emc celerra network server · 2020-05-08 · emc celerra network server version 5.6.46 using...

EMC CorporationCorporate Headquarters:

Hopkinton, MA 01748-9103

1-508-435-1000www.EMC.com

EMC® Celerra® Network ServerVersion 5.6.46

Using Celerra AntiVirus AgentP/N 300-004-144

REV A05

EMC Celerra Network Server Version 5.6.46 Using Celerra AntiVirus Agent2

Copyright © 1999 – 2009 EMC Corporation. All rights reserved.

Published August, 2009

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date regulatory document for your product line, go to the Technical Documentation and Advisories section on EMC Powerlink.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

All other trademarks used herein are the property of their respective owners.

EMC Celerra Network Server Version 5.6.46 Using Celerra AntiVirus Agent 3

Preface

Chapter 1 IntroductionAbout CAVA ...................................................................................... 12System requirements ........................................................................ 13Restrictions......................................................................................... 14

AV engines .................................................................................. 14CAVA pool .................................................................................. 14CEE and Windows 64-bit operating systems......................... 14Compatibility with MPFS ........................................................ 14Databases .................................................................................... 14File-level retention ..................................................................... 15Non-CIFS protocols ................................................................... 15

User interface choices ....................................................................... 16Terminology....................................................................................... 17Related information.......................................................................... 19

Chapter 2 ConceptsCAVA concepts .................................................................................. 22AntiVirus partners ............................................................................ 23CAVA features ................................................................................... 24

Load balancing and fault tolerance......................................... 24scan-on-first-read....................................................................... 25Updating virus definition files ................................................ 25Scan on write .............................................................................. 25Sizing tool ................................................................................... 25CAVA Calculator........................................................................ 26Virus-checking continuation .................................................... 26

Contents


Contents

Scanning after definition file update (manual process) ....... 27The CAVA virus-checking client ............................................. 27

Chapter 3 Installation PathAbout the CAVA installation process ............................................ 32

Basic installation procedure .................................................... 32Installation procedure for Trend Micro .................................. 33

Chapter 4 Configuring the Domain User AccountDomain user account overview...................................................... 36Determine the interface name on the Data Mover....................... 37Create a domain user account......................................................... 39

Create with Active Directory on Windows Server 2003 and Windows 2000............................................................................ 39Create from User Manager for Domains................................ 41

Create a local group on each Data Mover ..................................... 43Create local group in Windows Server 2003 ......................... 43Create local group in Windows 2000...................................... 46Create local group in Windows NT........................................ 50

Assign the EMC virus-checking right to the group..................... 51Assign in Windows Server 2003 and Windows 2000 ........... 52Assign in Windows NT............................................................. 55

Assign local administrative rights to the AV user ....................... 57Assign in Windows Server 2003 .............................................. 57Assign in Windows 2000 .......................................................... 59Assign in Windows NT............................................................. 61

Chapter 5 Configuring viruschecker.confAbout the viruschecker.conf file ..................................................... 64

viruschecker.conf parameters .................................................. 68

Chapter 6 Installing Third-Party ApplicationsAbout third-party AV engines ........................................................ 74

Install Symantec SAV for NAS ................................................ 74Install McAfee VirusScan ......................................................... 81Install Computer Associates eTrust ........................................ 84Install Sophos Anti-Virus ......................................................... 86Install Kaspersky Anti-Virus.................................................... 90Trend Micro ServerProtect for EMC Celerra ......................... 96

5EMC Celerra Network Server Version 5.6.46 Using Celerra AntiVirus Agent

Contents

Chapter 7 Installing CAVAAbout the CAVA installation ......................................................... 100

Prerequisites.............................................................................. 100Install CAVA ............................................................................. 101Complete the CAVA installation for Windows 2000 and Windows Server 2003 .............................................................. 103Complete the CAVA installation for Windows NT............ 107

Chapter 8 Starting the VC ClientAbout the VC client......................................................................... 110

Prerequisites.............................................................................. 110Start the VC client .................................................................... 111Optional VC client procedures............................................... 112Verify the installation .............................................................. 113

Chapter 9 Managing CAVACAVA management......................................................................... 116

(Optional) Install Celerra AntiVirus Management snap-in 116Display virus-checking information ..................................... 117Audit virus-checking information......................................... 118Start, stop, and restart CAVA ................................................. 118Perform a full file system scan ............................................... 120Check the status of a full file system scan ............................ 122Stop a file system scan............................................................. 122Enable scan-on-first-read ........................................................ 122Update virus definition files................................................... 123Turn off the AV engine ............................................................ 124Turn on the AV engine............................................................. 124Manage CAVA thread usage .................................................. 124View the application log file................................................... 126Enable automatic virus detection notification ..................... 127Customize virus-checking notification ................................. 129Customize notification messages........................................... 130

Chapter 10 Monitoring and Sizing CAVAAbout CAVA monitoring and sizing ............................................ 134

CAVA Calculator ...................................................................... 134CAVA sizing tool ...................................................................... 138


Contents

Chapter 11 Managing the Registry and AV DriversCAVA Registry and driver management..................................... 146

EMC CAVA configuration Registry entries ......................... 146EMC AV driver Registry entry .............................................. 149Manage the EMC AV driver................................................... 149

Chapter 12 TroubleshootingTroubleshooting CAVA .................................................................. 154

E-Lab Interoperability Navigator.......................................... 154Known problems and limitations ......................................... 154Error messages ......................................................................... 155EMC Training and Professional Services ............................. 155

Index


Preface

As part of an effort to improve and enhance the performance and capabilities of its product lines, EMC periodically releases revisions of its hardware and software. Therefore, some functions described in this document may not be supported by all versions of the software or hardware currently in use. For the most up-to-date information on product features, refer to your product release notes.

If a product does not function properly or does not function as described in this document, please contact your EMC representative.

Note: This document was accurate as of the time of publication. However, as information is added, new versions of this document may be released to the EMC Powerlink website. Check the Powerlink website to ensure that you are using the latest version of this document.

Conventions used inthis guide

EMC uses the following conventions for special notices.

Note: A note presents information that is important, but not hazard-related.

CAUTION!A caution contains information essential to avoid data loss or damage to the system or equipment.

IMPORTANT!An important notice contains information essential to operation of the software.

8 EMC Celerra Network Server Version 5.6.46 Using Celerra AntiVirus Agent

Preface

Typographical conventionsEMC uses the following type style conventions in this document:

Where to get help EMC support, product, and licensing information can be obtained as follows.

Product information – For documentation, release notes, software updates, or for information about EMC products, licensing, and service, go to the EMC Powerlink website (registration required) at http://Powerlink.EMC.com.

Normal Used in running (nonprocedural) text for:• Names of resources, attributes, pools, Boolean expressions,

buttons, DQL statements, keywords, clauses, environment variables, functions, utilities

• URLs, pathnames, filenames, directory names, computer names, filenames, links, groups, service keys, file systems, notifications

Bold Used in running (nonprocedural) text for names of commands, daemons, options, programs, processes, services, applications, utilities, kernels, notifications, system calls, and man pages

Used in procedures for:• Names of interface elements (such as names of windows,

dialog boxes, buttons, fields, and menus)• What user specifically selects, clicks, presses, or types

Italic Used for:• Full titles of publications referenced in text• User input variable identifiers

Courier Used for:• System output, such as an error message or script • URLs, complete paths, filenames, prompts, and syntax when

shown outside of running text

Courier bold Indicates specific user input (such as commands)

Courier italic Indicates variables in procedures and syntax diagrams

< > Angle brackets enclose parameter or variable values supplied by the user

[ ] Square brackets enclose optional values

| Vertical bar indicates alternate selections - the bar means “or”

{ } Braces indicate content that you must specify (that is, x or y or z)

... Ellipses indicate nonessential information omitted from the example

http://Powerlink.EMC.com

http://Powerlink.EMC.com


Preface

Troubleshooting – For troubleshooting information, go to Powerlink, search for Celerra Tools, and select Celerra Troubleshooting from the navigation panel on the left.

Technical support – For technical support, go to Powerlink and choose Support. On the Support page, you can access Support Forums, request a product enhancement, talk directly to an EMC representative, or open a service request. To open a service request, you must have a valid support agreement. Please contact you EMC sales representative for details about obtaining a valid support agreement or to answer any questions about your account.

Note: Do not request a specific support representative unless one has already been assigned to your particular system problem.

Problem Resolution Roadmap for EMC Celerra contains additional information about using Powerlink and resolving problems.

Your comments Your suggestions will help us continue to improve the accuracy, organization, and overall quality of the user publications. Please send your opinion of this document to:

[email protected]

http://powerlink.emc.com

../ProblemResolutionRoadmap/index.htm



Preface

Introduction 11

1Invisible Body Tag

This overview of EMC Celerra AntiVirus Agent (CAVA) includes system requirements, restrictions, user interface choices, terminology, and related documentation information:

◆ About CAVA ....................................................................................... 12◆ System requirements ......................................................................... 13◆ Restrictions.......................................................................................... 14◆ User interface choices ........................................................................ 16◆ Terminology........................................................................................ 17◆ Related information ........................................................................... 19

Introduction


Introduction

About CAVACAVA provides an antivirus solution to clients using an EMC® Celerra® Network Server. It uses industry-standard Common Internet File System (CIFS) protocols in a Microsoft Windows Server 2003, Windows 2000, or Windows NT domain. CAVA uses third-party antivirus software to identify and eliminate known viruses before they infect files on the storage system (for example, the EMC Symmetrix® storage system). “User interface choices” on page 16 lists supported third-party antivirus software.

This document is part of the Celerra Network Server information set and is intended for system administrators who are responsible for implementing virus checking on their Celerra Network Servers and managing the Celerra AntiVirus Agent.

System requirements 13

Introduction

System requirementsFor the latest system requirements, consult the website or documentation of the particular third-party AV engine manufacturer. The AV engine version might differ depending on the operating system.

For minimum system requirements of AV engines, contact the appropriate third-party vendor. CAVA supports 32-bit and 64-bit Windows environments and corresponding third-party engines.

For Celerra Network Servers, search the EMC E-Lab™ Interoperabilty Navigator for system requirements.


Introduction

RestrictionsThe following are known limitations at the time of publication.

Note: The EMC Celerra Network Server Release Notes contain the most up-to-date product issues.

AV engines Currently, no known limitations exist for the number of AV engines configured in the viruschecker.conf file. All AV engines are surveyed every 60 seconds (by default) to determine which AV engines are online and available. This implies that configurations with many AV engines might experience some delays due to network latency.

Kaspersky Anti-Virus Kaspersky Anti-Virus for Windows Servers Enterprise Edition is supported with Celerra Event Enabler (CEE) version 4.5.1 as of Celerra version 5.6.46.

CAVA pool Each Data Mover should have a CAVA pool consisting of a minimum of two CAVA servers. This is specified in the Data Mover’s “viruschecker.conf” file. Chapter 5, “Configuring viruschecker.conf,” contains details.

CEE and Windows 64-bit operating systems

In order to run CEE on Windows 64-bit operating systems, the Celerra-to-CEE communications must be over Microsoft RPC (MS-RPC). The version of CEE that runs on Windows 64-bit operating systems is supported with Celerra version 5.6.45 or later and CEE version 4.5.0.4 or later.

Compatibility with MPFS

Starting with NAS version 5.0, CAVA is available for MPFS. However, CAVA cannot share the same host as the MPFS client for Windows.

Databases You should not set up realtime scanning of databases. Accessing a database usually triggers a high number of scans, which in turn can cause a large amount of lag when accessing data.

To ensure that the database files are virus free, use the AV engine to schedule regular scans when the database is not in use.

Restrictions 15

Introduction

File-level retention EMC strongly recommends that the antivirus (AV) administrator updates the virus definition files on all resident AV engines in the CAVA pools, and periodically runs a full file system scan of the file system to detect infected file-level retention (FLR) files. Using File-Level Retention on EMC Celerra provides detailed information about FLR files.

To run a full file scan from the Control Station, use the server_viruschk -fsscan command. When an infected FLR file is discovered, the resident AV engine records the presence of the infection and its location in the log file of the resident scan engine. Although an administrator cannot fix or remove the infected file, the file's read access can be restricted to make the file unavailable. The infected file can only be deleted after its retention date has passed.

The “scan-on-first-read” functionality of CAVA does not detect a virus in an FLR file.

Non-CIFS protocols The Celerra antivirus solution is only for clients running the CIFS protocol. If NFS or FTP protocols are used to move or modify files, the files are not scanned for viruses.

../FileRet/index.htm


Introduction

User interface choicesThe Celerra Network Server offers flexibility in managing networked storage based on the support environment and interface preferences. This guide describes how to configure CAVA using the command line interface (CLI).

You can also perform some of these tasks using the following Celerra management applications:

◆ Microsoft Management Console (MMC) snap-ins

◆ Active Directory Users and Computers (ADUC) extensions

Installing EMC Celerra Management Applications includes instructions on launching Celerra Manager, and on installing the MMC snap-ins and the ADUC extensions.

For additional information about managing your Celerra, refer to:

◆ Learning about EMC Celerra on the EMC Celerra Network Server Documentation CD

◆ Celerra Manager online help

◆ Application’s online help system on the EMC Celerra Network Server Documentation CD

../InstallationManagement/index.htm

../../mergedprojects/Concepts/Celerra_Product_Line.htm

Terminology 17

Introduction

TerminologyThis section defines terms important to understanding CAVA capabilities with the Celerra Network Server. The EMC Celerra Glossary provides a complete list of Celerra terminology.

AV engine: Third-party antivirus software running on a Windows server that works with the Celerra AntiVirus Agent (CAVA).

AV server: Windows server configured with the CAVA and a third-party antivirus engine. “System requirements” on page 13 provides details.

AV user: Specific domain user either created or selected as the account configured for the virus checking. Use this account when configuring all of the Windows servers with CAVA and the AV engine.

CAVA Calculator: Tool that estimates the number of CAVAs required to provide a user-defined level of performance in a CAVA pool, based on user information. The tool can be run at any time, even if there is no CAVA present.

CAVA sizing tool: Program that monitors all CAVAs in the network, and sizes the network to find the ideal number of AV servers. When you install CAVA on the AV servers, the CAVA sizing tool, cavamon.exe, is also installed.

Celerra AntiVirus Agent (CAVA): Application developed by EMC that runs on a Windows server and communicates with a standard antivirus engine to scan CIFS files stored on a Celerra Network Server.

Celerra AntiVirus Management snap-in: Microsoft Management Console (MMC) snap-in to the Celerra Management Console. You can use the Celerra AntiVirus Management snap-in with CAVA and a third-party AV engine. The snap-in is used to view or modify the CAVA parameters located in the /.etc/viruschecker.conf file. The Celerra AntiVirus Management online help provides more details.

Celerra Event Enabler: Framework that provides the working environment for the CAVA and CEPA facilities.

Celerra Event Publishing Agent (CEPA): EMC-provided agent running on a Windows server that provides details of events occurring on the Windows server. It can communicate with the Celerra Network Server to display a list of events that occurred.

../../mergedprojects/Glossary/index.htm

../../mergedprojects/Glossary/index.htm


Introduction

Common Internet File System (CIFS): File-sharing protocol based on the Microsoft Server Message Block (SMB). It allows users to share file systems over the Internet and intranets.

EMC AV driver: Part of the CAVA software package, and configured automatically during installation.

EMC CAVA: Name of the Windows Server 2003, Windows 2000, and Windows NT framework service, which houses the CAVA and CEPA facilities.

EMC_CEE_Pack.exe: Executable file that installs the Celerra Event Enabler framework software, including CAVA. This file is located on the Celerra Event Enabler CD.1

virus-checking client (VC client): Virus-checking agent component of the Celerra Network Server software that runs on the Data Mover.

virus definition file: File containing information for a virus protection program that protects a computer from the newest, most destructive viruses. This file is sometimes referred to as a virus signature update file, a virus pattern update file, or a virus identity (IDE) file.

Windows Management Instrumentation (WMI): Microsoft implementation and supporting infrastructure for the Common Information Model.

1. Previous to CAVA 4.0, the name of the executable was EMCCAVAPack.exe and was located on the CAVA CD.

Related information 19

Introduction

Related informationSpecific information related to the features and functionality described in this guide are included in:

◆ EMC Celerra Network Server Command Reference Manual

◆ Online Celerra man pages

◆ EMC Celerra Network Server Parameters Guide

◆ Managing EMC Celerra for a Multiprotocol Environment

◆ Configuring and Managing CIFS on EMC Celerra

◆ Microsoft’s website for WMI information

◆ Symantec SAV for NAS documentation

◆ McAfee VirusScan documentation

◆ Computer Associates eTrust Threat Management Agent documentation

◆ Sophos Anti-Virus documentation

◆ Trend Micro ServerProtect for EMC documentation

The EMC Celerra Network Server Documentation CD, supplied with Celerra and also available on the EMC website Powerlink®, provides the complete set of EMC Celerra customer publications. After logging in to Powerlink, go to Support > Technical Documentation and Advisories > Hardware/Platforms Documentation > Celerra Network Server. On this page, click Add to Favorites.The Favorites section on your Powerlink home page provides a link that takes you directly to this page.

Celerra Support Demos are available on Powerlink. Use these instructional videos to learn how to perform a variety of Celerra configuration and management tasks. After logging in to Powerlink, go to Support > Product and Diagnostic Tools > Celerra Tools > Celerra Support Demos.

../CommandReference/index.htm

../Parameters/index.htm

../ConfWinMulti/index.htm

../ConfWindows/index.htm



Introduction

Concepts 21

2Invisible Body Tag

This chapter describes CAVA high-level concepts:

◆ CAVA concepts ................................................................................... 22◆ AntiVirus partners ............................................................................. 23◆ CAVA features .................................................................................... 24

Concepts


Concepts

CAVA conceptsThe Celerra Network Server is resistant to the invasion of viruses because of its architecture. Each Data Mover runs data access in realtime software, which is an embedded operating system. The Data Mover is resistant to viruses because third parties are unable to run programs containing viruses on a Data Mover.

Note: The AntiVirus server used to check files cannot reside in a Virtual Data Mover. It must be located in a physical Data Mover.

Although the Data Mover is resistant to viruses, Windows clients also require virus protection. Virus protection on the client reduces the chance that the client will store an infected file on the server, and protects the client if it opens an infected file.

The Celerra antivirus solution uses a combination of the Celerra Network Server Data Mover, CAVA, and a third-party antivirus engine. The CAVA software and a third-party AV engine must be installed on a Windows Server 2003, Windows 2000, or Windows NT server in the domain.

Note: McAfee 8.0i can be installed on a workstation in addition to or in place of a server. The McAfee 8.0i documentation provides more information.

AntiVirus partners 23

Concepts

AntiVirus partnersEMC has partnered with and supports the following AV engines:

◆ Symantec SAV for NAS

◆ McAfee VirusScan

◆ Computer Associates eTrust Threat Management Agent

◆ Sophos Anti-Virus

◆ Kaspersky Anti-Virus for Windows Servers Enterprise Edition

◆ Trend Micro ServerProtect for EMC Celerra

This list was correct at the time of publication. The EMC E-Lab Interoperability Navigator and the EMC Celerra Network Server Release Notes provide the latest list of supported AV engines and versions.

Chapter 6, “Installing Third-Party Applications,” contains further information about supported third-party antivirus software.


Concepts

CAVA featuresWhen CAVA is used with one of the supported third-party antivirus applications listed in “AntiVirus partners” on page 23, the following features are available:

◆ “Load balancing and fault tolerance” on page 24

◆ “scan-on-first-read” on page 25

◆ “Updating virus definition files” on page 25

◆ “Scan on write” on page 25

◆ “Sizing tool” on page 25

◆ “CAVA Calculator” on page 26

◆ “Virus-checking continuation” on page 26

◆ “Scanning after definition file update (manual process)” on page 27

◆ “The CAVA virus-checking client” on page 27

Load balancing and fault tolerance

You can use the CAVA Calculator and the CAVA sizing tool to help determine the number of CAVA servers the system requires. The CAVA Calculator can help you prior to installation, and you can use it to run what-if scenarios after installation. The CAVA sizing tool collects information from a running environment to give you a recommendation on the number of CAVA servers needed. EMC recommends that if fault tolerance is a concern, you should configure a minimum of two AV servers in the network. If one of the AV servers goes offline or cannot be reached by the Celerra Network Server, having two AV servers ensures that file scanning capability is maintained.

If you have more than one AV server on the network, the Celerra Network Server balances workloads among the AV servers by distributing the scanning jobs in a round-robin fashion. For example, if one AV server goes offline, Celerra Network Server distributes the scanning load among the other available AV servers.

Note: Each file is scanned by one AV server. You cannot configure CAVA so that a file is simultaneously scanned by multiple AV servers running different AV software.

CAVA features 25

Concepts

scan-on-first-read CAVA uses the access time of a file to determine if a file should be scanned. The access time is compared with a time reference stored in the EMC CAVA service. If the file’s access time is earlier than the reference time, the file is scanned on read before it is opened by the CIFS client. You can set the access time using the server_viruschk command. EMC Celerra Network Server Command Reference Manual provides more information about the server_viruschk command.

CAVA updates the scan-on-first-read access time when it detects a virus definition file update on the AV engine.

Updating virus definition files

CAVA can automatically detect a new version of the virus definition file and update the access time. To use this feature you must have scan-on-first-read enabled. Currently, the latest versions of all supported third-party antivirus engines support automatic pattern updates. The EMC Celerra Network Server Release Notes and the EMC E-Lab Interoperability Navigator provide the latest information on other antivirus products.

Scan on write CAVA initiates a scan after a file is modified and closed. If a file is opened, but there are no modifications made to it, it is not scanned upon closing it.

Sizing tool The CAVA sizing tool runs on Windows-based systems. The tool assists the system administrator in determining how many AV engines are necessary to provide adequate AV scanning across the Celerra Network Server.

The tool gathers information based on the specified CAVA servers queried, and returns statistics on each CAVA server.

When you install CAVA on the AV servers, the CAVA sizing tool, cavamon.exe, is also installed.

In addition, you can use the VB script, cavamon.vbs, to monitor the AV servers; however, cavamon.vbs does not perform sizing.

The heuristic in the sizing tool is set to size the CAVA environment for an average 60-percent saturation level (or workload level) in all AV servers in the environment. Users wanting to use their own heuristic for sizing can use the cavamon.vbs script for gathering CAVA statistics. These statistics can then be used as input to custom algorithms.



Concepts

Sizing toolconfiguration

overview

Configure one or more AV servers in the network as the monitoring CAVA sizing tool server—this is the server you use to monitor and size all other AV servers. The monitoring system, and all AV servers that you want to monitor, must be running the WMI subsystem. WMI is built into Windows 2000 but must be installed on Windows NT (download the WMI core 1.5 from Microsoft).

Note: The CAVA sizing tool must run on an AV server—you cannot run the sizing tool from any Windows server in the domain.

The CAVA sizing tool must be enabled on the AV servers you monitor; however, you do not have to configure the sizing tool on these servers. If you want the ability to monitor CAVA from multiple servers in the network, you can enable and configure the CAVA sizing tool on multiple servers.

The monitoring sizing tool server:

◆ Monitors all other Windows servers running CAVA.

◆ Monitors and gathers statistics on the AV engines.

◆ Gathers and lists workload information for each individual AV engine.

◆ Provides recommendations on how many AV engines are required to provide optimal antivirus protection.

Chapter 10, “Monitoring and Sizing CAVA,” contains more details.

CAVA Calculator CAVA Calculator is a utility that assists you in determining the number of CAVA servers for the environment prior to installation. CAVA Calculator can be installed and run independent of CAVA and the Celerra Network Server, whereas the sizing tool uses the actual workload. This utility is installed as part of the Celerra Event Enabler framework. “System requirements” on page 13 provides system requirements.

Virus-checking continuation

This feature stores the paths of all unscanned files whenever virus scanning is interrupted, such as in the following circumstances:

◆ Data Mover restarts — The list of unscanned files is stored in a directory reserved by the panic handler software. When the Data Mover restarts, the virus checker reads the list of unscanned files, and then scans the files.

CAVA features 27

Concepts

◆ Virus checking is stopped or a file system is unmounted — The list of unscanned files is stored in a special file on the file system. When the virus checker is restarted or the file system is remounted, the virus checker reads the unscanned list and scans the files.

The list of unscanned files is stored in the /.etc/viruschecker.audit file on each Data Mover. Use this command to manually update this file.

Scanning after definition file update (manual process)

To check files after the third-party antivirus definition file is updated, you must run the server_viruschk -set accesstime command. CAVA also supports scanning for compressed files (for example, files with the .zip extension), if the third-party antivirus software (AV engine) supports the scanning of compressed files.

The CAVA virus-checking client

The virus-checking (VC) client is the agent component of the Celerra Network Server software on the Data Mover. The VC client interacts with the AV engine, which processes requests from the VC client. Scanning is supported only for CIFS access. While the scan or other related actions are taking place, access to the file from any CIFS client is blocked.

The VC client does the following:

◆ Queues and communicates filenames to CAVA for scanning.

◆ Provides and acknowledges event triggers for scans. Possible event triggers include:

• A file is renamed on a Celerra Network Server.

• A file is copied or saved to a Celerra Network Server.

• A file is modified and closed on a Celerra Network Server.

Note: Table 1 on page 29 provides a detailed list of scanning triggers.

Action

Store the list of unscanned files using this command syntax:$ server_viruschk <movername> -auditwhere:<movername> = name of the Data Mover


Concepts

◆ Requests a virus check by sending the universal naming convention (UNC) pathname to CAVA.

◆ Allows the AV engine to perform the correct user-defined action on the file when the file is discovered to contain a virus. User-defined actions may include:

• Curing or repairing the file

• Renaming the file

• Changing the file extension

• Moving the file to a quarantined area

• Deleting or purging the file

Note: The AV engine maintains full access to the file being scanned while performing the user-defined action on the file. After completion, the AV engine returns control of the file to the VC client.

◆ If CAVA reports that the file was successfully scanned, the Celerra Network Server allows the file to be available to the client.

◆ If multiple instances of CAVA have been installed, the VC client sends scanning requests to the CAVA servers in a round-robin method.

Basic VC clientconfiguration

The VC client can be configured by using the server_viruschk command and the viruschecker.conf file. An alternative method uses the Celerra AntiVirus Management snap-in. “(Optional) Install Celerra AntiVirus Management snap-in” on page 116 provides details.

Full file system scan An administrator can perform a full scan of a file system using the server_viruschk -fsscan command. To use this feature, CAVA must be enabled and running. The administrator can query the state of the scan while it is running, and can stop the scan if necessary. A file system cannot be scanned if the file system is mounted with the option noscan. As the scan proceeds through the file system, it touches each file and triggers a scan request for each file.

CAVA features 29

Concepts

Scanning quickglance chart

Table 1 on page 29 explains when virus scanning occurs.

Note: When virus checking is enabled, two clients cannot concurrently write to the same file. The first client that requests the file, opens the file for write access; the second client must wait until the file is closed by the first client, and, if the first client modified the file, until the file is checked by the AV servers.

Table 1 Scanning quick glance chart

On the Data Mover Does scanning occur

Read a file (scan-on-first-read) Yes

Move or copy a file Yes

Create and save a file Yes

Modify and close a file Yes

Restore from a backup, only if it needs to restore a file (write) Yes

Rename: New name (extension is not in masks= and is in excl=)1 No

Rename: Original filename (extension is not in masks= and is not in excl=), new name (extension is not in masks= and is not in excl=) has same extension1

No

Rename: Original filename (extension is not in masks= and is not in excl=), new name (extension is in masks= and is not in excl=) has different extension1

Yes

Rename: Original filename (extension is in masks= and is not in excl=), new name (extension is in masks= and is not in excl=)1

No

Note: masks= and excl= are defined in the viruschecker.conf file. The masks= is set to *.* and the antivirus engine is configured to scan all files.

1. If masks=*.*, renames will not trigger scanning. If masks do not equal *.* (that is, *.exe, *.bat), then a trigger will occur.


Concepts

Installation Path 31

3Invisible Body Tag

This chapter outlines the tasks necessary to install CAVA. The tasks necessary to complete each task are located in this chapter and Chapter 4, “Configuring the Domain User Account.” Topics include:

◆ About the CAVA installation process.............................................. 32

Installation Path


Installation Path

About the CAVA installation processThe CAVA installation process varies depending on the third-party antivirus software you use. For most antivirus software, use the “Basic installation procedure” on page 32. For Trend Micro ServerProtect software, use the “Installation procedure for Trend Micro” on page 33.

Basic installation procedure

If you are installing one of the following third-party antivirus software applications, use the installation path shown in Table 2 on page 32:

◆ Symantec SAV for NAS

Note: SAV for NAS version 5.1.x requires using CAVA version 3.6.2 or later.

◆ McAfee VirusScan

◆ Computer Associates eTrust

◆ Sophos Anti-Virus

◆ Kaspersky Anti-Virus for Windows Servers Enterprise Edition

Table 2 Basic installation procedure

Step Action Procedure

1. Create a domain user with the EMC virus-checking right.

“Domain user account overview” on page 36

2. Configure virus-checking parameters on the Data Movers.

“About the viruschecker.conf file” on page 64

3. Install the AV engine on the Windows AV server. “About third-party AV engines” on page 74

4. Install CAVA on the Windows AV servers. “About the CAVA installation” on page 100

5. Start the virus-checking client on the Data Mover. “About the VC client” on page 110

6. Verify the CAVA installation. “Verify the installation” on page 113

About the CAVA installation process 33

Installation Path

Installation procedure for Trend Micro

If you are installing Trend Micro ServerProtect for EMC Celerra, use the installation path shown in Table 3 on page 33.

Table 3 Installation procedure for Trend Micro

Step Action Procedure

1. Create a domain user with the EMC virus-checking right.

“Domain user account overview” on page 36

2. Configure virus-checking parameters on the Data Movers.

“About the viruschecker.conf file” on page 64

3. Install CAVA on the Windows AV servers. “About the CAVA installation” on page 100

4. Install the Trend AV engine. “Trend Micro ServerProtect for EMC Celerra” on page 96

5. Start the virus-checking-client on the Data Mover. “About the VC client” on page 110

6. Verify the CAVA installation. “Verify the installation” on page 113


Installation Path

Configuring the Domain User Account 35

4Invisible Body Tag

This chapter describes how to configure the AV user (domain user) account with the EMC virus-checking right. Having this account allows the Data Mover to distinguish CAVA requests from all other requests. Topics included are:

◆ Domain user account overview ....................................................... 36◆ Determine the interface name on the Data Mover........................ 37◆ Create a domain user account .......................................................... 39◆ Create a local group on each Data Mover ...................................... 43◆ Assign the EMC virus-checking right to the group ...................... 51◆ Assign local administrative rights to the AV user......................... 57

Configuring theDomain User Account


Configuring the Domain User Account

Domain user account overviewThe CAVA installation requires a Windows user account that is recognized by Celerra Data Movers as having the EMC virus-checking privilege. This user account enables the Data Mover to distinguish CAVA requests from all other client requests. To accomplish this, you should create a new domain user, assign to this user the EMC virus-checking right locally on the Data Mover, and run the CAVA service in this user context.

Table 4 on page 36 provides an overview of configuring the AV user (domain user) with the EMC virus-checking right. The user account that you create in the following procedures is the preferred user account that should be configured with EMC virus-checking access.

You can also configure a local user account with access rights even if it is on a stand-alone server. Configuring and Managing CIFS on EMC Celerra provides more information on local users.

Note: For Windows Server 2003 or Windows 2000 without Active Directory, follow the instructions for Windows NT.

Optional methodFor Windows Server 2003 or Windows 2000, you can accomplish Tasks 2 through 5 using the Celerra AntiVirus Management snap-in. Installing EMC Celerra Management Applications provides installation instructions.

Table 4 Overview of configuring the AV user

Task Action Procedure

1. Determine which Data Mover interface to use when creating the local group.

“Determine the interface name on the Data Mover” on page 37

2. Create a domain user account (AV user). “Create a domain user account” on page 39

3. Create a local group on each Data Mover in the domain and add the AV user to the group.

“Create a local group on each Data Mover” on page 43

4. Assign the EMC virus-checking right to the local group.

“Assign the EMC virus-checking right to the group” on page 51

5. Assign local administrative rights to the local group on each AV server.

“Assign local administrative rights to the AV user” on page 57




Determine the interface name on the Data Mover 37


Determine the interface name on the Data MoverYou must identify the CIFS interface for the Data Mover before you create a local group on a Data Mover. Frequently, a Data Mover is configured with more than one CIFS interface. If this is the case, choose one CIFS interface for each Data Mover and use the same CIFS interface throughout the CAVA configuration.

To obtain the interface name, run the following server_cifs command from the Control Station.

Note: If you do not want to use the default CIFS interface for virus checking, you must specify another CIFS interface by setting the CIFSserver= parameter in the viruschecker.conf file. “(Optional) Define VC scanning criteria” on page 66 provides more information.

Action

Display all CIFS interfaces configured on a Data Mover using this command syntax:$ server_cifs <movername>

where:<movername> = name of the Data MoverExample:$ server_cifs server_2



Output

In this output example, the default CIFS interface is shown in boldface:server_2 :32 Cifs threads startedSecurity mode = NTMax protocol = NT1I18N mode = UNICODEHome Directory Shares DISABLED

Default WINS servers = 172.16.20.15:172.16.21.15Enabled interfaces: (All interfaces are enabled)Disabled interfaces: (No interface disabled)

DOMAIN CAPITALSSID=S-1-5-15-c6ab149b-92d87510-a3e900fb-ffffffff>DC=BOSTON(172.16.20.10) ref=2 time=0 msDC=NEWYORK(172.16.20.50) ref=1 time=0 ms

CIFS Server (Default) DM32-ANA0[CAPITALS] (Hidden)Alias(es): CFS32_0Comment='EMC_Celerra_File_Server'if=ana0 l=172.16.21.202 b=172.16.21.255 mac=0:0:d1:1d:b7:25 if=ana1 l=172.16.21.207 b=172.16.21.255 mac=0:0:d1:1d:b7:26

CIFS Server DM32-ANA1[CAPITALS] (Hidden)Alias(es): CFS32_1Comment='EMC_Celerra_File_Server'if=ana0 l=172.16.21.202 b=172.16.21.255 mac=0:0:d1:1d:b7:25 if=ana1 l=172.16.21.207 b=172.16.21.255 mac=0:0:d1:1d:b7:26

Create a domain user account 39


Create a domain user accountYou must create a domain user account on the Windows domain controller. The CAVA service is running in the context of this user.

Go to one of the following sections to create the domain user account:

◆ “Create with Active Directory on Windows Server 2003 and Windows 2000” on page 39

◆ “Create from User Manager for Domains” on page 41

Create with Active Directory on Windows Server 2003 and Windows 2000

Step Action

1. Log in to the Windows Server 2003 or Windows 2000 server as the Domain Administrator.

2. From the taskbar, click Start and select Settings > Control Panel > Administrative Tools > Active Directory Users and Computers.



3. In the console tree, right-click Users, and select New > User from the shortcut menu. The New Object - User dialog box appears.

4. In the New Object - User dialog box, do the following:a. Specify the First name, Last name, and User logon name. For the logon name, use something that refers

to virus checking, for example, virususer.

Note: You can give the domain user any name you want, although it should have a context-appropriate name. The name virususer is used as an example in this guide.

b. Click Next. The Password dialog box appears.

5. In the Password dialog box, do the following:a. Type a password and confirm the password in the appropriate fields.b. Select Password never expires.c. Click Next. A confirmation screen appears.d. Click Finish. The New Object - User dialog box closes.

6. Go to “Create a local group on each Data Mover” on page 43.

Step Action

Create a domain user account 41


Create from User Manager for Domains You create a domain user account from User Manager for Domains on Windows NT, Windows Server 2003 without Active Directory, or Windows 2000 without Active Directory.

Step Action

1. Start User Manager for Domains:• For Windows NT:

Click Start on the Windows taskbar, and select Settings > Control Panel > Administrative Tools > User Manager for Domains. The User Manager window appears.

• For Windows Server 2003 or Windows 2000 without Active Directory:Click Start on the Windows taskbar, and select Settings > Control Panel > Administrative Tools > Computer Management. Select Local Users and Groups.

2. For Windows NT, select User > New User. For Windows Server 2003 or Windows 2000, right-click the Users folder and select New User. The New User dialog box appears.



3. In the New User dialog box, do the following:a. In the Username box, type a name. For example, virususer.

Note: You can give the domain user any name you want, although it should have a context-appropriate name. The name virususer is used in this guide.

b. Type a password and confirm the password in the appropriate fields.c. Clear User Must Change Password at Next Logon.d. Click Add to save the new virususer account.e. Click the Groups button. The Group Memberships dialog box appears.

4. In the Group Memberships dialog box, do the following:a. Select Administrators from the Not a Member Of list.b. Click Add. The Administrator group is added to the Member Of list. The virususer account should be a

member of the Domain Users group and the Administrators group.c. Click OK. The Group Memberships dialog box closes.d. Click OK. The New User dialog box closes.

5. Go to “Create local group in Windows NT” on page 50.

Step Action

Create a local group on each Data Mover 43


Create a local group on each Data MoverTo assign the EMC virus-checking right to the domain user you just created, you must first create a local group on the Data Mover and assign the user to this group. Then assign the EMC virus-checking right to the group.

Go to one of the following sections to create the local group:

◆ “Create local group in Windows Server 2003” on page 43

◆ “Create local group in Windows 2000” on page 46

◆ “Create local group in Windows NT” on page 50

Create local group in Windows Server 2003

Step Action

1. For systems with Active Directory, in Active Directory Users and Computers, double-click EMC Celerra and click Computers.



2. In the Computer pane, right-click the CIFS server you want to manage and select Manage from the shortcut menu. The Computer Management window appears.

3. Under System Tools, double-click Local Users and Groups.

Step Action



4. Right-click Groups and select New Group. The New Group dialog box appears.

5. In Group name, type a group name (for example, viruscheckers) and in Description, type a description.

6. Click Add. The Select Users, Computers, or Groups dialog box appears.

7. In the Select Users, Computers, or Groups dialog box, do the following:a. Type the name of the AV user account that you created in “Create a domain user account” on page 39.b. Click Check Names.c. Click OK to close the Select Users, Computers, or Groups dialog box.d. Click OK. You return to the New Group dialog box.

8. Click Create, and click Close. The group is created and added to the Groups list. Go to “Assign in Windows Server 2003 and Windows 2000” on page 52.

Step Action



Create local group in Windows 2000

Step Action

1. For systems with Active Directory, in Active Directory Users and Computers, double-click EMC Celerra and click Computers. For systems without Active Directory, in Computer Management, select Local Users and Groups, and proceed to step 4.



2. In the Computer pane, right-click the CIFS server you want to manage and select Manage. The Computer Management window appears.

3. Under System Tools, double-click Local Users and Groups.

Step Action



4. Right-click Groups and select New Group. The New Group dialog box appears.

5. In Group name, type a group name (for example, viruscheckers) and in Description, type a description.

Step Action



6. Click Add. The Select Users or Groups dialog box appears.

7. In the Select Users or Groups dialog box, do the following:a. Select the domain from the Look in: list box.b. Select the previously created virus-checking user from the list.c. Click Add. The username appears in the lower window.d. Click OK. You return to the New Group dialog box.

8. Click Create, and click Close. The group is created and added to the Groups list. Go to “Assign in Windows Server 2003 and Windows 2000” on page 52.

Step Action



Create local group in Windows NT

Step Action Result

1. From User Manager, select User > Select Domain. The Select Domain dialog box appears.

2. In the Select Domain dialog box, do the following:a. In the Domain field, type:

\\<CIFS_servername>

where <CIFS_servername> = the NetBIOS name or IP address of the CIFS server on the Data Mover.

b. Click OK.

User Manager for the Data Mover opens.

3. Select User > New Local Group. The New Local Group dialog box appears.

4. In the New Local Group dialog box:a. Type a group name and description in the

appropriate fields.b. Click Add.

The Add Users and Groups dialog box appears.

5. In the Add Users and Groups dialog box:a. Select the Windows domain from the List Names

From list box.b. Select the name of the virususer you created in

“Create a domain user account” on page 39 from the Names list box.

c. Click Add. The username appears in the lower window.

d. Click OK.

The New Local Group dialog box appears. The AV user has been added to the new group.

6. In the New Local Group dialog box, click OK.If you receive a message that the new member could not be added to the group, ensure that you have correctly enabled CIFS user authentication. Configuring and Managing CIFS on EMC Celerra provides information on setting up CIFS user authentication.

The New Local Group dialog box closes.

7. Go to “Assign in Windows NT” on page 55.


Assign the EMC virus-checking right to the group 51


Assign the EMC virus-checking right to the groupNow that you have created the domain user, you must distinguish this user from all other domain users by assigning the EMC virus-checking right. This right is not a domain privilege, but rather it exists locally in the Data Mover and is added to the local group you created in the previous section.

Note: You cannot use Microsoft’s Windows Local Policy Setting tools to manage user rights assignments on a Data Mover because the Windows Local Policy Setting tools do not allow you to remotely manage user rights assignments.

Go to one of the following sections to assign the EMC virus-checking right to the group:

◆ “Assign in Windows Server 2003 and Windows 2000” on page 52

◆ “Assign in Windows NT” on page 55



Assign in Windows Server 2003 and Windows 2000

Step Action

1. Click Start and select Settings > Control Panel > Administrative Tools > Celerra Management. The Celerra Management window appears.

Note: Installing EMC Celerra Management Applications provides information on installing the Celerra Management Console.

2. Do one of the following:• If a Data Mover is already selected (name appears after Data Mover Management), go to step 4.• If a Data Mover is not selected:

Right-click Data Mover Management and select Connect to Data Mover.In the Select Data Mover dialog box, select a Data Mover using one of the following methods:– In the Look in: list box, select the domain in which the Data Mover you want to manage is located, and select the Data Mover from the list.or– In the Name box, type the computer name, IP address, or the NetBIOS name of the Data Mover.

3. Double-click Data Mover Management, and double-click Data Mover Security Settings.




4. Click User Rights Assignment. The assignable rights appear in the right pane.

5. Double-click EMC Virus Checking. The Security Policy Setting dialog box appears.

Step Action



6. Click Add. The Select Users or Groups window appears.

7. In the Select Users or Groups window do the following:a. Select the CIFS server from the Look in: list box.b. Select the antivirus group that you created in “Create a local group on each Data Mover” on page 43.c. Click Add. The group name appears in the lower window.d. Click OK. You return to the Security Setting dialog box.

8. Click OK. The EMC Virus Checking policy now shows the Data Mover local group. Go to the section, “Assign local administrative rights to the AV user” on page 57 to continue.

Step Action



Assign in Windows NT

Step Action

1. From the Policies menu, select User Rights. The User Rights Policy window appears.

2. In the User Rights Policy window:a. Click Show Advanced User Rights.b. Select EMC Virus Checking from the Right list box.c. Click Add. The Add Users and Groups window appears.



3. In the Add Users and Groups window:a. From the List Names From list, select the Data Mover on which you created the group.b. From the Names list, select the group you created previously.c. Click Add. The group appears in the Add Names box.

4. Click OK.The system returns to the User Rights Policy window. The local group appears in the Grant To box.

5. Click OK.The system returns to the User Manager window. Go to the next section, “Assign in Windows NT” on page 61.

Step Action

Assign local administrative rights to the AV user 57


Assign local administrative rights to the AV userYou must assign local administrative rights to the AV user on each AV server. You must repeat this procedure for each AV server.

Note: If the AV server is a domain controller, the virus-checking user account should join the Domain Administrator group instead of the local administrator group. This is because the local administrator group is not managed on a domain controller.

Go to one of the following sections to assign local administrative rights to the group:

◆ “Assign in Windows Server 2003” on page 57

◆ “Assign in Windows 2000” on page 59

◆ “Assign in Windows NT” on page 61

Assign in Windows Server 2003

Step Action

1. Click Start and select Settings > Control Panel > Administrative Tools > Computer Management. The Computer Management window appears.

2. From the Action menu, select Connect to Another Computer. The Select Computer window appears.



3. In the Select Computer window:a. Select the virus-checker server.b. Click OK. The Select Computer window closes.

4. In the Computer Management window:a. Expand System Tools.b. Expand Local Users and Groups.c. Click Users. The users’ names appear in the right pane.

5. Right-click on the name of the AV user account that you created in “Create a domain user account” on page 39 and select Properties. The Account Properties window appears.

6. Click the Member of tab. Click Add. The Select Groups window appears.

7. In the Enter the object names to select field, type Administrators. Click OK. The Select Groups window closes.

8. Click OK to close the Account Properties dialog box.

9. Repeat steps 1–8 for each AV server in the network. On completion of the steps, go to “About the viruschecker.conf file” on page 64.

Step Action



Assign in Windows 2000

Step Action

1. Click Start and select Settings > Control Panel > Administrative Tools > Computer Management. The Computer Management window appears.

2. From the Action menu, select Connect to Another Computer. The Select Computer window appears.

3. In the Select Computer window:a. Select the virus-checker server.b. Click OK. The Select Computer window closes.

4. In the Computer Management window:a. Expand System Tools.b. Expand Local Users and Groups.c. Click Groups. The group names appear in the right pane.

5. Double-click the Administrators group. The Administrators Properties dialog box appears.



6. Click Add. The Select Users or Groups window appears.

7. In the Select Users or Groups window:a. Select the domain from the Look in: list box.b. Select the AV user account that you created in “Create from User Manager for Domains” on page 41.c. Click Add.d. Click OK. The Select Users or Groups window closes.

8. Click OK to close the Administrators Properties dialog box.

9. Repeat steps 1–8 for each AV server in the network. On completion of the steps, go to “About the viruschecker.conf file” on page 64.

Step Action



Assign in Windows NT

Step Action

1. From the domain controller or AV server:Click Start and select Settings > Control Panel > Administrative Tools > User Manager for Domains. The User Manager window appears.

2. From the User menu, select Select Domain. The Select Domain dialog box appears.

3. In the Select Domain dialog box:a. Type the UNC name of an AV server (for example, \\AVserver).b. Click OK. The Select Domain dialog box closes.

4. In the Groups pane, double-click the Administrators group. The Local Group Properties dialog box appears.

5. Click Add. The Add Users and Groups dialog box appears.



6. In the Add Users and Groups dialog box:a. Select the domain from the List Names From list.b. Select the AV user you created in “Create from User Manager for Domains” on page 41.c. Click Add.d. Click OK. The Add Users and Groups dialog box closes.

7. Click OK. The Local Groups Properties dialog box closes.

8. Repeat steps 1–7 for each AV server in the network. On completion of the steps, go to the next section, “About the viruschecker.conf file” on page 64.

Step Action

Configuring viruschecker.conf 63

5Invisible Body Tag

This chapter describes how to create, edit, and update the viruschecker.conf file. It also provides information about the parameters used in the file:

◆ About the viruschecker.conf file ...................................................... 64

Configuringviruschecker.conf


Configuring viruschecker.conf

About the viruschecker.conf fileThe viruschecker.conf file defines the Celerra virus-checking parameters for each Data Mover in the domain. For CAVA to work properly, some parameters, such as the addr parameter, must be configured. Other parameters are optional and you can configure them if you want to control the scope and style of the virus scanning.

This guide describes only the command-line procedures. In Windows Server 2003 and Windows 2000 environments, you can also use the Celerra AntiVirus Management snap-in to modify the CAVA parameters on the Data Mover. Celerra AntiVirus Management is installed as a Microsoft Management Console (MMC) snap-in to the Celerra Management Console. Installing EMC Celerra Management Applications provides instructions on installing the snap-in.

Note: A template file for viruschecker.conf resides on the Control Station in the /nas/sys directory. This file should not be edited directly but can be copied to another directory such as /nas/site for editing with a text editor.

This section covers the following required tasks:

1. “Create and edit viruschecker.conf” on page 65

2. “Define AV server IP addresses in viruschecker.conf” on page 65

3. “Send viruschecker.conf to the Data Mover” on page 66

4. “(Optional) Define VC scanning criteria” on page 66

Note: There are additional viruschecker.conf parameters you can configure. “viruschecker.conf parameters” on page 68 provides a list of these parameters.


About the viruschecker.conf file 65


Create and edit viruschecker.confEnsure that the viruschecker.conf file resides in the /.etc directory on the Data Mover before editing. You can either create a new viruschecker.conf file or retrieve the existing viruschecker.conf file and edit the contents:

◆ If the viruschecker.conf file does exist in the /.etc directory, type the following command to retrieve this file for editing:

$ server_file <movername> -get viruschecker.conf viruschecker.conf

◆ If the viruschecker.conf file does not exist in the /.etc directory, copy the template viruschecker.conf file from the /nas/sys directory on the Control Station to another directory, such as /nas/site for editing with a text editor.

Define AV server IP addresses in viruschecker.conf

Step Action

1. Open the viruschecker.conf file using an editor.

2. Locate the addr entry.

3. Add the IP addresses of all Windows servers running CAVA software, or a fully qualified domain name (FQDN). Use a vertical bar (|) or a colon (:) to separate multiple addresses.Example:The first entry below identifies a single Windows server, the second entry identifies multiple Windows servers, while the third entry identifies an FQDN:addr=192.16.20.29

addr=192.16.20.15:192.16.20.16:192.16.20.17

addr=wichita.nasdocs.emc.com

The addresses entered represent the Windows servers that the Data Mover will send the UNC path of the files to scan. For multiple server installations, the UNCs are sent in a round-robin fashion to all Windows servers configured with CAVA and the AV engine.

4. Save and close the viruschecker.conf file.



Send viruschecker.conf to the Data MoverYou must put a copy of the viruschecker.conf file on each Data Mover in the domain.

Note: If you customize a Data Mover’s viruschecker.conf file by configuring the CIFSserver= parameter, ensure that you put the customized viruschecker.conf file on the correct Data Mover.

The following documents provide more information:

◆ EMC Celerra Network Server Command Reference Manual provides detailed information on the server_file command.

◆ Managing EMC Celerra for a Multiprotocol Environment provides details on mounting a file system.

(Optional) Define VC scanning criteriaYou can configure the masks= parameter in the viruschecker.conf file to scan files with a specific extension, for example, the extension .doc or .docx for Microsoft Word documents. If you have multiple CIFS interfaces on a Data Mover, you can set the CIFSserver= parameter to specify which interface the Data Mover uses to communicate with the AV servers.

“viruschecker.conf parameters” on page 68 provides a full listing of viruschecker.conf parameters, including mask.

Action

Copy the viruschecker.conf file from the Control Station to the /.etc directory on the Data Mover using this command syntax:$ server_file <movername> -put viruschecker.conf viruschecker.conf

where:<movername> = name of the Data Mover

Output Note

server_2 : done • Repeat this command for each Data Mover within the domain.

• If the viruschecker.conf file is missing from the /.etc directory, the VC client will not start.





Step Action

1. Open the viruschecker.conf file using an editor.

2. Locate the masks= entry.

3. Type the entry for the list of files to be scanned.Examples:In the following example, all files are scanned:masks=*.*

In the following example, only .exe, .com, .doc, .docx, and .ppt files are scanned:masks=*.exe:*.com:*.doc:*.docx:*.ppt

4. Type the NetBIOS name of the Data Mover. “Determine the interface name on the Data Mover” on page 37 provides details:CIFSserver=<netbios_name or IP address>

Example:CIFSserver=dm53-ana0

Note: If this parameter is not set, the default NetBIOS name on that Data Mover is used. If you set this parameter, ensure that you use the same interface that you used in “Create a domain user account” on page 39.

5. Save and close the viruschecker.conf file.



viruschecker.conf parameters

Table 5 on page 68 provides additional parameters that can be configured within the viruschecker.conf file, or for use with the Celerra AntiVirus Management snap-in.

The masks= parameter can greatly affect virus-checking performance. It is recommended that you do not use masks=*.* because this setting scans all files. Many files cannot harbor viruses, therefore, masks=*.* is not an efficient setting. Most AV engines do not scan all files. The masks= and excl= parameters in the viruschecker.conf file should be equal to or a superset of the masks= and excl= settings used by the AV engine.

Table 5 Parameters in the viruschecker.conf file (page 1 of 4)

Parameter Description Example

masks= Configures file extensions that will be scanned.

masks=*.exe

In the following example, only .exe, .com, .doc, .docx, and .ppt files are scanned:masks=*.exe:*.com:*.doc:*.docx:*.ppt

excl= Defines files or file extensions to exclude during scanning.

excl=pagefile.sys:*.tmp

addr= Sets the IP addresses for the AV servers, or an FQDN.

Single IP address:addr=192.16.20.29

Multiple IP addresses:addr=192.16.20.15:192.16.20.16:192.16.20.17

FQDN:addr=wichita.nasdocs.emc.com

Note: If an AV server is going to be temporarily or permanently removed, delete its IP address from this file before shutting down the EMC CAVA service.

CIFSserver=<CIFS_server_name> (optional)

Identifies the interface on the Data Mover used by the CAVA Client <CIFS_server_name> (NetBIOS name, compname, or the IP address) of the CIFS server on the Data Mover. If the parameter is not given, the default CIFS server is used.

CIFSserver=CIFS_Host2



maxsize=<n> (optional)

Sets the maximum file size for files that will be checked. Files that exceed this size are not checked.Type a hexadecimal number with a prefix of 0x. The maxsize must be less than or equal to 0xFFFFFFFF.If the parameter is not given or is equal to 0, it means no file size limitation is set.The file size is in bytes with a 4 GB maximum.

maxsize=0xFFFFFFFF

highWaterMark=<n> (optional) Edits the highWaterMark parameter.When the number of requests in progress becomes greater than the highWaterMark, a log event is sent to the Celerra Network Server.The default value is 200. The maximum is 0xFFFFFFFF.

highWaterMark=200

lowWaterMark=<n> (optional) Edits the lowWaterMark parameter. When the number of requests in progress becomes lower than lowWaterMark, a log event is sent to the Celerra Network Server.The default value is 50.

lowWaterMark=50

RPCRetryTimeout=<n> (optional)

Sets the timeout of the RPC retry. The timeout is set in milliseconds.The default value is 5000 milliseconds. The maximum is 0xFFFFFFFF.

RPCRetryTimeout=4000





RPCRequestTimeout=<n> (optional)

Sets the timeout of the RPC request (in milliseconds).Works with RPCRetryTimeout. When an RPC is sent to the CAVA server, if the server answers after the RPCRetryTimeout, the Data Mover retries until RPCRequestTimeout is reached. If RPCRequestTimeout is reached, the Data Mover goes to the next available CAVA server.The default value is 25000 milliseconds.

Note: This value should be equal to the SAV for NAS Container File Processing Limits value. “Install Symantec SAV for NAS” on page 74 contains details.

RPCRequestTimeout=20000

msrpcuser= Specifies the name assigned to either a simple user account or user account that is part of a domain that the EMC CAVA service is running under on the CEE machine.

User account:msrpcuser=ceeuser

Domain.user account:msrpcuser=CEE1.ceeuser

surveyTime=<n> (optional)

Specifies the time interval used to scan all AV servers to see if they are online or offline. This parameter works with the shutdown parameter shown next. If no AV server answers, the shutdown process begins using the configured shutdown parameter. This is the only parameter that triggers shutdown.The default value is 60 seconds.min=1, max=0xFFFFFFFF.

surveyTime=60





shutdown= Specifies the shutdown action to take when no server is available. Works with the surveyTime parameter.Options include the following parameters:

• shutdown=cifs — Stops CIFS if no AV server is available. (No Windows clients can access any Celerra share.)If strict data security is important in the environment, you should enable this option to prevent access to the files if all AV servers are unavailable. If this option is not enabled, and all AV servers are unavailable, clients can modify files without any virus checking.

Note: shutdown=CIFS should be disabled if less than two CAVA servers are configured.

shutdown=cifs

• shutdown=no — Continues retrying list of AV servers if no AV server is available. Two watermarks exist (low and high); when each is reached, an Event log is sent. Use the Event log to take corrective action on the Data Mover to ensure that virus checking is functional.

shutdown=no

• shutdown=viruschecking — Stops the virus checking if no AV server is available. (Windows clients can access Celerra shares without virus checking.)

The default is shutdown=no.

shutdown=viruschecking



Installing Third-Party Applications 73

6Invisible Body Tag

This chapter describes how to install and configure the third-party AV engine packages for CAVA:

◆ About third-party AV engines.......................................................... 74

Installing Third-PartyApplications


Installing Third-Party Applications

About third-party AV enginesInstall one of the third-party AV engines on each participating AV server before installing CAVA (except for Trend Micro ServerProtect, which you install after installing CAVA). Use the virususer account created in “Create a domain user account” on page 39 when installing the AV engine software.

Note: The EMC E-Lab Interoperability Navigator and the EMC Celerra Network Server Release Notes provide the latest list of supported AV engines and versions.

This section contains installation instructions for the following products:

◆ “Install Symantec SAV for NAS” on page 74

◆ “Install McAfee VirusScan” on page 81

◆ “Install Computer Associates eTrust” on page 84

◆ “Install Sophos Anti-Virus” on page 86

◆ “Install Kaspersky Anti-Virus” on page 90

◆ “Trend Micro ServerProtect for EMC Celerra” on page 96

CAUTION!All packages except Trend Micro ServerProtect for EMC Celerra must be installed prior to installing CAVA. “Trend Micro ServerProtect for EMC Celerra” on page 96 provides installation instructions.

Install Symantec SAV for NAS

Symantec SAV for NAS resides on an AV server and interfaces with CAVA version 3.6.2 (or later) for SAV for NAS versions 4.3.X and 5.1.X using the NATIVE and Internet Content Adaptation Protocol (ICAP) protocols, respectively. The application that requires antivirus scanning links to the Symantec library of scanning API calls, using these protocols. Symantec SAV for NAS version 4.3.X uses the NATIVE protocol and version 5.1.X uses the ICAP protocol for the deletion of the infected files.

About third-party AV engines 75


Note: You must change the SAV for NAS service from SYSTEM to the same user that is running CAVA, otherwise access problems can result. “Domain user account overview” on page 36 provides more information about configuring the domain user and assigning access rights.

Step Action

1. Install the SAV for NAS software. Symantec documentation provides specific installation steps.

2. Navigate to the SAV for NAS Status page. Click Configuration.



3. If you are using SAV for NAS 4.3.X, select Native protocol then skip to step 5 on page 78.

Step Action



4. If you are using SAV for NAS 5.1.X, select ICAP protocol, and type 1344 in the Port number box to support Symantec SAV for NAS version 5.1.X.

Note: In order for SAV for NAS 5.x to work with Celerra, ICAP needs to accept requests from IP address 127.0.0.1. In 5.1.x (shown above) this can be done by either leaving the bind address field blank which includes all addresses, or by specifying 127.0.0.1.

While using SAV for NAS 5.1.X, perform the following:a. Stop the Scan Engine Service.b. Open a command prompt, navigate to the directory where the scan engine has been installed, and run the following

command:java -jar xmlmodifier.jar -s /policies/Misc/HonorReadOnly/@value falsepolicy.xml

c. Restart the Scan Engine Service.If the above setting is not specified, SAV for NAS will not be able to delete the infected files because CAVA will not accept any scan requests.

Step Action



5. Click LiveUpdate. Click the LiveUpdate Now to get any new definition files.

Step Action



Note: You can upgrade CAVA support for Symantec from SAV for NAS version 4.3.X or any other vendors version to Symantec SAV for NAS 5.1.X using the Modify option on the initial CAVA installation screen.

Step Action



Setting exclusions When using SAV for NAS and SAVCE on the same machine, the temporary scan directory of SAV for NAS must be set in the Exclusions section of the File System Auto-Protect configuration menu in the SAVCE main console. This is to ensure that the AV engine takes action on all infected files that the virus scan detects.

Setting containerhandling policies

The SAV for NAS Container File Processing Limit for the time to extract a file should be equal to the RPCRequestTimeout value set in the viruschecker.conf file (the default is 25000 milliseconds). To access the limit, from the Scan Engine’s menu choose Policies > Filtering > Container Handling and set the Time to extract file meets or exceeds: value.

Step Action

1. Navigate to the SAV for NAS Status page. Click Configuration and then Resources.

2. Specify a temporary directory for scanning.

Note: Allow enough room for this directory to grow because it can become several GBs in size. If a local AV solution is used, make sure to also exclude this directory from scanning. A local AV solution on the AV server must not be allowed to scan the temporary working directory in use by SAV for NAS.



ModifyingLimitChoiceStop

settings

The LimitChoiceStop parameter controls container violations actions. If this is set to false, the scan engine allows access to a file that is violating some of the container policies (such as max extract time exceeded) and will only log this error. If this is set to true (the default setting), the scan engine blocks access to (deletes) the file on the container violations.

You need to set the LimitChoiceStop parameter to false. Failure to perform this step results in an AV_INTERFACE error and CAVA will not become online.

Install McAfee VirusScan

Step Action

1. Edit the filtering.xml file that resides in the SAV install directory.

2. Set the LimitChoiceStop option to false.

Step Action

1. Create a temporary directory on the hard drive of an AV server to interface with CAVA, and extract the VirusScan release files into that directory. McAfee’s documentation provides specific installation steps.

2. Install and start the application.

Note: If you are upgrading VirusScan, create a backup copy of the MCSHIELD.EXE file. Copy this file to a different directory or rename the file with a different extension.

3. Open the VirusScan On-Access Monitor, and click Properties. The VirusScan Properties dialog box appears.

4. On the VirusScan Properties window, click Detection. The Detection tab appears.



5. From the Detection tab, select the following:

Note: If you are running McAfee version 7.1 or later, it is critical to have When reading from disk selected.

6. Click Apply.

Step Action



7. On the VirusScan Properties window, click Actions. The Actions tab appears.

8. From the Actions tab, do the following:a. From the When a threat is found list, select one of the following options:

• Clean files automatically. This automatically cleans the infection (if it can be cleaned). If the infection cannot be cleaned, the file is left in place and the extension VIR is appended to the filename.

• Delete files automatically. This automatically deletes infected files.b. Click Apply.

Note: Optionally, you might want to configure the Response to user options.

9. Close the VirusScan Properties window. Go to “About the CAVA installation” on page 100.

Step Action



Install Computer Associates eTrust

Step Action

1. Install the eTrust application on an AV server to interface with CAVA. Computer Associates’ documentation provides specific installation steps.

2. Start the application, and navigate to the eTrust Threat Management Agent window.

3. On the eTrust Threat Management Agent window, click the Scan tab.

4. On the Scan tab, select the following:• Under Direction, select Incoming and Outgoing Files.• Under Safety Level, select Secure.• Under Infection Treatment, select any of the options.



5. Click the Advanced tab.

6. On the Advanced tab, select the following:• Under Protected Areas, select Protect Network Drives. You can also select Protect Floppy Drives and Protect

CD-ROM if desired.• Under Advanced Protection and Realtime Pop-up Messages, select whatever you want.

Step Action



Install Sophos Anti-Virus

7. Click Selection, and click Advanced. The Advanced Detection Options dialog box appears.

8. Under Antivirus Engine, select Heuristic Scanner, for infections whose signatures have not yet been isolated and documented.

Note: The settings under NTFS File System are optional.

9. Click OK to save the changes. Go to “About the CAVA installation” on page 100.

Step Action

Step Action

1. Install Sophos Anti-Virus on a server that will interface with the CAVA server. Sophos’ documentation provides specific installation steps.

2. Right-click the Sophos icon (a blue shield) in the system tray and select Open Sophos Anti-Virus.

3. On the Sophos Anti-Virus home page, click Configure Sophos.

4. Select On-access scanning. The On-access scan settings for this computer dialog box appears.



5. On the Scanning tab, ensure that Enable on-access scanning for this computer is checked and select On read.

Step Action



6. On the Options tab, select Scan for adware/PUAs and Scan for suspicious files (HIPS).

Step Action



7. On the Cleanup tab in Viruses/spyware, select Automatically clean up items that contain virus/spyware. Select Delete to delete items that cannot be cleaned up.

8. Click OK to close the dialog box.

9. Close the Sophos program. Go to “About the CAVA installation” on page 100.

Step Action



Install Kaspersky Anti-Virus

Step Action

1. Install Kaspersky Anti-Virus for Windows Servers Enterprise Edition on a server that will interface with the CAVA server. Kaspersky’s documentation provides specific installation steps.

2. Open the Kaspersky Anti-Virus MMC Console.

3. In the left pane, select Real-time protection and then Real-time file protection. The Real-time file protection window appears.



4. In the right pane, select Configuring protection scope. The Configuring protection scope tab appears.

5. On the Configuring protection scope tab, select Network places and click Settings.

Step Action



6. On the General tab:• In Objects protection, select All objects and Scan alternate NTFS streams.• In Compound objects protection, select all six checkboxes.

Step Action



7. On the Actions tab, in Actions to be performed on infected objects, select one of the following options:• Block access and disinfect• Block access and disinfect; delete if disinfection fails• Block access and delete• Block access and perform recommended action

Note: Block access does not work with CAVA.

In Actions to be performed on suspicious objects, select one of the following options:• Block access and quarantine• Block access and delete• Block access and perform recommended action

Note: Block access does not work with CAVA.

Step Action



8. On the Performance tab:• In Exclusions, clear Exclude objects and Exclude threats.• In Advanced settings, clear Stop if scan takes longer than (sec) and Do not scan compound objects

larger than (MB), and select Use iChecker technology and Use iSwift technology.

9. In the left pane, right-click Real-time file protection and select Save task to save the settings you changed.

Step Action



10. In the left pane, right-click Real-time file protection and select Properties. The Real-time file protection Properties dialog box appears.

11. On the General tab, select On access and modification.

12. On the Schedule tab, select one of the scheduling options.

13. Click OK to save the settings and close the Real-time file protection Properties dialog box.

14. Close the Kaspersky Anti-Virus program. Go to “About the CAVA installation” on page 100.

Step Action



Trend Micro ServerProtect for EMC Celerra

ServerProtect for EMC Celerra resides on an AV server and interfaces with CAVA.

Prerequisites: Trend Micro ServerProtect for EMC Celerra must be installed after installing CAVA. “About the CAVA installation” on page 100 provides instructions on installing CAVA.

If CAVA is not installed on the ServerProtect target AV server, you will receive this server error message:

Before installing ServerProtect, you must install the EMC Celerra AntiVirus Agent (CAVA).

Install Trend MicroServerProtect

To protect the Celerra Network Server system and the AV server, the default setting for the ServerProtect Real-time Scan function is Incoming & Outgoing. EMC strongly recommends not to change this setting.

Note: The Trend Micro documentation provides specific installation and configuration steps.

Step Action

1. Start ServerProtect. The Management Console window appears. Figure 1 on page 97 shows the ServerProtect Management Console window.

2. Select Enable real-time scanning, and select the following:• Under Scan file type, select Selected files.• Under Scan options, select Scan floppy boot area, MacroTrap, and Scan mapped network drive.

Note: Ensure that you have selected Scan mapped network drive, for CAVA to function with Server Protect 5.58.

• Under Compressed files, select Scan compressed files.Leave all other settings as they are.When you have completed the steps, the Management Console window should look like Figure 1 on page 97.

3. Click Apply to save the changes. Go to “About the VC client” on page 110.



Figure 1 Trend Micro ServerProtect Real-time Scan options window

Installing CAVA 99

7Invisible Body Tag

This chapter describes how to install CAVA on each server in the domain that will act as an AV server:

◆ About the CAVA installation.......................................................... 100

Installing CAVA


Installing CAVA

About the CAVA installationCAVA should be installed on each server in the domain that you want to act as an AV server. If you plan on using the CAVA Calculator, you also need the Microsoft .NET Framework installed. If you do not have the .NET Framework, it is installed during the installation of the CAVA Tools package.

Note: You should configure at least two AV servers in the network. If one of the AV servers goes offline or cannot be reached by the Celerra Network Server, having two AV servers ensures that file scanning capability is maintained.

Prerequisites This section provides important information that you should be aware of before installing CAVA:

◆ Removing old versions of CAVA: If an AV server has a previous version of CAVA installed, remove that version of CAVA, reboot, and then install the new version of CAVA. Use the Windows Control Panel’s Add/Remove Programs window to remove old versions of CAVA. You must have local administrative privileges to remove programs.

Note: If you do not remove the previous version of CAVA before upgrading, you can choose the Remove option on the initial installation screen to first remove the previous version, then continue with the installation.

◆ Reinstallation of CAVA: During a reinstallation of CAVA, you might see an overwrite protection message if the installation files were previously unpacked to the temporary directory. If this happens, do the following: From the Overwrite Protection message window, click Yes to All to overwrite the existing files. This process ensures that the latest version of the files exist in the temporary directory.

About the CAVA installation 101

Installing CAVA

◆ Machine restarts without prompting: On machines running Windows NT, during the first installation of the CAVA engine, a system restart will occur following the Windows Installer installation and before the actual installation of CAVA begins. After the Windows NT server is restarted, the installation process will continue without prompting. This is a known Windows InstallShield behavior.

◆ Celerra Event Enabler CD: You must have a copy of the Celerra Event Enabler CD to install the latest version of CAVA on each server.

Install CAVA

Step Action Result

1. Insert the Celerra Event Enabler software distribution CD into the CD drive of the Windows server where you want to install the Celerra Event Enabler software.

If Windows Autorun is enabled and the InstallShield Wizard window appears, skip to step 6; otherwise, go to step 2.

2. From the Windows taskbar, click Start and select Run.

The Run dialog box appears.

3. From the Run dialog box:a. Click Browse to locate the EMC_CEE_Pack

executable file on the Celerra Event Enabler CD.b. Select the EMC_CEE_Pack executable file for

either 32-bit (_Win32) or the 64-bit (_x64) version of the software and click Open.

c. Click OK to start the InstallShield Wizard.

The Welcome to the InstallShield Wizard for EMC Celerra Event Enabler Framework Package window appears:• If you have the most current version of

InstallShield, the License Agreement window appears. Skip to step 7.

• If you do not have the most current version of InstallShield, you are prompted to install it. Go to step 4.

4. Click Next. The Location to Save Files window appears.

5. Click Next.

Note: Do not change the location of the temporary directory.

The Extracting Files process runs and returns to the Welcome to the InstallShield Wizard window.

6. Click Next. The License Agreement window appears.

7. Click I accept the terms in the license agreement, and click Next.

The Customer Information window appears.

8. Type a username and organization, and click Next. The Setup Type window appears.

9. Select Complete, and click Next. The Symantec SAV for NAS window appears.


Installing CAVA

10. If you are using Symantec antivirus software, select Work with Symantec SAV for NAS and the option for the SAV version you are using; otherwise, click Next. The Ready to Install the Program window appears.

11. Click Install. After the program is installed, the InstallShield Wizard Completed window appears.

12. Click Finish. The EMC Celerra Event Enabler Installer Information window appears and prompts you to restart the server.

13. Click Yes.

Note: Clicking No cancels the restart.

The machine restarts. Go to one of the following sections to complete the installation:• For Windows Server 2003 and Windows 2000

installations, go to “Complete the CAVA installation for Windows 2000 and Windows Server 2003” on page 103.

• For Windows NT installations, go to “Complete the CAVA installation for Windows NT” on page 107.

Step Action Result


Installing CAVA

Complete the CAVA installation for Windows 2000 and Windows Server 2003

Step Action

1. From the Windows taskbar, click Start > Settings > Control Panel > Administrative Tools > Services.

2. Double-click EMC CAVA in the Service list. The EMC CAVA Properties window appears.

3. From the EMC CAVA Properties window, click Log On.


Installing CAVA

4. Select This account, and click Browse to locate the virususer account created in “Domain user account overview” on page 36. The Select User window appears.

5. Click Locations. The Locations window appears.

Step Action


Installing CAVA

6. Navigate to the domain where the virususer account exists, select the domain location, and click OK. The Select User window now contains the location.

7. Click Advanced.

8. Click Find Now.

9. Select the virus user’s account from the list, and click OK.

Step Action


Installing CAVA

10. For this user account, type the account’s password in both the Password and Confirm password fields.

11. Click OK. The following message appears:The new logon name will not take effect until you stop and restart the service.

12. Click OK.

13. Stop and restart the EMC CAVA service. “Start, stop, and restart CAVA” on page 118 provides instructions on using the EMC CAVA services.

Step Action


Installing CAVA

Complete the CAVA installation for Windows NT

Step Action

1. From the Windows taskbar, click Start > Settings > Control Panel.

2. Click the Services icon. The Services window appears.

3. Scroll until you see EMC CAVA in the Service list and then select it.

4. From the Services window, click Startup.

5. From the Services window, click This Account.

6. Do the following:a. Click Browse.b. Locate the virususer account created in “Domain user account overview” on page 36.c. Select the user from the list.

7. Type passwords in the Password and Confirm Password fields.

8. Click OK, and click Close to complete the configuration.

9. Return to the EMC CAVA Installer Information window, and click Yes.


Installing CAVA

Starting the VC Client 109

8Invisible Body Tag

This chapter describes how to start virus checking on the VC client. Before starting, you should have appropriately installed and configured CAVA. After virus checking has been started, you should verify the installation:

◆ About the VC client ......................................................................... 110

Starting the VC Client



About the VC clientAfter the installation is complete, you must start the virus-checking client (VC client) on the Data Mover by using the server_setup command or using the Celerra AntiVirus Management snap-in. The VC client communicates with CAVA on the AV servers.

Prerequisites Before starting the virus-checking service:

◆ The administrator must issue the following command from the Control Station:

/nas/sbin/server_user server_2 -add -md5 -passwd <msrpcuser>

The administrator then must follow the prompts for entering information.

<msrpcuser> is the name assigned to either a simple user account or user account that is part of a domain that the EMC CAVA service is running under on the Celerra Event Enabler machine. For example, if the EMC CAVA service is running under a user called ceeuser, the viruschecker.conf file entry would be msrpcuser=ceeuser. If ceeuser is a member of a domain, the entry would be msrpcuser=domain.ceeuser.

◆ Ensure that the CIFS services are configured and started. Managing EMC Celerra for a Multiprotocol Environment provides details.

◆ Ensure that CAVA is installed and running on all AV servers. “About the CAVA installation” on page 100 provides details.


About the VC client 111


Start the VC client

Action

Start the VC client on the Data Mover by using this command syntax:$ server_setup <movername> -Protocol viruschk -option start

where:<movername> = name of the Data MoverExample:To start the VC client on server 2, type:$ server_setup server_2 -Protocol viruschk -option start

Output Note

server_2 : done If CAVA is not running on a Windows server in the domain, you will receive the following error message:RPC Error from checker xxx.xxx.xxx.xxx

EMC Celerra Network Server Error Messages Guide provides details.

../ErrorMsgs/index.htm



Optional VC client procedures

The following two procedures are optional after the VC client starts running.

Stop the VC client To stop the VC client, use this command syntax:

$ server_setup <movername> -P viruschk -o stop

where:

<movername> = name of the Data Mover

Update theviruschecker.conf file

When making subsequent changes to the viruschecker.conf file, use the server_viruschk command with the update parameter to load the file into memory. This updates the viruschecker.conf file without stopping the virus-checking services.

Note: Celerra AntiVirus Management snap-in provides an alternative method to update the viruschecker.conf file. “(Optional) Install Celerra AntiVirus Management snap-in” on page 116 provides instructions on using the snap-in.

Use this procedure while the VC client is running.

Step Action

1. From the Control Station, use this command syntax to copy the viruschecker.conf file from the Data Mover:$ server_file <movername> -get viruschecker.conf viruschecker.conf

2. Edit the copied viruschecker.conf file with a text editor.

3. Use this command syntax to copy the modified viruschecker.conf file to the corresponding Data Mover:$ server_file <movername> -put viruschecker.conf viruschecker.conf


4. Update the viruschecker.conf file on the Data Mover by using this command syntax:$ server_viruschk <movername> -update

where:<movername> = name of the Data MoverExample:To update the file on server 2, type:$ server_viruschk server_2 -update

Output:server_2 : done

About the VC client 113


Verify the installation

Confirm that virus checking is operating properly by using one of the following methods:

◆ Use a placebo virus to trigger the AV engine. A placebo, or benign virus, does not infect Windows Server 2003, Windows 2000, Windows NT servers or the Data Movers. Visit Eicar online at the following URL to download the Eicar antivirus eicar.com.txt file:http://www.eicar.org/anti_virus_test_file.htm

◆ Mimic the client’s access to files on the Data Mover for various levels of access. For example, perform a write from one client followed by multiple reads from other clients, or copy a number of files from one directory to another on the Data Mover.

Managing CAVA 115

9Invisible Body Tag

This chapter describes management tasks for CAVA. It also has details on CAVA thread usage:

◆ CAVA management ......................................................................... 116

Managing CAVA


Managing CAVA

CAVA managementThis chapter contains information on the following:

◆ “(Optional) Install Celerra AntiVirus Management snap-in” on page 116

◆ “Display virus-checking information” on page 117

◆ “Audit virus-checking information” on page 118

◆ “Start, stop, and restart CAVA” on page 118

◆ “Perform a full file system scan” on page 120

◆ “Enable scan-on-first-read” on page 122

◆ “Update virus definition files” on page 123

◆ “Turn off the AV engine” on page 124

◆ “Turn on the AV engine” on page 124

◆ “Manage CAVA thread usage” on page 124

◆ “View the application log file” on page 126

◆ “Enable automatic virus detection notification” on page 127

◆ “Customize virus-checking notification” on page 129

◆ “Customize notification messages” on page 130

You can manage CAVA by using the Windows Server 2003, Windows 2000, or Windows NT 4.0 Services Applet.

Note: The CIFS services must be configured and started before you can modify configuration parameters for an AV client.

(Optional) Install Celerra AntiVirus Management snap-in

In Windows Server 2003 and Windows 2000 environments, use the Celerra AntiVirus Management snap-in to modify the CAVA parameters on the Data Mover. Installing EMC Celerra Management Applications provides instructions on installing the snap-in.

Open the CelerraAntiVirus

Management snap-in

To open the Celerra AntiVirus Management snap-in, click Start on the Windows taskbar, and select Settings > Control Panel > Administrative Tools > Celerra Management. The Celerra Management Console appears.

For assistance in using the Celerra AntiVirus Management snap-in, click Help in the toolbar.


CAVA management 117

Managing CAVA

Note: The CIFS services must be configured and started on the Data Mover before you can change Celerra virus-checking configuration parameters.

Display virus-checking information

Action

Display the virus checker information by using this command syntax:$ server_viruschk {<movername> | ALL}

Example:To display the virus checker information on server 2, type:$ server_viruschk server_2

Output Note

server_2 :10 threads started1 Checker IP Address(es):172.24.101.217 ONLINE at Tue Jan 25 23:29:04 2005 (GMT-00:00)RPC program version: 3CAVA release: 3.3.5, AV Engine: Network AssociatesLast time signature updated: Tue Jan 25 23:28:14 2005 (GMT-00:00)1 File Mask(s):*.* No File excludedShare \\127_SVR2SH1\CHECK$RPC request timeout=25000 millisecondsRPC retry timeout=5000 millisecondsHigh water mark=200 Low water mark=50 Scan all virus checkers every 60 secondsWhen all virus checkers are offline:Continue to work with Virus Checking and CIFSScan on read if access Time less than Tue Jan 25 23:28:14 2005 (GMT-00:00)Panic handler registered for 65 chunks

No arguments.Displays the virus checker configuration.

ALL

Executes the command for all Data Movers.


Managing CAVA

Audit virus-checking information

Start, stop, and restart CAVA

Use the EMC CAVA service to start, stop, pause, or resume services on the AV server. Through the Services window, you can manage the CAVA service if it fails to start on restart. You can access the CAVA service from a Windows Server 2003, Windows 2000, or Windows NT server using the methods described in:

◆ “From Windows Server 2003 or Windows 2000” on page 119

◆ “From Windows NT” on page 120

Action

Audit the virus checker information by using this command syntax:$ server_viruschk {<movername> | ALL} -audit

Example:To audit the virus checker information on server 2, type:$ server_viruschk server_2 -audit

Output Note

server_2 :Total Requests:244Requests in progress:1

NO ANSWER from Virus Checker Servers: 0ERROR_SETUP: 0FAIL: 0TIMEOUT: 0min=1837 uS, max=183991 uS average=30511 uS

0 File(s) in the collector queue1 File(s) processed by the AV threadsRead file ‘/.etc/viruschecker.audit’ to display the list of pending requests

No arguments.Displays the virus checker configuration.

ALL

Executes the command for all Data Movers.

-audit

Displays the status of the virus checker, such as how many files have been checked and the progress of those that are being checked.

CAVA management 119

Managing CAVA

From Windows Server2003 or Windows 2000

Step Action

1. From the taskbar, click Start, and select Settings > Control Panel > Administrative Tools > Services.

2. Scroll to EMC CAVA.

3. Right-click EMC CAVA and click Start, and select either Stop, Pause, Resume, or Restart (whichever is appropriate) from the shortcut menu.


Managing CAVA

From Windows NT

Perform a full file system scan

An administrator can perform a full scan of a file system using the server_viruschk -fsscan command from the Control Station. To use this feature, CAVA must be enabled and running. The administrator can query the state of the scan while it is running, and can stop the scan if necessary. A file system cannot be scanned if the file system is mounted with the option noscan. As the scan proceeds through the file system, it touches each file and triggers a scan request for each file.

Step Action

1. From the taskbar, click Start, and select Settings > Control Panel.

2. Click the Services icon to open the Services window.

3. Scroll to EMC CAVA.

4. Click either Start, Stop, Pause, or Resume (whichever is appropriate).

Note: To restart a service on Windows NT, you must stop and start the service.

CAVA management 121

Managing CAVA

Note: If a file system is unmounted during a full file system scan with -fsscan, the scan stops, and there can be files that might not have been touched by the scan, which means there can still be infected files present. Upon remount, -fsscan must be restarted to scan any remaining files for infection.

Although a single file system can have only one scan running on it at a time, you can scan multiple file systems simultaneously. However, scanning multiple file systems can cause the lowWaterMark and highWaterMark parameters to be reached, and an event log to be sent. You might need to increase the lowWaterMark and highWaterMark parameter values in this case. “viruschecker.conf parameters” on page 68 provides details about parameters.

Use this command to perform a full file system scan.

Action

To start a scan on a file system, use this command syntax:$ server_viruschk <movername> –fsscan <fsnname> -create

where:<movername> = name of the Data Mover<fsname> = name of the file systemExample:To start a scan on ufs1, type:$ server_viruschk server_2 –fsscan ufs1 -create

Output

server_2 : done


Managing CAVA

Check the status of a full file system scan

Stop a file system scan

Enable scan-on-first-read

You can enable the CAVA scan-on-first-read functionality using the server_viruschk command. The command sets the reference time on the virus-checker configuration file. The Data Mover uses the access

Action

To check the status of a scan on a file system, use this command syntax:$ server_viruschk <movername> –fsscan <fsnname> -list

where:<movername> = name of the Data Mover<fsname> = name of the file systemExample:To check the scan of a file system, type:$ server_viruschk server_2 -fsscan ufs1 -list

Output

server_2 :FileSystem 24 mounted on /ufs1: 8 dirs scanned and 22 files submitted to the scan engine firstFNN=0x0, lastFNN=0xe0f34b70, queueCount=0, burst=10

Action

To stop a scan on a file system, use this command syntax:$ server_viruschk <movername> –fsscan <fsnname> -delete

where:<movername> = name of the Data Mover<fsname> = name of the file systemExample:To stop a scan on ufs1, type:$ server_viruschk server_2 –fsscan ufs1 -delete

Output

server_2 : done

CAVA management 123

Managing CAVA

time of a file during an open to see if the file must be scanned. This time is compared with the time reference that is in the virus checker configuration on the Data Mover. If the access time of the file is less than this reference, the file is scanned before it is opened by the CIFS client. The time reference is updated with a field of the response of the virus checker only if the time given in this field is greater than the time reference. CAVA sets the access time when it detects a virus definition file update. The accesstime=now option sets the reference time to the current time. The accesstime=none option disables the time scan (scan-on-first-read) functionality. The reference time is stored in memory and in the viruschecker.dat file located in the /.etc directory. The time is persistent after a stop or start of the virus-checker service or after restarting the Data Mover.

Use this command to enable the scan-on-first-read functionality.

Update virus definition files

CAVA can automatically detect a new version of the virus definition file and update the access time. When a CIFS user accesses a file, the file is scanned with the latest virus definitions, even if it has not been modified since the previous scan. Each time CAVA receives an update, an entry in the Event Log is made. Updates are made through a CAVA heartbeat. To use this feature you must have scan-on-first-read enabled.

Note: Currently, McAfee version 8.0i supports automatic detection of virus definition updates. The EMC Celerra Network Server Release Notes and EMC E-Lab Interoperability Navigator provide the latest information on other antivirus products.

Action

To enable scan-on-first-read, use this command syntax:$ server_viruschk <fsname> -set accesstime=0205231130.00

where:<fsname> = name of the file systemExample:To enable scan-on-first-read on file system server 2, type:$ server_viruschk server_2 -set accesstime=0205231130.00

Output

server_2 : done


Managing CAVA

Turn off the AV engine

Use this procedure to turn off the AV engine on an AV server. If you do not, the virus-checking capability of the AV server is compromised and the CIFS files stored on the Celerra Network Server might be susceptible to virus infection.

Turn on the AV engine

If you turned off the AV engine on an AV server, use this procedure to restore the virus checking to its fully operational configuration.

Manage CAVA thread usage

Celerra AntiVirus uses four types of threads to handle virus checking:

◆ Normal Data Mover CIFS threads — Serve CIFS requests from any CIFS client.

◆ Reserved Data Mover CIFS threads — Serve CIFS requests from the external AV servers only.

◆ Data Mover viruschk threads — Issue antivirus check requests to CAVA threads on the external AV servers.

◆ CAVA threads on each external antivirus (AV) server — Service the requests issued by viruschk threads on the Data Movers.

By default, 20 threads run on each external AV server. The default number of CIFS threads that run on a Data Mover depends on Data

Step Action

1. Exclude the AV servers from the list of servers providing virus-checking capability to the Celerra Network Server. “Define AV server IP addresses in viruschecker.conf” on page 65 provides details.

2. Stop the EMC CAVA service. “Start, stop, and restart CAVA” on page 118 provides details.

3. Disable the third-party realtime scanning feature from the AV server. The third-party application’s documentation provides details.

Step Action

1. Enable the third-party realtime scanning feature from the AV server. The third-party application’s documentation provides details.

2. Start the EMC CAVA service. “Start, stop, and restart CAVA” on page 118 provides details.

3. Include the AV servers from the list of servers providing virus-checking capability to the Celerra Network Server. “Define AV server IP addresses in viruschecker.conf” on page 65 provides details.

CAVA management 125

Managing CAVA

Mover memory. By default, three CIFS threads are reserved for AV activities (these are the reserved Data Mover CIFS threads). By default, each Data Mover runs 10 viruschk threads.

In general, you should set the number of reserved threads for the VC client equal to the number of AV checking servers. However, this number should not be set higher than half the number of CIFS threads. “Adjust the maxVCThreads parameter” on page 126 provides information on setting the maxVCThreads parameter. Managing EMC Celerra for a Multiprotocol Environment provides more information on setting the number of normal CIFS threads on a Data Mover.

You can set the number of viruschk threads using the server_setup command. EMC Celerra Network Server Command Reference Manual describes how to set viruschk threads using server_setup. Chapter 11, “Managing the Registry and AV Drivers,” describes how to change the default number of CAVA threads.

If virus checking is enabled, a file usually must be scanned for viruses before the file can be accessed. Occasionally, if the VC client runs out of threads, file access requests cannot progress because there are no VC threads available for virus scanning—in effect, a deadlock occurs between file access requests and virus-checking requests.

For these situations, the VC client has special threads reserved for breaking deadlocks. The maxVCThreads parameter specifies the number of special threads reserved for the VC client. The number of reserved threads is configured by default and can be set by modifying the maxVCThreads parameter in the /nas/site/slot_param, or the /nas/server/slot_<x>/param files. Generally, the default setting for maxVCThreads is appropriate for most networks and does not need to be set.




Managing CAVA

Adjust themaxVCThreads

parameter

Use this procedure to adjust the maximum number of threads reserved for breaking deadlocks.

CAUTION!Do not change other lines in the parameter file without a thorough knowledge of the potential effects on the system. Contact EMC Customer Service for more information.

View the application log file

The following section describes the steps to access the Event Viewer and the associated application log files. CAVA logs events in the Windows Server 2003, Windows 2000, and Windows NT application event logs.

From Windows Server2003 or Windows 2000

Step Action

1. Log in to the Control Station.

2. Type the following:$ server_param {<movername> | ALL} -facility cifs -modify maxVCThreads -value <new_value>

where:<movername> = name of the Data Mover<new value> = the maximum number of threads reserved for virus checking

3. Restart CAVA with the new parameter by typing:$ server_viruschk <movername> -update


Step Action

1. From the taskbar, click Start, and select Settings > Control Panel > Administrative Tools > Computer Management.

Note: Another way to open Event Viewer is to click Start on the Windows taskbar, and select Settings > Control Panel > Administrative Tools > Event Viewer.

../Parameters/index.htm

CAVA management 127

Managing CAVA

From Windows NT

Enable automatic virus detection notification

When CAVA detects an infected file, CAVA can automatically send notification to the client through Windows pop-up messages when the Windows Messenger service is enabled. For administrators, events are logged in the system log.

2. Under System Tools, double-click Event Viewer, and click Application Log.

3. In the right-hand pane, locate the entries for EMC Checker Server.

Step Action

Step Action

1. From the Windows taskbar, click Start, and select Administrative Tools > Event Viewer. The Event Viewer - Application Log window appears.

2. Select Log > Application.

3. Double-click the EMC CAVA entry to ensure that the correct version is installed, and that the service was successfully started.For example:The EMC CAVA service, version 3.6.2.0 was successfully started.

4. Click Close to exit the Event Detail window.

5. Either click Close or select Exit from the Log menu.


Managing CAVA

The Messenger service is enabled by default on Windows NT systems. Use this procedure to enable messaging on a Windows Server 2003 or Windows 2000 system.

Step Action

1. Select Start > Settings > Control Panel > Administrative Tools > Services.

2. In the Services window, right-click the Messenger service entry and select Properties.

3. The Messenger Properties dialog box appears.

4. Select Automatic from the Startup type list. Click Apply.

5. Click OK to exit.

CAVA management 129

Managing CAVA

Customize virus-checking notification

You can customize the type of virus-checking notification CAVA sends and who receives notification by modifying the viruschk.notify parameter on the Data Mover. The default value for the viruschk.notify parameter is 7. Table 6 on page 129 provides details on the parameter values. This guide describes only the command-line procedures. Celerra Manager online help gives information on using the graphical user interface to modify parameter values.

Each third-party antivirus vendor varies slightly on which type of event triggers notification. Table 7 on page 129 lists the types of events supported by the third-party vendors. Third-party vendor documentation provides more information.

Table 6 viruschk.notify parameter

Module Parameter Value Comment/Description

cifs viruschk.notify 0–3, 6, 7 (default)4, 5 are not allowed

Setting the value of the parameter determines the type of notification CAVA sends and upon which type of event it is sent:0= A log event is sent to the Control Station if a file is deleted or renamed.1= A log event is sent to the Control Station if a file is deleted, renamed, or modified.2= A Windows message and a log event are generated if a file is deleted or renamed.3= A Windows message is sent to the client if a file is deleted or renamed. A log event is generated if a file is deleted, renamed, or modified.6= A Windows message is sent to the client when a file is deleted, renamed, or modified. A log event is generated if a file is deleted or renamed.7= A Windows message and a log event are generated when a file is deleted, renamed, or modified. This is the default.

Table 7 Event trigger type (page 1 of 2)

Vendor DeleteMove orquarantine Rename Copy Shred

Network clean

Computer Associates

McAfee

Sophos

../../../wwhelp/wwhimpl/java/html/wwhelp.htm


Managing CAVA

Customize notification messages

Use this procedure to customize notification messages that are displayed when CAVA detects a virus.

Symantec (SAV for NAS)

Trend Micro

Table 7 Event trigger type (page 2 of 2)

Vendor DeleteMove orquarantine Rename Copy Shred

Network clean

Step Action

1. Log in to the Control Station as root.

2. Create and edit the cifsmsg.txt file in a text editor.

3. Use this syntax to customize a message:

Note: Use # at the beginning of a sentence if you want to add comments to this file.

$error.FileDeletedByVC=<message line 1><message line :><message line n>.$error.FileRenamedByVC=<message line 1><message line :><message line n>.$warning.FileModifiedByVC=<message line 1><message line :><message line n>.

Note: The last line must be a period (.).

4. Save and close the file, then type: $ server_file <server_x> -put cifsmsg.txt cifsmsg.txt

where:<server_x> = name of the Data Mover

CAVA management 131

Managing CAVA

5. To affect the changes you made to the cismsg.txt file, restart (stop and start) the CIFS service on the Data Mover by using this command syntax:$ server_setup <server_x> -P cifs -o stop$ server_setup <server_x> -P cifs -o start

where:<server_x> = name of the Data Mover

If you have also changed the parameter, as described in “Customize virus-checking notification” on page 129, restart the Data Mover (instead of restarting CIFS) to affect all changes at once.

Step Action


Managing CAVA

Monitoring and Sizing CAVA 133

10Invisible Body Tag

This chapter describes the CAVA Calculator and the CAVA sizing tool:

◆ About CAVA monitoring and sizing............................................. 134

Monitoring and SizingCAVA


Monitoring and Sizing CAVA

About CAVA monitoring and sizingYou can use CAVA Calculator to estimate the number of CAVA servers that you might need prior to installing CAVA. You can also use the CAVA sizing tool to monitor the CAVA usage on the network and determine the optimal number of CAVA servers, based on system usage.

CAVA Calculator This section details how to install, run, and uninstall the CAVA Calculator on a Windows NT, Windows 2000, Windows XP, or Window Server 2003 system.

You do not need any other CAVA component installed on the system to run CAVA Calculator.

Prerequisites You must have the Microsoft .NET Framework 1.1 or later installed on the system. The .NET Framework software is included with Windows 2000, Windows XP, and Windows Server 2003 installations and is available on the CAVA software installation media. You can also download the .NET Framework from the Microsoft website.

The CAVA Calculator installation requires a restart at the end of the installation process.

Install the CAVACalculator

The CAVA Calculator is automatically installed as part of a complete Celerra Event Enabler software installation. You only need to perform this procedure if you performed a Custom installation and did not install the CAVA Calculator.

Step Action

1. Insert the Celerra Event Enabler software distribution CD into the CD drive of the Windows server where the CEE software is installed. If Windows Autorun is enabled and the InstallShield Wizard window appears, skip to step 4; otherwise, go to step 2.

2. From the Windows taskbar, click Start and select Run. The Run dialog box appears.

About CAVA monitoring and sizing 135


3. From the Run dialog box:a. Click Browse to locate the EMC_CEE_Pack executable file on the Celerra Event Enabler CD.b. Select the EMC_CEE_Pack executable file for either 32-bit (_Win32) or the 64-bit (_x64) version of the

software and click Open.c. Click OK to start the InstallShield Wizard.The Welcome to the InstallShield Wizard for EMC Celerra Event Enabler Framework Package window appears.

4. Click Next. The License Agreement window appears.

5. Select I accept the terms of the license agreement. Click Next.

6. Type a username and organization, and click Next. The Setup Type window appears.

7. Choose Custom. Click Next.

8. Select Tools from the Custom Setup screen and click Next.

Note: To install only the CAVA Tools, click the down arrow beside each feature you do not want to install and select This feature will not be available.

9. Click Install.

10. Click Finish.

11. The EMC CAVA Installer Information window appears.You need to restart the system to complete the installation. Click Yes to restart immediately or No to restart at a later time.

Step Action



Start CAVA Calculator

The CAVA Calculator’s online help provides more information about using CAVA Calculator.

Step Action

1. Click the EMC CAVA Tools icon.

2. The CAVA Tools window appears.

3. Select File > New if the CAVA Calculator is not in the CAVA Tools workspace.



Uninstall the CAVACalculator

The CAVA Calculator is automatically uninstalled when the Celerra Event Enabler software is uninstalled, and cannot be uninstalled by itself. Only use this procedure if you want to uninstall Celerra Event Enabler.

Step Action

1. Insert the Celerra Event Enabler software distribution CD into the CD drive of the Windows server where the CEE software is installed. If Windows Autorun is enabled and the InstallShield Wizard window appears, skip to step 4; otherwise, go to step 2.

2. From the Windows taskbar, click Start and select Run. The Run dialog box appears.

3. From the Run dialog box:a. Click Browse to locate the EMC_CEE_Pack executable file on the Celerra Event Enabler CD.b. Select the EMC_CEE_Pack executable file for either 32-bit (_Win32) or the 64-bit (_x64) version of the

software.

4. Click Next.

5. Select Remove. Click Next.

6. Click Finish.



CAVA sizing tool Table 8 on page 138 lists the actions you must perform to configure the sizing tool.

Prerequisites Before using the sizing tool:

◆ If you are using a Windows NT server, you must download and install WMI, core release 1.5, from the Microsoft website.

◆ The user account on the primary sizing tool server must have local administrative privileges.

Table 8 Actions for configuring the sizing tool

Task Action Procedure

1. Enable the sizing tool on the monitoring sizing tool server and on all AV servers that you want to monitor.

“Enable the sizing tool” on page 139

2. Create the cavamon.dat file on the monitoring server.

Note: Only needed if you use cavamon.exe to run the sizing tool.

“Create the cavamon.dat file” on page 141

3. Start the sizing tool on the monitoring server. “Start the sizing tool” on page 142

4. Size CAVA. “Size CAVA” on page 143

5. Optionally run cavamon.vbs. “(Optional) Gather AV statistics with cavamon.vbs” on page 144



Enable the sizing tool Enable the sizing tool on the primary sizing tool server and on all AV servers that you want to monitor.

Note: If you enable the CAVA sizing tool and you want to enable local file system scanning on the AV server, you should exclude the %SYSTEMROOT%\system32\wbem\ directory from directories to be scanned.

Step Action

1. Open the Windows Registry Editor by running regedit.exe.

Note: Editing the Windows 2000 or Windows NT Registry can cause serious problems that might require a reinstallation of the operating system. It is advisable to create a backup copy of the Registry files (system.dat and user.dat) before editing them.

2. Locate the Sizing entry in the left pane of the Registry Editor in the HKEY_LOCAL_MACHINE\SOFTWARE\EMC\CAVA\Sizing directory.



3. Double-click the Sizing entry located in the right pane. The Edit DWORD Value dialog box for Sizing appears.

4. In the Value data field, type 1. Click OK.

5. (Optional) To control how often CAVA sends information to the sizing tool, double-click the SampleIntervalSecs entry. The Edit DWORD Value dialog box for SampleIntervalSecs appears.

6. (Optional) In the Value data field, type a number between 1 and 60 (seconds). The default value is 10. Click OK.

Note: Do not type any decimal value greater than 60. Any number greater than 60 is not supported in Visual Basic.

7. Close the Registry Editor.

8. Restart CAVA, as described in “Start, stop, and restart CAVA” on page 118.

Step Action



Create thecavamon.dat file

If you run the sizing tool by running cavamon.exe (as opposed to using the script cavamon.vbs) you must create a cavamon.dat file. The cavamon.dat file contains the name or IP address of each AV server that the sizing tool monitors.

Note: The cavamon.vbs script takes its input from the command line interface (CLI) when the script is run.

Use this procedure to create the cavamon.dat file.

Step Action

1. Create a text file, named cavamon.dat, in the Program Files\EMC\CAVA directory.

2. Add a line for each AV server you want to monitor. The file must contain either the IP address or machine name of each AV server. Monitoring will operate properly with both types of entries in the file.To find the name for a Windows server, click Start in the taskbar, and select Control Panel > Settings > System:• On Windows NT or Windows 2000, click the Network Identification tab. • On Windows Server 2003, click the Computer Name tab.

Note: Each AV server listed in the cavamon.dat file must have the CAVA sizing tool enabled.

3. Save and close the file.



Start the sizing tool

Step Action

1. From the Program Files\EMC\CAVA directory, run cavamon.exe.

2. Click Get Stats to start the monitoring process. The output is automatically updated every interval with the CAVA population statistics.

Note: Every interval (set in the sizing tool Registry entry with a default of 10 seconds), the sizing tool captures information about the AV servers (shown in the following figure) defined in the cavamon.dat file.

3. Click Stop Stats to stop the monitoring process.



Size CAVA To start an analysis, click Size in the CAVA Monitor dialog. The sizing tool collects data for 10 successive intervals, and then feeds this data into its heuristic algorithms. After the tool completes its session, the Size box shown at the bottom of Figure 2 on page 143 displays the recommended numbers of AV servers.

Figure 2 CAVA Monitor dialog box



(Optional) Gather AVstatistics with

cavamon.vbs

Action

From a command window on the sizing tool system, run the following command. Use as many AV server machine names as necessary:cscript cavamon.vbs <machine_name_1> <machine_name_2> <machine_name_3>

where:<machine_name_n> = machine name or IP address of the AV server you want to monitorExample:cscript cavamon.vbs \\WIN910108

Output Note

Server:\\WIN910108AV Engine State:UpAV Engine Type:TM ServerProtectFiles Scanned:127899Health:GoodMsec Per Scan:19.85Saturation %:3.45Scans Per Second:0CAVA State:NORMALCAVA Version:2.2.1

• The CAVA sizing tool must be enabled on all AV servers you want to monitor.

• If you have any problems running the script, download and install the Windows Script Host (available at www.microsoft.com).

Managing the Registry and AV Drivers 145


This section describes how to manage the Windows Server 2003, Windows 2000, or Windows NT Registry entries for CAVA, Services management, and the possible errors and problems that might be encountered:

◆ CAVA Registry and driver management...................................... 146

Managing the Registryand AV Drivers


Managing the Registry and AV Drivers

CAVA Registry and driver managementCAVA provides Windows parameters that you can set to modify the behavior of CAVA. You edit the parameters through the Windows Registry Editor. For information about editing the Registry, view the “Changing Keys and Values” online help topic in the Registry Editor (regedit.exe).

Note: Editing the Windows Server 2003, Windows 2000, or Windows NT Registry can cause serious problems that might require a reinstallation of the operating system. It is advisable to create a backup copy of the Registry files before editing them. You should edit the following parameters only if you have an in-depth knowledge of CAVA and the Microsoft Registry.

EMC CAVA configuration Registry entries

There are two user-configurable Registry entries for CAVA configuration:

◆ AgentType — Currently, the only supported AgentType is driver. This option allows for future support of other possible interfaces as they become available.

◆ NumberOfThreads — Determines the number of threads which the CEE framework uses to process incoming requests from Celerra:

• Minimum Value = 1

• Default Value = 20 (decimal)

To access the AgentType entry from the Registry Editor, use this directory path:

HKEY_LOCAL_MACHINE\SOFTWARE\EMC\Celerra Event Enabler\CAVA\Configuration

CAVA Registry and driver management 147


Figure 3 on page 147 shows the Registry Editor with the AgentType shown in the list on the right.

Figure 3 Registry Editor, AgentType entry

To access the NumberOfThreads entry from the Registry Editor, use this directory path:

HKEY_LOCAL_MACHINE\SOFTWARE\EMC\Celerra Event Enabler\Configuration



Figure 4 on page 148 shows the Registry Editor with the NumberOfThreads shown in the list on the right.

Figure 4 Registry Editor, NumberOfThreads entry



EMC AV driver Registry entry

Access the Windows Registry to ensure that the EMC AV driver is properly configured. Figure 5 on page 149 displays the Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EMCVirCk

Figure 5 Registry Editor with EMCVirCk

The correct settings for the EMC AV driver are:

◆ ErrorControl = 1

◆ Start = 2

◆ Type = 1

If the settings are different from those indicated, modify them.

Manage the EMC AV driver

The EMC AV driver (EMCVirCk) is a Windows Server 2003, Windows 2000, or Windows NT driver. There are two methods of managing the AV driver:

◆ “For a Windows Server 2003 or Windows 2000 AV server” on page 150

◆ “For a Windows NT AV server” on page 151



For a Windows Server2003 or Windows 2000

AV server

Step Action

1. From the taskbar, click Start, and select Settings > Control Panel > Administrative Tools > Event Viewer.

2. From the Event Viewer window, select System Log.

3. In the right pane, double-click EMCVirCk in the Event Viewer’s System Log list. The Event Properties window appears.

4. Ensure that a loaded successfully message appears in the Description field. If the driver was not loaded successfully, restart the AV server.

5. Click OK to close the Event Properties window.



For a Windows NT AVserver

Step Action

1. From the taskbar, click Start, and select Settings > Control Panel.

2. Double-click the Devices icon.

3. Scroll down the Devices list until you see EMCVirCk.

4. Ensure that the EMCVirCk device status is Started. If the device is not started, select the entry, and click Start.

Troubleshooting 153


This chapter describes troubleshooting information for CAVA:

◆ Troubleshooting CAVA.................................................................... 154

Troubleshooting


Troubleshooting

Troubleshooting CAVAAs part of an effort to continuously improve and enhance the performance and capabilities of its product lines, EMC periodically releases new versions of its hardware and software. Therefore, some functions described in this document may not be supported by all versions of the software or hardware currently in use. For the most up-to-date information on product features, refer to your product release notes.

If a product does not function properly or does not function as described in this document, contact your EMC Customer Support Representative.

E-Lab Interoperability Navigator

The EMC E-Lab Interoperability Navigator is a searchable, web-based application that provides access to EMC interoperability support matrices. It is available at http://Powerlink.EMC.com. After logging in to Powerlink, go to Support > Interoperability and Product Lifecycle Information > E-Lab Interoperability Navigator.

Known problems and limitations

Table 9 on page 154 describes known problems that might occur when using CAVA and presents workarounds.

Table 9 CAVA known problems and workarounds

Known problem Symptom Workaround

AV Server FailoverIf you have configured more than one server, and if one of the AV servers fail, file scanning is redirected to other available AV servers. If none of the AV servers are available, the Data Mover CIFS service proceeds without any virus-checking capabilities.

Upon failure of the AV server, a VC client thread polls the AV server in the background. This enables the VC client to reconnect to the failed AV server when it is operational.

Note: All AV engines are polled every 60 seconds (by default) to determine which AV engines are online and available.

The shutdown= option in the viruschecker.conf file specifies the shutdown action to take when an AV server is not available. CAVA can be configured to prevent all CIFS client access to any Celerra share when AV servers are unavailable.The shutdown= parameter in Table 5 on page 68 provides details.


Troubleshooting CAVA 155

Troubleshooting

Error messages As of version 5.6, all new event, alert, and status messages provide detailed information and recommended actions to help you troubleshoot the situation.

To view message details, use any of these methods:

◆ Celerra Manager:

• Right-click an event, alert, or status message and select to view Event Details, Alert Details, or Status Details.

◆ Celerra CLI:

• Type nas_message -info <MessageID>, where <MessageID> is the message identification number.

◆ EMC Celerra Network Server Error Messages Guide:

• Use this guide to locate information about messages that are in the earlier-release message format.

◆ Powerlink:

• Use the text from the error message’s brief description or the message’s ID to search the Knowledgebase on Powerlink. After logging in to Powerlink, go to Support > Knowledgebase Search > Support Solutions Search.

EMC Training and Professional Services

EMC Customer Education courses help you learn how EMC storage products work together within your environment in order to maximize your entire infrastructure investment. EMC Customer Education features online and hands-on training in state-of-the-art labs conveniently located throughout the world. EMC customer training courses are developed and delivered by EMC experts. Go to EMC Powerlink at http://Powerlink.EMC.com for course and registration information.

EMC Professional Services can help you implement your Celerra Network Server efficiently. Consultants evaluate your business, IT processes, and technology and recommend ways you can leverage your information for the most benefit. From business plan to implementation, you get the experience and expertise you need, without straining your IT staff or hiring and training new personnel. Contact your EMC representative for more information.

../ErrorMsgs/index.htm



Troubleshooting


Aaddr parameter 68antivirus partners 23AV driver

managing 149Registry settings 149

AV engine restrictions 14AV engines

Computer Associates 84installing 74Kaspersky 90McAfee 81Sophos 86supported 23Symantec 74Trend Micro ServerProtect 96turning off 124

AV servers, installing CAVA 100

CCAVA 17

features 24installing 100monitoring 138overview 12restarting 118sizing 143sizing tool 138starting 118starting the client 110stopping 118system requirements 13

terminology 17VC client 27

CAVA Calculatorinstalling 134running 136uninstalling 137

CAVA pool restrictions 14cavamon.dat file 141cavamon.vbs file 144Celerra AntiVirus Management 116CIFS 14Computer Associates AV engine

installation overview 32installing 84

creating a domain user 39creating a local group 43customizing notification messages 129

DData Mover, NetBIOS name 37database restrictions 14defining CAVA servers 65definition file, scan on update 27domain user, creating 39

overview 36

FFile-level retention 15File-level retention restrictions 15

Index


Index

Iinstallation, verifying 113installing

CAVA 100CAVA Calculator 134CAVA on AV servers 100Celerra AntiVirus Management 116Computer Associates AV engine 84Kaspersky AV engine 90McAfee AV engine 81Sophos AV engine 86Symantec SAV for NAS 74Trend Micro ServerProtect AV engine 96

KKaspersky Anti-Virus restrictions 14Kaspersky AV engine


known limitations, CAVA 14, 154

Llocal group, creating 43

from Windows 2000 46from Windows NT 50from Windows Server 2003 43

log file, viewing 126

Mmasks parameter 68McAfee AV engine


Messenger service 127Microsoft.NET Framework 134monitoring CAVA 138MPFS 14MPFS restrictions 14MS-RPC restrictions 14

NNetBIOS names, displaying 37non-CIFS protocol restrictions 15

notification messages 127customizing 129

Ppanics, Data Mover 26

RRegistry

AV driver 149CAVA configuration entries 146

related information 19restarting, CAVA 118RPC Error 111running CAVA Calculator 136

Sscanning

criteria, defining 66on first read 25when it occurs 29

services, Messenger 127sizing tool 138

cavamon.dat file 141configuration 138enabling 139overview 26starting 142

snap-ins, Celerra AntiVirus Management 116Sophos AV engine


startingCAVA 118sizing tool 142

stoppingAV engine 124CAVA 118

Symantec SAV for NASinstallation overview 32installing 74

system requirements 13

159EMC Celerra Network Server Version 5.6.46 Using Celerra AntiVirus Agent

Index

Tthreads, viruschk 124Trend Micro ServerProtect AV engine 33

installing 96troubleshooting 154

Uuninstalling CAVA Calculator 137

VVC client 110

stopping 112viruschecker.conf file

creating 65defining CAVA servers 65defining scanning criteria 66overview 64parameters 68sending to Data Mover 66updating 112

virus-checkingclient 27

continuation 26defining criteria 64excluding files 68rights, assigning in Windows 2000 52rights, assigning in Windows NT 55rights, assigning in Windows Server 2003 52triggers 29viewing configuration 117

viruschk threads 124viruschk.notify parameter 129

WWindows 2000

creating a local group 46creating a user account 39

Windows 64-bit operating systems restrictions 14Windows Messenger service 127Windows NT

creating a local group 50creating a user account 39

Windows Server 2003creating a local group 43creating a user account 39


Index

emc celerra network server · 2020-05-08 · emc celerra network server version 5.6.46 using...

Documents