configuring symantec protection engine for network attached … · 2020. 6. 15. · page 5 of 16 1....

Configuring Symantec Protection Engine™ for Network Attached Storage

Nutanix Files

of 16

Contents Abstract .............................................................................................................................. 2

About software components .................................................................................................. 2

Installing Symantec Protection Engine ..................................................................................... 2

About the centralized cloud console ........................................................................................ 2

Configuring Symantec Protection Engine .................................................................................. 3

Configuring the ICAP-specific options ................................................................................... 3

About specifying which file types to scan on the protection engine........................................... 4

Specifying which file types to scan ....................................................................................... 4

About specifying container handling limits ............................................................................ 6

Scheduling LiveUpdate to update virus definitions automatically.............................................. 6

Configuring Rapid Release updates to occur automatically ...................................................... 7

Configuring antivirus scanning for Nutanix Files......................................................................... 9

Files AV Requirements ....................................................................................................... 9

Overview ......................................................................................................................... 9

Antivirus File State............................................................................................................. 9

Glossary ..........................................................................................................................10

Antivirus Details ...............................................................................................................10

ICAP Servers ....................................................................................................................11

Reports...........................................................................................................................12

Quarantined Files .............................................................................................................12

Unquarantined Files .........................................................................................................12

Configuring antivirus scanning............................................................................................13

Managing Antivirus Scanning .............................................................................................14

of 16

Abstract This document explains how to configure Nutanix Files and Symantec Protection Engine for antivirus scanning capabilities. This document is meant for users who are using Nutanix Files with Symantec Protection Engine version 8.0.

About software components Symantec™ Protection Engine for Network Attached Storage provides virus scanning and repair capabilities for Nutanix Files devices.

Configure the following components to add antivirus scanning to Nutanix Files NAS devices:

Symantec™ Protection Engine for Network Attached Storage version 8.0 Provides the virus scanning and repair services.

Refer to the Online Help (UHS) or Implementation Guide for information on system requirements, installation, and configuration.

Nutanix Files

o Nutanix Files 2.2.3





Installing Symantec Protection Engine The computer on which you plan to install Symantec Protection Engine must meet the system requirements that are listed in the Implementation Guide or Online Help (UHS).

After you have installed Symantec Protection Engine, configure the virus scanning functionality on FluidFS.

About the centralized cloud console Symantec Protection Engine 8.0 introduces the centralized console along with the existing web-based interface, where you can manage multiple Symantec Protection Engine installations. You can manage scanners and scan policies, create assets and alerts, and view the dashboards and events on the centralized console.

You can initialize the on-boarding process to centralized console by using the cloud management utility cloudmgmtutil that is available in the installation directory.

After the on-boarding process is complete, you must enroll all your Symantec Protection Engine scanners that you want to manage from the centralized console.

https://help.symantec.com/home/spe_8_0?locale=EN_US

https://support.symantec.com/en_US/article.DOC11061.html



of 16

For more information, see Online Help (UHS).

See Quick-start checklist of tasks to perform in the centralized console

See Onboarding to a centralized cloud console

See Video - Onboarding and scanner enrollment

Configuring Symantec Protection Engine You must configure several settings on each Symantec Protection Engine that is used to support scanning for FluidFS.

Note: If you use multiple protection engines to support scanning, the configuration settings on each protection engine must be identical. LiveUpdate must scheduled to occur at the same time on all protection engines so that virus definitions are consistent at all times.

The protection engine must be configured to use ICAP as the communication protocol. ICAP is the default protocol at installation. After you have selected ICAP, you must configure the ICAP-specific options.

Configuring the ICAP-specific options If you select ICAP, you must configure certain options specific to ICAP. You must also configure the ICAP client to work with Symantec Protection Engine.

For more information, see the Implementation Guide or Online Help (UHS).

Table 1 describes the protocol-specific options for ICAP.

Table 1: Protocol-specific options for ICAP

Option Description

Bind address Symantec Protection Engine detects all the available IP addresses that are installed on the host. By default, Symantec Protection Engine accepts scanning requests on (binds to) all of the scanning IP addresses that it detects. You can configure up to 64 IP addresses as scanning IP addresses.

You can specify whether you want Symantec Protection Engine to bind to all of the IP addresses that it detects, or you can restrict access to one or more interfaces. If you do not specify at least one IP address, Symantec Protection Engine binds to all of the scanning IP addresses that it detects.

If Symantec Protection Engine fails to bind to any of the selected IP addresses, an event is written to the log as a critical error. Even if Symantec Protection Engine is unable to bind to any IP address, you can access the console. However, scanning functionality is unavailable.

Note: You can use 127.0.0.1 (the loopback interface) to let only the clients that are running on the same computer connect to Symantec Protection Engine.


https://help.symantec.com/cs/SPE_8_0/SPE/v127681228_v126096469/Quick-start-checklist-of-tasks-to-perform-in-the-centralized-console?locale=EN_US

https://help.symantec.com/cs/SPE_8_0/SPE/v127905194_v126096469/Onboarding-to-a-centralized-cloud-console?locale=EN_US

https://help.symantec.com/cs/SPE_8_0/SPE/v129870350_v126096469/Video---Onboarding-and-scanner-enrollment?locale=EN_US



of 16

Port number The port number must be exclusive to Symantec Protection Engine. For ICAP, the default port number is 1344. If you change the port number, use a number greater than 1024 that is not in use by any other program or service.

To configure the ICAP-specific options:

1. On the Symantec Protection Engine administrative interface, in the left pane, click Configuration.

2. Under Views, click Protocol.

3. In the right pane, under Select Communication Protocol, click ICAP. The configuration settings are displayed for the selected protocol. If you change the protocol setting from RPC to ICAP through the Symantec Protection Engine administrative interface, you must manually stop and start the service.

4. Under ICAP Configuration, in the Bind address box, select the scanning IP addresses that you want to bind to Symantec Protection Engine. Check Select All to select every IP address in the Bind address table. By default, Symantec Protection Engine binds to all interfaces.

5. In the Port number box, type the TCP/IP port number that the NAS service uses to pass files to Symantec Protection Engine for scanning. The default setting for ICAP is port 1344.

6. In the Scan policy list, select how you want Symantec Protection Engine to handle infected files. The default setting is Scan and repair or delete.

7. On the toolbar, select one of the following:

Click Save to save your changes. You can continue to make changes in the administrative interface until you are ready to apply them.

Click Apply to apply your changes. Your changes are not implemented until you apply them.

About specifying which file types to scan on the protection engine The settings on Symantec Protection Engine must be configured to specify the types of files to be scanned for viruses. The scan policy on the protection engine determines which files it should scan from FluidFS. The scanned files are those contained in archive or container file formats.

You can control which embedded files are scanned by using an extension or type exclusion list, or you can scan all files regardless of extension and type. A prepopulated extension and type exclusion list exists that you can modify. Symantec Protection Engine is configured by default to scan all files.

For more information, see the Implementation Guide or Online Help (UHS).

Specifying which file types to scan You can control which file types are scanned by specifying those extensions that you want to exclude from scanning, or you can scan all files regardless of extension.

To scan all files except for those that are in the file extension exclusion list:



of 16

1. On the Symantec Protection Engine administrative interface, in the left pane, click Policies.

2. Under Views, click Scanning.

3. In the right pane, under Files to Scan, click Scan all files except those in the extension or type exclude lists. When you enable this option, both the file extension exclude list and the file type exclude list are activated automatically.

4. Type each file extension that you want to add to the list on a separate line. Use a period with each extension in the list.

5. To remove a file extension from the list, select it and delete it from the File extension exclude list.

6. To restore the default file extension exclude list, in the left pane, under Tasks, click Reset Default List. This option restores the default file-type exclude list and the file-extension exclude list.




To scan all file types except those in the file type exclusion list:

1. On the Symantec Protection Engine administrative interface, in the left pane, click Policies.

2. Under Views, click Scanning.

3. In the right pane, under Files to Scan, click Scan all files except those in the extension or type exclude lists. When you enable this option, both the file type exclude list and the file extension exclude list are activated automatically.

4. Type each file type you want to add to the list on a separate line. To include all subtypes for a file type, use the wildcard character /*.

For more information on how to write the file types, see the Implementation Guide or Online Help (UHS).

5. To remove a file type from the list, select it and delete it from the File type exclude list.

6. To restore the default file type exclude list, in the left pane, under Tasks, click Reset Default List. This option restores the default file-type exclude list and the file-extension exclude list.







of 16

About specifying container handling limits File attachments that consist of container files can overload the system and cause denial-of-service attacks. They can be overly large, contain large numbers of embedded, compressed files, or be designed to maliciously use resources and degrade performance. Symantec Protection Engine can be configured to impose limits on how container files are handled. This reduces the exposure of the network to denial-of-service attacks.

You can specify the following limits for handling container files:

The maximum amount of time, in seconds, that is spent decomposing a container file and its contents This setting does not apply to .hqx or .amg files.

The maximum file size, in megabytes, for the individual files that are in a container file.

The maximum number of nested levels to decompose for scanning.

The maximum number of bytes that are read when determining whether a file is MIME-encoded.

You can specify whether to allow or deny access to the file if any of these specified limits is met or exceeded.

Symantec Protection Engine blocks container files based on their type, because only certain file types contain virus or malicious code. You can configure Symantec Protection Engine to block partial container files, malformed container files, and encrypted container files as well.

For more information on container handling limits, see the Implementation Guide or Online Help (UHS).

Scheduling LiveUpdate to update virus definitions automatically Scheduling LiveUpdate to occur automatically at a specified time interval ensures that Symantec Protection Engine always has the most current virus definitions. Schedule LiveUpdate to occur at the same time for each protection engine if you use multiple scanprotectionengines to support virus scanning. This scheduling ensures that all protection engines have the same version of virus definitions. Having the same version of virus definitions is necessary for proper functioning of virus scanning on the FluidFS device.

You must schedule LiveUpdate on each Symantec Protection Engine. When LiveUpdate is scheduled, LiveUpdate runs at the specified time interval relative to the LiveUpdate base time. The default LiveUpdate base time is the time that the protection engine was installed.

You can change the LiveUpdate base time. If you change the scheduled LiveUpdate interval, the interval adjusts based on the LiveUpdate base time.

To schedule LiveUpdate to update virus definitions automatically :

1. On the Symantec Protection Engine administrative interface, in the left pane, click System.

2. Under Views, click LiveUpdate Content.




of 16

3. In the right pane, under LiveUpdate Content, check Enable scheduled LiveUpdate. This option is enabled by default.

4. In the LiveUpdate interval list, choose an interval. You can select from 2, 4, 8, 10, 12, or 24-hour intervals. The default LiveUpdate interval is 2 hours.




Configuring Rapid Release updates to occur automatically You can configure Symantec Protection Engine to obtain uncertified definition updates with Rapid Release. You can configure Symantec Protection Engine to retrieve Rapid Release definitions every 5 minutes to every 120 minutes. Rapid Release definitions are created when a new threat is discovered. Rapid Release definitions undergo basic quality assurance tests by Symantec Security Response.

However, they do not undergo the intense testing that is required for a LiveUpdate release. Symantec updates Rapid Release definitions as needed to respond to high-level outbreaks.

Warning: Rapid Release definitions do not undergo the same rigorous quality assurance tests as LiveUpdate and Intelligent Updater definitions. Symantec encourages users to rely on the full quality-assurance-tested definitions whenever possible. Ensure that you deploy Rapid Release definitions to a test environment before you install them on your network.

If you use a proxy or firewall that blocks FTP communications, the Rapid Release feature does not function. Your environment must allow FTP traffic for the FTP session to succeed.

You can schedule Rapid Release updates to occur automatically at a specified time interval to ensure that Symantec Protection Engine always has the most current definitions. Scheduled Rapid Release updates are disabled by default.

1. On the Symantec Protection Engine administrative interface, in the left pane, click System.

2. Under Views, click Rapid Release Content.

3. In the content area under Rapid Release Content, select the Enable scheduled Rapid Release check box to enable automatic downloads of Rapid Release definitions. This option is disabled by default.

4. In the Rapid Release interval box, to specify the interval between which you want Symantec Protection Engine to download Rapid Release definitions, do any of the following steps:

Type the interval.

Click the up arrow or down arrow to select the interval.

of 16

You can select any number between 5 minutes and 120 minutes. The default value is 30 minutes.




of 16

Configuring antivirus scanning for Nutanix Files Files supports the Internet Content Adaptation Protocol (ICAP) to enable communication with external servers hosting third-party antivirus software. This software scans files stored on Files shares to help provide protection against viruses. This software scans files in real time when files are opened, closed, read from, or written to.

Figure 1 Files AV Concept

Files AV Requirements

AOS 5.1.2 minimum Files 2.2.0 minimum

Two or more ICAP servers Note: Nutanix recommends to have a minimum number of scanning threads that is 11 times the number of FSVM nodes or (11 * number of FSVM nodes).

Overview

Files performs the following task when working with ICAP servers. 1. A client requests to read, write, open, or close a file. 2. Files determines that the file requires scanning. 3. If a scan is required, then Files sends the file to the ICAP server and requests a scan. 4. The ICAP server scans the file and reports the scan results to Files. 5. If the file is unsafe then Files quarantines and denies access to the file. 6. If the file is clean or disinfected, then Files allows the client access to the file.

Note: By default, antivirus scan is disabled on all shares.

Antivirus File State

This diagram shows the process flow for file scans.

of 16

Figure 2 Antivirus File State Diagram

Glossary

The following terms are used by Files in the Prism web console to show file status applied by the antivirus scanning feature. State

State Definition Quarantined This file has been scanned, determined to be unsafe, and all access

to the file is blocked until the administrator manually changes the file state.

Unquarantined The administrator moves the file from the quarantined state to allow client access. Unquarantined files are not scanned again.

Events Events

Definition

Cleaned The antivirus scanner has scanned and cleaned the file. This process overwrites the original file. Using this feature requires the disinfected virus file function on the ICAP server.

Quarantined This file has been scanned, determined to be unsafe. All access to the file is blocked until the administrator manually changes the file state.

Unquarantined The administrator manually moves the file from the quarantined state to allow client access. Unquarantined files are not scanned again.

Deleted The file is removed from the file systems.

Antivirus Details

The Files Antivirus details tab displays dynamic information about scanned files. It displays reports or graphs on the File Server page. These reports and graphs display the following information:

ICAP Servers

of 16

Reports Quarantined Files

Unquarantined Files To view this information, go to Home > File Server > Antivirus.

Figure 3 Files Antivirus tab

ICAP Servers

The ICAP servers tab displays the scanned files information for each ICAP server. ICAP Server Statistics: The table displays information such as Port number, description, files

scanned, disconnect count, average latency, connection status and actions available. Average Latency: This graph displays the latency times for the scans to be completed (in

milliseconds).

Files Processed or Data Processed: Click the Files Processed drop-down arrow to select the files processed or data processed graph. The processed files graph displays the number of files that have been scanned. The data processed graphs displays the amount of data (in GiB) that has been processed.

Queue Length: The number of files that are in queue to be scanned.

of 16

Reports The Reports tab displays the information about the scanning period and share status.

Scan Period: This information displays the files scanned, threats detected, number of files cleaned, and number of files quarantined during each scanning period.

Share Status: Displays the state of the scanned share. This includes: file path, threat description, ICAP server, time, action taken on share.

Figure 4 Files AV Reports tab

Note: If you reach the limit of the number of files in both the Quarantined and Unquarantined tables, scanning through the UI will be impacted. The web consoles alerts you when the number of files has reached 80 percent of the number of files supported.

Quarantined Files The Quarantined Files tab displays the files that have been identified by the antivirus software as having a virus and are therefore placed into quarantine where they cannot be read or written by the clients. An administrator can perform the following actions on the quarantined files.

Rescan: Rescan the files that have been quarantined. Unquarantine: Move the files out of quarantine. The selected file is then available for use.

Delete: Delete the quarantined file permanently.

Figure 5 Files AV Quarantined Files

Unquarantined Files The Unquarantined Files tab displays files that have been manually released from quarantine. Unquarantined files are available for use. These files are not scanned again until the administrator resets the unquarantine state. The administrator can perform the following actions on unquarantined files.

Reset: Move the to a normal state that is neither quarantined or unquarantined. In this state, the next access to the file triggers the scan.

Quarantine: Move the files to quarantine where read and write access is blocked.

of 16

Figure 6 Files AV Unquarantined files

Configuring antivirus scanning Configure and enable antivirus scanning on Files shares.

Note: Available in Files 2.2.0 and later.

After configuring the antivirus scan, you must enable the scan for each share that you want scanned.

1. Log on to the Prism web console and navigate to Home > File Server. 2. In the action links, click Antivirus settings.

The Antivirus window is displayed. 3. Connect the ICAP servers.

a) Enter the IP address or hostname of the antivirus servers. b) Enter the port number.

The default port number is 1344 or you can use a separate port number. c) (Optional) Enter a description for the ICAP server. d) Click Save. e) Ensure the connection status automatically updates to OK.

If the server is detected to be an antivirus server, the software tests the validity of the configured server and updates the status to OK.

f) Click Next.

4. Complete the Scan Settings. Settings can be overridden for individual shares through the share-level antivirus settings. Note: Nutanix recommends two or more ICAP servers.

a) Scan on Write: Scans a file after it is saved (a write operation). b) Scan on Read: Scans a files when it is opened (read operation).

Nutanix recommends to always enable Scan on Read. c) Exclude File Types: Add one or more file extensions that you do not want to

include in the scan. Note:

Ensure these settings match the fi le type configuration of your ICAP servers. Nutanix recommends to add the following fi le extensions for user profiles when

using the Files Antivirus scanning: .dat .ini .pol

If you have discovered that multiple fi les with a specific extension type have been quarantined incorrectly by the ICAP server, adding this fi le type extension to the ignore list will only prevent future fi les from being quarantined. You must remove the quarantine for the incorrectly quarantined fi les to access them.

of 16

d) Exclude files Larger Than: Set a limit on the file size to be scanned. Note: Ensure these settings match the file type configuration of your ICAP servers.

e) Show Advanced Options: Scan Time Out: Set the maximum amount of time that a scan can take

before timing out. Block access to files if scan cannot be completed (Recommended):

Block access if the ICAP servers are unavailable or are unable to scan the file due to any issues. Users are unable to open these files.

f) Click Save.

5. Enable the antivirus scanning on each share. a) From the Home page, go to File Server > Share. b) Select the share from the list and click Antivirus Settings. c) The Antivirus setup window is displayed.

Note: By default, antivirus scan is disabled on all shares. Check the box Enable antivirus scan for this share.

d) (Optional) You can change the settings listed previously for this individual share. e) Click Save.

Managing Antivirus Scanning

Managing Files Antivirus and other options. Note: Available in Files 2.2.0 and later.

1. Delete an Antivirus server. a) On the File Server page, click Antivirus Settings. b) Click the x on the row with the ICAP server. Click Next.

2. Add more ICAP servers, see Configuring Antivirus Scanning. 3. Replace an ICAP server.

Note: Add the new ICAP server before removing the old server.

a) Add the new ICAP server. b) Remove the previous ICAP server.

4. Edit an ICAP server description. a) Go to Home > File Server. b) Click Antivirus Settings. c) Select the IP address for the ICAP server and click the pencil icon. d) Edit the description box and click Next

of 16

C opyright © 2018 Symantec Corporation. A ll rights reserved. Symantec, the Symantec Logo, and Norton A ntiVirus are

trademarks or regis tered trademarks of Symantec Corporation or its affiliates in the U .S. and other countries . O ther

names may be trademarks of their respective owners .

The produc t described in this document is distributed under licenses restricting its use, copying, dis tribution, and

decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without

prior written authorization of Symantec C orporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED “AS IS” A ND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS A ND

WA RRANTIES, INCLUDING A NY IMPLIED WA RRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURP OSE

O R NO N-INFRINGEMENT, A RE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS A RE HELD TO BE

LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES

IN C ONNECTION WITH THE FURNISHING PERFORMANCE, O R USE OF THIS DOCUMENTATION. THE INFORMATION

C O NTAINED IN THIS DOCUMENTATION IS SUBJECT TO C HANGE WITHOUT NOTICE.

Symantec C orporation

350, E llis Street

Mountain V iew, C A 94043

http://www.symantec .com

http://www.symantec.com/

configuring symantec protection engine for network attached … · 2020. 6. 15. · page 5 of 16 1....

Documents