Virus scanning best practices guide for HPE 3PAR File Persona

A best practices guide for antivirus software
deployment and configuration
Technical white paper
Contents
Introduction
  Audience
Overview
  Management interfaces
  Virus scan integration
  Antivirus scanning process
Installation and configuration
  Virus Scan Engine system requirements
  Antivirus software vendor configuration
  Preparing the Virus Scan Engines
  Preparing HPE 3PAR StoreServ for antivirus scanning
Virus scan operations
  Virus pattern updates
  Virus Scan Engines
  Scan policies
  Virus scan tasks
  Quarantine management
Conclusion
Introduction
Audience
This best practices guide is intended for the storage administrators, storage architects, and professional service consultants who will design,
deploy, and configure antivirus scan services for HPE 3PAR File Persona. It assumes some basic familiarity with antivirus (AV) software, file
storage administration, and general HPE 3PAR StoreServ administration.
Overview
HPE 3PAR File Persona provides easy, centralized management of user data for home directory consolidation and group or corporate shares
on the HPE 3PAR StoreServ storage system. Most storage vendors use an external dedicated server running a Virus Scan Engine (VSE)
to scan the files stored on the system, which offloads the virus scanning task to that server. File Persona likewise integrates with external
antivirus servers running a Virus Scan Engine to provide on-access or on-demand scanning of the files stored in the HPE 3PAR StoreServ
array. This document describes the integration of Virus Scan Engines with HPE 3PAR File Persona and provides best practices for VSE
setup and usage.
Management interfaces
The HPE 3PAR StoreServ storage system can be managed through the HPE 3PAR StoreServ Management Console (SSMC), a converged
interface that manages block and file together, and through the scriptable HPE 3PAR OS CLI. Unless otherwise stated,
all tasks can be performed with both the StoreServ Management Console and the CLI. Refer to the HPE 3PAR StoreServ Management Console
Administrator’s Guide or the HPE 3PAR CLI Administrator’s Manual for instructions on how to perform the tasks, which are described at a
conceptual level in this guide.
Virus scan integration
Antivirus software cannot be installed natively on enterprise-class storage running a non-Microsoft® operating system. Any files accessed by the
users that require virus scanning are sent over the network to external servers running Microsoft Windows® and a third-party vendor’s antivirus
software designed to offer virus scanning services to storage systems. These servers are referred to as Virus Scan Engines, or simply VSEs. The
HPE 3PAR File Persona supports VSEs from the software vendors McAfee®, Symantec, Trend Micro, and Sophos. Only one vendor’s software
can be configured with the File Persona at a time, but the configuration can scale up to 50 VSEs running that vendor’s software.
Virus scanning on File Persona can use the VSEs to scan files dynamically as they are opened or closed. This scan is called an on-access scan.
It can also provide scheduled or on-demand scans for a given file store or virtual file server (VFS). In general, both of these optional approaches
can and should be used.
File Persona running on the HPE 3PAR StoreServ system determines which files need to be scanned through scheduled tasks or user actions
such as on “file open” and “file close” from SMB clients, as well as on “file read” from NFS and Object Access application programming interface
(API) clients. It will also record the results of the scan and quarantine any infected files for subsequent review and action by the administrator.
Any file changes and file scans are tracked by the antivirus function of File Persona. After a file has been scanned, it is not scanned again until it
is modified or until the virus definitions have been updated. If no VSEs are available to perform the scan, HPE 3PAR StoreServ can allow or deny
access to the files based on the policy configured for VSE availability.
Antivirus scanning process
Figure 1. The antivirus scanning process
1. The client requests an open (read) or close (write) of a file over SMB, or read of a file over NFS or the Object Access API.
2. The storage system determines if the file needs to be scanned based on the policies that have been set and notifies the VSE server.
3. The VSE scans the file and reports the scan results back to the HPE 3PAR StoreServ system.
4. If no virus is found, access to the file is allowed. If a virus is found, an “Access Denied” is returned to an SMB client, a
“Permission Denied” to an NFS client, or “transfer closed” to an Object Access API client. The file is then quarantined and the scan
messages are logged in /var/log/ade.
Note
If the VSE is unavailable and the policy is set to “Deny Access” then an “Access Denied” will be sent to the SMB client, a “Permission Denied” to an
NFS client, or “transfer closed” to an Object Access API client, and an event will be generated for the VSE server that is unavailable.
Installation and configuration
Virus Scan Engine system requirements
The minimum system requirements for installing and running the Virus Scan Engines (VSEs) are set by the third-party antivirus vendors.
Consult the vendor-specific documentation for their system requirements.
Virtualized VSEs may be used. Consult the vendor-specific documentation for the system requirements when running virtualized scan engines.
The recommendations in this document apply to both physical and virtualized VSEs.
Best practice:
Locate the VSEs physically close to the HPE 3PAR StoreServ systems to reduce network latency and maintain optimum file access time.
Antivirus software vendor configuration
A single antivirus vendor type can be associated with each HPE 3PAR StoreServ system. The vendor type can be managed using the SSMC or
through the HPE 3PAR CLI by issuing the command setfsav pol -scan enable -vendor <VENDOR>. The vendor type configuration is
the first step to configure antivirus scanning with the HPE 3PAR StoreServ system, followed by the configuration for the VSE.
Change the antivirus vendor type
To change the vendor type on the HPE 3PAR StoreServ system, perform the following steps in order:
1. Set the vendor type to NA instead of a named vendor type using the command setfsav pol -scan enable -vendor NA.
2. Remove all the configured VSEs using the command setfsav pol vse.
3. Add the first VSE for the new vendor type before setting the new vendor type. Use the command setfsav vse +<IP address>:<port>.
4. Set the new vendor type using the command setfsav pol -scan enable -vendor <VENDOR>.
Best practice:
Use only a single vendor type per StoreServ system at a time.
There are four third-party antivirus software solutions currently supported with HPE 3PAR File Persona:
• McAfee VirusScan Enterprise version 8.8 with McAfee VirusScan Enterprise for Storage 1.0.2
• Symantec Protection Engine 7.5
• Trend Micro ServerProtect for Storage 6.0 Repack 2
• Sophos Network Storage Antivirus 5.3.0
Preparing the Virus Scan Engines
Before a VSE can be configured for the HPE 3PAR StoreServ, the antivirus software, along with any optional storage scan modules, must be
installed on an external VSE server, and the antivirus services must be verified as running. The TCP port being used must also match between the
VSE and the HPE 3PAR StoreServ. The HPE 3PAR StoreServ and the VSE communicate via the Internet Content Adaptation
Protocol (ICAP). By default, ICAP uses port number 1344. This port can be configured directly on the VSE. If the port is changed from the default
setting, the same port number needs to be used when the VSE is added to the File Persona configuration.
Best practice:
Application status and TCP port information are viewed and managed through the user interfaces provided by the antivirus software. The
McAfee, Trend Micro, and Sophos antivirus software use a Windows-based antivirus console; Symantec uses a Java-based management console.
Use these vendor-specific management consoles to configure the VSE port number. Use the same TCP port when adding the VSE to the
File Persona antivirus Scan Policy (figure 3).
Three CLI tools built into the Windows operating system are also useful: the net command, the nbtstat command, and the
netstat command. A net start command can be issued without any additional options at the Windows command prompt to display a list
of running Windows services. To generate a list of TCP ports that are in use by a given Windows machine, use the netstat -and command at
the Windows command prompt. The valid range of ports supported for use with the File Persona is between 1024 and 65535.
Note
For Sophos, use a physical machine with internet connectivity for the Sophos VSE, as suggested by the vendor. For best
performance with Sophos, tune the parameters threadcount, maxqueuedsessions, and allow204 in the Sophos SAVDI config
file. The suggested values are 32 for threadcount, 1200 for maxqueuedsessions (a value between 1024 and 1280), and YES (enabled) for allow204.
These values were arrived at by testing (scanning of files with an average size of 100 KB) on a dual core 48 GB RAM physical machine.
Refer to the vendor documents for minimum hardware requirements, configuration, and installation steps.
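The ICAP port match described above can be checked from any host on the storage network before the VSE is added to File Persona. The following is an added example, not HPE or vendor code: it sends an RFC 3507 OPTIONS request and reports what the engine advertises. The service path "avscan" and the sample response are placeholders, since the real service path is vendor-specific.

```python
"""ICAP OPTIONS health probe for a Virus Scan Engine (added example)."""
import socket

DEFAULT_ICAP_PORT = 1344          # ICAP default named in the guide
MIN_PORT, MAX_PORT = 1024, 65535  # port range the guide gives for File Persona


def build_options_request(host, port=DEFAULT_ICAP_PORT, service="avscan"):
    """Build an RFC 3507 OPTIONS request; `service` is a placeholder path."""
    if not MIN_PORT <= port <= MAX_PORT:
        raise ValueError(f"port {port} is outside {MIN_PORT}-{MAX_PORT}")
    if any(c.isspace() or ord(c) < 0x20 for c in host + service):
        raise ValueError("whitespace or control characters in host/service")
    return (
        f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "User-Agent: vse-probe-example\r\n"
        "\r\n"
    ).encode("ascii")


def parse_options_response(raw):
    """Parse an ICAP OPTIONS response into the fields an operator checks."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError(f"not an ICAP status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    max_conn = headers.get("max-connections", "")
    allow = [t.strip() for t in headers.get("allow", "").split(",")]
    methods = [m.strip() for m in headers.get("methods", "").split(",")]
    return {
        "status": int(parts[1]),
        "methods": [m for m in methods if m],
        "istag": headers.get("istag", "").strip('"'),
        "allow_204": "204" in allow,
        "max_connections": int(max_conn) if max_conn.isdigit() else None,
    }


def probe_vse(host, port=DEFAULT_ICAP_PORT, service="avscan", timeout=5.0):
    """Send OPTIONS to a VSE; return the parsed reply or the socket error."""
    request = build_options_request(host, port, service)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            raw = b""
            # Read until the end of the ICAP header block (bounded).
            while b"\r\n\r\n" not in raw and len(raw) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except OSError as exc:  # refused, unreachable, or timed out
        return {"reachable": False, "error": str(exc)}
    try:
        return {"reachable": True, **parse_options_response(raw)}
    except ValueError as exc:  # something answered, but not with ICAP
        return {"reachable": True, "error": str(exc)}


# Constructed sample response, not captured from a real VSE.
SAMPLE_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: RESPMOD\r\n"
    b'ISTag: "constructed-tag-001"\r\n'
    b"Allow: 204\r\n"
    b"Max-Connections: 32\r\n"
    b"Encapsulated: null-body=0\r\n\r\n"
)

if __name__ == "__main__":
    print(parse_options_response(SAMPLE_RESPONSE))
```

A reply that is reachable but carries an error means something other than an ICAP service is listening on that port, which is the mismatch the port guidance above is meant to prevent.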
Preparing HPE 3PAR StoreServ for antivirus scanning
File Persona must be enabled on the HPE 3PAR StoreServ system and configured with a Virtual File Server that is online before the
first VSE is added. A relationship between the Virtual File Server in the File Persona and one or more VSEs is created when antivirus services are
configured for File Persona through a policy.
A list of online Virtual File Servers can be viewed using the StoreServ Management Console (SSMC), under the File Persona menu (figure 2) or
via the HPE 3PAR CLI showvfs command.
Figure 2. VFS antivirus policy
Virus scan policies can be managed via the SSMC GUI or the CLI. In the SSMC, policy changes are made with the Action Menu for each
virtual file server; in the HPE 3PAR CLI, the setfsav pol command is used to make policy changes.
Virus scan operations
Virus pattern updates
Antivirus software reads a file and then compares it against a locally stored database of known virus patterns, so that the file tests either
positive or negative for a virus. The databases of virus patterns are referred to as virus pattern files. The pattern files need to be frequently
updated to stay in sync with all of the known virus signatures that are published by the vendors; these updates are scheduled from the
third-party antivirus software. Virus pattern updates can be performed on demand or they can be scheduled to occur at regular intervals. The
interfaces and procedures used to perform this task are vendor-specific. McAfee manages pattern file updates through the AutoUpdate task,
which is listed in the Virus Scan Console. Symantec manages pattern file updates through a Symantec Protection Engine Java application where
a web browser is used to run the application, and the pattern file updates are managed through the LiveUpdate Content view under the
System tab. Trend Micro manages updates through the Update tab in the ServerProtect Management Console. Sophos manages updates
through the Update Managers tab in the Sophos Enterprise Console. Consult the antivirus vendor documentation for more in-depth information.
In addition to the vendor-supplied interfaces, virus pattern file updates can be driven by the StoreServ via the SSMC or the CLI. Updates can be
performed on-demand or they can be scheduled.
Best practice:
Vendors often release multiple updated virus definitions in a given day. Update the virus definitions at least once a day or as frequently
as possible.
Virus Scan Engines
The process for adding Virus Scan Engines (VSEs) to the HPE 3PAR StoreServ system is managed via SSMC and the HPE 3PAR CLI. A single
VSE is generally sufficient to provide virus scan services for a single virtual file server. Hewlett Packard Enterprise recommends adding at least
one additional VSE to increase VSE availability and improve the performance for virus scanning tasks. When multiple VSEs are added to the
cluster, all incoming scan requests are distributed in a round-robin fashion.
Within SSMC (figure 3), VSEs are added and managed by editing the advanced attributes of the Persona Configuration page.
Figure 3. Configure VSEs on File Persona
Use the SSMC or setfsav vse +<IP address>:<port> command to add each VSE. To display a list of VSEs by IP address that
have already been added to the system, including their port numbers, use the showfsav command without any additional options at the
HPE 3PAR CLI.
Caution
Use caution when using just the setfsav vse command (without any options) as this will clear out the list of VSEs.
Best practice:
Configure at least two VSEs for each HPE 3PAR StoreServ system.
The status of the VSEs can be quickly obtained using the SSMC or the showfsav CLI command.
Figure 4. Check VSE status
The CLI output will look like this:
3parebc1 cli% showfsav
Vendor  IpAddress      PortNum  Status
MCAFEE  192.168.47.23  1344     UP
MCAFEE  192.168.47.21  1344     UP
3parebc1 cli%
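The showfsav listing lends itself to an automated check of the VSE recommendations in this guide (at least two engines, a single vendor, ports within 1024 to 65535, no more than 50 engines). The following is an added example, not HPE code. It assumes the output has been captured as text with whitespace-separated columns as shown above, and that any status other than UP means the engine is unavailable. The second sample is constructed.

```python
"""Audit captured `showfsav` output against the guide's VSE best practices."""
import ipaddress

MIN_PORT, MAX_PORT = 1024, 65535  # valid port range stated in the guide
MAX_VSES = 50                     # scaling limit stated in the guide

# Output as shown in the guide.
PAGE_SAMPLE = """\
3parebc1 cli% showfsav
Vendor  IpAddress      PortNum  Status
MCAFEE  192.168.47.23  1344     UP
MCAFEE  192.168.47.21  1344     UP
3parebc1 cli%
"""

# Constructed sample: one engine, out-of-range port, assumed DOWN status.
CONSTRUCTED_BAD_SAMPLE = """\
Vendor  IpAddress   PortNum  Status
MCAFEE  192.0.2.10  80       DOWN
"""


def parse_showfsav(text):
    """Return one dict per VSE row; prompts, headers and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] == "Vendor":
            continue
        vendor, ip, port, status = fields
        try:
            ipaddress.ip_address(ip)
            port = int(port)
        except ValueError:
            continue  # not a data row
        rows.append({"vendor": vendor, "ip": ip, "port": port,
                     "status": status.upper()})
    return rows


def audit_vses(rows):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if len(rows) < 2:
        findings.append(f"{len(rows)} VSE configured; "
                        "the guide recommends at least two")
    if len(rows) > MAX_VSES:
        findings.append(f"{len(rows)} VSEs exceed the limit of {MAX_VSES}")
    vendors = sorted({r["vendor"] for r in rows})
    if len(vendors) > 1:
        findings.append("more than one vendor type listed: " + ", ".join(vendors))
    for r in rows:
        where = f"{r['ip']}:{r['port']}"
        if not MIN_PORT <= r["port"] <= MAX_PORT:
            findings.append(f"{where} port outside {MIN_PORT}-{MAX_PORT}")
        if r["status"] != "UP":
            findings.append(f"{where} status is {r['status']}")
    if rows and all(r["status"] != "UP" for r in rows):
        findings.append("no VSE is UP; file access now depends on the "
                        "Policy on AV unavailability setting")
    return findings


if __name__ == "__main__":
    for name, sample in (("page", PAGE_SAMPLE),
                         ("constructed", CONSTRUCTED_BAD_SAMPLE)):
        result = audit_vses(parse_showfsav(sample))
        print(name, "->", result or "all checks passed")
```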
Scan policies
HPE 3PAR File Persona supports using Scan Policies for on-demand and on-access virus scan. A Scan Policy is also used to enable or disable
on-access and on-demand scans.
With the SSMC GUI (figure 5), the Scan Policy is configured through the Modify antivirus policy action item under the Actions menu for each
virtual file server. Similarly, the Scan Policy can be configured via CLI using the setfsav pol command.
Figure 5. Edit the antivirus Scan Policy
Dynamic scanning
The Dynamic scanning setting enables or disables the on-access virus scanning for each file as it is accessed.
Best practice:
Keep dynamic scanning enabled to provide the highest protection from virus and malware for any file-access operations.
Exclude file extensions
Use the Exclude file extensions option to exclude specific file types from the virus scan. Certain file types are known to propagate computer
viruses. Excluding file extensions that do not need to be scanned can also help reduce the latency for file access and for the
on-demand scan, and it can help reduce the time taken to finish scanning the VFS.
Best practice:
Exclude file extensions from the scan for files that cannot propagate viruses. This will reduce the latency introduced by the virus scan process.
Max file scan size
The Max file scan size (MB) parameter can be used to exclude files that exceed the specified size. The size is specified in MB where a value of
zero causes the VSE to scan files of all sizes.
Best practice:
For the highest virus protection, keep the Max file scan size setting at zero.
Policy on AV unavailability
The antivirus scanning behavior when none of the VSEs are available can be configured through the Policy on AV unavailability setting.
The configurable options are to allow or deny data access when VSEs are unavailable to perform a scan.
Best practice:
For the highest virus protection, use the Deny data access option in addition to the recommendation to use multiple VSEs for each HPE 3PAR
StoreServ system.
SMB scan settings
The SMB scan setting toggles the behavior of on-access scanning between scan on open, and scan on open and close. The first
setting scans a file only when it is opened, so the file is always scanned before access. The second setting scans a file
when it is closed as well as when it is opened. This additional scan on close should detect a virus if the SMB client is infected and trying to infect
new files. Since the file is scanned on close, it need not be rescanned on a subsequent open. However, the file may be rescanned on a subsequent
open if there have been any virus definition updates after the close.
Virus scan tasks
It is not enough to use on-access scanning only. Infrequently accessed files are infrequently scanned, which increases their chances of becoming
infected. To avoid this risk, a scan of the virtual file server can be run immediately or scheduled to recur over time. Use the SSMC or the
HPE 3PAR CLI to schedule this on-demand scanning.
In the SSMC (figure 6), a virus scan is scheduled through the Create antivirus scan Action menu item. Through the HPE 3PAR CLI, use the
startfsav scan command to schedule virus scan tasks.
Figure 6. Create antivirus scan tasks
Virus scan tasks generate load on the virtual file server and should be scheduled outside times of peak usage. A maximum of eight virus scan
tasks can run simultaneously at any point in time.
Best practice:
Schedule virus scan tasks periodically in addition to dynamic scans (on-access scans) to increase the antivirus protection. Hewlett Packard
Enterprise recommends scheduling the scan tasks outside of peak usage times.
Tip
Scan statistics can be viewed in the SSMC or via the CLI using the srstatfsav command.
Quarantine management
When a virus is detected in a file by the VSE, the HPE 3PAR StoreServ modifies an extended attribute of the infected file and marks it as
quarantined. It will also prevent access to the file until the storage administrator moves, deletes, or resets the file. The file quarantine can be
managed using the HPE 3PAR CLI or with the SSMC (figure 7).
Figure 7. Managing the antivirus quarantine
Several actions can be taken with the quarantined files, such as clean, move, or delete. Selective bulk quarantine operation is also supported. All
quarantine operations are performed at either the VFS or the File Store level. Quarantined files can only be moved to a default location with a
timestamp in the .admin folder of the Virtual File Server, or the files can be deleted altogether (figure 8). Additionally, the quarantine flag can be
reset on all of the quarantined files on the Virtual File Server. Other actions can be taken as well, such as clearing the quarantined file count and
exporting a list of quarantined files.
Figure 8. Moving quarantined files
Best practice:
Check the quarantine area often and attempt to clean files. Delete files that cannot be cleaned.
Conclusion
The HPE 3PAR File Persona includes optional virus scanning that is tightly integrated with popular third-party antivirus software to help keep
your unstructured data safe. The HPE 3PAR SSMC and CLI simplify the integration process and centralize management of antivirus scanning,
minimizing administrative overhead.
Related documentation
• Complete description of HPE 3PAR CLI commands: HPE 3PAR CLI Reference
• Overview and explanation of HPE 3PAR technology: HPE 3PAR Concepts Guide
• Using the Management Console to configure and administer the system: HPE 3PAR Management Console Administrator’s Guide
• Using the CLI to configure and administer the system: HPE 3PAR CLI Administrator’s Manual
• Technical overview of the HPE 3PAR File Persona software: Technical white paper on HPE 3PAR File Persona Software Suite
For identifying storage system configuration specifications and compatibility information, go to the HPE Single Point of Connectivity Knowledge
(SPOCK) website at h20272.www2.hpe.com/spock.
© Copyright 2015–2017 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without
notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard
Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
McAfee is a trademark or registered trademark of McAfee, Inc. in the United States and other countries. Microsoft and Windows are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Java is a registered trademark
of Oracle and/or its affiliates. All other third-party trademark(s) is/are property of their respective owner(s).
4AA5-6079ENW, March 2017, Rev. 2