VirusScan Enterprise for Storage checklist for scanners supporting NetApp filers in 7-Mode
Technical Articles ID: KB81982
Last Modified:  5/22/2018


Environment

McAfee VirusScan Enterprise for Storage (VSES) 1.2.x

For details of VSES supported environments, see KB74863.

Summary

This article provides the VSES requirements for supporting NetApp filers in 7-Mode.
CAUTION: This article contains information about opening or modifying the registry.
  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
  • Do not run a REG file that is not confirmed to be a genuine registry import file.


NOTES:
  • 7-Mode is the legacy operating mode for NetApp filers.
  • NetApp OnTap 8.2.1+ filers can now be configured to use Clustered Data OnTap mode, called C-Mode (or sometimes 8-Mode).
  • VSES support on Windows:
    • VSES 1.1.0 on Windows 6.x can simultaneously handle different NetApp filers that are configured in either 7-Mode or C-Mode.
    • VSES 1.1.0 on Windows 5.x supports only 7-Mode.
    • VSES 1.0.0, 1.0.2, and 1.0.3 support only 7-Mode.
  • NetApp OnTap 8.2.1+ filers can still be configured to use 7-Mode.
Required customer information
This information is used in the subsequent checklist to verify that your environment is properly configured.
  1. Provide the user account that is being used for the McAfee VirusScan Enterprise for Storage service:
    • Active Directory Domain Administrator
    • Domain User
    • Local account
      IMPORTANT: If you are scanning non-domain NetApp filers with VSES, you need to enter the server name in the VSES domain configuration field.
       
    Check the following to identify the account:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\McAfee VirusScan Enterprise for Storage
      REG_SZ, ObjectName
    • Active Directory
    • The Administrative Tool Computer Management | Local Users and Groups
  2. Identify whether the protocol File and Printer Sharing for Microsoft Networks is enabled on the network adapters used for communication with the filers. Check the settings via the properties of the appropriate network adapters.
  3. Identify whether the protocol NetBIOS over TCP/IP is enabled on the network adapters used for communication with the filers. Check the settings via the properties of the appropriate network adapters.
  4. Identify whether teamed NICs are enabled on the scanner by checking the properties of the appropriate network adapters.
  5. Determine the number of discrete filer IP addresses that send scan requests directly to this scanner.

Customer/Agent checklist to ensure that your environment is correctly configured:
  1. Verify whether teamed NICs are enabled on the scanner by viewing the properties of the appropriate network adapters in the Windows graphical user interface.
  2. Verify that the Maximum scan time (seconds) setting is 55 seconds.
    Requirement source: Microsoft, NetApp, McAfee

    The default is 60 seconds; change it to 55.

    From the VSE console (or ePO, for managed nodes):
    1. View the properties of the Network Appliance Filer AV Scanner.
    2. Select the Performance tab.
    3. Select Scan Time, then Maximum scan time (seconds).
      This setting prevents the CIFS protocol on the originating user's end node from timing out before the scan result is returned.

      NOTE: The Microsoft Windows default CIFS timeout in currently supported Windows versions is 60 seconds.
      Related documents:
  3. Verify that the Number of scan threads is greater than or equal to 50 x (the number of connecting NetApp filer IP addresses).

    Requirement Source: NetApp
    • A typical NetApp OnTap filer can issue 50 simultaneous scan requests per IP address, although this ability might change per device (see the NetApp OnTap documentation).
    • Determine the aggregate maximum potential number of outgoing scan requests for all NetApp OnTap filers that register with a particular scanner.
    • Ensure the number of scan threads configured in that particular scanner's VSES NetApp settings matches that aggregate maximum potential number.
    • VSES can be configured with a maximum of 800 threads. A single scanner can therefore handle scan requests from at most 16 NetApp OnTap filers (16 x 50 = 800).

    Related document:
    NetApp article 3011812: https://kb.netapp.com/support/index?page=content&id=3011812
     
  4. Review the following File and Printer Sharing for Microsoft Networks protocol requirements:
    Requirement source: McAfee

    The protocol File and Printer Sharing for Microsoft Networks must be enabled on the network adapters used for communication with the storage appliances. Confirm this using either of the following steps:
    • In the Windows graphical user interface, view the properties of the appropriate network adapters.
    • Use regedit.exe, a combination of regedit.exe and wmic.exe, or a MER.

      wmic.exe:
      1. Open a command prompt with Administrator escalation.
      2. Type the following and press Enter:

        wmic nicconfig get Description,IPAddress,SettingID

        The combination of the displayed information is normally sufficient to determine the GUID of the intended network adapter.

      regedit.exe:
      1. Open regedit.exe and navigate to the following key:

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

        One or more of the randomly named subkeys have a Description value matching the hardware description of the intended network adapter.

        If there is only one Description value matching the intended network adapter, the data in the ServiceName value is the GUID of the intended network adapter.

        If there are multiple network adapters with the same Description as the intended network adapter, further discrimination is required. Continue to the next step.
         
      2. Pick the first key with a Description that matches the intended network adapter.
      3. Record the ServiceName value and use it as the GUID value in the remaining steps below.
      4. Navigate to the following key:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network
         
      5. There are one or more subkeys named with random GUIDs. Expand each one in turn until a subkey whose name is the GUID recorded above is found.
      6. Navigate to the following key:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{Random GUID}\Connection

        If the Name value matches the intended network adapter, the GUID determined above is the GUID of the intended network adapter.

        If the Name value does NOT match the intended network adapter, the GUID determined above is not the GUID of the intended network adapter.
      7. If the Name value did not match, repeat the previous steps with the next key whose Description matches the intended network adapter, until the GUID of the intended network adapter is determined.
      8. Determine whether the protocol File and Printer Sharing for Microsoft Networks is bound to a network adapter. In regedit.exe, navigate to the following key:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage

        If the Bind value contains the GUID of the network adapter, the protocol is bound to the network adapter.


    For deployment of McAfee Agent (MA) to a scanner, enable the File and Printer Sharing for Microsoft Networks protocol unless the scanners are wholly unmanaged by ePO or an MA installation is performed manually. For more information, see KB56386.

    After deployment of MA has concluded, this protocol remains needed for NetApp OnTap RPC functionality.
    Requirement source: NetApp

    Related documents:
    NetApp article 2011317: https://kb.netapp.com/support/index?page=content&id=2011317&locale=en_US

    NOTES:
    • The NetApp articles are ambiguous about whether enabling this protocol is only:
      • A legacy break-fix
      • For Windows Server 5.x and the down-level OnTap versions noted in the NetApp articles
    • NetApp confirmed that this protocol is still needed on all Windows versions.
    • NetApp confirmed that the articles regarding this topic are not updated.
  5. The NetBIOS over TCP/IP protocol must be enabled on the network adapters used for communication with the storage appliances.

    Confirm this using either of the following options:
    • Option 1: In the Windows graphical user interface, view the properties of the appropriate network adapters.
    • Option 2: Determine the NetBIOS over TCP/IP configuration of the network adapter:
      1. Determine the GUID of the network adapter (per the File and Printer Sharing for Microsoft networks section above).
      2. In regedit.exe, navigate to the following key:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_GUID

        (GUID is the network adapter GUID determined in the previous step.) The NetbiosOptions value indicates the configuration:
        0 = The Dynamic Host Configuration Protocol (DHCP) NetBIOS over TCP/IP setting is used if available.
        1 = NetBIOS over TCP/IP is enabled. This value is the default if DHCP is not available.
        2 = NetBIOS over TCP/IP is disabled.

    Requirement Source: NetApp

    Related document:
    NetApp article 2011317: https://kb.netapp.com/support/index?page=content&id=2011317&locale=en_US

    NOTES:
    • This NetApp article is ambiguous about whether enabling this protocol is only:
      • A legacy break-fix
      • For Windows Server 5.x and the down-level OnTap versions noted in the NetApp KB
    • NetApp was not able to confirm whether this protocol is still needed on any Windows version, including the versions for which NetApp recommended enabling the protocol.
    • NetApp confirmed that the articles regarding this topic are not updated.
  6. Prevent SMB2 traffic between Windows 6.x scanners and NetApp OnTap 8.1.2 or earlier filers.
    Requirement source: NetApp and McAfee

    If a Windows Server 6.x scanner services any down-level filers, SMB2 traffic must be prevented between Windows Server 6.x scanners and down-level filers:
    • Down-level filers are those running NetApp OnTap 8.1.2 or earlier.
    • Up-level filers are those running NetApp OnTap 8.1.3 or later.
       
    IMPORTANT: NetApp and McAfee both recommend disabling SMB2 on all scanners because SMB2+ brings no value to scanning operations, but can disrupt them.

    Choose one of the following options:

    Option 1 - Environment contains Windows Server 6.x scanners, and down-level and up-level filers:
    • Disable SMB2 on any down-level filers on any network interfaces that communicate with Windows 6.x scanners.
    • SMB2 can remain enabled on any Windows 6.x scanner that services down-level filers but also simultaneously services up-level filers.

      This option allows SMB2 traffic generated from up-level filers while ensuring that no down-level filers ever connect with Windows Server 6.x scanners using SMB2.
    Option 2 - Environment contains Windows Server 6.x scanners, and down-level and up-level filers:
    • SMB2 can be enabled on any down-level filers on the network interface that communicates with Windows 6.x scanners.
    • Disable SMB2 on any Windows 6.x scanners that service any down-level filers.

      This option prevents NetApp OnTap filers of any version from ever connecting using SMB2 with a Windows Server 6.x scanner that services both up-level and down-level filers. It also allows any Windows Server 6.x scanner that services only up-level filers to connect using SMB2.
    Option 3 - Environment contains Windows Server 6.x scanners and down-level filers only:
    • Disable SMB2 on any Windows 6.x scanners. This action prevents SMB2 traffic.
       
    Requirement source: NetApp
    • NetApp OnTap uses the SMB protocols to communicate with third-party scanners.
    • The NetApp OnTap SMB2 implementation on down-level filers is not fully Microsoft-compliant.
    • NetApp recommends that SMB2 is always disabled.
    • SMB2 use provides no benefit in this usage scenario.
    • Disabling SMB2 ensures that no legacy issues are encountered.
       
    Related document:
    Microsoft article 2696547: http://support.microsoft.com/kb/2696547

    IMPORTANT: The scanner must be restarted for this configuration change to take effect.
  7. The named pipe NTAPVSRQ must be accessible anonymously:
    Requirement source: NetApp
    • NetApp confirmed that the named pipe NTAPVSRQ must always be accessible anonymously on all Windows versions.
    • Without this anonymously accessible named pipe, Kerberos and NTLM operations are negatively affected.
       
    Related documents (invalidated for this setting):
    NetApp article 2011317: https://kb.netapp.com/support/index?page=content&id=2011317&locale=en_US

    NOTES:
    • The NetApp article is ambiguous about whether this setting is a legacy condition only for the Windows Server 5.x scanners and down-level OnTap versions noted in the NetApp article.
    • NetApp confirmed that the articles regarding this topic are not updated.
       
    Requirement source: McAfee
    • Previous McAfee documentation is invalidated by the NetApp confirmation above.
    • The McAfee document previously stated:

      The named pipe NTAPVSRQ must be accessible anonymously if the filer and scanners are members of different Active Directory domains.
      The named pipe NTAPVSRQ must be accessible anonymously on Windows Server 6.x scanners.
       
    NOTES:
    • The McAfee Product Guide is ambiguous about whether this setting is a legacy condition only for the Windows Server 6.0 scanners noted in the McAfee Product Guide.
    • McAfee plans to update the Product Guide for the next major release.
       
    You must choose one of the following group policy options (Active Directory or Local), which establishes anonymous access for the named pipe NTAPVSRQ:

    Option 1 - Active Directory GPO:
    1. Click Start, Run, type cmd, and click OK.
    2. At the command prompt, type rsop.msc and press ENTER.
    3. In the left pane, expand Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Security Options.
    4. In the right pane, locate the following policy option:

      Network Access: Named Pipes that can be accessed anonymously:
    5. Right-click the policy option and select Properties.
    6. On the Security Policy Setting tab, under the Define this policy setting in the template section, add NTAPVSRQ.
       
    Option 2 - Local GPO:
    1. Click Start, Run, type cmd, and click OK.
    2. At the command prompt, type rsop.msc and press ENTER.
    3. In the left pane, expand Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
    4. In the right pane, locate the policy option: Network Access: Named Pipes that can be accessed anonymously
    5. Right-click the policy option and select Properties.
    6. On the Security Policy Setting tab, under the Define this policy setting in the template section, add NTAPVSRQ.
       
    Regardless of the method you choose, on group policy enforcement (or when gpupdate.exe /force is run), the GPO writes the following into this registry value, which may already hold other entries:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
    • NullSessionPipes
    • REG_MULTI_SZ 'NTAPVSRQ'
    If the setting is made via Active Directory or Local group policy, the scanner need not be restarted for this configuration change to be effective.
  8. Verify that the Everyone group token is added to the Anonymous user's access tokens on Windows 6.x scanners.
    Requirement source: NetApp

    The RPC protocol used by NetApp OnTap to communicate with Windows 6.x scanners requires this token setting.

    Related documents: NetApp Bug ID 512535: http://support.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=512535

    NOTES:
    • The NetApp Bug Report is ambiguous about whether this setting is only for Windows Server 6.0, as noted in the NetApp article.
    • NetApp confirmed that the Bug Report regarding this issue is not updated.
    • NetApp stated that this setting is needed on all Windows versions.
    • NetApp reported null session pipe and Kerberos problems if the tokens are not set.

    Contrary to NetApp, McAfee believes that:
    • This setting is needed on Windows 6.x scanners.
    • The setting is related to Integrity levels implemented in Windows 6.x.
    • This setting is unnecessary on Windows 5.x scanners. The setting is related to Integrity levels and Integrity levels are not implemented in Windows 5.x.

    Related document:
    MSDN: http://msdn.microsoft.com/en-us/library/bb625964.aspx

    Choose one of the following two options to establish the token on Windows 6.x scanners:

    Option 1 - Active Directory GPO:
    1. Click Start, Run, type cmd, and click OK.
    2. At the command prompt, type rsop.msc and press ENTER.
    3. In the left pane, expand Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, Security Options.
    4. In the right pane, locate the following policy option:

      Network Access: Let Everyone permissions apply to anonymous users:
    5. Right-click the policy option and select Properties.
    6. On the Security Policy Setting tab, under the section Define this policy setting, select Enabled.
       
    Option 2 - Local GPO
    IMPORTANT: Ensure that Active Directory GPOs do not overwrite the local GPO.
    1. Click Start, Run, type cmd, and click OK.
    2. At the command prompt, type rsop.msc and press ENTER.
    3. In the left pane, expand Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
    4. In the right pane, locate the following policy option:

      Network Access: Let Everyone permissions apply to anonymous users:
    5. Right-click the policy option and select Properties.
    6. On the Security Policy Setting tab, under the Define this policy setting section, select Enabled.
       
    Regardless of the method chosen, on group policy enforcement, or if gpupdate.exe /force is used, the following is set by the GPO in this registry value:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    • everyoneincludesanonymous
    • REG_DWORD '1'
    Related Document: Microsoft TechNet: http://technet.microsoft.com/en-us/library/jj852264(v=ws.10).aspx

    If the setting is made via Active Directory or Local group policy, the scanner need not be restarted for this configuration change to be effective.
  9. Check whether teamed NICs are enabled on the scanner while the fastpath option is enabled on the filer.

    Requirement source: NetApp
    • Fastpath can result in disconnections with scanners that implement teamed NICs.
    • The error codes vary randomly depending on what operation was in progress during disconnection.
    • NetApp reports that some third-party NIC driver bugs also manifest when teamed NICs are in use.
    Under these conditions, one or both of the following options must be chosen for troubleshooting:


    Option 1 - At the filer:
    At the filer's console, execute the following: options ip.fastpath.enable off

    NOTE: If the problem is resolved, this setting can be permanent if other fastpath benefits are not required (contact NetApp Support).


    Option 2 - At the scanner:
    Disable teamed NICs on the scanner.

    NOTE: If the problem is resolved, this setting can be permanent if other teamed NICs benefits are not required.

    Related documents:
  10. Confirm whether the VSES Scan Server is configured to use Server SPN target name validation level. If it is, disable this option.

    Option 1 - Active Directory GPO:
    1. Open the Group Policy Management Console (gpmc.msc).
    2. Click Computer Configuration, Windows Settings, Local Policies, Security Options.
    3. Select Microsoft Network Server: Server SPN target name validation level.
    4. For the GPO object that applies to the VSES Scan Server set the option to either:

      Disabled
      Or
      Not Defined
    Option 2 - Edit Local Security Policy on the VSES Scan Server:
    1. Click Start, Run and type secpol.msc, then press ENTER.
    2. Under Security Settings expand Local Policies, Security Options.
    3. Scroll down and locate Microsoft Network Server: Server SPN target name validation level.
    4. Set this option to either:

      Disabled
      Or
      Not Defined

    5. Click Apply, OK.
    6. Close the Local Security Policy window.

    Option 3 - Change the registry setting SmbServerNameHardeningLevel to 0:

    1. Click Start, Run and type regedit, then press ENTER.
    2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
    3. Right-click SmbServerNameHardeningLevel and select Modify.
    4. Set the value to 0, then click OK.
    5. Close the registry editor.
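The following PowerShell script is an added example, not part of this article or of VSES itself: it audits in one pass the registry and WMI values the checklist above asks you to inspect by hand (service account, File and Printer Sharing binding per adapter, NetBIOS over TCP/IP, NullSessionPipes, EveryoneIncludesAnonymous, SmbServerNameHardeningLevel) and sizes the scan thread count from the number of connecting filer IP addresses. The parameter names and the Add-Result helper are this example's own; it assumes PowerShell 3.0 or later, run elevated on the scanner.

```powershell
# Added audit example (not from the McAfee article): reads the registry and WMI
# values this checklist walks through and reports each as PASS/FAIL.
# Assumes PowerShell 3.0 or later, run elevated on the VSES scanner itself.
param(
    [int]$FilerIpCount = 1,             # checklist input 5: filer IPs sending scans here
    [string[]]$AdapterDescription = @() # optional: restrict to these adapter descriptions
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{
        Check = $Check; Result = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail })
}

# Service account running VSES (ObjectName, REG_SZ, under the service key)
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\McAfee VirusScan Enterprise for Storage'
$svc = Get-ItemProperty $svcKey -ErrorAction SilentlyContinue
Add-Result 'VSES service key present' ($null -ne $svc) ("ObjectName = " + $svc.ObjectName)

# Per adapter: File and Printer Sharing binding (LanmanServer\Linkage Bind lists the
# adapter GUID) and NetBIOS over TCP/IP (NetbiosOptions 0 or 1 under NetBT\Parameters)
$bind = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Linkage').Bind
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    if ($AdapterDescription -and ($AdapterDescription -notcontains $nic.Description)) { continue }
    $guid  = $nic.SettingID   # same GUID that "wmic nicconfig get ... SettingID" shows
    $bound = [bool]($bind | Where-Object { $_ -like "*$guid*" })
    Add-Result "File/Print Sharing bound: $($nic.Description)" $bound "adapter GUID $guid"
    $nbtKey = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_$guid"
    $opt = (Get-ItemProperty $nbtKey -ErrorAction SilentlyContinue).NetbiosOptions
    Add-Result "NetBIOS over TCP/IP: $($nic.Description)" ($opt -in 0, 1) "NetbiosOptions = $opt (0=DHCP, 1=enabled, 2=disabled)"
}

# Named pipe NTAPVSRQ accessible anonymously (NullSessionPipes, REG_MULTI_SZ)
$lanman = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Add-Result 'NTAPVSRQ in NullSessionPipes' ($lanman.NullSessionPipes -contains 'NTAPVSRQ') ("NullSessionPipes = " + ($lanman.NullSessionPipes -join ', '))

# Everyone permissions apply to anonymous users (EveryoneIncludesAnonymous = 1)
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Add-Result 'EveryoneIncludesAnonymous = 1' ($lsa.EveryoneIncludesAnonymous -eq 1) ("value = " + $lsa.EveryoneIncludesAnonymous)

# Server SPN target name validation disabled (SmbServerNameHardeningLevel 0 or not defined)
$level = $lanman.SmbServerNameHardeningLevel
Add-Result 'SmbServerNameHardeningLevel = 0' (-not $level) ("value = " + $(if ($null -eq $level) { 'not defined' } else { $level }))

# Scan thread sizing: 50 threads per connecting filer IP, VSES maximum 800 (16 filers)
$needed = 50 * $FilerIpCount
Add-Result 'Scan threads within VSES limit' ($needed -le 800) "$FilerIpCount filer IP(s) x 50 = $needed threads; set Number of scan threads >= $needed (max 800)"

$results | Format-Table -AutoSize -Wrap
```

A FAIL row points you back to the matching checklist item above; the script only reads settings and changes nothing.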
