FAQs for Endpoint Security Storage Protection/VirusScan Enterprise for Storage

Technical Articles ID: KB78672
Last Modified: 10/8/2021

Environment

McAfee Endpoint Security Storage Protection (ENSSP) 2.x
McAfee VirusScan Enterprise for Storage (VSES) 1.x

For details of ENSSP supported platforms, see: KB94811 - Supported platforms for Endpoint Security Storage Protection.
For details of VSES supported platforms, see: KB74863 - Supported platforms for VirusScan Enterprise for Storage.

Summary

This article is a consolidated list of common questions and answers. It’s intended for users who are new to the product, but can be of use to all users.

Recent updates to this article:

Date	Update
October 8, 2021	Updated the abbreviation for Endpoint Security Storage Protection.
October 4, 2021	Updated for Endpoint Security Storage Protection.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Contents:
Click to expand the section you want to view:

General - Product information covering miscellaneous topics

Can RPC storage appliances, for example NetApp ONTAP and ENSSP/VSES scanners, be in the same Active Directory domain?
Yes. This configuration is recommended for the following reasons:

Security - If the storage appliances and the ENSSP/VSES scanners and NAS reside in different Active Directory domains, you must make sure that authentication is unhindered.
Performance - The closer the storage appliances and ENSSP/VSES scanners are, both logically (security boundaries) and physically (router hops), the more optimum the performance. The RPC design choice involves the following protocols and their dependencies:
- Active Directory
- CIFS/SMB
- Named Pipes
- NetBIOS over TCP/IP
- RPC

This design choice confers permanent throughput benefits over competing designs such as ICAP. The storage appliances, network, Windows operating system, and the ENSSP/VSES scanner product must fulfill the prerequisites. The same prerequisites exist, regardless of the vendor; these requirements aren’t specific to ENSSP/VSES.

Back to Contents

Compatibility - Interaction between other products and software

What platforms does ENSSP/VSES support?
The filer models supported are covered in:

Are read-only storage appliance volumes supported?
No. Any read-only volume on a storage appliance isn’t a candidate for ENSSP/VSES scanning and must be excluded in ENSSP/VSES. Examples of such volumes are a NetApp ONTAP SnapMirror volume and a NetApp ONTAP Snapshot volume. For more information, see: KB60568 - Files in a NetApp Filer snapshot folder aren't accessible.

Does ENSSP/VSES work successfully in the presence of SMB3?
Yes. But, whether ENSSP/VSES works successfully depends on the filer. If the filer supports SMB3, and it can successfully negotiate with the operating system used for the ENSSP/VSES scan server, then ENSSP/VSES continues to function as normal.

Back to Contents

Installation and Upgrade - Information about installation and upgrade

Is there any best practice advice before installing ENSSP/VSES?
Yes. Both McAfee Enterprise and storage appliance vendors have documents to help:

For important prerequisites for installing, see:
- ENSSP: KB94811 - Supported platforms for Endpoint Security Storage Protection
- VSES 1.2.0: KB86868 - Important prerequisites for installing VirusScan Enterprise for Storage 1.2.0
Product documentation:
- ENSSP 2.0.0 Installation Guide
- VSES 1.3.0 Product Guide
- VSES 1.2.0 Product Guide
VSES product data sheet
NetApp documentation:
- Antivirus Scanning Best Practices Guide
- Specific timeout values for NetApp and ENSSP/VSES:
  - Time out settings for CDOT environments
  - Time out settings for 7 mode

NOTE: McAfee Enterprise can't accept any responsibility for the accuracy of third-party information.

Back to Contents

Configuration - Best practices, optimization, configuration, and customization

Can I use two ENSSP/VSES scanners monitoring one storage appliance?
Yes. Having two scanners is actually the best configuration to obtain good performance. See the NetApp best practices article.

Is the NetApp policy in ePolicy Orchestrator (ePO) related to the Network Appliance filer AV Scanner feature in the local ENSSP/VSES scanner UI?
Yes. The NetApp policy is what propagates to the Network Appliance filer AV Scanner in the local ENSSP/VSES scanner UI. Both ICAP AV Scanner and Network Appliance filer AV Scanner are configured using two separate policies in ePO.

Is it needed to enable Interactive Logon for the ENSSP/VSES service account, when using RPC-based or NetApp ONTAP controllers?
Other environmental group policies might require that Interactive Logon be enabled for the service account. This requirement is for the account to apply successfully within the Network Appliance AV Scanner plug-in, in the ENSSP/VSE console. Certain restrictions can prevent the account from applying during McAfee Agent policy enforcement, and when manually entering the credentials in the NetApp plug-in, without Interactive Log on being enabled.

Can I enable the scan on network drives feature for ENS Threat Prevention or VSE when these products are installed on the client systems accessing the filer that ENSSP/VSES protects?
This option is configurable within ENS Threat Prevention and VSE. But, McAfee Enterprise doesn't support the scan on network drives feature when the network share is already protected by a separate real-time scanner such as ENSSP/VSES. For example, when ENSSP/VSES protects the storage device, enabling scan on network drives doesn’t provide any added malware detection capability. When you enable this feature, it might introduce performance and file-locking issues. The issues are caused because these products try to scan files simultaneously, when the user accesses them.

Back to Contents

Functionality - Product features and functions

Does ENSSP/VSES share a global cache like MOVE AV?
No. The storage appliance keeps the clean file cache, if there’s one configured for the storage appliance. ENSSP/VSES sends a notification to the storage appliance when DATs are updated. It's up to the storage appliance to delete its cache when notified and isn’t the responsibility of ENSSP/VSES.

How does ENSSP/VSES scan large files?
Only a small subset of a file is scanned. The engine determines which parts. RPC storage appliances allow ENSSP/VSES to access their file systems directly, greatly enhancing scan request fulfillment speed. ICAP storage appliances must copy the whole file to be scanned to the ENSSP/VSES scanner first, before the engine can then scan. So, scan request fulfillment times are longer than with RPC. So, file size and network saturation are more important in an ICAP scenario.

Does ENSSP/VSES load its own DAT and Engine or does it use what the McShield service loads?
ENSSP/VSES uses the McShield service as its DAT and Engine server.

Does ENSSP/VSES use threads from the McShield service if there’s excessive load?
The McShield service spawns scan threads to serve each ENSSP/VSES scan request it receives. This thread count is irrespective of other scan threads related to local ENS/VSE scanning.

What is the relevance of the ENSSP/VSES scan thread configuration and how does it affect the needed scanner count?
Depending on your environment, you must plan for ENSSP/VSES to handle the expected load. You determine this load as follows:

You have y number of physical filers.
You have z number of discrete filer IP addresses that send scan requests.

For ICAP
Deploy 2x(y) scanners. Configure each scanner’s ICAP scan thread count for 20*x(z) threads.

For NetApp
Deploy 2x(y) scanners. Configure each scanner’s NetApp scan thread count for 50*x(z) threads.

IMPORTANT: The filer vendor must fill this number based on how many simultaneously outstanding scans request the filer's operating system version issues from a discrete filer IP address.

ENSSP/VSES ICAP and RPC scanners can each be configured with a maximum of 800 threads. These threads act as buffers for incoming rushes of requests. This thread count doesn’t indicate how many scan threads can be handled in a manner conducive to performance.

Test in the working environment. If the default logs (ENSSP) ICAPStats_Activity.log / (VSES) Stats_ICAP.log 'threads used' counter + (ENSSP) NetAppStats_Activity.log / (VSES) Stats_NetApp.log 'threads used' counter are greater than or equal to 40 threads consistently in use over many logging increments, it indicates server stress. (Dependent on the robustness of the physical hardware of the ENSSP/VSES scanner.) To distribute the load so that service dropouts don’t occur during peak load periods, consider adding ENSSP/VSES scanners.

NOTE: If the scanner only scans ICAP or NetApp filers, only the (ENSSP) ICAPStats_Activity.log / (VSES) Stats_ICAP.log or the (ENSSP) NetAppStats_Activity.log / (VSES) Stats_NetApp.log, respectively, need to be considered.

Back to Contents

Affected Products

Endpoint Security Storage Protection 2.x
Getting Started
VirusScan Enterprise for Storage 1.3.x
VirusScan Enterprise for Storage 1.2.x

Languages:

This article is available in the following languages:

English United States
Japanese

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

FAQs for Endpoint Security Storage Protection/VirusScan Enterprise for Storage

Environment

Summary

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

FAQs for Endpoint Security Storage Protection/VirusScan Enterprise for Storage

Environment

Summary

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title