes. To reduce the impact on other SONAS resources, consider limiting the number of interface nodes on which bulk scans are run.
• It is recommended to carefully decide which file types to scan. Certain classes of large files are less likely to be prone to virus attacks. By de-configuring certain types of files using the --add-include|--rem-include|--set-include|--set-exclude options of the cfgav command, overall antivirus scanning performance can be greatly improved.
• Similar consideration should be given to deciding which scopes to scan, as some scopes might contain files that will not be accessed and are not likely to be prone to virus attacks.
• Ensure that the storage backend has adequate capacity for the client and scan traffic. On-access scans are less likely to add significant load to the storage backend because they typically scan data that has either just been written or is just about to be read by the client and can therefore take advantage of caching. Bulk scans, on the other hand, can add significant load to the storage backend.
• After updating the antivirus signature, it is recommended to scan all protected files during off-peak hours to minimize the impact of scanning during peak usage.
• Ensure that the network infrastructure, such as routers, switches, and network cards on both SONAS and scan engines, has adequate capacity. It is recommended to use 10 Gigabit Ethernet.
• It is recommended to use a minimum of two scan engines to take advantage of the high availability and load-balancing features for scanning.
• Ensure that scan nodes have adequate processor and disk performance.
• It is recommended to run a bulk scan after a migration, either by Hierarchical Storage Management (HSM) recall or data restoration from a backup server.
• While using multiple scan engines to support scanning of IBM SONAS, consider the following factors:
  − Configure the setting on each scan engine to be identical.
  − Schedule an auto update of all Symantec scan engines to occur at the same time to ensure that virus definitions are identical.
  − Configure virus scan functionality for each identical SONAS system that uses a particular scan engine to avoid inconsistency.
Summary

The ability to effectively protect shared file data against viruses and other malicious threats is an important challenge for storage and security administrators who require a trusted and reliable antivirus solution. Not only must the integrity of the data be constantly maintained, the solution must also be scalable to match the continually expanding size and volume of data that is retained on a NAS system.

The IBM SONAS system is designed as a multipetabyte global storage platform supporting extreme scalability for business infrastructures that demand high performance as well as high availability. IBM has thoroughly tested the SONAS system with Symantec AntiVirus for NAS confirming their interoperability and compatibility, and is committed to proactively providing enterprise users with one of the best solutions that can serve to reduce time and mitigate risk during planned implementations.

The technical content contained herein is intended only as a reference for those customers who wish to use Symantec AntiVirus for NAS to protect their data on the IBM SONAS system. It should not be treated as a definitive implementation or solution document due to the unique configurations and case-specific scenarios inherent in every customer’s unique environment. For solution-specific designs, contact an IBM storage representative to arrange a discussion with an antivirus implementation specialist.
Resources

The following websites provide useful references to supplement the information contained in this paper:

• System Storage on IBM PartnerWorld®
  ibm.com/partnerworld/wps/pub/overview/B8S00
• IBM Publications Center
  www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi?CTY=US
• IBM Redbooks®
  ibm.com/redbooks
• IBM developerWorks®
  ibm.com/developerworks
• IBM SONAS documentation
  − IBM Scale Out Network Attached Storage Concepts
    http://ibm.com/redbooks/redpieces/abstracts/sg247874.html?Open
  − IBM SONAS Introduction and Planning Guide (GA32-0716)
    http://publib.boulder.ibm.com/infocenter/sonasic/sonas1ic/topic/com.ibm.sonas.doc/sonas_ipg.pdf
  − IBM SONAS administration and user documentation
    http://publib.boulder.ibm.com/infocenter/sonasic/sonas1ic/index.jsp
  − IBM Scale Out Network Attached Storage Administrator's Guide (GA32-0713)
    http://publib.boulder.ibm.com/infocenter/sonasic/sonas1ic/topic/com.ibm.sonas.doc/sonas_admin_guide.pdf
  − IBM SONAS User's Guide (GA32-0714)
    http://publib.boulder.ibm.com/infocenter/sonasic/sonas1ic/topic/com.ibm.sonas.doc/sonas_user_guide.pdf
  − IBM SONAS Software Configuration Guide (GA32-0718)
    http://publib.boulder.ibm.com/infocenter/sonasic/sonas1ic/topic/com.ibm.sonas.doc/configuration_guide.pdf
  − IBM SONAS Troubleshooting Guide (GA32-0717)
    http://publib.boulder.ibm.com/infocenter/sonasic/sonas1ic/topic/com.ibm.sonas.doc/sonas_pd_guide.pdf
• Symantec Resources
  − Symantec AntiVirus for NAS
    http://www.symantec.com/business/antivirus-for-network-attached-storage
  − Symantec AntiVirus for NAS Support Matrix
    http://www.symantec.com/business/support/index?page=content&id=TECH147442
  − Symantec AntiVirus for NAS Getting Started Guide
    http://www.symantec.com/docs/DOC3402
  − Symantec AntiVirus for NAS Integration Guide
    http://www.symantec.com/business/support/resources/sites/BUSINESS/content/live/TECHNICAL_SOLUTION/147000/TECH147442/en_US/SAV_for_NAS_5210.pdf
  − Symantec AntiVirus for NAS Implementation Guide
    ftp://ftp.symantec.com/public/english_us_canada/products/symantec_antivirus/network_attached_storage/5.2/manuals/Implementation_Guide.pdf
  − Symantec AntiVirus for NAS with IBM SONAS Configuration Document
    http://www.symantec.com/business/support/resources/sites/BUSINESS/content/live/TECHNICAL_SOLUTION/147000/TECH147442/en_US/IBM%20Scale%20Out%20Network%20Attached%20Storage.PDF

About the author

Howard Jiang is a Storage Technical Consultant in the IBM SONAS ISV Enablement group. He has more than 12 years of experience working with various storage and systems technologies. Howard holds a Bachelor of Science degree in Management Information Systems from the University of Arizona in Tucson, Arizona. You can reach Howard at hjiang@us.ibm.com.
Trademarks and special notices

© Copyright IBM Corporation 2011. All rights Reserved.

References in this document to IBM products or services do not imply that IBM intends to make them available in every country.

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

SET and the SET Logo are trademarks owned by SET Secure Electronic Transaction LLC.

Other company, product, or service names may be trademarks or service marks of others.

Information is provided "AS IS" without warranty of any kind.

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.

Information concerning non-IBM products was obtained from a supplier of these products, published announcement material, or other publicly available sources and does not constitute an endorsement of such products by IBM. Sources for non-IBM list prices and performance numbers are taken from publicly available information, including vendor announcements and vendor worldwide homepages. IBM has not tested these products and cannot confirm the accuracy of performance, capability, or any other claims related to non-IBM products. Questions on the capability of non-IBM products should be addressed to the supplier of those products.

All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Contact your local IBM office or IBM authorized reseller for the full text of the specific Statement of Direction.

Some information addresses anticipated future capabilities. Such information is not intended as a definitive statement of a commitment to specific levels of performance, function or delivery schedules with respect to any future products. Such commitments are only made in IBM product announcements. The information is presented here to communicate IBM's current investment and development activities as a good faith effort to help with our customers' future planning.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here.

Photographs shown are of engineering prototypes. Changes may be incorporated in production models.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.