Protecting the IBM Storwize V7000 Unified system with Symantec AntiVirus for NAS
A reference guide for storage and security administrators

Daniel T. Drinnon
IBM Systems and Technology Group ISV Enablement
November 2011

© Copyright IBM Corporation, 2011

Table of contents
Abstract
Executive overview
IBM Storwize V7000 Unified system Antivirus Connector – an overview
Symantec AntiVirus for NAS – an overview
Minimum system requirements
    IBM Storwize V7000 Unified system
    Symantec AntiVirus for NAS
Planning for integration of IBM Storwize V7000 Unified system with Symantec AntiVirus for NAS
Integration of IBM Storwize V7000 Unified system with Symantec AntiVirus for NAS
    Installing Symantec AntiVirus for NAS
    Installing Symantec AntiVirus for NAS (Windows)
    Installing Symantec AntiVirus for NAS (Linux)
    Configuring Symantec AntiVirus for NAS
    Configuring the IBM Storwize V7000 Unified system Antivirus Connector
Initiating a bulk scan using the IBM Storwize V7000 Unified system Antivirus Connector
    Configuring bulk scan using GUI
    Initiating a manual bulk scan on a defined scope using CLI
    Scheduling bulk scan on a defined scope
Recommendations
Summary
Resources
About the author
Trademarks and special notices




                          Protecting the IBM Storwize V7000 Unified System with Symantec AntiVirus for NAS
Abstract
With the continuing explosive growth of data comes the need to store that data without
compromising its integrity to threats that might exist in an enterprise network
environment. The IBM Storwize V7000 Unified system has been qualified for interoperability with the
leading antivirus scan engines, such as Symantec AntiVirus for Network Attached Storage (NAS) and
McAfee VirusScan Enterprise for Storage.
This technical paper describes the IBM Storwize V7000 Unified system integration with Symantec
AntiVirus for NAS and guidelines for using the IBM Storwize V7000 Unified system with Symantec
AntiVirus for NAS to protect the overall system and prevent security threats caused by malware.




Executive overview
The IBM® Storwize® V7000 Unified system includes the IBM Storwize V7000 File Module and the IBM
Storwize V7000 Storage system designed to support both file as well as block protocols.

Figure 1 shows a pictorial representation of the IBM Storwize V7000 Unified system. The File Module is a
clustered system comprised of two units that provide file systems for use by network-attached storage.
The File Module uses the Storwize V7000 Storage system to provide the File Module with volumes.
Volumes are also provided on the SAN.

The Storwize V7000 Storage system consists of a drive enclosure called the Control Enclosure. Both
regular and solid-state drives (SSDs) are supported. The Control Enclosure contains disk drives and two
Node Canisters that are managed as a single clustered system. Expansion Enclosures contain drives and
are attached to the Control Enclosure. Expansion Canisters include the serial-attached SCSI (SAS)
interface hardware that enables the node hardware to use the drives of the Expansion Enclosures.




Figure 1 : IBM Storwize V7000 Unified system

The IBM Storwize V7000 File Module software within the IBM Storwize V7000 Unified system contains the
Management Node, Storage Node, and Interface Node functions. A Management Node is used for
configuring, administering, and monitoring the system. A Storage Node connects the File Modules to the
Storwize V7000 Storage system Control Enclosure.




An Interface Node connects the system to an Internet Protocol (IP) network using the following protocols:
        •   Common Internet File System (CIFS)
        •   Network File System (NFS)
        •   File Transfer Protocol (FTP)
        •   Hypertext Transfer Protocol Secure (HTTPS)
        •   Secure Copy Protocol (SCP)


The IBM Storwize V7000 Unified system also supports the following block functions for the host systems
that attach to the Storwize V7000 Unified system. This system:
        •   Creates a single pool of storage
        •   Provides logical unit virtualization
        •   Manages logical volumes
        •   Mirrors logical volumes
        •   Provides large scalable cache
        •   Supports Copy Services
            − IBM Tivoli® Storage FlashCopy® Manager (point-in-time copy) function, including thin-
                provisioned FlashCopy to make multiple targets affordable
            − Metro Mirror (synchronous copy)
            − Global Mirror (asynchronous copy)
            − Data migration
        •   Allows space management
            − IBM System Storage® Easy Tier™ to migrate the most frequently used data to higher
                performing storage
            − Metering of service quality when combined with IBM Tivoli Storage Productivity Center
            − Thin-provisioned logical volumes

The IBM Storwize V7000 Unified system provides an ability to manage block and file storage through one
single management graphical user interface (GUI) or command line interface (CLI).

The IBM Storwize V7000 Unified system is designed to serve a large number of users connecting to it
using a variety of file-based protocols, such as Network File System (NFS) or Common Internet File
System (CIFS). The data created or accessed using these protocols is vulnerable to the potential threats
of viruses, worms, Trojan horses, and other forms of malware. Computer viruses mostly target Microsoft®
operating systems; however, computers running other operating systems can be directly or indirectly
affected by viruses.

The IBM Storwize V7000 Unified system, when integrated with Symantec AntiVirus for NAS, provides a
comprehensive solution to protect all the file data stored on the IBM Storwize V7000 Unified system.




IBM Storwize V7000 Unified system Antivirus Connector – an
overview
The IBM Storwize V7000 Unified system Antivirus Connector is a part of the Storwize V7000 Unified
System File Module management software which communicates with enterprise antivirus vendor scan
engines using Internet Content Adaptation Protocol (ICAP). There are two approaches for virus scanning:

On-access scan – Scans all the specified files on the IBM Storwize V7000 Unified system File Modules
when they are accessed or created. This method ensures that files are scanned with the
latest antivirus signatures before being accessed. It is more effective at detecting viruses
before they are able to compromise data, and it does not generate heavy network traffic
between the IBM Storwize V7000 Unified system File Modules and the Symantec AntiVirus for NAS Scan
Engine. This approach is ideal for customers using Microsoft Windows® clients and CIFS file I/O.

Bulk scan – Scans all the specified files on a file system or a part of the file system. It
is typically performed on a schedule defined on the IBM Storwize V7000 Unified system. The
disadvantage of this method is that recently updated files might not be scanned before being
used. Bulk scans can generate heavy network traffic between the IBM Storwize V7000 Unified system File
Modules and Symantec AntiVirus for NAS Scan Engines and can generate heavy load on a storage
system. Also, a bulk scan can take significant time to complete, depending on the number of files to be
scanned. Storage administrators are likely to use the bulk scan to protect non-CIFS files (for example, NFS),
which are less prone to virus attacks.

The IBM Storwize V7000 Unified system Antivirus Connector provides enterprise antivirus vendors, such
as Symantec AntiVirus for NAS, more complete integration and overall control of antivirus implementations
by deciding strategies suitable for the customer environment. The IBM Storwize V7000 Unified system
Antivirus Connector communicates with the Symantec AntiVirus for NAS Scan Engine using ICAP. The
IBM Storwize V7000 Unified system can be configured with multiple Symantec AntiVirus for NAS Scan
Engines to achieve load balancing and to distribute the workload. The IBM Storwize V7000 Unified system
File Modules select a scan engine from the pool of scan engines at scan time. If a scan engine is not
reachable from the File Modules, it is temporarily removed from the pool and the File Modules select a
different scan engine from the pool of available scan engines. It periodically attempts to reinstate the
removed scan engine back into the pool. Figure 2 describes the workflow of an On-Access scan session
for a single file.
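
The pool behaviour described above (select an engine at scan time, drop an unreachable engine temporarily, retry it later) can be modelled as follows. This is an added example, not IBM's code; the round-robin order, the 60-second retry interval, the engine names and the injected probe and clock functions are assumptions made for illustration.

```python
class ScanEnginePool:
    """Model of a scan-engine pool with temporary removal and reinstatement."""

    def __init__(self, engines, probe, clock, retry_interval=60.0):
        self.engines = list(engines)          # configured scan engines, in order
        self.probe = probe                    # probe(engine) -> True if reachable
        self.clock = clock                    # clock() -> seconds; injected so tests run offline
        self.retry_interval = retry_interval  # assumed value, not taken from the guide
        self.removed = {}                     # engine -> time of removal or last failed retry
        self._next = 0                        # round-robin cursor (assumed selection policy)

    def _reinstate_due(self):
        """Retry removed engines whose retry interval has elapsed."""
        now = self.clock()
        for engine, since in list(self.removed.items()):
            if now - since >= self.retry_interval:
                if self.probe(engine):
                    del self.removed[engine]      # reachable again: back in the pool
                else:
                    self.removed[engine] = now    # still down: wait another interval

    def select(self):
        """Return a reachable engine for the next scan."""
        self._reinstate_due()
        for _ in range(len(self.engines)):
            engine = self.engines[self._next % len(self.engines)]
            self._next += 1
            if engine in self.removed:
                continue
            if self.probe(engine):
                return engine
            self.removed[engine] = self.clock()   # unreachable: remove temporarily
        # The guide does not say what happens when no engine is left;
        # this model surfaces the condition to the caller.
        raise RuntimeError("no scan engine reachable")


def demo():
    """Constructed scenario: engine-b is down at first, then recovers."""
    now = [0.0]
    down = {"engine-b"}
    pool = ScanEnginePool(
        ["engine-a", "engine-b", "engine-c"],
        probe=lambda e: e not in down,
        clock=lambda: now[0],
        retry_interval=60.0,
    )
    first = [pool.select() for _ in range(4)]   # engine-b is skipped
    down.clear()
    now[0] = 30.0                               # recovered, but retry not yet due
    mid = [pool.select() for _ in range(2)]
    now[0] = 61.0                               # retry due: engine-b is reinstated
    later = [pool.select() for _ in range(3)]
    return first, mid, later


if __name__ == "__main__":
    for phase in demo():
        print(phase)
```

With two or more engines configured, the loss of one engine only shifts load to the others; with a single engine, every scan fails until that engine answers a probe again.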

When a user accesses a file from the IBM Storwize V7000 Unified system File Modules over the network,
the system initiates the scan of a file in real time and opens a connection with the Symantec AntiVirus for
NAS Scan Engine. The IBM Storwize V7000 Unified system then passes the file to the Symantec AntiVirus
for NAS Scan Engine for scanning. The Symantec AntiVirus for NAS Scan Engine indicates the scanning
results to the IBM Storwize V7000 Unified system after the file is scanned. If the file is infected, the
Symantec AntiVirus for NAS Scan Engine tries to repair the file and sends the repaired file to the IBM
Storwize V7000 Unified system. The IBM Storwize V7000 Unified system receives the scan results. If the
file is infected and can be cleaned, the infected file is replaced on the IBM Storwize V7000 Unified system
with the repaired file received from the Symantec AntiVirus for NAS Scan Engine. Only the repaired file is
passed to the requesting user.




If a virus is detected and the file cannot be repaired, the IBM Storwize V7000 Unified system
can be configured to quarantine or delete the non-repairable file, and the user is notified with a
permission-denied type of error message.




Figure 2: Workflow of on-access scanning of a file from the IBM Storwize V7000 Unified system using Symantec
AntiVirus for NAS

The IBM Storwize V7000 Unified system Antivirus Connector also caches antivirus scan information for
each file as extended attributes to determine whether it must be scanned or rescanned by saving the
timestamps of the last scan in addition to the antivirus definition file. This way, a repeat scan might be
avoided if another user tries to access the same file later but the antivirus definitions have not changed.
When new antivirus definitions are received and updated, each file is rescanned before it is made
available to the user requesting access. Bulk scans might be configured to proactively rescan files
periodically (for example every day) during off-peak hours when accesses are minimal to prevent any
potential performance impacts on the IBM Storwize V7000 Unified system or the Symantec AntiVirus for
NAS Scan Engines in the pool.




Symantec AntiVirus for NAS – an overview
Symantec AntiVirus for NAS provides remote scanning of the IBM Storwize V7000 Unified system using
ICAP.

The Symantec AntiVirus for NAS Scan Engine scans the files received from the IBM Storwize V7000
Unified system and provides real-time protection for the massive amount of critical information that is
being stored and accessed by the IBM Storwize V7000 Unified system File Modules users. The Symantec
AntiVirus for NAS Scan Engine detects the virus infected files that are being accessed, read, or copied to
and from the IBM Storwize V7000 Unified system File Modules. After detecting an infection in the file, it
automatically cleans the file and provides the repaired file to the IBM Storwize V7000 Unified system File
Modules.

Symantec AntiVirus for NAS provides the following features:
    •   Advanced anti-virus technology: Symantec’s award winning antivirus technology continuously
        blocks a wide range of viruses and malicious code threats, including those hidden in compressed
        files.
    •   Detection of unwanted programs: It finds the unwanted hidden spyware programs that open
        security holes.

    •   Centralized management: The entire Symantec security system can be managed using Symantec’s
        central management system, reducing overall cost and providing ease of management.

    •   Continuous protection: On-access scanning provides real time protection to the data on the IBM
        Storwize V7000 Unified system File Modules when the files are accessed or written to the IBM
        Storwize V7000 Unified system File Modules unlike traditional on-demand scans.

    •   Cost effectiveness: It supports connection to more than one IBM Storwize V7000 Unified system
        File Modules.
    •   Rapid notification: Whenever a virus is detected, notification can be sent to the configured
        recipients. This enables recipients to react instantly to any possible virus outbreak.




Minimum system requirements
A combination of Windows, Linux®, and Solaris platforms is supported for the scan engines that scan the
files located on the IBM Storwize V7000 Unified system. Depending on the volume of the data being
scanned and the requirements for accessibility, multiple scan engines can be deployed as needed.


IBM Storwize V7000 Unified system
Software:

   •   File Modules version 1.3.0.0 or higher

Symantec AntiVirus for NAS
Software:

   •   Version 5.2 or higher and licenses
Supported operating systems:

   •   Red Hat Enterprise Linux 5.x (32-bit and 64-bit)

   •   Red Hat Linux Advanced Server 3 and 4 (32-bit)

   •   Red Hat Linux Enterprise Server 3 and 4 (32-bit)

   •   Solaris (SPARC) 9 and 10 (32-bit)

   •   SUSE Linux Enterprise Server 9 and 10 (32-bit)

   •   Windows 2000 Server with the latest service pack

   •   Windows Server 2003 (32-bit and 64-bit), R2 (32-bit)

   •   Windows Server 2008 (32-bit and 64-bit), R2 (64-bit)
Processor:

   •   2.4 GHz Intel® Pentium 4 or 1 GHz SPARC
Memory:

   •   1 GB of RAM

Disk space:

   •   500 MB hard disk space available
Additional Hardware:

   •   One network interface card (NIC) running TCP/IP with a static IP address

   •   Internet connection to update definitions

   •   100 Mbps Ethernet link (1 Gbps or faster recommended)




Planning for integration of IBM Storwize V7000 Unified system
with Symantec AntiVirus for NAS
Planning is one of the most important areas of consideration before beginning to configure the IBM
Storwize V7000 Unified system with Symantec AntiVirus for NAS. It is important that the security team and
the IBM Storwize V7000 Unified system administrator work together to anticipate the scopes and types of
files for which scanning is required, the number of files to be scanned, and the number of Symantec
AntiVirus for NAS Scan Engines that are required. The administrator can define policies or settings for
handling infected files when detected.

The following factors need to be carefully considered during the planning.

Number of Symantec AntiVirus for NAS Scan Engines:

Antivirus scanning on the IBM Storwize V7000 Unified system File Modules requires a minimum of one
scan engine configured with Symantec AntiVirus for NAS. However, to take full advantage of the load
balancing and high availability features of the IBM Storwize V7000 Unified system, a minimum of two scan
engines is recommended. The IBM Storwize V7000 Unified system Antivirus Connector automatically
performs load balancing to make sure that the workload is evenly distributed across the scan engines.
When a scan engine becomes unavailable, the workload is directed to the remaining operational scan
engines. The additional considerations listed below affect the number of scan engines that may be required:

    •   Total number of files stored on the IBM Storwize V7000 Unified system File Modules that
        require scanning

        −   Large numbers of files can be scanned by multiple scan engines using the IBM Storwize
            V7000 Unified system Antivirus Connector load balancing feature.

    •   Host processor speed and RAM configuration

        −   Fewer scan engines might be needed if the processor speed is faster and more RAM is
            present on each scan engine.

    •   Network speed
        −   Faster network speeds allow for reduced time in transferring larger files to the scan engine for
            scanning.


Type of scopes to scan:

In the IBM Storwize V7000 Unified system, antivirus configuration options are defined with scopes. A
scope is a subtree of file namespace, identified by the path to the root of the subtree. All file accesses
within that subtree share a set of antivirus settings. You can configure the following four types of scope for
antivirus scanning in the IBM Storwize V7000 Unified system.

    •   File systems
    •   File sets

    •   Path

    •   Exported shares


Not all scopes are required to be configured for scanning as certain file sets, paths, or file systems are
either static in nature, or are not shared with any users. The administrator needs to ensure that all scopes
that might be vulnerable to potential threats are included in their defined scanning strategy.



Types of files to scan:

In the IBM Storwize V7000 Unified system, the administrator can define the files or the file types that are to
be scanned. The administrator can decide whether to scan files by exclusion list or inclusion
list, or whether to scan all the files regardless of extension. The IBM Storwize V7000 Unified system
Antivirus Connector can be set to scan all scopes and to specify which extensions are to be included in or
excluded from a scan. The exclusion list specifies the extensions of the files to be excluded because they are
not likely to contain viruses.
The inclusion / exclusion list defines the following behavior:

    •   If the include list is empty or not defined, default is that all extensions are included in the scan.

        −   The exclusion list is created to exclude files with specific file extensions from scanning.

    •   If an extension is in the include list, only files with that extension are scanned.

    •   If an extension is in the include list as well as the exclude list, files with that extension are not
        scanned.

Careful planning is required when creating the include / exclude lists because they play an important role in
the performance of the scan process: not all file extensions need to be scanned, because some files and
file types are unlikely to have viruses.


File processing strategy

It is important to plan for the action that needs to be taken in case an unrecoverable virus file is identified.
The IBM Storwize V7000 Unified system provides the option to quarantine or delete the infected,
unrecoverable file. For this, an optional parameter can be set to quarantine or delete the file at the defined
scope. Optionally, the path by which the file was opened for the current scan can be moved to a
subdirectory created for that purpose. Only the IBM Storwize V7000 Unified system or the security
administrator will have access to that subdirectory and can take appropriate action to manually delete the
unrecoverable virus files. If no strategy is defined, the user is denied access to the file.
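
The include/exclude rules above, the scan-information cache described in the Antivirus Connector overview and the file processing strategy combine into one per-access decision, modelled below as an added example that is not part of the original guide or of the product. Case-insensitive extension matching, the modification-time check and all names (ScopePolicy, ScanRecord, on_access, the sample paths and definition versions) are assumptions.

```python
import os
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class ScopePolicy:
    """Antivirus settings shared by every file under one scope (hypothetical model)."""
    include: frozenset = frozenset()        # empty: all extensions are included
    exclude: frozenset = frozenset()
    on_unrepairable: Optional[str] = None   # "quarantine", "delete" or None


@dataclass(frozen=True)
class ScanRecord:
    """Scan information cached per file (kept as extended attributes per the guide)."""
    last_scan: float      # timestamp of the last scan
    definitions: str      # antivirus definition version used for that scan


def in_scan_set(path: str, policy: ScopePolicy) -> bool:
    """Apply the include/exclude rules to a file name."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()   # assumption: case-insensitive
    if ext in policy.exclude:        # in the exclude list (even if also included): not scanned
        return False
    if policy.include:               # non-empty include list: only listed extensions
        return ext in policy.include
    return True                      # empty include list: all extensions are scanned


def needs_scan(record: Optional[ScanRecord], current_definitions: str, mtime: float) -> bool:
    """Decide whether the cached scan result can be reused."""
    if record is None:
        return True                                  # never scanned
    if record.definitions != current_definitions:
        return True                                  # new definitions: rescan
    return mtime > record.last_scan                  # assumption: changed since last scan


def on_access(path: str, mtime: float, policy: ScopePolicy,
              record: Optional[ScanRecord], current_definitions: str,
              scan: Callable[[str], str]) -> Tuple[str, str]:
    """Return (access decision, action). scan() stands in for the ICAP round trip
    and returns "clean", "repaired" or "unrepairable"."""
    if not in_scan_set(path, policy):
        return ("allow", "not-scanned")
    if not needs_scan(record, current_definitions, mtime):
        return ("allow", "cached")
    verdict = scan(path)
    if verdict == "clean":
        return ("allow", "scanned")
    if verdict == "repaired":
        return ("allow", "replaced-with-repaired")
    # Unrepairable: access is denied; the file is quarantined or deleted if configured.
    return ("deny", policy.on_unrepairable or "none")


def demo():
    """Constructed inputs: 'doc' is in both lists, so .doc files are never scanned."""
    policy = ScopePolicy(include=frozenset({"exe", "doc"}),
                         exclude=frozenset({"doc"}), on_unrepairable="quarantine")
    verdicts = {"/share/setup.exe": "unrepairable", "/share/tool.EXE": "repaired"}
    scan = lambda p: verdicts.get(p, "clean")
    cached = ScanRecord(last_scan=1000.0, definitions="defs-A")
    return [
        on_access("/share/report.doc", 500.0, policy, None, "defs-A", scan),
        on_access("/share/app.exe", 500.0, policy, cached, "defs-A", scan),
        on_access("/share/app.exe", 500.0, policy, cached, "defs-B", scan),
        on_access("/share/tool.EXE", 500.0, policy, None, "defs-A", scan),
        on_access("/share/setup.exe", 500.0, policy, None, "defs-A", scan),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

In this model a file without an extension is skipped as soon as the include list is non-empty, which is worth checking against real behaviour before relying on an include list for scopes that hold extensionless files.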




Integration of IBM Storwize V7000 Unified system with Symantec AntiVirus for NAS
The scanning process requires two components: The IBM Storwize V7000 Unified system Antivirus
Connector and the external antivirus scan engines running Symantec AntiVirus for NAS. Depending on the
workload determined during the planning stage, multiple scan engines might need to be installed and
configured to the IBM Storwize V7000 Unified system. The minimum software and hardware requirements
are documented in the “Minimum system requirements” section of this guide.
The IBM Storwize V7000 Unified system Antivirus Connector communicates with the Symantec AntiVirus
for NAS using the industry standard ICAP protocol. Remote scanning is performed through the ICAP
protocol when a user requests access to a file residing on an IBM Storwize V7000 Unified system.
Integrating the IBM Storwize V7000 Unified system with a Symantec AntiVirus for NAS Scan Engine
begins with the installation of Symantec AntiVirus for NAS on the identified servers, followed by
configuring both the IBM Storwize V7000 Unified system Antivirus Connector and the Symantec AntiVirus
for NAS Scan Engine.

Installing Symantec AntiVirus for NAS
The installation package for Symantec AntiVirus for NAS is available as an ISO image which contains
Microsoft Windows and Linux versions of the scan engine client, or individual Windows and Linux ZIP file
packages. Installation of the Symantec AntiVirus for NAS Scan Engine can be performed locally at each
individual server or remotely depending on the level of server security implemented. The following
instructions assume that the installer has remote access to identified Symantec AntiVirus for NAS Scan
Engine hardware using the individual ZIP file packages downloaded from Symantec website at:

http://www.symantec.com/business/antivirus-for-network-attached-storage

Installing Symantec AntiVirus for NAS (Windows)
Perform the following steps to install Symantec AntiVirus for NAS (Windows).
    1. Copy SymantecAntiVirus_NAS_5.2.x_Win32_IN.zip to a Windows server which has been
       identified to function as a Symantec AntiVirus for NAS Scan Engine and extract the ZIP file to a
       temporary directory.




    Figure 3: Unzipping the ZIP package in a temporary directory



2. Verify that a 32-bit Java™ runtime environment (JRE) is installed on the system.




    Figure 4: Checking the JRE version

    If a 32-bit JRE is not installed on the system, change directory to Tools\Java\Win32 and install a
    copy of the Java 6 runtime environment included with the Symantec AntiVirus for NAS ZIP
    package.




    Figure 5: Installing a copy of the JRE

3. Start the Symantec AntiVirus for NAS installer by entering cdstart.




    Figure 6: Starting the Symantec AntiVirus for NAS CD menu

4. Click Install Symantec AntiVirus(TM) 5.2 for NAS.



    Figure 7: Menu option to install Symantec AntiVirus for NAS




5. Click Next to continue the installation.




    Figure 8: Symantec AntiVirus for NAS InstallShield Wizard

6. Accept the terms of the license agreement and click Next to continue.




    Figure 9: Symantec AntiVirus for NAS software license agreement

7. Select a folder to install the Symantec AntiVirus for NAS Scan Engine software, or click Next to
   continue and use the default folder:




Figure 10: Selecting an installation folder

8. Enter a password which will be used to access the Symantec AntiVirus for NAS Scan Engine user
   interface, and click Next to continue.




   Figure 11: Specifying a password for the administrative interface




9. Select the URL filtering and definition downloads (if necessary), and click Next to continue.




    Figure 12: Selecting URL filtering and URL definition downloading

10. If satisfied with the previous choices of configuration options, click Install to begin installation.




    Figure 13: Symantec AntiVirus for NAS Scan Engine installation confirmation




11. Click Finish to complete the installation and return to Windows.




    Figure 14: Symantec AntiVirus for NAS Scan Engine installation completed




Installing Symantec AntiVirus for NAS (Linux)
Perform the following steps to install Symantec AntiVirus for NAS (Linux).
    1. Copy SymantecAntiVirus_NAS_5.2.x_Linux_IN.zip to a Linux server that has been identified to
       function as a Symantec AntiVirus for NAS Scan Engine, and extract the ZIP file into a temporary
       directory.




        Figure 15: Unzipping the ZIP package in a temporary directory

    2. At the command prompt, enter rpm -qa | grep sharutils to verify that the sharutils package
       (sharutils-4.6.1-2.i386.rpm) is installed on the system.




        Figure 16: Checking for installation of the sharutils package

        If the query does not return any output, download a copy of sharutils-4.6.1-2.i386.rpm and install
        it by entering rpm -ivh sharutils-4.6.1-2.i386.rpm at the prompt.




        Figure 17: Installing the sharutils package

    3. Enter rpm -qa | grep jre at the prompt to verify that the Java runtime environment is installed on
       the system.




        Figure 18: Checking for installation of the JRE

        If the query does not return any output, change directory to SAV_NAS/Tools/Java/RedHat and
        install a copy of the Java 6 runtime environment included with the Symantec AntiVirus for NAS ZIP
        package by entering ./jre-6u21-linux-i586-rpm.bin at the command prompt.




        Figure 19: Installing a copy of the JRE



4. After sharutils and the JRE are available on the system, change directory to
   SAV_NAS/Scan_Engine/RedHat and enter ./ScanEngine.sh to begin installing the Symantec
   AntiVirus for NAS Scan Engine.




    Figure 20: Launching the Symantec AntiVirus for NAS Scan Engine installation script

5. Read and agree to the license terms by typing y when prompted and press Enter.




    Figure 21: Symantec AntiVirus for NAS Scan Engine license agreement


6. Accept the default installation directory by pressing Enter when prompted or type in a complete
   path name if another location is required.




    Figure 22: Selecting an installation directory

7. Type y and press Enter to run the Symantec AntiVirus for NAS Scan Engine as root, or type n
   and enter a different username.



    Figure 23: Selecting a user name for the Symantec AntiVirus for NAS Scan Engine

8. Press Enter to select 8004 as the default port used to access the Symantec AntiVirus for NAS
   Scan Engine from a web browser or enter a desired port number.




    Figure 24: Selecting an administrator web interface port

9. Press Enter to select 8005 as the default secure sockets layer (SSL) port used to access the
   Symantec AntiVirus for NAS Scan Engine from a web browser or enter a desired SSL port
   number.




    Figure 25: Selecting an administrator SSL port




10. Enter a password which will be used to access the Symantec AntiVirus for NAS Scan Engine
       interface and confirm (Note: the password will not appear on the screen):




       Figure 26: Specifying a password for the administrative interface

   11. Press Enter if you do not wish to enable URL filtering.



       Figure 27: Selecting URL filtering and URL definition downloading


   12. The Symantec AntiVirus for NAS Scan Engine will start automatically at the end of a successful
       installation. If any problems are encountered during the installation, refer to the
       /var/log/SYMCScan-install.log log file for additional information.




       Figure 28: Symantec AntiVirus for NAS Scan Engine installation completed

Configuring Symantec AntiVirus for NAS
Configuring the Symantec AntiVirus for NAS Scan Engine is the same across all client platforms, and
therefore, the following directions apply to both Windows and Linux:

   1. Using a supported web browser, open a connection to the newly-installed Symantec AntiVirus for
      NAS Scan Engine and log in with the password specified during the installation process.




Figure 29: Symantec AntiVirus for NAS Scan Engine administrative login screen

2. Under the Tasks subsection, click Install License.




    Figure 30: Tasks subsection for license installation

3. Enter the full path and file name to the license file provided by Symantec and then click Install.




    Figure 31: Symantec AntiVirus for NAS Scan Engine license installation


4. Click the Configuration icon in the left navigation bar and ensure that Protocol is selected under
   the Views subsection.




    Figure 32: Configuration subsection for protocol configuration


5. Under ICAP configuration, select the Select check box for the IP address to the Symantec
   AntiVirus for NAS Scan Engine. In addition, select a scan policy suitable for the environment.




    Figure 33: Configuring ICAP and specifying a scan policy


    Be sure to click Apply at the upper-left section of the action bar to ensure that all changes for this
    page have been saved and applied.




    Figure 34: Apply icon

6. Click the Policies icon in the left navigation bar and ensure that Scanning is selected under the
   Views subsection.




    Figure 35: Policies subsection for configuring scanning options

7. Antivirus Scanning is set to Medium by default, but if maximum detection sensitivity is needed, set
   this option to High.




    Figure 36: Selecting a virus scanning level




The Symantec AntiVirus for NAS Scan Engine is now ready for use with the IBM Storwize V7000 Unified
system. For more information regarding additional options and behaviors that can be customized to
individual organizational requirements, refer to the Symantec AntiVirus for NAS Implementation Guide for
which the link is provided in the “Resources” section of this guide.


Configuring the IBM Storwize V7000 Unified system Antivirus Connector
The IBM Storwize V7000 Unified system GUI or CLI can be used for configuring and displaying the IBM
Storwize V7000 Unified system antivirus parameters. The Antivirus Connector is configured using the GUI or the cfgav CLI utility,
which is accessed from the management node. This utility controls the scan behavior when files are
accessed by a client as well as during bulk scan requests. The IBM Storwize V7000 Unified system
antivirus configuration can be changed dynamically and it does not require shutdown or restart of the
antivirus service.

Before using the IBM Storwize V7000 Unified system Antivirus Connector to control the scanning
behavior, it must be configured with a pool of Symantec AntiVirus for NAS Scan Engines. Next, you need
to define scopes to the IBM Storwize V7000 Unified system Antivirus Connector along with a set of scan
options specific to each scope. A scope can be an entire file system, specific paths on a file system, a
CIFS export, or a file set.




IBM Storwize V7000 Unified system antivirus configuration using GUI
Perform the following steps to configure Storwize V7000 Unified system antivirus using the GUI.
    1. Log in to the IBM Storwize V7000 Unified system GUI using https://<Address>:1081/gui

    2. Move the cursor to the File icon on the left-hand side and click Services to start the antivirus
       configuration.




                Figure 37: IBM Storwize V7000 Unified system file services administration

    3. Select the Antivirus service and click Configure to start the antivirus configuration.




                Figure 38: Antivirus configuration selection




4. In the Configure page, select symantec as the Protocol from the list, enter the IP address of the
   scan node where Symantec AntiVirus for NAS has been installed, and select the port for ICAP
   communication (the default port is 1344). Click the plus (+) sign to add another scan node. After
   adding all the scan nodes, set the global timeout in seconds or leave it as default. Click OK to
   configure.




            Figure 39: Symantec scan node configuration

5. The antivirus scanner configuration summary is displayed. After verifying the summary, click
   Close to complete the Symantec scan node configuration.




            Figure 40: Antivirus scan node configuration summary




6. After completing the scan node configuration, click New Antivirus Definition to add new scopes
   for scanning.




    Figure 41: Configuring new antivirus definition

7. In the New Antivirus Definition page, enter the path that needs to be enabled for the scan.
   Select the Enable Antivirus Definition check box. In case on-write scanning needs to be
   enabled, select the Scan files on close if file changed (write operation performed) check box.
   From the Action to take for infected files list, select one of the options (out of No action, Delete
   or Quarantine) to handle the behavior of infected files. Additionally, you can also specify the
   include / exclude options to limit the scope of scanning to the files with specified extensions. In
   case the files with all the extensions need to be scanned, select Scan all files. After all the
   required settings are configured, click OK to continue.




Figure 42: New Antivirus Definition configuration

8. A summary page shows the saved antivirus definition. After verifying the saved configuration, click
   Close to complete the wizard.




            Figure 43: New antivirus definition configuration summary




All the scopes will be displayed in the Services page of the Antivirus service.




Figure 44: Configured antivirus definition summary

IBM Storwize V7000 Unified system antivirus configuration using CLI
    Log in to IBM Storwize V7000 Unified system File Modules command line interface.

    Defining scan engine pool

    At least one scan engine must be registered in order to provide virus scanning for each IBM Storwize
    V7000 Unified system. However, it is recommended to configure a minimum of two scan engines in a
    scan engine pool to take advantage of the load-balancing facility that the IBM Storwize V7000 Unified
    system uses to distribute the scan load. A pool of two or more engines also provides high availability
    if one scan engine is not available. The IBM Storwize V7000 Unified system tries to contact the failed
    scan engine periodically and reinstates it for scanning after it becomes available.

        •    For defining a scan engine to the connector, use the cfgav CLI.
        cfgav --set-scanner symantec:<IP Address 1>:<ICAP Port>

        IP Address = IP address of a scan engine

        ICAP Port = Port used for ICAP communication (Symantec default is 1344)




        Figure 45: Example of set-scanner

        •    Additional scan engines can be specified at the same time by separating each with a comma.

        cfgav --set-scanner symantec:<IP Address 1>:<ICAP Port>,symantec:<IP Address 2>:<ICAP Port>




        Figure 46: Example of multiple set-scanner

        •    To add another scan engine at a later time, use the following command:

        cfgav --add-scanner symantec:<IP Address>:<ICAP Port>


Figure 47: Example of add-scanner

Defining scopes with scan options

For configuring a scope with scan options:

    cfgav --<scope> <scope arg> --<option 1> <option 1 arg> … --<option N> <option N arg>

    •   scope = fsys (file system), path (file system path), export (CIFS export), or fset (file set)

    •   scope arg = name or path to a scope

    •   option = multiple options can be specified together separated by a space

    •   option arg = specific arguments that apply to each option

    Examples:

    •   Enable antivirus scanning on a list of scopes:

        cfgav --export av00a,av01a --scan

    •   Set a list of extensions to scan on an export:

        cfgav --export av00a --set-include exe,dll,xlsx

    •   Set a timeout value for accessing scan engines:

        cfgav --timeout 20

    •   Enable file system scanning when a file is written:

        cfgav --fsys gpfs0 --onwrite

    •   Deny access to protected files in a file set if scanning cannot occur:

        cfgav --fset gpfs0:root --denyonerror

    •   Add an extension to a path include list:

        cfgav --path /ibm/gpfs0 --add-include exe

    •   Set the exclude list for an export:

        cfgav --export av00a --set-exclude txt

    •   Enable file quarantine by deletion for an export:

        cfgav --export av00a --qdel




    •   Enable file quarantine by moving for an export:

        cfgav --export av00a --qmove

    Verifying scan options on defined scopes
    Current antivirus configuration for all scopes can be listed using the lsav command.




        Figure 48: An example of the lsav CLI command

For a complete list of configurable options and their descriptions, refer to the man page for the cfgav utility
by entering man cfgav at the command prompt on the management node. Alternatively, invoking the utility
by entering cfgav --help provides a list of options with abbreviated explanations.
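
The scan-engine pool and scope commands described above can be assembled and checked before they are typed on the management node. The following dry-run planner is an added example, not part of the IBM guide or its tooling; it prints cfgav commands and runs nothing. The function names, the IPv4-only check, the 192.0.2.x addresses, the 45-second CIFS client timeout, the restricted character sets, and the treatment of --qdel and --qmove as mutually exclusive are assumptions of this example.

```sh
#!/bin/sh
# Added example: dry-run planner for the cfgav commands in this guide.
# It validates input and prints commands; it never runs cfgav.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() (
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# scanner_pool IP[:PORT]...: print the --set-scanner command for the pool.
scanner_pool() (
    [ $# -ge 1 ] || { echo "error: no scan engine given" >&2; exit 1; }
    [ $# -ge 2 ] || echo "warning: single engine; the guide recommends two" >&2
    list='' seen=' '
    for spec in "$@"; do
        case $spec in
            *:*) ip=${spec%:*}; port=${spec##*:} ;;
            *)   ip=$spec; port=1344 ;;   # Symantec default ICAP port
        esac
        valid_ipv4 "$ip" || { echo "error: bad address in '$spec'" >&2; exit 1; }
        case $port in ''|*[!0-9]*|??????*) port=0 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
            { echo "error: bad port in '$spec'" >&2; exit 1; }
        case $seen in
            *" $ip:$port "*) echo "error: duplicate engine $ip:$port" >&2; exit 1 ;;
        esac
        seen="$seen$ip:$port "
        list="${list:+$list,}symantec:$ip:$port"
    done
    echo "cfgav --set-scanner $list"
)

# scope_cmd KIND NAMES OPTION...: print one cfgav command for a scope.
# OPTION: scan, onwrite, denyonerror, qdel, qmove, include=LIST, exclude=LIST.
# The character sets accepted for NAMES and LIST are assumptions of this
# example, chosen so a printed command cannot carry shell metacharacters.
scope_cmd() (
    case $1 in
        fsys|path|export|fset) ;;
        *) echo "error: scope must be fsys, path, export or fset" >&2; exit 1 ;;
    esac
    case $2 in
        ''|*[!A-Za-z0-9_./,:-]*) echo "error: bad scope name '$2'" >&2; exit 1 ;;
    esac
    kind=$1 names=$2 args='' action='' fail_closed=no
    shift 2
    for opt in "$@"; do
        case $opt in
            scan|onwrite) args="$args --$opt" ;;
            denyonerror)  args="$args --$opt"; fail_closed=yes ;;
            qdel|qmove)   # treated as exclusive here: the GUI offers one action
                [ -z "$action" ] || { echo "error: $action and $opt both set" >&2; exit 1; }
                action=$opt; args="$args --$opt" ;;
            include=|exclude=|include=*[!A-Za-z0-9,]*|exclude=*[!A-Za-z0-9,]*)
                echo "error: bad extension list '$opt'" >&2; exit 1 ;;
            include=*) args="$args --set-include ${opt#include=}" ;;
            exclude=*) args="$args --set-exclude ${opt#exclude=}" ;;
            *) echo "error: unknown option '$opt'" >&2; exit 1 ;;
        esac
    done
    [ -n "$args" ] || { echo "error: no options for $names" >&2; exit 1; }
    [ "$fail_closed" = yes ] ||
        echo "warning: $names has no --denyonerror (deny access if scanning cannot occur)" >&2
    echo "cfgav --$kind $names$args"
)

# timeout_cmd SECONDS CIFS_CLIENT_TIMEOUT: print --timeout only when it stays
# within the CIFS client timeout, as the guide recommends.
timeout_cmd() (
    for n in "$1" "$2"; do
        case $n in ''|*[!0-9]*|??????*) echo "error: bad timeout '$n'" >&2; exit 1 ;; esac
    done
    [ "$1" -ge 1 ] && [ "$1" -le "$2" ] ||
        { echo "error: timeout $1s must be 1..$2s (CIFS client timeout)" >&2; exit 1; }
    echo "cfgav --timeout $1"
)

# Constructed sample: the 192.0.2.x engine addresses and the 45-second CIFS
# client timeout are assumptions; the scope names are the guide's examples.
plan() {
    scanner_pool 192.0.2.10:1344 192.0.2.11 &&
    timeout_cmd 20 45 &&
    scope_cmd export av00a,av01a scan onwrite denyonerror qmove include=exe,dll,xlsx &&
    scope_cmd fset gpfs0:root scan denyonerror &&
    echo "lsav"   # list the resulting configuration for review
}

plan
```

Warnings and errors go to standard error, so the standard output can be reviewed as a clean command list before anything is entered on the management node.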




Initiating a bulk scan using the IBM Storwize V7000 Unified
system Antivirus Connector
The IBM Storwize V7000 Unified system Antivirus Connector provides a method for administrators to
initiate a full scan on all the files defined within one or more scopes on the IBM Storwize V7000 Unified
system. As previously mentioned, every time a new antivirus definition file is downloaded by the scan
engine(s), all files defined within all scopes must be rescanned prior to access. The bulk scan feature is a
method to proactively scan all of those files during a window when access to the IBM Storwize V7000
Unified system is at a minimum, thereby reducing the load on the system and network during peak usage
times.

The ability to perform a bulk scan is also important when new shares are created but files are copied either
through secure file transfer protocol (SFTP) or secure copy protocol (SCP) from other file systems and are
not scanned automatically. Initiating a bulk scan on these shares ensures that in the future, file accesses
will be faster.

The IBM Storwize V7000 Unified system GUI or CLI can be used for configuring and displaying the IBM
Storwize V7000 Unified system bulk scans.

Configuring bulk scan using GUI
Perform the following steps to configure bulk scan using the GUI.
    1. Log in to the IBM Storwize V7000 Unified system GUI using https://<Address>:1081/gui

    2. In the Services page of Antivirus service, click Batch Scans and then click New Batch Scan to
       start configuring bulk scan.




            Figure 49: Configuration of Batch scan

    3. Enter the frequency and the time of day when bulk scan needs to be run on the system in their
       respective fields. Specify paths to scan during the bulk scan. After configuring the paths that need
       to be bulk scanned, click OK to continue.



Figure 50: Bulk scan configuration details

    4. A summary page shows the saved bulk scan configuration. After verifying the saved configuration
       click Close to complete the wizard.




                Figure 51: Bulk scan configuration summary


Initiating a manual bulk scan on a defined scope using CLI
Manual bulk scans are initiated using the ctlavbulk command line utility, which is accessed from the
management node. This utility follows all settings defined by the cfgav utility, and when called with a scope
will only scan those files which are defined in that scope. If no scopes are provided, all protected files will
be scanned. Only one bulk scan can be run at a time; however, multiple scan processes can be spawned
on each interface node using the --processes option. When the command is issued, it becomes a
background process, returning the control to the user. You can check the status of the current bulk scan
by issuing the --status option of the ctlavbulk command.

 Starting a bulk scan on one or more defined scopes

    Bulk scan can be initiated on one or more defined scopes.

        ctlavbulk --<scope 1> <scope 1 arg 1>,<scope 1 arg N> --<scope 2> <scope 2 arg 1>,<scope 2 arg N>

            •   scope = fsys (file system), path (file system path), export (CIFS export), or fset (file set)

            •   scope arg = name or path to a scope
        Examples:
            •   Initiate bulk scan on one scope:

                ctlavbulk --export av00a

            •   Initiate bulk scan on two scopes of the same type:

                ctlavbulk --export av00a,av01a

            •   Initiate bulk scan on two scopes of different types:

                ctlavbulk --fsys gpfs0 --export av02a

 Starting a bulk scan with multiple processes

    Bulk scan can be initiated with multiple processes:

        ctlavbulk --<scope 1> <scope 1 arg 1> --processes <processes arg>

            •   scope = fsys (file system), path (file system path), export (CIFS export), or fset (file set)

            •   scope arg = name or path to a scope
            •   processes arg = number of processes to spawn on each interface node (default = 1)

        Examples:
            •   Initiate bulk scan on one scope with five processes per interface node:

                ctlavbulk --export av03a --processes 5

            •   Initiate bulk scan on four scopes with 10 processes per interface node:

                ctlavbulk --export av04a,av05a --fsys gpfs1,gpfs2 --processes 10

 Checking the status of a bulk scan
    Bulk scan status can be listed using the --status option.

        ctlavbulk --status




Figure 52: Example of ctlavbulk --status

       Note: The * in the column labeled p indicates that the process has started for the displayed node.

Stopping a bulk scan

   Bulk scan can be stopped using the --stop option.

       ctlavbulk --stop




       Figure 53: Example of ctlavbulk --stop


   For a complete list of configurable options and their descriptions, refer to the man page for the
   ctlavbulk utility by entering man ctlavbulk at the command prompt on the management node.
   Alternatively, invoking the utility by entering ctlavbulk --help provides a list of options with abbreviated
   explanations.


Scheduling bulk scan on a defined scope
Periodic bulk scans can be scheduled by using the mktask command line utility on the management node
using the CtlAvBulk task name as one of the parameters. Tasks are run on a daily basis. The mktask
command supports additional customizable options, which are completely explained on the man page
available by entering man mktask from the management node CLI.




Creating a bulk scan task for a defined scope

  A new scheduled task for bulk scanning a defined scope can be created using the mktask command.

      mktask CtlAvBulk --hour N --minute N --parameter "scope(s)"

      •   hour N = hour of the day to start the scan (24-hour clock), that is, 10, 12, 15, 20

      •   minute N = minute of the hour to start the scan

      •   scope(s) = one or more scopes to bulk scan


      Example:

      •   Schedule a bulk scan for 2:30 a.m. every day on two CIFS exports:
          mktask CtlAvBulk --hour 2 --minute 30 --parameter "--export AV1,AV2"




Recommendations
Antivirus scanning, particularly bulk scanning of large files, can add significant load to several IBM Storwize
V7000 Unified system resources and can cause performance bottlenecks. The following recommendations
can help you minimize performance impact to the system.

    •   If on-access or bulk scans produce timeout errors, consider increasing the timeout value of scans by
        using the --timeout parameter of the cfgav command. It is not recommended to increase the
        timeout parameter beyond the CIFS client timeout value, because doing so can cause files to become
        inaccessible to the user.

    •   Avoid scanning expensive items (such as scanning inside of archive files or other containers) to
        avoid timeout issues.

    •   Depending on the scanning performance requirements, the number of interface nodes on which
        bulk scans are run can be configured using the --nodes option of the ctlavbulk command. If higher
        scanning performance is required, consider running scans on additional interface nodes. To
        reduce impact to other IBM Storwize V7000 Unified system resources, consider limiting the
        number of interface nodes on which bulk scans are run.

    •   It is recommended to carefully decide file types for scanning. Certain classes of large files are less
        likely to be prone to virus attacks. By de-configuring certain types of files using the
        --add-include|--rem-include|--set-include|--set-exclude options of the cfgav command, the overall
        antivirus scanning performance can be greatly improved.

    •   Similar consideration has to be given to decide scopes for scanning as some scopes might
        contain files that will not be accessed and they are not likely prone to the virus attacks.

    •   Ensure that the storage backend has adequate capacity for the client and scan traffic. On-access
        scans are less likely to add significant load to the storage backend because it is typically scanning
        data that has either just been written or is just about to be read by the client and therefore can
        take advantage of caching. Bulk scans on the other hand can add significant load to the storage
        backend.
    •   After updating the antivirus signature, it is recommended to scan all protected files during off-peak
        hours to minimize the impact of scanning during peak usage.

    •   Ensure that the network infrastructure, such as routers, switches, and network cards on both IBM
        Storwize V7000 Unified system and scan engines has adequate capacity. It is recommended to
        use 10 Gigabit Ethernet.

    •   When the management network and I/O network of the File Modules are configured on different
        network speeds and the management network is on a 1 GbE network, then move the
        management interface from ethX0 to the higher network speed ethX1 (10 GbE) using the
        command: chnwmgt --interface ethX1.

    •   It is recommended to use a minimum of two scan engines to gain the high-availability and
        load-balancing features for scanning.

    •   Ensure that scan nodes have adequate processor and disk performance.




    •   It is recommended to run a bulk scan after a migration, either by Hierarchical Storage Management
        (HSM) recall or data restoration from a backup server.

    •   While using multiple scan engines to support scanning of the IBM Storwize V7000 Unified system,
        consider the following factors:

            −   Configure the settings on each scan engine to be identical.

            −   Schedule an auto update of all Symantec scan engines to occur at the same time to
                ensure that virus definitions are identical.

            −   Configure virus scan functionality identically for each IBM Storwize V7000 Unified
                system that uses a particular scan engine to avoid inconsistency.




Summary
The ability to effectively protect shared file data against viruses and other malicious threats is an important
challenge for storage and security administrators who require a trusted and reliable antivirus solution. Not
only must the integrity of the data be constantly maintained, the solution must also be scalable to match
the continually expanding size and volume of data that is retained on a NAS system. The IBM Storwize
V7000 Unified system is designed to improve application availability and resource utilization. The system
offers easy-to-use, efficient, and cost-effective management capabilities for both new and existing storage
resources in your IT infrastructure, and thus addresses the new storage challenges posed by continuing
explosion of data. IBM has thoroughly tested the IBM Storwize V7000 Unified system with Symantec
AntiVirus for NAS confirming their interoperability and compatibility, and is committed to proactively
providing enterprise users with one of the best solutions that can serve to reduce time and mitigate risk
during planned implementations.

The technical content contained herein is intended only as a reference for those customers who wish to
use Symantec AntiVirus for NAS to protect their data on the IBM Storwize V7000 Unified system. It should
not be treated as a definitive implementation or solution document due to the unique configurations and
case-specific scenarios inherent in every customer’s unique environment. For solution-specific designs,
contact an IBM storage representative to arrange a discussion with an antivirus implementation specialist.




Resources
The following websites provide useful references to supplement the information contained in this paper:

        •   System Storage on IBM PartnerWorld®
            ibm.com/partnerworld/wps/pub/overview/B8S00

        •   IBM Publications Center
            www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi?CTY=US

        •   IBM Redbooks®
            ibm.com/redbooks

        •   IBM developerWorks®
            ibm.com/developerworks

        •   IBM Storwize V7000 Unified System documentation
            ibm.com/partnerworld/wps/pub/overview/HW26Z

        •   Symantec Resources

            −   Symantec AntiVirus for NAS
                http://www.symantec.com/business/antivirus-for-network-attached-storage

            −   Symantec AntiVirus for NAS Support Matrix
                http://www.symantec.com/business/support/index?page=content&id=TECH147442

            −   Symantec AntiVirus for NAS Getting Started Guide
                http://www.symantec.com/docs/DOC3402

            −   Symantec AntiVirus for NAS Integration Guide
                http://www.symantec.com/business/support/resources/sites/BUSINESS/content/live/TECHNICAL_SOLUTION/147000/TECH147442/en_US/SAV_for_NAS_5210.pdf

            −   Symantec AntiVirus for NAS Implementation Guide
                ftp://ftp.symantec.com/public/english_us_canada/products/symantec_antivirus/network_attached_storage/5.2/manuals/Implementation_Guide.pdf




About the author
Daniel T. Drinnon is a Network Systems Engineer in the IBM Systems and Technology ISV Enablement
group. He has more than 20 years of experience working with various enterprise-level storage and
systems technologies and infrastructures. You can reach Daniel at ddrinnon@us.ibm.com




Trademarks and special notices
© Copyright IBM Corporation 2011. All rights Reserved.
References in this document to IBM products or services do not imply that IBM intends to make them
available in every country.

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business
Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked
terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these
symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information
was published. Such trademarks may also be registered or common law trademarks in other countries. A
current list of IBM trademarks is available on the Web at "Copyright and trademark information" at
www.ibm.com/legal/copytrade.shtml.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or
its affiliates.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the
United States, other countries, or both.

Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States,
other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

SET and the SET Logo are trademarks owned by SET Secure Electronic Transaction LLC.

Other company, product, or service names may be trademarks or service marks of others.

Information is provided "AS IS" without warranty of any kind.

All customer examples described are presented as illustrations of how those customers have used IBM
products and the results they may have achieved. Actual environmental costs and performance
characteristics may vary by customer.

Information concerning non-IBM products was obtained from a supplier of these products, published
announcement material, or other publicly available sources and does not constitute an endorsement of
such products by IBM. Sources for non-IBM list prices and performance numbers are taken from publicly
available information, including vendor announcements and vendor worldwide homepages. IBM has not
tested these products and cannot confirm the accuracy of performance, capability, or any other claims
related to non-IBM products. Questions on the capability of non-IBM products should be addressed to the
supplier of those products.
All statements regarding IBM future direction and intent are subject to change or withdrawal without notice,
and represent goals and objectives only. Contact your local IBM office or IBM authorized reseller for the
full text of the specific Statement of Direction.
Some information addresses anticipated future capabilities. Such information is not intended as a definitive
statement of a commitment to specific levels of performance, function or delivery schedules with respect to
any future products. Such commitments are only made in IBM product announcements. The information is
presented here to communicate IBM's current investment and development activities as a good faith effort
to help with our customers' future planning.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled
environment. The actual throughput or performance that any user will experience will vary depending upon
considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the
storage configuration, and the workload processed. Therefore, no assurance can be given that an
individual user will achieve throughput or performance improvements equivalent to the ratios stated here.

Photographs shown are of engineering prototypes. Changes may be incorporated in production models.

Any references in this information to non-IBM websites are provided for convenience only and do not in
any manner serve as an endorsement of those websites. The materials at those websites are not part of
the materials for this IBM product and use of those websites is at your own risk.




                 Protecting the IBM Storwize V7000 Unified system with Symantec AntiVirus for NAS

                                                       40

Protecting the IBM Storwize V7000 Unified system with Symantec AntiVirus for NAS: A reference guide for storage and security administrators

Abstract

With today’s continuing explosive growth in data comes the need to store that data without compromising its integrity to the threats that might exist in an enterprise network environment. The IBM Storwize V7000 Unified system has been qualified for interoperability with the leading antivirus scan engines, such as Symantec AntiVirus for Network Attached Storage (NAS) and McAfee VirusScan Enterprise for Storage.

This technical paper describes the IBM Storwize V7000 Unified system integration with Symantec AntiVirus for NAS and gives guidelines for using the IBM Storwize V7000 Unified system with Symantec AntiVirus for NAS to protect the overall system and prevent security threats caused by malware.
Executive overview

The IBM® Storwize® V7000 Unified system includes the IBM Storwize V7000 File Module and the IBM Storwize V7000 Storage system, designed to support both file and block protocols. Figure 1 shows a pictorial representation of the IBM Storwize V7000 Unified system.

The File Module is a clustered system comprised of two units that provide file systems for use by network-attached storage. The File Module uses the Storwize V7000 Storage system to provide the File Module with volumes. Volumes are also provided on the SAN.

The Storwize V7000 Storage system consists of a drive enclosure called the Control Enclosure. Both regular and solid-state drives (SSDs) are supported. The Control Enclosure contains disk drives and two Node Canisters that are managed as a single clustered system. Expansion Enclosures contain drives and are attached to the Control Enclosure. Expansion Canisters include the serial-attached SCSI (SAS) interface hardware that enables the node hardware to use the drives of the Expansion Enclosures.

Figure 1: IBM Storwize V7000 Unified system

The IBM Storwize V7000 File Module software within the IBM Storwize V7000 Unified system contains the Management Node, Storage Node, and Interface Node functions. A Management Node is used for configuring, administering, and monitoring the system. A Storage Node connects the File Modules to the Storwize V7000 Storage system Control Enclosure.
An Interface Node connects the system to an Internet Protocol (IP) network using the following protocols:
• Common Internet File System (CIFS)
• Network File System (NFS)
• File Transfer Protocol (FTP)
• Hypertext Transfer Protocol Secure (HTTPS)
• Secure Copy Protocol (SCP)

The IBM Storwize V7000 Unified system also supports the following block functions for the host systems that attach to the Storwize V7000 Unified system. This system:
• Creates a single pool of storage
• Provides logical unit virtualization
• Manages logical volumes
• Mirrors logical volumes
• Provides large scalable cache
• Supports Copy Services
  − IBM Tivoli® Storage FlashCopy® Manager (point-in-time copy) function, including thin-provisioned FlashCopy to make multiple targets affordable
  − Metro Mirror (synchronous copy)
  − Global Mirror (asynchronous copy)
  − Data migration
• Allows space management
  − IBM System Storage® Easy Tier™ to migrate the most frequently used data to higher performing storage
  − Metering of service quality when combined with IBM Tivoli Storage Productivity Center
  − Thin-provisioned logical volumes

The IBM Storwize V7000 Unified system provides an ability to manage block and file storage through one single management graphical user interface (GUI) or command line interface (CLI).

The IBM Storwize V7000 Unified system is designed to serve a large number of users connecting to it using a variety of file-based protocols, such as Network File System (NFS) or Common Internet File System (CIFS). The data created or accessed using these protocols is vulnerable to the potential threats of viruses, worms, Trojan horses, and other forms of malware. Computer viruses mostly target Microsoft® operating systems; however, computers running other operating systems can be directly or indirectly affected by viruses.

The IBM Storwize V7000 Unified system, when integrated with Symantec AntiVirus for NAS, provides a comprehensive solution to protect all the file data stored on the IBM Storwize V7000 Unified system.
IBM Storwize V7000 Unified system Antivirus Connector – an overview

The IBM Storwize V7000 Unified system Antivirus Connector is a part of the Storwize V7000 Unified System File Module management software, which communicates with enterprise antivirus vendor scan engines using Internet Content Adaptation Protocol (ICAP).

There are two approaches for virus scanning:

• On-access scan – It scans all the specified files on IBM Storwize V7000 Unified system File Modules when accessed or created. This method has the benefit of ensuring that the files are scanned with the latest antivirus signatures before being accessed. This approach is more effective at detecting viruses before they are able to compromise data, and it does not generate heavy network traffic between the IBM Storwize V7000 Unified system File Modules and the Symantec AntiVirus for NAS Scan Engine. This approach is ideal for customers using Microsoft Windows® clients and CIFS file I/O.
• Bulk scan – This allows scanning of all the specified files on a file system or a part of the file system. This is typically performed at the schedule defined on the IBM Storwize V7000 Unified system. The disadvantage in using this method is that the files recently updated might not be scanned before being used. Bulk scans can generate heavy network traffic between the IBM Storwize V7000 Unified system File Modules and Symantec AntiVirus for NAS Scan Engines and can generate heavy load on a storage system. Also, the bulk scan can take significant time to complete, depending on the number of files to be scanned. Storage administrators are likely to use the bulk scan to protect non-CIFS files (for example, NFS), which are less prone to virus attacks.

The IBM Storwize V7000 Unified system Antivirus Connector provides enterprise antivirus vendors, such as Symantec AntiVirus for NAS, more complete integration and overall control of antivirus implementations by deciding strategies suitable for the customer environment. The IBM Storwize V7000 Unified system Antivirus Connector communicates with the Symantec AntiVirus for NAS Scan Engine using ICAP.

The IBM Storwize V7000 Unified system can be configured with multiple Symantec AntiVirus for NAS Scan Engines to achieve load balancing and to distribute the workload. The IBM Storwize V7000 Unified system File Modules select a scan engine from the pool of scan engines at scan time. If a scan engine is not reachable from the File Modules, it is temporarily removed from the pool and the File Modules select a different scan engine from the pool of available scan engines. The File Modules periodically attempt to reinstate the removed scan engine into the pool.

Figure 2 describes the workflow of an on-access scan session for a single file. When a user accesses a file from the IBM Storwize V7000 Unified system File Modules over the network, the system initiates the scan of the file in real time and opens a connection with the Symantec AntiVirus for NAS Scan Engine. The IBM Storwize V7000 Unified system then passes the file to the Symantec AntiVirus for NAS Scan Engine for scanning. The Symantec AntiVirus for NAS Scan Engine indicates the scanning results to the IBM Storwize V7000 Unified system after the file is scanned. If the file is infected, the Symantec AntiVirus for NAS Scan Engine tries to repair the file and sends the repaired file to the IBM Storwize V7000 Unified system. The IBM Storwize V7000 Unified system receives the scan results. If the file is infected and can be cleaned, the infected file is replaced on the IBM Storwize V7000 Unified system with the repaired file received from the Symantec AntiVirus for NAS Scan Engine. Only the repaired file is passed to the requesting user.
If a virus is detected and the file cannot be repaired, the IBM Storwize V7000 Unified system can be configured to quarantine or delete the non-repairable file, and the user is notified with a "permission denied" type of error message.

Figure 2: Workflow of on-access scanning of a file from the IBM Storwize V7000 Unified system using Symantec AntiVirus for NAS

The IBM Storwize V7000 Unified system Antivirus Connector also caches antivirus scan information for each file as extended attributes, saving the timestamps of the last scan in addition to the antivirus definition file, to determine whether the file must be scanned or rescanned. This way, a repeat scan might be avoided if another user tries to access the same file later but the antivirus definitions have not changed. When new antivirus definitions are received and updated, each file is rescanned before it is made available to the user requesting access.

Bulk scans might be configured to proactively rescan files periodically (for example, every day) during off-peak hours when accesses are minimal, to prevent any potential performance impacts on the IBM Storwize V7000 Unified system or the Symantec AntiVirus for NAS Scan Engines in the pool.
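The scan-engine pool behavior and the per-file scan cache described above can be modeled together in a short Python sketch. This is an added example, not IBM or Symantec code. The class names, the 60-second reinstatement interval, the single definitions version shared by all engines, the rule that a write after the last scan forces a rescan, and denying access when no engine is reachable are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for infected content; not real malware signatures.
REPAIRABLE = b"<<SAMPLE-REPAIRABLE>>"
UNREPAIRABLE = b"<<SAMPLE-UNREPAIRABLE>>"

@dataclass
class ScanEngine:
    name: str
    reachable: bool = True
    scans: int = 0

    def scan(self, data):
        """Stand-in for the ICAP round trip; returns (verdict, data)."""
        if not self.reachable:
            raise ConnectionError(self.name)
        self.scans += 1
        if UNREPAIRABLE in data:
            return "unrepairable", None
        if REPAIRABLE in data:
            return "repaired", data.replace(REPAIRABLE, b"")
        return "clean", data

class EnginePool:
    def __init__(self, engines, clock, definitions="defs-1", retry_after=60):
        self.engines, self.clock = list(engines), clock
        self.definitions = definitions  # assumed: one version on all engines
        self.retry_after = retry_after  # hypothetical reinstatement interval
        self.removed = {}               # engine name -> time it was removed
        self._next = 0

    def scan(self, data):
        now = self.clock()
        for name, since in list(self.removed.items()):
            if now - since >= self.retry_after:
                del self.removed[name]  # periodic reinstatement attempt
        for _ in range(len(self.engines)):
            engine = self.engines[self._next % len(self.engines)]
            self._next += 1
            if engine.name in self.removed:
                continue
            try:
                return engine.scan(data)
            except ConnectionError:
                self.removed[engine.name] = now  # temporary removal
        # Assumption: with no engine reachable, deny access (fail closed).
        raise PermissionError("no scan engine reachable")

@dataclass
class StoredFile:
    data: bytes
    mtime: float = 0.0
    xattr: dict = field(default_factory=dict)  # models extended attributes
    quarantined: bool = False

class AntivirusConnector:
    def __init__(self, pool):
        self.pool = pool

    def needs_scan(self, f):
        rec = f.xattr.get("av")
        return (rec is None
                or rec["definitions"] != self.pool.definitions
                or f.mtime > rec["scanned_at"])  # assumed: writes invalidate

    def open(self, f):
        if f.quarantined:
            raise PermissionError("file is quarantined")
        if self.needs_scan(f):
            verdict, repaired = self.pool.scan(f.data)
            now = self.pool.clock()
            if verdict == "unrepairable":
                f.quarantined = True
                raise PermissionError("infected file could not be repaired")
            if verdict == "repaired":
                f.data, f.mtime = repaired, now  # replace with repaired copy
            f.xattr["av"] = {"scanned_at": now,
                             "definitions": self.pool.definitions}
        return f.data

def run_demo():
    now = [0.0]  # fake clock so the example runs instantly
    a, b = ScanEngine("engine-a"), ScanEngine("engine-b", reachable=False)
    pool = EnginePool([a, b], lambda: now[0])
    av = AntivirusConnector(pool)
    doc = StoredFile(b"report" + REPAIRABLE)  # constructed sample file
    seen = {"first_open": av.open(doc)}       # scanned once and repaired
    av.open(doc)                              # same definitions: cache hit
    seen["scans_cached"] = a.scans + b.scans
    pool.definitions = "defs-2"               # new definitions force a rescan
    av.open(doc)                              # engine-b fails, engine-a serves
    seen["removed"] = sorted(pool.removed)
    b.reachable, now[0] = True, 61.0          # engine-b recovers, time passes
    pool.definitions = "defs-3"
    av.open(doc)
    seen["engine_b_scans"] = b.scans          # reinstated engine took the scan
    return seen

if __name__ == "__main__":
    print(run_demo())
```

The cache record is only written after a verdict comes back, so a failed or denied scan never leaves a file marked as checked.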
Symantec AntiVirus for NAS – an overview

Symantec AntiVirus for NAS provides remote scanning of the IBM Storwize V7000 Unified system using ICAP. The Symantec AntiVirus for NAS Scan Engine scans the files received from the IBM Storwize V7000 Unified system and provides real-time protection for the massive amount of critical information that is being stored and accessed by the IBM Storwize V7000 Unified system File Modules users.

The Symantec AntiVirus for NAS Scan Engine detects the virus infected files that are being accessed, read, or copied to and from the IBM Storwize V7000 Unified system File Modules. After detecting an infection in the file, it automatically cleans the file and provides the repaired file to the IBM Storwize V7000 Unified system File Modules.

Symantec AntiVirus for NAS provides the following features:
• Advanced anti-virus technology: Symantec’s award winning antivirus technology continuously blocks a wide range of viruses and malicious code threats, including those hidden in compressed files.
• Detection of unwanted programs: It finds the unwanted hidden spyware programs that open security holes.
• Centralized management: Entire Symantec security system can be managed using Symantec’s central management system, reducing overall cost and providing ease of management.
• Continuous protection: On-access scanning provides real time protection to the data on the IBM Storwize V7000 Unified system File Modules when the files are accessed or written to the IBM Storwize V7000 Unified system File Modules unlike traditional on-demand scans.
• Cost effectiveness: It supports connection to more than one IBM Storwize V7000 Unified system File Modules.
• Rapid notification: Whenever a virus is detected, notification can be sent to the configured recipients. This enables recipients to react instantly to any possible virus outbreak.
  • 9. Minimum system requirements
    A combination of Windows, Linux®, and Solaris platforms are supported as scan engines which scan the files located on the IBM Storwize V7000 Unified system. Depending on the volume of the data being scanned and the requirements for accessibility, multiple scan engines can be deployed as needed.
    IBM Storwize V7000 Unified system
    Software:
    • File Modules version 1.3.0.0 or higher
    Symantec AntiVirus for NAS
    Software:
    • Version 5.2 or higher and licenses
    Supported operating systems:
    • Red Hat Enterprise Linux 5.x (32-bit and 64-bit)
    • Red Hat Linux Advanced Server 3 and 4 (32-bit)
    • Red Hat Linux Enterprise Server 3 and 4 (32-bit)
    • Solaris (SPARC) 9 and 10 (32-bit)
    • SUSE Linux Enterprise Server 9 and 10 (32-bit)
    • Windows 2000 Server with the latest service pack
    • Windows Server 2003 (32-bit and 64-bit), R2 (32-bit)
    • Windows Server 2008 (32-bit and 64-bit), R2 (64-bit)
    Processor:
    • 2.4 GHz Intel® Pentium 4 or 1 GHz SPARC
    Memory:
    • 1 GB of RAM
    Disk space:
    • 500 MB hard disk space available
    Additional hardware:
    • One network interface card (NIC) running TCP/IP with a static IP address
    • Internet connection to update definitions
    • 100 Mbps Ethernet link (1 Gbps or faster recommended)
  • 10. Planning for integration of IBM Storwize V7000 Unified system with Symantec AntiVirus for NAS
    Planning is one of the most important areas of consideration before beginning to configure the IBM Storwize V7000 Unified system with Symantec AntiVirus for NAS. It is important that the security team and the IBM Storwize V7000 Unified system administrator work together to anticipate the scopes and type of files for which scanning is required, as well as the number of files to scan and the number of Symantec AntiVirus for NAS Scan Engines that are required. The administrator can define policies or settings for handling infected files when detected. The following factors need to be carefully considered during the planning.
    Numbers of Symantec AntiVirus for NAS Scan Engines:
    Antivirus scanning on the IBM Storwize V7000 Unified system File Modules requires a minimum of one scan engine configured with Symantec AntiVirus for NAS. However, in order to take full benefit of the load balancing and high availability features of the IBM Storwize V7000 Unified system, a minimum of two scan engines are recommended. The IBM Storwize V7000 Unified system Antivirus Connector automatically performs load balancing to make sure that the workload is evenly distributed across the scan engines. When a scan engine becomes unavailable, the workload is directed to the remaining operational scan engines.
    Additional considerations listed below affect the number of scan engines which may be required:
    • Total number of files stored on the IBM Storwize V7000 Unified system File Modules which require scanning
      − Large numbers of files can be scanned by multiple scan engines using the IBM Storwize V7000 Unified system Antivirus Connector load balancing feature.
    • Host processor speed and RAM configuration
      − Fewer scan engines might be needed if the processor speed is faster and more RAM is present on each scan engine.
    • Network speed
      − Faster network speeds allow for reduced time in transferring larger files to the scan engine for scanning.
    Type of scopes to scan:
    In the IBM Storwize V7000 Unified system, antivirus configuration options are defined with scopes. A scope is a subtree of file namespace, identified by the path to the root of the subtree. All file accesses within that subtree share a set of antivirus settings. You can configure the following four types of scope for antivirus scanning in the IBM Storwize V7000 Unified system.
    • File systems
    • File sets
    • Path
    • Exported shares
  • 11. Not all scopes are required to be configured for scanning as certain file sets, paths, or file systems are either static in nature, or are not shared with any users. The administrator needs to ensure that all scopes that might be vulnerable to potential threats are included in their defined scanning strategy.
    Types of files to scan:
    In the IBM Storwize V7000 Unified system, the administrator can define the files or the file types that are to be scanned. The administrator can control and decide whether to scan files by exclusion list or inclusion list, or whether to scan all the files regardless of extensions. The IBM Storwize V7000 Unified system Antivirus Connector can be set to scan all scopes, specifying which extensions are to be included in or excluded from a scan. The exclusion list specifies the extensions of the files to be excluded because they are not likely to contain viruses. The inclusion / exclusion list defines the following behavior:
    • If the include list is empty or not defined, default is that all extensions are included in the scan.
      − The exclusion list is created to exclude files with specific file extensions from scanning.
    • If an extension is in the include list, only files with that extension are scanned.
    • If an extension is in the include list as well as the exclude list, files with that extension are not scanned.
    Careful planning is required to create the include / exclude lists because they play an important role in improving the performance of the scan process: not all file extensions need to be scanned, due to the nature of the files and file types, which are unlikely to have viruses.
    File processing strategy
    It is important to plan for the action that needs to be taken in case an unrecoverable virus file is identified. The IBM Storwize V7000 Unified system provides the option to quarantine or delete the infected, unrecoverable file. For this, an optional parameter can be set to quarantine or delete the file at the defined scope. Optionally, the path by which the file was opened for the current scan can be moved to a subdirectory created for that purpose. Only the IBM Storwize V7000 Unified system or the security administrator will have access to that subdirectory and can take appropriate action to manually delete the unrecoverable virus files. If no strategy is defined, the user is denied access to the file.
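The scan-cache rule from the Antivirus Connector overview and the scope, include / exclude and file-processing rules above can be checked against a planned configuration with a small model. This is an added example, not code from IBM or Symantec; the class and function names, the sample paths, nested-scope precedence, case-insensitive extensions and the "modified since last scan" check are assumptions.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional


@dataclass(frozen=True)
class Scope:
    """Antivirus settings shared by every file under `root` (a namespace subtree)."""
    root: str
    include: frozenset = frozenset()   # empty means "all extensions"
    exclude: frozenset = frozenset()
    on_infected: Optional[str] = None  # "quarantine", "delete", or None (no strategy)


@dataclass(frozen=True)
class ScanRecord:
    """What the guide says is cached per file: last scan time and definitions used."""
    scanned_at: float
    definitions: str


def find_scope(scopes, path):
    """Return the deepest scope whose root is the path or one of its ancestors.

    Matching whole path components keeps /ibm/gpfs01 out of a /ibm/gpfs0 scope.
    Assumption: when scopes nest, the most specific one applies.
    """
    target = PurePosixPath(path)
    best = None
    for scope in scopes:
        root = PurePosixPath(scope.root)
        if target == root or root in target.parents:
            if best is None or len(root.parts) > len(PurePosixPath(best.root).parts):
                best = scope
    return best


def extension_selected(scope, path):
    """Apply the include / exclude rules (assumption: case-insensitive extensions)."""
    ext = PurePosixPath(path).suffix.lstrip(".").lower()
    if ext in scope.exclude:           # exclude wins, even if also included
        return False
    if scope.include:                  # non-empty include list: only listed extensions
        return ext in scope.include
    return True                        # empty include list: everything not excluded


def scan_decision(scopes, path, mtime, record, current_definitions):
    """Return (scan_needed, reason) for one file access."""
    scope = find_scope(scopes, path)
    if scope is None:
        return (False, "outside every configured scope")
    if not extension_selected(scope, path):
        return (False, "extension not selected")
    if record is None:
        return (True, "never scanned")
    if record.definitions != current_definitions:
        return (True, "definitions changed")
    if mtime > record.scanned_at:      # assumption: a later write invalidates the cache
        return (True, "modified since last scan")
    return (False, "cached result still valid")


def unrepairable_outcome(scope):
    """(action on the file, result seen by the user) for a non-repairable infection."""
    return (scope.on_infected or "no action", "permission denied")


# Constructed sample configuration; paths are illustrative only.
SCOPES = [
    Scope("/ibm/gpfs0"),
    Scope("/ibm/gpfs0/eng",
          include=frozenset({"exe", "dll", "xlsx"}),
          exclude=frozenset({"dll"}),
          on_infected="quarantine"),
]

if __name__ == "__main__":
    cached = ScanRecord(scanned_at=200.0, definitions="defs-A")
    for path, mtime, record in [
        ("/ibm/gpfs0/eng/setup.EXE", 100.0, None),
        ("/ibm/gpfs0/eng/lib.dll", 100.0, None),
        ("/ibm/gpfs0/eng/README", 100.0, None),
        ("/ibm/gpfs0/home/notes.txt", 100.0, cached),
        ("/ibm/gpfs01/other.exe", 100.0, None),
    ]:
        print(path, scan_decision(SCOPES, path, mtime, record, "defs-A"))
```

Under these rules a non-empty include list also skips files that have no extension, which is worth checking against the intended coverage before relying on an include list alone.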
  • 12. Integration of IBM Storwize V7000 Unified system with Symantec AntiVirus for NAS
    The scanning process requires two components: the IBM Storwize V7000 Unified system Antivirus Connector and the external antivirus scan engines running Symantec AntiVirus for NAS. Depending on the workload determined during the planning stage, multiple scan engines might need to be installed and configured to the IBM Storwize V7000 Unified system. The minimum software and hardware requirements are documented in the “Minimum system requirements” section of this guide.
    The IBM Storwize V7000 Unified system Antivirus Connector communicates with Symantec AntiVirus for NAS using the industry-standard ICAP protocol. Remote scanning is performed through the ICAP protocol when a user requests access to a file residing on an IBM Storwize V7000 Unified system.
    Integrating the IBM Storwize V7000 Unified system with a Symantec AntiVirus for NAS Scan Engine begins with the installation of Symantec AntiVirus for NAS on the identified servers, followed by configuring both the IBM Storwize V7000 Unified system Antivirus Connector and the Symantec AntiVirus for NAS Scan Engine.
    Installing Symantec AntiVirus for NAS
    The installation package for Symantec AntiVirus for NAS is available as an ISO image which contains Microsoft Windows and Linux versions of the scan engine client, or as individual Windows and Linux ZIP file packages. Installation of the Symantec AntiVirus for NAS Scan Engine can be performed locally at each individual server or remotely, depending on the level of server security implemented. The following instructions assume that the installer has remote access to the identified Symantec AntiVirus for NAS Scan Engine hardware and uses the individual ZIP file packages downloaded from the Symantec website at: http://www.symantec.com/business/antivirus-for-network-attached-storage
    Installing Symantec AntiVirus for NAS (Windows)
    Perform the following steps to install Symantec AntiVirus for NAS (Windows).
    1. Copy SymantecAntiVirus_NAS_5.2.x_Win32_IN.zip to a Windows server which has been identified to function as a Symantec AntiVirus for NAS Scan Engine and extract the ZIP file to a temporary directory.
       Figure 3: Unzipping the ZIP package in a temporary directory
  • 13. 2. Verify that a 32-bit Java™ runtime environment (JRE) is installed on the system.
       Figure 4: Checking the JRE version
       If a 32-bit JRE is not installed on the system, change directory to Tools\Java\Win32 and install a copy of the Java 6 runtime environment included with the Symantec AntiVirus for NAS ZIP package.
       Figure 5: Installing a copy of the JRE
    3. Start the Symantec AntiVirus for NAS installer by entering cdstart.
       Figure 6: Starting the Symantec AntiVirus for NAS CD menu
    4. Click Install Symantec AntiVirus(TM) 5.2 for NAS.
       Figure 7: Menu option to install Symantec AntiVirus for NAS
  • 14. 5. Click Next to continue the installation.
       Figure 8: Symantec AntiVirus for NAS InstallShield Wizard
    6. Accept the terms of the license agreement and click Next to continue.
       Figure 9: Symantec AntiVirus for NAS software license agreement
    7. Select a folder to install the Symantec AntiVirus for NAS Scan Engine software, or click Next to continue and use the default folder:
  • 15. Figure 10: Selecting an installation folder
    8. Enter a password which will be used to access the Symantec AntiVirus for NAS Scan Engine user interface, and click Next to continue.
       Figure 11: Specifying a password for the administrative interface
  • 16. 9. Select the URL filtering and definition downloads (if necessary), and click Next to continue.
       Figure 12: Selecting URL filtering and URL definition downloading
    10. If satisfied with the previous choices of configuration options, click Install to begin installation.
       Figure 13: Symantec AntiVirus for NAS Scan Engine installation confirmation
  • 17. 11. Click Finish to complete the installation and return to Windows.
       Figure 14: Symantec AntiVirus for NAS Scan Engine installation completed
  • 18. Installing Symantec AntiVirus for NAS (Linux)
    Perform the following steps to install Symantec AntiVirus for NAS (Linux).
    1. Copy SymantecAntiVirus_NAS_5.2.x_Linux_IN.zip to a Linux server that has been identified to function as a Symantec AntiVirus for NAS Scan Engine, and extract the ZIP file into a temporary directory.
       Figure 15: Unzipping the ZIP package in a temporary directory
    2. At the command prompt, enter rpm -qa | grep sharutils to verify that the sharutils package (sharutils-4.6.1-2.i386.rpm) is installed on the system.
       Figure 16: Checking for installation of the sharutils package
       If the query does not return any output, download a copy of sharutils-4.6.1-2.i386.rpm and install it by entering rpm -ivh sharutils-4.6.1-2.i386.rpm at the prompt.
       Figure 17: Installing the sharutils package
    3. Enter rpm -qa | grep jre at the prompt to verify that the Java runtime environment is installed on the system.
       Figure 18: Checking for installation of the JRE
       If the query does not return any output, change directory to SAV_NAS/Tools/Java/RedHat and install a copy of the Java 6 runtime environment included with the Symantec AntiVirus for NAS ZIP package by entering ./jre-6u21-linux-i586-rpm.bin at the command prompt.
       Figure 19: Installing a copy of the JRE
  • 19. 4. After sharutils and the JRE are available on the system, change directory to SAV_NAS/Scan_Engine/RedHat and enter ./ScanEngine.sh to begin installing the Symantec AntiVirus for NAS Scan Engine.
       Figure 20: Launching the Symantec AntiVirus for NAS Scan Engine installation script
    5. Read and agree to the license terms by typing y when prompted and press Enter.
       Figure 21: Symantec AntiVirus for NAS Scan Engine license agreement
    6. Accept the default installation directory by pressing Enter when prompted or type in a complete path name if another location is required.
       Figure 22: Selecting an installation directory
    7. Type y and press Enter to run the Symantec AntiVirus for NAS Scan Engine as root, or type n and enter a different username.
       Figure 23: Selecting a user name for the Symantec AntiVirus for NAS Scan Engine
    8. Press Enter to select 8004 as the default port used to access the Symantec AntiVirus for NAS Scan Engine from a web browser or enter a desired port number.
       Figure 24: Selecting an administrator web interface port
    9. Press Enter to select 8005 as the default secure sockets layer (SSL) port used to access the Symantec AntiVirus for NAS Scan Engine from a web browser or enter a desired SSL port number.
       Figure 25: Selecting an administrator SSL port
  • 20. 10. Enter a password which will be used to access the Symantec AntiVirus for NAS Scan Engine interface and confirm it (Note: the password will not appear on the screen):
       Figure 26: Specifying a password for the administrative interface
    11. Press Enter if you do not wish to enable URL filtering.
       Figure 27: Selecting URL filtering and URL definition downloading
    12. The Symantec AntiVirus for NAS Scan Engine will start automatically at the end of a successful installation. If any problems are encountered during the installation, refer to the /var/log/SYMCScan-install.log log file for additional information.
       Figure 28: Symantec AntiVirus for NAS Scan Engine installation completed
    Configuring Symantec AntiVirus for NAS
    Configuring the Symantec AntiVirus for NAS Scan Engine is the same across all client platforms, and therefore, the following directions apply to both Windows and Linux:
    1. Using a supported web browser, open a connection to the newly-installed Symantec AntiVirus for NAS Scan Engine and log in with the password specified during the installation process.
  • 21. Figure 29: Symantec AntiVirus for NAS Scan Engine administrative login screen
    2. Under the Tasks subsection, click Install License.
       Figure 30: Tasks subsection for license installation
    3. Enter the full path and file name to the license file provided by Symantec and then click Install.
       Figure 31: Symantec AntiVirus for NAS Scan Engine license installation
  • 22. 4. Click the Configuration icon in the left navigation bar and ensure that Protocol is selected under the Views subsection.
       Figure 32: Configuration subsection for protocol configuration
    5. Under ICAP configuration, select the Select check box for the IP address to the Symantec AntiVirus for NAS Scan Engine. In addition, select a scan policy suitable for the environment.
       Figure 33: Configuring ICAP and specifying a scan policy
       Be sure to click Apply at the upper-left section of the action bar to ensure that all changes for this page have been saved and applied.
       Figure 34: Apply icon
    6. Click the Policies icon in the left navigation bar and ensure that Scanning is selected under the Views subsection.
       Figure 35: Policies subsection for configuring scanning options
    7. Antivirus Scanning is set to Medium by default, but if maximum detection sensitivity is needed, set this option to High.
       Figure 36: Selecting a virus scanning level
  • 23. The Symantec AntiVirus for NAS Scan Engine is now ready for use with the IBM Storwize V7000 Unified system. For more information regarding additional options and behaviors that can be customized to individual organizational requirements, refer to the Symantec AntiVirus for NAS Implementation Guide, for which the link is provided in the “Resources” section of this guide.
    Configuring the IBM Storwize V7000 Unified system Antivirus Connector
    The IBM Storwize V7000 Unified system GUI or CLI can be used for configuring and displaying the IBM Storwize V7000 Unified system antivirus parameters. It is configured using the GUI or the cfgav CLI utility, which is accessed from the management node. This utility controls the scan behavior when files are accessed by a client as well as during bulk scan requests. The IBM Storwize V7000 Unified system antivirus configuration can be changed dynamically and it does not require shutdown or restart of the antivirus service.
    Before using the IBM Storwize V7000 Unified system Antivirus Connector to control the scanning behavior, it must be configured with a pool of Symantec AntiVirus for NAS Scan Engines. Next, you need to define scopes to the IBM Storwize V7000 Unified system Antivirus Connector along with a set of scan options specific to each scope. A scope can be an entire file system, specific paths on a file system, a CIFS export, or a file set.
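Before a scan engine is registered in the connector's pool, its ICAP service can be checked from an administration host with an ICAP OPTIONS request (RFC 3507) on the ICAP port. The sketch below is an added example, not part of the IBM or Symantec tooling; the service path AVSCAN is a placeholder assumption, the function names are hypothetical, and the sample response is constructed.

```python
import socket

ICAP_PORT = 1344        # Symantec default ICAP port named in this guide
SERVICE = "AVSCAN"      # assumption: placeholder service path; use the one your engine documents


def build_options_request(host, port=ICAP_PORT, service=SERVICE):
    """ICAP OPTIONS request: asks the service which methods and limits it offers."""
    return (
        f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_icap_response(raw):
    """Return (status_code, reason, headers) from the head of an ICAP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    version, _, rest = lines[0].partition(" ")
    code, _, reason = rest.partition(" ")
    if not version.startswith("ICAP/") or not code.isdigit():
        raise ValueError(f"not an ICAP response: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(code), reason, headers


def summarize(raw):
    """Reduce an OPTIONS response to the fields worth comparing across the pool."""
    status, _reason, headers = parse_icap_response(raw)
    methods = sorted(m.strip().upper()
                     for m in headers.get("methods", "").split(",") if m.strip())
    max_conn = headers.get("max-connections", "")
    return {
        "ok": status == 200,
        "status": status,
        "methods": methods,
        "istag": headers.get("istag", "").strip('"'),
        "max_connections": int(max_conn) if max_conn.isdigit() else None,
    }


def probe_engine(host, port=ICAP_PORT, timeout=5.0):
    """Send OPTIONS to one scan engine; returns a summary or an error entry."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_options_request(host, port))
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
        return summarize(raw)
    except (OSError, ValueError) as exc:   # refused, timed out, or not ICAP
        return {"ok": False, "error": str(exc)}


def failed_engines(results):
    """Hosts whose probe did not return ICAP 200; `results` maps host -> summary."""
    return sorted(host for host, result in results.items() if not result.get("ok"))


# Constructed sample response, used so the parsing can be exercised offline.
SAMPLE_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: RESPMOD\r\n"
    b'ISTag: "constructed-tag-001"\r\n'
    b"Max-Connections: 128\r\n"
    b"Options-TTL: 3600\r\n"
    b"Encapsulated: null-body=0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(summarize(SAMPLE_RESPONSE))
    # Against real engines: results = {h: probe_engine(h) for h in engine_addresses}
```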
  • 24. IBM Storwize V7000 Unified system antivirus configuration using GUI
    Perform the following steps to configure Storwize V7000 Unified system antivirus using the GUI.
    1. Log in to the IBM Storwize V7000 Unified system GUI using https://<Address>:1081/gui
    2. Move the cursor to the File icon on the left-hand side and click Services to start the antivirus configuration.
       Figure 37: IBM Storwize V7000 Unified system file services administration
    3. Select the Antivirus service and click Configure to start the antivirus configuration.
       Figure 38: Antivirus configuration selection
  • 25. 4. In the Configure page, select symantec as the Protocol from the list, enter the IP address of the scan node where Symantec AntiVirus for NAS has been installed, and select the port for ICAP communication (default port is 1344). Click the plus (+) sign to add another scan node. After adding all the scan nodes, set the global timeout in seconds or leave it as default. Click OK to configure.
       Figure 39: Symantec scan node configuration
    5. The antivirus scanner configuration summary is displayed. After verifying the summary, click Close to complete the Symantec scan node configuration.
       Figure 40: Antivirus scan node configuration summary
  • 26. 6. After completing the scan node configuration, click New Antivirus Definition to add new scopes for scanning.
       Figure 41: Configuring new antivirus definition
    7. In the New Antivirus Definition page, enter the path that needs to be enabled for the scan. Select the Enable Antivirus Definition check box. In case on-write scanning needs to be enabled, select the Scan files on close if file changed (write operation performed) check box. From the Action to take for infected files list, select one of the options (No action, Delete, or Quarantine) to handle the behavior of infected files. Additionally, you can specify the include / exclude options to limit the scope of scanning to the files with specified extensions. In case the files with all the extensions need to be scanned, select Scan all files. After all the required settings are configured, click OK to continue.
  • 27. Figure 42: New Antivirus Definition configuration
    8. A summary page shows the saved antivirus definition. After verifying the saved configuration, click Close to complete the wizard.
       Figure 43: New antivirus definition configuration summary
  • 28. All the scopes will be displayed in the Services page of the Antivirus service.
    Figure 44: Configured antivirus definition summary
    IBM Storwize V7000 Unified system antivirus configuration using CLI
    Log in to the IBM Storwize V7000 Unified system File Modules command line interface.
    Defining scan engine pool
    At least one scan engine must be registered in order to provide virus scanning for each IBM Storwize V7000 Unified system. However, it is recommended to configure a minimum of two scan engines in a scan engine pool to make use of the load-balancing facility that the IBM Storwize V7000 Unified system provides for distributing the scan load. This also provides high availability in case one scan engine is not available. The IBM Storwize V7000 Unified system tries to contact the failed scan engine periodically and reinstates it for scanning after it becomes available.
    • For defining a scan engine to the connector, use the cfgav CLI.
        cfgav --set-scanner symantec:<IP Address 1>:<ICAP Port>
      IP Address = IP address of a scan engine
      ICAP Port = Port used for ICAP communication (Symantec default is 1344)
      Figure 45: Example of set-scanner
    • Additional scan engines can be specified at the same time by separating each with a comma.
        cfgav --set-scanner symantec:<IP Address 1>:<ICAP Port>,symantec:<IP Address 2>:<ICAP Port>
      Figure 46: Example of multiple set-scanner
    • To add another scan engine at a later time, use the following command:
        cfgav --add-scanner symantec:<IP Address>:<ICAP Port>
  • 29. Figure 47: Example of add-scanner
    Defining scopes with scan options
    For configuring a scope with scan options:
        cfgav --<scope> <scope arg> --<option 1> <option 1 arg> … --<option N> <option N arg>
    • scope = fsys (file system), path (file system path), export (CIFS export), or fset (file set)
    • scope arg = name or path to a scope
    • option = multiple options can be specified together separated by a space
    • option arg = specific arguments that apply to each option
    Examples:
    • Enable antivirus scanning on a list of scopes:
        cfgav --export av00a,av01a --scan
    • Set a list of extensions to scan on an export:
        cfgav --export av00a --set-include exe,dll,xlsx
    • Set a timeout value for accessing scan engines:
        cfgav --timeout 20
    • Enable file system scanning when a file is written:
        cfgav --fsys gpfs0 --onwrite
    • Deny access to protected files in a file set if scanning cannot occur:
        cfgav --fset gpfs0:root --denyonerror
    • Add an extension to a path include list:
        cfgav --path /ibm/gpfs0 --add-include exe
    • Set the exclude list for an export:
        cfgav --export av00a --set-exclude txt
    • Enable file quarantine by deletion for an export:
        cfgav --export av00a --qdel
  • 30. • Enable file quarantine by moving for an export:
        cfgav --export av00a --qmove
    Verifying scan options on defined scopes
    Current antivirus configuration for all scopes can be listed using the lsav command.
    Figure 48: An example of the lsav CLI command
    For a complete list of configurable options and their descriptions, refer to the man page for the cfgav utility by entering man cfgav at the command prompt on the management node. Alternatively, invoking the utility by entering cfgav --help provides a list of options with abbreviated explanations.
  • 31. Initiating a bulk scan using the IBM Storwize V7000 Unified system Antivirus Connector
    The IBM Storwize V7000 Unified system Antivirus Connector provides a method for administrators to initiate a full scan on all the files defined within one or more scopes on the IBM Storwize V7000 Unified system. As previously mentioned, every time a new antivirus definition file is downloaded by the scan engine(s), all files defined within all scopes must be rescanned prior to access. The bulk scan feature is a method to proactively scan all of those files during a window when access to the IBM Storwize V7000 Unified system is at a minimum, thereby reducing the load on the system and network during peak usage times.
    The ability to perform a bulk scan is also important when new shares are created but files are copied either through secure file transfer protocol (SFTP) or secure copy protocol (SCP) from other file systems and are not scanned automatically. Initiating a bulk scan on these shares ensures that in the future, file accesses will be faster.
    The IBM Storwize V7000 Unified system GUI or CLI can be used for configuring and displaying the IBM Storwize V7000 Unified system bulk scans.
    Configuring bulk scan using GUI
    Perform the following steps to configure bulk scan using the GUI.
    1. Log in to the IBM Storwize V7000 Unified system GUI using https://<Address>:1081/gui
    2. In the Services page of the Antivirus service, click Batch Scans and then click New Batch Scan to start configuring bulk scan.
       Figure 49: Configuration of Batch scan
    3. Enter the frequency and the time of day when bulk scan needs to be run on the system in their respective fields. Specify paths to scan during the bulk scan. After configuring the paths that need to be bulk scanned, click OK to continue.
  • 32. Figure 50: Bulk scan configuration details
    4. A summary page shows the saved bulk scan configuration. After verifying the saved configuration, click Close to complete the wizard.
       Figure 51: Bulk scan configuration summary
    Initiating a manual bulk scan on a defined scope using CLI
    Manual bulk scans are initiated using the ctlavbulk command line utility, which is accessed from the management node. This utility follows all settings defined by the cfgav utility, and when called with a scope will only scan those files which are defined in that scope. If no scopes are provided, all protected files will be scanned. Only one bulk scan can be run at a time; however, multiple scan processes can be spawned on each interface node using the --processes option. When the command is issued, it becomes a
  • 33. background process, returning the control to the user. You can check the status of the current bulk scan by issuing the --status option of the ctlavbulk command.
    Starting a bulk scan on one or more defined scopes
    Bulk scan can be initiated on one or more defined scopes.
        ctlavbulk --<scope 1> <scope 1 arg 1>,<scope 1 arg N> --<scope 2> <scope 2 arg 1>,<scope 2 arg N>
    • scope = fsys (file system), path (file system path), export (CIFS export), or fset (file set)
    • scope arg = name or path to a scope
    Examples:
    • Initiate bulk scan on one scope:
        ctlavbulk --export av00a
    • Initiate bulk scan on two scopes of the same type:
        ctlavbulk --export av00a,av01a
    • Initiate bulk scan on two scopes of different types:
        ctlavbulk --fsys gpfs0 --export av02a
    Starting a bulk scan with multiple processes
    Bulk scan can be initiated with multiple processes:
        ctlavbulk --<scope 1> <scope 1 arg 1> --processes <processes arg>
    • scope = fsys (file system), path (file system path), export (CIFS export), or fset (file set)
    • scope arg = name or path to a scope
    • processes arg = number of processes to spawn on each interface node (default = 1)
    Examples:
    • Initiate bulk scan on one scope with five processes per interface node:
        ctlavbulk --export av03a --processes 5
    • Initiate bulk scan on four scopes with 10 processes per interface node:
        ctlavbulk --export av04a,av05a --fsys gpfs1,gpfs2 --processes 10
    Checking the status of a bulk scan
    Bulk scan status can be listed using the --status option.
        ctlavbulk --status
  • 34. Figure 52: Example of ctlavbulk --status
    Note: The * in the column labeled p indicates that the process has started for the displayed node.
    Stopping a bulk scan
    Bulk scan can be stopped using the --stop option.
        ctlavbulk --stop
    Figure 53: Example of ctlavbulk --stop
    For a complete list of configurable options and their descriptions, refer to the man page for the ctlavbulk utility by entering man ctlavbulk at the command prompt on the management node. Alternatively, invoking the utility by entering ctlavbulk --help provides a list of options with abbreviated explanations.
    Scheduling bulk scan on a defined scope
    Periodic bulk scans can be scheduled by using the mktask command line utility on the management node using the CtlAvBulk task name as one of the parameters. Tasks are run on a daily basis. The mktask command supports additional customizable options, which are completely explained on the man page available by entering man mktask from the management node CLI.
  • 35. Creating a bulk scan task for a defined scope
    A new scheduled task for bulk scanning a defined scope can be created using the mktask command.
        mktask CtlAvBulk --hour N --minute N --parameter "scope(s)"
    • hour N = hour of the day to start the scan (24-hour clock), that is, 10, 12, 15, 20
    • minute N = minute of the hour to start the scan
    • scope(s) = one or more scopes to bulk scan
    Example:
    • Schedule a bulk scan for 2:30 a.m. every day on two CIFS exports:
        mktask CtlAvBulk --hour 2 --minute 30 --parameter "--export AV1,AV2"
  • 36. Recommendations
    Antivirus scanning, particularly bulk scanning of large files, can add significant load to several IBM Storwize V7000 Unified system resources and can cause performance bottlenecks. The following recommendations can help you minimize performance impact to the system.
    • If on-access or bulk scan produces timeout errors, consider increasing the timeout value of scans by using the --timeout parameter of the cfgav command. It is not recommended to increase the timeout parameter beyond the CIFS client timeout value, which can cause files to become inaccessible to the user.
    • Avoid scanning expensive items (such as scanning inside of archive files or other containers) to avoid timeout issues.
    • Depending on the scanning performance requirements, the number of interface nodes on which bulk scans are run can be configured using the --nodes option of the ctlavbulk command. If higher scanning performance is required, consider running scans on additional interface nodes. To reduce impact to other IBM Storwize V7000 Unified system resources, consider limiting the number of interface nodes on which bulk scans are run.
    • It is recommended to carefully decide file types for scanning. Certain classes of large files are less likely to be prone to virus attacks. By de-configuring certain types of files using the --add-include|--rem-include|--set-include|--set-exclude options of the cfgav command, the overall antivirus scanning performance can be greatly improved.
    • Similar consideration has to be given to deciding scopes for scanning, as some scopes might contain files that will not be accessed and are not likely to be prone to virus attacks.
    • Ensure that the storage backend has adequate capacity for the client and scan traffic. On-access scans are less likely to add significant load to the storage backend because they typically scan data that has either just been written or is just about to be read by the client and therefore can take advantage of caching. Bulk scans, on the other hand, can add significant load to the storage backend.
    • After updating the antivirus signature, it is recommended to scan all protected files during off-peak hours to minimize the impact of scanning during peak usage.
    • Ensure that the network infrastructure, such as routers, switches, and network cards on both the IBM Storwize V7000 Unified system and the scan engines, has adequate capacity. It is recommended to use 10 Gigabit Ethernet.
    • When the management network and I/O network of the File Modules are configured on different network speeds and the management network is on a 1 GbE network, move the management interface from ethX0 to the higher network speed ethX1 (10 GbE) using the command: chnwmgt --interface ethX1.
    • It is recommended to use a minimum of two scan engines to take advantage of the high-availability and load-balancing features for the scanning.
    • Ensure that scan nodes have adequate processor and disk performance.
  • 37.

    • It is recommended to run bulk scan after a migration either by Hierarchical Storage Management (HSM) recall or data restoration from backup server.
    • While using multiple scan engines to support scanning of IBM Storwize V7000 Unified system, consider the following factors:
        − Configure the setting on each scan engine to be identical.
        − Schedule an auto update of all Symantec scan engines to occur at the same time to ensure that virus definitions are identical.
        − Configure virus scan functionality for each identical IBM Storwize V7000 Unified system that uses a particular scan engine to avoid inconsistency.
  • 38. Summary

    The ability to effectively protect shared file data against viruses and other malicious threats is an important challenge for storage and security administrators who require a trusted and reliable antivirus solution. Not only must the integrity of the data be constantly maintained, the solution must also be scalable to match the continually expanding size and volume of data that is retained on a NAS system.

    The IBM Storwize V7000 Unified system is designed to improve application availability and resource utilization. The system offers easy-to-use, efficient, and cost-effective management capabilities for both new and existing storage resources in your IT infrastructure, and thus addresses the new storage challenges posed by continuing explosion of data.

    IBM has thoroughly tested the IBM Storwize V7000 Unified system with Symantec AntiVirus for NAS confirming their interoperability and compatibility, and is committed to proactively providing enterprise users with one of the best solutions that can serve to reduce time and mitigate risk during planned implementations.

    The technical content contained herein is intended only as a reference for those customers who wish to use Symantec AntiVirus for NAS to protect their data on the IBM Storwize V7000 Unified system. It should not be treated as a definitive implementation or solution document due to the unique configurations and case-specific scenarios inherent in every customer’s unique environment. For solution-specific designs, contact an IBM storage representative to arrange a discussion with an antivirus implementation specialist.
  • 39. Resources

    The following websites provide useful references to supplement the information contained in this paper:

    • System Storage on IBM PartnerWorld®
      ibm.com/partnerworld/wps/pub/overview/B8S00
    • IBM Publications Center
      www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi?CTY=US
    • IBM Redbooks®
      ibm.com/redbooks
    • IBM developerWorks®
      ibm.com/developerworks
    • IBM Storwize V7000 Unified System documentation
      ibm.com/partnerworld/wps/pub/overview/HW26Z
    • Symantec Resources
        − Symantec AntiVirus for NAS
          http://www.symantec.com/business/antivirus-for-network-attached-storage
        − Symantec AntiVirus for NAS Support Matrix
          http://www.symantec.com/business/support/index?page=content&id=TECH147442
        − Symantec AntiVirus for NAS Getting Started Guide
          http://www.symantec.com/docs/DOC3402
        − Symantec AntiVirus for NAS Integration Guide
          http://www.symantec.com/business/support/resources/sites/BUSINESS/content/live/TECHNICAL_SOLUTION/147000/TECH147442/en_US/SAV_for_NAS_5210.pdf
        − Symantec AntiVirus for NAS Implementation Guide
          ftp://ftp.symantec.com/public/english_us_canada/products/symantec_antivirus/network_attached_storage/5.2/manuals/Implementation_Guide.pdf
  • 40. About the author

    Daniel T. Drinnon is a Network Systems Engineer in the IBM Systems and Technology ISV Enablement group. He has more than 20 years of experience working with various enterprise-level storage and systems technologies and infrastructures. You can reach Daniel at ddrinnon@us.ibm.com.
  • 41. Trademarks and special notices

    © Copyright IBM Corporation 2011. All rights Reserved.

    References in this document to IBM products or services do not imply that IBM intends to make them available in every country.

    IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

    Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

    Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

    Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.

    UNIX is a registered trademark of The Open Group in the United States and other countries.

    Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

    SET and the SET Logo are trademarks owned by SET Secure Electronic Transaction LLC.

    Other company, product, or service names may be trademarks or service marks of others.

    Information is provided "AS IS" without warranty of any kind.

    All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.

    Information concerning non-IBM products was obtained from a supplier of these products, published announcement material, or other publicly available sources and does not constitute an endorsement of such products by IBM. Sources for non-IBM list prices and performance numbers are taken from publicly available information, including vendor announcements and vendor worldwide homepages. IBM has not tested these products and cannot confirm the accuracy of performance, capability, or any other claims related to non-IBM products. Questions on the capability of non-IBM products should be addressed to the supplier of those products.

    All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Contact your local IBM office or IBM authorized reseller for the full text of the specific Statement of Direction.

    Some information addresses anticipated future capabilities. Such information is not intended as a definitive statement of a commitment to specific levels of performance, function or delivery schedules with respect to any future products. Such commitments are only made in IBM product announcements.

  • 42.

    The information is presented here to communicate IBM's current investment and development activities as a good faith effort to help with our customers' future planning.

    Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here.

    Photographs shown are of engineering prototypes. Changes may be incorporated in production models.

    Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.