This article is a consolidated list of common questions and answers. It's intended for users who are new to the product, but can be of use to all users.
Recent updates to this article
May 30, 2022: Added the FAQ "How should I configure the NetApp feature vscan - scan - mandatory (on/off)?" in the "Configuration" section.
April 18, 2022: Updated the FAQ "What's the relevance of the ENSSP or VSES scan thread configuration and how does it affect the needed scanner count?" indicating that the asterisk (*) in the formulas refers to the maximum number of simultaneous requests expected from each discrete filer IP address.
October 8, 2021: Updated the abbreviation for ENSSP.
October 4, 2021: Updated for ENSSP.
Contents:
Can RPC storage appliances, for example NetApp ONTAP and ENSSP or VSES scanners, be in the same Active Directory (AD) domain?
Yes. This configuration is recommended for the following reasons:
Security — If the storage appliances and the ENSSP or VSES scanners and NAS reside in different AD domains, you must make sure that authentication is unhindered.
Performance — The closer the storage appliances and ENSSP or VSES scanners are, both logically (security boundaries) and physically (router hops), the better the performance.
The RPC design choice involves the following protocols and their dependencies:
AD
CIFS/SMB
Named Pipes
NetBIOS over TCP/IP
RPC
This design choice confers permanent throughput benefits over competing designs such as ICAP. The storage appliances, network, Windows operating system, and the ENSSP or VSES scanner product must fulfill the prerequisites. The same prerequisites exist, regardless of the vendor; these requirements aren't specific to ENSSP or VSES.
Are read-only storage appliance volumes supported?
No. Any read-only volume on a storage appliance isn't a candidate for ENSSP or VSES scanning and must be excluded in ENSSP or VSES. Examples of such volumes are a NetApp ONTAP SnapMirror volume and a NetApp ONTAP Snapshot volume. For more information, see KB60568 - Files in a NetApp Filer snapshot folder aren't accessible.
Does ENSSP or VSES work successfully in the presence of SMB3?
Yes. But, whether ENSSP or VSES works successfully depends on the filer. If the filer supports SMB3, and can successfully negotiate with the operating system used for the ENSSP or VSES scan server, ENSSP or VSES continues to function as normal.
Can I use two ENSSP or VSES scanners for monitoring one storage appliance?
Yes. Having two scanners is actually the best configuration to obtain good performance. See the NetApp best practices article.
Is the NetApp policy in ePolicy Orchestrator (ePO) related to the Network Appliance filer AV Scanner feature in the local ENSSP or VSES scanner UI?
Yes. The NetApp policy is what propagates to the Network Appliance filer AV Scanner in the local ENSSP or VSES scanner UI. Both the ICAP AV Scanner and Network Appliance filer AV Scanner are configured using two separate policies in ePO.
Do I need to enable Interactive Logon for the ENSSP or VSES service account when using RPC-based or NetApp ONTAP controllers?
Other environmental group policies might require that Interactive Logon be enabled for the service account. This requirement is for the account to apply successfully within the Network Appliance AV Scanner plug-in, in the ENSSP or VSE console. Without Interactive Logon enabled, certain restrictions can prevent the account from applying during McAfee Agent policy enforcement, and when manually entering the credentials in the NetApp plug-in.
Can I enable the scan on network drives feature for ENS Threat Prevention or VSE when these products are installed on the client systems accessing the filer that ENSSP or VSES protects?
This option is configurable within ENS Threat Prevention and VSE. But, we don't support the scan on network drives feature when the network share is already protected by a separate real-time scanner such as ENSSP or VSES. For example, when ENSSP or VSES protects the storage device, enabling scan on network drives doesn't provide any added malware detection capability. When you enable this feature, it might introduce performance and file-locking issues. The issues are caused because these products try to scan files simultaneously, when the user accesses them.
How should I configure the NetApp feature vscan - scan - mandatory (on/off)?
When enabled, this feature denies all file access to any file that doesn't return a virus scan result of "clean." Any service interruption with the scan servers (for example, a disconnect) can result in a denial-of-service. A denial-of-access can also happen when a result such as a scan time-out occurs. Anything that prevents scanning of the files and the scanner's ability to return a result of "clean" results in the user being denied access to the files. When turned off, file access resumes without any scanning occurring. If users need the ability to access files even when scanning isn't occurring (for any reason), this feature must remain off. The administrator must determine whether turning on this feature outweighs any potential impact on file access.
Does ENSSP or VSES share a global cache like MOVE AV?
No. The storage appliance keeps the clean file cache if there's one configured for the storage appliance. ENSSP or VSES sends a notification to the storage appliance when DATs are updated. It's up to the storage appliance to delete its cache when notified and isn't the responsibility of ENSSP or VSES.
How does ENSSP or VSES scan large files?
Only a small subset of a file is scanned. The engine determines which parts. RPC storage appliances allow ENSSP or VSES to access their file systems directly, greatly enhancing the scan request fulfillment speed. ICAP storage appliances must first copy the whole file to the ENSSP or VSES scanner before the engine can scan it, so scan request fulfillment times are longer than with RPC. File size and network saturation are therefore more important in an ICAP scenario.
Does ENSSP or VSES load its own DAT and Engine or does it use what the McShield service loads?
ENSSP or VSES uses the McShield service as its DAT and Engine server.
Does ENSSP or VSES use threads from the McShield service if there's excessive load?
The McShield service spawns scan threads to serve each ENSSP or VSES scan request that it receives. This thread count is irrespective of other scan threads related to local ENS or VSE scanning.
What is the relevance of the ENSSP or VSES scan thread configuration and how does it affect the needed scanner count?
Depending on your environment, you must plan for ENSSP or VSES to handle the expected load. You determine this load as follows:
You have y number of physical filers.
You have z number of discrete filer IP addresses that send scan requests.
For ICAP
Deploy 2x(y) scanners. Configure each scanner's ICAP scan thread count for 20*x(z) threads.
For NetApp
Deploy 2x(y) scanners. Configure each scanner's NetApp scan thread count for 50*x(z) threads.
IMPORTANT: The asterisk (*) in the above formulas refers to the maximum number of simultaneous requests expected from each discrete filer IP address. The filer vendor must supply this number, based on how many simultaneously outstanding scan requests the filer's operating system version issues from a discrete filer IP address.
ENSSP or VSES ICAP and RPC scanners can each be configured with a maximum of 800 threads. These threads act as buffers for incoming rushes of requests. This thread count doesn't indicate how many scan threads can be handled in a manner conducive to performance.
Test in the working environment. Add the 'threads used' counter in the default log (ENSSP) ICAPStats_Activity.log / (VSES) Stats_ICAP.log to the 'threads used' counter in (ENSSP) NetAppStats_Activity.log / (VSES) Stats_NetApp.log. If the sum is greater than or equal to 40 threads consistently in use over many logging increments, it indicates server stress (dependent on the robustness of the physical hardware of the ENSSP or VSES scanner). To distribute the load so that service dropouts don't occur during peak load periods, consider adding ENSSP or VSES scanners.
NOTE: If the scanner only scans ICAP or NetApp filers, only the (ENSSP) ICAPStats_Activity.log / (VSES) Stats_ICAP.log or the (ENSSP) NetAppStats_Activity.log / (VSES) Stats_NetApp.log, respectively, needs to be considered.
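The sizing formulas and the 40-thread stress check above, worked through as an added example (not code from the vendor or the product). It reads "2x(y)" as 2 times y and the starred 20 and 50 as the per-IP request figures; the function names, the min_run parameter and the sample counters are assumptions, and reading the counters out of the log files is left out because the article does not show the log format.

```python
from dataclasses import dataclass
from itertools import zip_longest

MAX_THREADS = 800       # per-scanner thread ceiling stated in the article
STRESS_THRESHOLD = 40   # combined 'threads used' level the article calls stress
# Starred figures from the formulas: simultaneous requests per filer IP.
# The filer vendor must confirm these for the filer OS version in use.
PER_IP_REQUESTS = {"icap": 20, "netapp": 50}

@dataclass(frozen=True)
class Plan:
    scanners: int
    threads_per_scanner: int
    exceeds_cap: bool   # True when the formula asks for more than MAX_THREADS

def size_scanners(protocol, filers, filer_ips, per_ip_requests=None):
    """Apply 2 x y scanners and (per-IP requests) x z threads per scanner."""
    if filers < 1 or filer_ips < 1:
        raise ValueError("filers and filer_ips must be at least 1")
    per_ip = PER_IP_REQUESTS[protocol] if per_ip_requests is None else per_ip_requests
    wanted = per_ip * filer_ips
    # The article gives no rule for results above 800, so flag them for review.
    return Plan(2 * filers, min(wanted, MAX_THREADS), wanted > MAX_THREADS)

def stress_runs(icap_used=(), netapp_used=(), min_run=5):
    """Return (first, last) increment indexes of each sustained-stress run.

    min_run is an assumed stand-in for the article's "many logging increments".
    A scanner serving one protocol passes only that protocol's counters.
    """
    combined = [i + n for i, n in zip_longest(icap_used, netapp_used, fillvalue=0)]
    runs, start = [], None
    for idx, used in enumerate(combined + [0]):   # trailing 0 closes an open run
        if used >= STRESS_THRESHOLD and start is None:
            start = idx
        elif used < STRESS_THRESHOLD and start is not None:
            if idx - start >= min_run:
                runs.append((start, idx - 1))
            start = None
    return runs

if __name__ == "__main__":
    # Constructed counters, one value per logging increment (not real log data).
    icap = [10, 22, 25, 30, 28, 26, 12, 35]
    netapp = [12, 18, 20, 15, 14, 19, 10, 10]
    print(size_scanners("netapp", filers=2, filer_ips=4))
    print(size_scanners("netapp", filers=2, filer_ips=20))
    print(stress_runs(icap, netapp))
```

A single spike to 40 or more is ignored; only a run of at least min_run consecutive increments is reported, matching the article's "consistently in use" wording.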