September 18th, 2013 08:00

CAVA Implementation Q/A

Hi,

Sorry if these questions are clearly outlined somewhere but I'm not finding it. Please kindly direct me if so.

Background

Implementing CAVA POC on a non production data mover server_9 in a VG8.  DART 7.1.71.101,  McAfee Ent. 8.8, EMC_CEE_Pack_6_0_4

I have successfully configured server_9, and the CAVA service on a Win2k3 x32 test CAVA server running McAfee. The virus checker service is running and successfully reports scan when a policy is created in McAfee. Like most, I have several data movers, VDMs and file systems that all require a different scan policy. These are the pieces I am missing. To keep it simple, let's say I have the following policy requirements.

  • server_9 unified share Exported via NFS and Native CIFS \\vnx9\sh01 500Gb (Scan daily, report only)  VLAN5
  • server_9 unified share Exported via NFS and Native CIFS \\vnx9\sh02 100Gb (Scan on demand, clean or isolate file) VLAN6
  • server_9 VDMA share Exported via VDM  CIFS \\VDMA\sh03 3Tb (Scan daily, report only) VLAN7
  • server_9 NFS share Exported via NFS only  (Scan daily, report only) VLAN7

CAVA Server is running in VLAN2

Implementation Questions:

  1. Where does one set up schedule and policy per share? I could do this in McAfee or should this be on a schedule local to the DM using server_viruschk server_9 -fsscan sh01 -create?
  2. How does CEP play into this? I'm missing the big picture and getting failure in the instructions /nas/sbin/server_user server_9 -add -md5 -passwd DOMAIN\cavauser.
  3. Kind of a policy question but will CAVA use McAfee's capacity management? The Performance tab in McAfee policy editor.

Thanks

Scot

1.2K Posts

September 25th, 2013 11:00

A few caveats -


First, CAVA is designed to scan CIFS shares on-demand.  NFS access won't trigger an on-demand scan, but you can still create a filesystem scan.  Second, I don't know of any way you can create a scheduled filesystem scan, short of creating your own script and crontab.  Next, I believe that you can only create one viruschk.conf per physical datamover, so I think you'll only be able to have one policy.  The McAfee policy settings determine the disposition of a file (clean, delete, isolate).  It also looks like McAfee only supports one policy at a time, so you might be limited there, too.

Here's a possible (though complex) solution.  Since most of your policy requirements are "Scan Daily, Report Only", I would create two groups of CAVA servers; I'll call them "Pool_Daily_Report" and "Pool_OnDemand_Clean".  "Pool_Daily_Report" would consist of a few McAfee CAVA servers set with disposition to Report Only, i.e. don't delete or modify infected files.  I would create one viruschk.conf file that referenced the hostnames/IPs of these CAVA servers and configure it on the datamover.  Then, I would create a crontab that would create a scan job outside of business hours and direct the output to a file.

Your server that requires on-demand scans introduces a wrinkle, however.  There's no way I can see to change the policy on a per-CIFS server basis, so I would move that CIFS server to a separate physical datamover and configure a different viruschk.conf file on that datamover.  I would set it to use the other pool of CAVA servers "Pool_OnDemand_Clean", where the McAfee disposition was set to Clean infected files (and delete or isolate as your policies dictate).

I'm not sure how CEP plays into your environment.  CEPA is usually used with applications that subscribe to notifications from the VNX.  CEPA isn't required for CAVA to work - they just share the same infrastructure.

Let us know if that helps!

Karl
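
The crontab approach suggested in the reply above, sketched as an added example that is not part of the original thread: a wrapper that starts a filesystem scan for each named filesystem with the server_viruschk ... -fsscan ... -create form quoted in the question, and appends the output to a file. Assumptions: it runs on the Control Station, server_viruschk lives in /nas/bin, and the script, log and lock paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): cron wrapper for datamover filesystem scans.
# Assumed/hypothetical: the /nas/bin location, the log and lock paths, the script name.
NAS_DB=${NAS_DB:-/nas}; export NAS_DB
VIRUSCHK=${VIRUSCHK:-/nas/bin/server_viruschk}
LOG=${LOG:-/home/nasadmin/cava_fsscan.log}
LOCK=${LOCK:-/tmp/cava_fsscan.lock}

# start_scans MOVER FS [FS...]
# Returns the number of filesystems whose scan could not be started,
# or 99 if another copy of this wrapper is still running.
start_scans() {
    mover=$1; shift
    failed=0
    # mkdir is atomic, so it works as a lock against overlapping cron runs.
    if ! mkdir "$LOCK" 2>/dev/null; then
        echo "$(date '+%F %T') $mover: lock $LOCK held, skipping run" >>"$LOG"
        return 99
    fi
    for fs in "$@"; do
        echo "$(date '+%F %T') $mover: starting fsscan of $fs" >>"$LOG"
        # Same command form as in the question: -fsscan <fs> -create
        if "$VIRUSCHK" "$mover" -fsscan "$fs" -create >>"$LOG" 2>&1; then
            echo "$(date '+%F %T') $mover: fsscan of $fs started" >>"$LOG"
        else
            echo "$(date '+%F %T') $mover: fsscan of $fs FAILED to start" >>"$LOG"
            failed=$((failed + 1))
        fi
    done
    rmdir "$LOCK"
    return "$failed"
}

# Run only when called with arguments, e.g. from a crontab entry such as
# (hypothetical path, 22:00 daily):
#   0 22 * * * /home/nasadmin/cava_fsscan.sh server_9 sh01 sh03
if [ "$#" -gt 0 ]; then
    start_scans "$@"
fi
```

A non-zero exit status means at least one scan did not start, so cron's mail-on-failure or a monitoring check on the log can pick it up.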

76 Posts

September 27th, 2013 12:00

From what I gather McAfee will manage the policy, scan and schedule. What I am trying to understand is what role CAVA plays in AV when McAfee is doing all the work? I can only create scans on shares that are available to the CAVA server. So PCI networks that are isolated will need to have their own set of CAVA servers?

This is the only thing I see CAVA has over straight AV.

The Viruschecker engine on the mover keeps an index of files scanned so that subsequent scans of unmodified files are passed over.

I see no documentation on how this is accomplished or configured and when you call support they will not touch it because these are implementation questions.

674 Posts

September 30th, 2013 02:00

The Viruschecking is using a CIFS-Server running on the physical datamover. It does not need any manually created share, because it is using the special CHECK$ Share (this is only working for users/groups with the special checker permissions) and has access to all mounted filesystems on the datamover. It does not matter if they are mounted on a VDM.

For virus scanning the network connection of this CIFS-Server is used, so you need it to be able to communicate with the CAVA servers.

CAVA is doing the communication between the datamover (the above CIFS Server) and your AV Software (i.e. McAfee)

Because of this you do not need CAVA Servers for each different VLAN configured on the datamover.

Typically the virus scanning using the datamover / CAVA feature is done nearly in real time (when writing into a file after the close) or also "scan on first read".

If the only thing you want to do is full scans and no real time scanning, then you can also map a share on an AV Scanner, without CAVA.

Please read the "Using VNX™ Event Enabler" manual, which will give you much more details.
