VirusScan Enterprise for Storage compatibility test with IBM SONAS
Technical Articles ID: KB75544
Last Modified: 5/5/2020
Environment
McAfee VirusScan Enterprise (VSE) 8.8
McAfee VirusScan Enterprise for Storage (VSES) 1.0.2 (add-on module for VSE 8.8)
IBM SONAS
For details of VSE 8.8 supported environments, see KB51111.
Summary
VSES ensures that viruses and malware are not spread through remote shares. It scans files that are copied to and from NAS devices that are used for file storage. Its multi-scanner and multi-filer configurations deliver parallel processing for optimal load balancing and flexible failover protection.
This document is a self-certification that describes how the IBM Scale Out Network Attached Storage (SONAS) product, acting as the ICAP client, integrates with VSES, which provides the antivirus solution to ICAP clients. Product Engineering has evaluated this solution and found it to be compatible with the VSES Solution.
ICAP protocol
- Allows ICAP clients to pass HTTP messages to ICAP servers for some sort of transformation or other processing (adaptation).
- The server executes its transformation service on messages and sends back responses to the client, usually with modified messages.
- Typically, the adapted messages are either HTTP requests or HTTP responses.
- The RFC used for ICAP is 3507.
NOTES:
- VSES supports only Response Modification (RESPMOD) and Request Modification (REQMOD) commands. It does not support the FILEMOD command.
- VSES supports RESPMOD only in a specific format:
RESPMOD icap://<ICAP Server>:1344/AVSCAN ICAP/1.0
- VSES supports version 1.0 of the ICAP standard.
- VSES supports only 8k chunks of data and rejects anything larger.
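The constraints in these notes, as an added example that is not part of the original article or of any McAfee or IBM code: it builds a RESPMOD message in the format shown above and checks an ICAP message for chunks over the limit. The host names, the file path and reading "8k" as 8192 bytes are assumptions; the sample payload is constructed.

```python
MAX_CHUNK = 8192   # assumption: the article's "8k" read as 8192 bytes
ICAP_PORT = 1344   # port from the RESPMOD line in the article

def chunk_body(data: bytes, size: int = MAX_CHUNK) -> bytes:
    """Chunked transfer encoding with no chunk larger than `size`."""
    out = bytearray()
    for i in range(0, len(data), size):
        piece = data[i:i + size]
        out += b"%x\r\n" % len(piece) + piece + b"\r\n"
    return bytes(out) + b"0\r\n\r\n"   # zero-length chunk ends the body

def build_respmod(server: str, path: str, data: bytes) -> bytes:
    """RESPMOD request using the AVSCAN service URI from the article."""
    # filer.example is a constructed host name for the encapsulated request.
    req_hdr = f"GET {path} HTTP/1.1\r\nHost: filer.example\r\n\r\n".encode()
    res_hdr = f"HTTP/1.1 200 OK\r\nContent-Length: {len(data)}\r\n\r\n".encode()
    # Encapsulated offsets are byte positions inside the encapsulated part.
    icap_hdr = (
        f"RESPMOD icap://{server}:{ICAP_PORT}/AVSCAN ICAP/1.0\r\n"
        f"Host: {server}\r\n"
        "Allow: 204\r\n"
        f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
        f"res-body={len(req_hdr) + len(res_hdr)}\r\n\r\n"
    ).encode()
    return icap_hdr + req_hdr + res_hdr + chunk_body(data)

def chunk_sizes(chunked: bytes) -> list:
    """Decode a chunked body; return each data chunk's size in bytes."""
    sizes, pos = [], 0
    while True:
        eol = chunked.index(b"\r\n", pos)
        n = int(chunked[pos:eol].split(b";")[0], 16)
        if n == 0:
            return sizes
        sizes.append(n)
        pos = eol + 2 + n + 2   # skip size line, chunk data, trailing CRLF

def oversized_chunks(message: bytes) -> list:
    """Sizes of res-body chunks in an ICAP message that exceed MAX_CHUNK."""
    hdr_end = message.index(b"\r\n\r\n")
    lines = message[:hdr_end].decode().split("\r\n")
    enc = next(l for l in lines if l.lower().startswith("encapsulated:"))
    pairs = (p.strip().split("=") for p in enc.split(":", 1)[1].split(","))
    body = message[hdr_end + 4 + int(dict(pairs)["res-body"]):]
    return [n for n in chunk_sizes(body) if n > MAX_CHUNK]

if __name__ == "__main__":
    msg = build_respmod("scanner.example", "/share/report.bin", b"A" * 20000)
    print(msg[:msg.index(b"\r\n")].decode(), oversized_chunks(msg))
```

An empty list from `oversized_chunks` means every chunk in the message fits the limit the notes describe.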
Basic Architecture of ICAP [Generic model, HTTP request]
Request Modification by ICAP server
- In REQMOD mode, an ICAP client sends an HTTP request to an ICAP server.
- The ICAP server might then:
- Send back a modified version of the request. The ICAP client might then perform the modified request by contacting an origin server, or pipeline the modified request to another ICAP server for further modification.
- Send back an HTTP response to the request. This response is used to provide information useful to the user if there was an error (for example, "You sent a request to view a page you are not allowed to see").
- Return an error.
Request Modification Data Flow
- A client makes a request to an ICAP-capable surrogate (ICAP client) for an object on an origin server.
- The surrogate sends the request to the ICAP server.
- The ICAP server executes the ICAP resource's service on the request and sends the possibly modified request or a response to the request back to the ICAP client.
- The following occurs if the previous step returned a request:
- The surrogate sends the request, possibly different from the original client request, to the origin server.
- The origin server responds to the request.
- The surrogate sends the reply (from either the ICAP server or the origin server) to the client.
Response Modification
- In the RESPMOD mode, an ICAP client sends an HTTP response to an ICAP server.
- The ICAP server might then:
- Send back a modified version of the response.
- Return an error.
Examples include formatting HTML for display on special devices, human language translation, virus checking, and so forth.
Response Modification - Data flow
- A client makes a request to an ICAP-capable surrogate (ICAP client) for an object on an origin server.
- The surrogate sends the request to the origin server.
- The origin server responds to the request.
- The ICAP-capable surrogate sends the origin server's reply to the ICAP server.
- The ICAP server executes the ICAP resource's service on the origin server's reply and sends the possibly modified reply to the ICAP client.
- The surrogate sends the reply, possibly modified from the original origin server's reply, to the client.
Solution
Compatibility testing stages
Install VSES:
Prerequisites | Install VSE 8.7i with latest patch. |
Steps | Install VSES by executing |
Expected Results |
|
Comments | Screenshots attached for successful installation of VSES. See the attachment, |
Bind ICAP server configuration:
Prerequisites | Install VSE 8.7i with latest patch and VSES. |
Steps |
|
Expected Result | No errors occur during Bind or while adding ICAP clients. You can expect the connection to be established successfully. |
Comments | Screenshots attached for successful ICAP Server Configuration with |
Test your ICAP clients with a clean file:
Prerequisites | Install VSE 8.7i with the latest patch and VSES. Connection must be established between the ICAP server and client. |
Steps | Copy a known clean file to the CIFS share to be scanned by the ICAP server. |
Expected Results | Verify that the scan is completed successfully and the file can be opened. |
Comments | Logs for the test are attached. See the attachment, |
Test your ICAP clients with large files (1 MB or larger):
Prerequisites | Install VSE 8.7i with latest patch and VSES. Connection must be established between the ICAP server and client. |
Steps | Copy the file to the CIFS share to be scanned by the ICAP server. |
Expected Results | Verify that the scan is completed successfully and the file can be opened. |
Comments | Logs for the test are attached. See the attachment, IBMVSE.zip, in the Attachments section of this article. |
Test AV Scanning with EICAR test files:
Prerequisites | Install VSE 8.7i with the latest patch and VSES. |
Steps | Download EICAR test virus samples such as |
Expected Results | Verify you get a response similar to the one below: VSES responds as File is Infected and non-cleanable. You can expect that the ICAP client implements the necessary action, such as deny the access or delete the file. |
Comments | Logs for the test are attached. See the attachment, |
Final remarks/observations:
The IBM SONAS system is designed as a multi-petabyte global storage platform supporting extreme scalability for business infrastructures that demand high performance and high availability. IBM has thoroughly tested the SONAS system with VSES, confirming their interoperability and compatibility. The product development team is committed to proactively providing Enterprise users with the best solutions to reduce time and mitigate risk during planned implementations. IBM SONAS’s integration with VSES provides the following advantages:
Continuous Protection:
VSES integration with SONAS supports On-Access scanning, which protects IBM-SONAS against real-time threats when users are accessing or writing files on IBM-SONAS.
On-Demand Protection:
VSES integration with SONAS also supports On-Demand scanning, which allows administrators of IBM-SONAS to run or schedule offline scans during nonpeak hours. On-demand scans are typically done after the AV signature updates on the scan engines and files are scanned against the new AV signatures.
High availability:
Multiple scan engines can be configured with IBM SONAS to provide high availability of scan engines. In the event one scan engine goes down, IBM SONAS redirects scan requests to available scan engines. IBM SONAS probes the failed scan engine periodically and enables it when the scan engine becomes available.
Intuitive File Scanning:
Scanning results are cached in SONAS. Files are not scanned again unless they are modified or an update of the AV signature on the scan engine occurs. It ensures optimum scanning performance.
Selective scanning:
VSES integration with IBM SONAS supports scanning for selected files by configuring an Include/Exclude list based on file extensions. On IBM-SONAS, the administrator can also select scopes based on shares, file systems, file sets, and paths which need to be scanned because not all files are exposed to virus threats.