FAQs for VirusScan Enterprise for Storage
Technical Articles ID:
KB78672
Last Modified: 7/13/2020
Last Modified: 7/13/2020
Environment
McAfee VirusScan Enterprise for Storage (VSES) 1.x
For details of VSES supported environments, see KB74863.
For details of VSES supported environments, see KB74863.
Summary
This article is a consolidated list of common questions and answers. It is intended for users who are new to the product, but can be of use to all users.
Recent updates to this article:
Contents:
General
Compatibility
Installation and Upgrade
Configuration
Functionality
Recent updates to this article:
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
| Date | Update |
| July 13, 2020 | Updated NetApp links. |
| February 11, 2020 | Updated the last question in the Configuration section. |
| January 30, 2020 | Updated a question in the Configuration section. |
| January 27, 2020 | Added a question in the Configuration section. |
Contents:
| General | Product information, including licensing and miscellaneous topics |
| Compatibility | Interaction between other products and software |
| Installation and Upgrade | Information about installation, upgrade, migration, and removal |
| Configuration | Best practices, optimization, configuration, customization, and back up |
| Functionality | Product features and functions, including reporting and troubleshooting |
General
Can RPC storage appliances, for example NetApp ONTAP and VSES scanners, be in the same Active Directory domain?
Yes. This configuration is recommended for the following reasons:
Yes. This configuration is recommended for the following reasons:
- Security—If the storage appliances and the VSES scanners and NAS reside in different Active Directory domains, you must make sure that authentication is unhindered.
- Performance—The closer the storage appliances and VSES scanners are, both logically (security boundaries) and physically (router hops), the more optimum the performance. The RPC design choice involves the following protocols and their dependencies:
- Active Directory
- CIFS/SMB
- Named Pipes
- NetBIOS over TCP/IP
- RPC
Compatibility
What environments does VSES support?
The filer models supported are covered in KB74863.
Are read-only storage appliance volumes supported?
No. Any read-only volume on a storage appliance is not a candidate for VSES scanning and must be excluded in VSES. Examples of such volumes are a NetApp ONTAP SnapMirror volume and a NetApp ONTAP Snapshot volume. For additional information, see KB60568.
Does VSES work successfully in the presence of SMB3?
Yes. But, whether VSES works successfully depends on the filer. If the filer supports SMB3, and it can successfully negotiate with the operating system used for the VSES scan server, then VSES continues to function as normal.
The filer models supported are covered in KB74863.
Are read-only storage appliance volumes supported?
No. Any read-only volume on a storage appliance is not a candidate for VSES scanning and must be excluded in VSES. Examples of such volumes are a NetApp ONTAP SnapMirror volume and a NetApp ONTAP Snapshot volume. For additional information, see KB60568.
Does VSES work successfully in the presence of SMB3?
Yes. But, whether VSES works successfully depends on the filer. If the filer supports SMB3, and it can successfully negotiate with the operating system used for the VSES scan server, then VSES continues to function as normal.
Installation and Upgrade
Is there any best practice advice before installing VSES?
Yes. Both McAfee and storage appliance vendors have documents to help:https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/What_is_the_recommended_value_for_ONTAP_Vscan_offbox_timeout_settings%3F
- Time out settings for 7 mode environments:https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/The_recommended_value_for_vscan_options_timeout_for_Data_ONTAP_7-Mode
Yes. Both McAfee and storage appliance vendors have documents to help:
- For important prerequisites for installing VSES 1.2.0, see KB86868.
- Product documentation:
- See the VSES 1.2.0 Product Guide.
- See the VSES 1.3.0 Product Guide. - VSES Product Data Sheet: http://www.mcafee.com/ca/resources/data-sheets/ds-virusscan-enterprise-for-storage.pdf
- NetApp Documentation:
- Antivirus Scanning Best Practices Guide: https://www.netapp.com/us/media/tr-4286.pdf
- To access the specific timeout values for NetApp and VSES article, you must log on and search for the right NetApp Knowledge Base athttp://support.netapp.com/
- Time out settings for 7 mode environments:
- Antivirus Solutions with EMC Isilon Scale-Out NAS (Best Practice Recommendations for Capacity and Performance): https://community.emc.com/thread/199473
NOTE: McAfee can't accept any responsibility for the accuracy of third-party information.
Configuration
Can I have two VSES scanners monitoring one storage appliance?
Yes. Having two scanners is actually the best configuration to obtain good performance. See NetApp best practices: https://www.netapp.com/us/media/tr-4286.pdf
Is the NetApp policy in ePolicy Orchestrator (ePO) related to the Network Appliance filer AV Scanner feature in the local VSES scanner UI?
Yes. The NetApp policy is what propagates to the Network Appliance filer AV Scanner in the local VSES scanner UI. Both ICAP AV Scanner and Network Appliance filer AV Scanner are configured using two separate policies in ePO.
Is it needed to enable Interactive Logon for the VSES service account, when using RPC-based or NetApp ONTAP controllers?
Other environmental group policies might require that Interactive Logon be enabled for the service account, for the account to apply successfully within the Network Appliance AV Scanner plug-in, in the VSE console. Certain restrictions can prevent the account from applying during McAfee Agent policy enforcement, and when manually entering the credentials in the NetApp plug-in, without Interactive Log on being enabled.
Can I enable the scan on network drives feature for VSE or ENS Threat Prevention when these products are installed on the client systems accessing the filer that is already protected by VSE for Storage?
Although this option is configurable within VSE and ENS Threat Prevention, McAfee does not support the scan on network drives feature when the network share is already protected by a separate real-time scanner such as VSES. For example, when the storage device is already protected by VSES, enabling scan on network drives for the VSE or ENS on-access scanner does not provide any added malware detection capability. When you enable this feature for VSE or ENS Threat Prevention with VSE for Storage real-time scanning present, it might introduce performance and file-locking issues. The issues are caused because these products try to scan files simultaneously, when accessed by the user.
Yes. Having two scanners is actually the best configuration to obtain good performance. See NetApp best practices: https://www.netapp.com/us/media/tr-4286.pdf
Is the NetApp policy in ePolicy Orchestrator (ePO) related to the Network Appliance filer AV Scanner feature in the local VSES scanner UI?
Yes. The NetApp policy is what propagates to the Network Appliance filer AV Scanner in the local VSES scanner UI. Both ICAP AV Scanner and Network Appliance filer AV Scanner are configured using two separate policies in ePO.
Is it needed to enable Interactive Logon for the VSES service account, when using RPC-based or NetApp ONTAP controllers?
Other environmental group policies might require that Interactive Logon be enabled for the service account, for the account to apply successfully within the Network Appliance AV Scanner plug-in, in the VSE console. Certain restrictions can prevent the account from applying during McAfee Agent policy enforcement, and when manually entering the credentials in the NetApp plug-in, without Interactive Log on being enabled.
Can I enable the scan on network drives feature for VSE or ENS Threat Prevention when these products are installed on the client systems accessing the filer that is already protected by VSE for Storage?
Although this option is configurable within VSE and ENS Threat Prevention, McAfee does not support the scan on network drives feature when the network share is already protected by a separate real-time scanner such as VSES. For example, when the storage device is already protected by VSES, enabling scan on network drives for the VSE or ENS on-access scanner does not provide any added malware detection capability. When you enable this feature for VSE or ENS Threat Prevention with VSE for Storage real-time scanning present, it might introduce performance and file-locking issues. The issues are caused because these products try to scan files simultaneously, when accessed by the user.
Functionality
Does VSES share a global cache like MOVE AV?
No. The storage appliance keeps the clean file cache, if there is one configured for the storage appliance. VSES sends a notification to the storage appliance when DATs are updated, and it is up to the storage appliance to delete its cache when notified and is not the responsibility of VSES.
Does VSES use the persistent cache shared between VSE on-access scanner (OAS) and VSE on-demand scanner ODS?
No. VSES uses the VSE McAfee McShield service purely as its scan engine. Scan requests that VSES makes on the engine come via a separate code path to the McAfee McShield service, and are unrelated to any local scans and their caching that VSE is responsible for.
How does VSES scan large files?
Only a small subset of a file is scanned. The engine determines which parts. RPC storage appliances allow VSES to access their file systems directly, greatly enhancing scan request fulfillment speed. ICAP storage appliances must copy the whole file to be scanned to the VSES scanner first, before the engine can then scan, making scan request fulfillment times longer than with RPC. So, file size and network saturation are more important in an ICAP scenario.
Does VSES load its own DAT and Engine or does it use what the 'McAfee McShield' service loads?
VSES uses the McAfee McShield service as its DAT and Engine server.
Does VSES use threads from the 'McAfee McShield' service if there is excessive load?
The McAfee McShield service spawns scan threads to serve each VSES scan request it receives. This thread count is irrespective of other scan threads related to local VSE scanning.
What is the relevance of the VSES scan thread configuration and how does it affect the needed scanner count?
Depending on your environment, you must plan for VSES to handle the expected load. You determine this load as follows:
Back to Contents
No. The storage appliance keeps the clean file cache, if there is one configured for the storage appliance. VSES sends a notification to the storage appliance when DATs are updated, and it is up to the storage appliance to delete its cache when notified and is not the responsibility of VSES.
Does VSES use the persistent cache shared between VSE on-access scanner (OAS) and VSE on-demand scanner ODS?
No. VSES uses the VSE McAfee McShield service purely as its scan engine. Scan requests that VSES makes on the engine come via a separate code path to the McAfee McShield service, and are unrelated to any local scans and their caching that VSE is responsible for.
How does VSES scan large files?
Only a small subset of a file is scanned. The engine determines which parts. RPC storage appliances allow VSES to access their file systems directly, greatly enhancing scan request fulfillment speed. ICAP storage appliances must copy the whole file to be scanned to the VSES scanner first, before the engine can then scan, making scan request fulfillment times longer than with RPC. So, file size and network saturation are more important in an ICAP scenario.
Does VSES load its own DAT and Engine or does it use what the 'McAfee McShield' service loads?
VSES uses the McAfee McShield service as its DAT and Engine server.
Does VSES use threads from the 'McAfee McShield' service if there is excessive load?
The McAfee McShield service spawns scan threads to serve each VSES scan request it receives. This thread count is irrespective of other scan threads related to local VSE scanning.
What is the relevance of the VSES scan thread configuration and how does it affect the needed scanner count?
Depending on your environment, you must plan for VSES to handle the expected load. You determine this load as follows:
- You have y number of physical filers.
- You have z number of discrete filer IP addresses that send scan requests.
For ICAP
Deploy 2x(y) scanners. Configure each scanner’s ICAP scan thread count for 20*x(z) threads.
For NetApp
Deploy 2x(y) scanners. Configure each scanner’s NetApp scan thread count for 50*x(z) threads.
IMPORTANT: The filer vendor must fill this number based on how many simultaneously outstanding scans request the filer's operating system version issues from a discrete filer IP address.
VSES ICAP and RPC scanners can each be configured with a maximum of 800 threads. These threads act as buffers for incoming rushes of requests. This thread count does not indicate how many scan threads can be handled in a manner conducive to performance.
Test in the working environment. If the default logsStats_ICAP.log 'threads used' counter + Stats_NetApp.log 'threads used' counter are greater than or equal to 40 threads consistently in use over many logging increments, indicates server stress. (Dependent on the robustness of the physical hardware of the VSES scanner). To distribute the load so that service dropouts do not occur during peak load periods, consider adding VSES scanners.
NOTE: If the scanner only scans ICAP or NetApp filers, only theStats_ICAP.log or the Stats_NetApp.log , respectively, need to be considered.
Deploy 2x(y) scanners. Configure each scanner’s ICAP scan thread count for 20*x(z) threads.
For NetApp
Deploy 2x(y) scanners. Configure each scanner’s NetApp scan thread count for 50*x(z) threads.
IMPORTANT: The filer vendor must fill this number based on how many simultaneously outstanding scans request the filer's operating system version issues from a discrete filer IP address.
VSES ICAP and RPC scanners can each be configured with a maximum of 800 threads. These threads act as buffers for incoming rushes of requests. This thread count does not indicate how many scan threads can be handled in a manner conducive to performance.
Test in the working environment. If the default logs
NOTE: If the scanner only scans ICAP or NetApp filers, only the
Back to Contents
