RogerLBenson
1 Copper

CAVA Tuning

A long time ago I saw a whitepaper (maybe internal, don't remember) that was on CAVA performance tuning. Specifically, where it was appropriate to do either inclusive or exclusive scanning of files (masks= vs excl=). In looking at all the documentation, it *seems* to point toward inclusive scanning, but there is nothing I've found that specifically says "EMC recommends this or this." I have also run into a lot of places where both the masks and excl parameters are set (which makes no sense to say "scan only this, but be sure to exclude these").

Personally, I have run into nothing but trouble when I set mask=*.* and performance drops off quickly and have always recommended inclusive. I'm looking for recommendations (or that paper) to that effect.

At the end of the viruschecker.conf file there is this list of masks which makes me think *.* is a bad idea.

# masks=*.EXE:*.COM:*.DOC:*.DOT:*.XL?:*.MD?:*.VXD:*.386:*.SYS:*.BIN
# masks=*.RTF:*.OBD:*.DLL:*.SCR:*.OBT:*.PP?:*.POT:*.OLE:*.SHS:*.MPP
# masks=*.MPT:*.XTP:*.XLB:*.CMD:*.OVL:*.DEV
# masks=*.ZIP:*.TAR:*.ARJ:*.ARC:*.Z
0 Kudos
1 Solution

Accepted Solutions
spaceman1
2 Iron

Re: CAVA Tuning

1 File Mask(s):
*.*
62 Excluded File(s):
*.CAB *.CTR *.DCB *.DCT *.DIR *.EDB *.FMB *.FMT *.FMX *.FRM *.FYI *.FZY *.GZ
*.INP *.IVT *.JPG *.KEY *.LDB *.LFP *.LOG *.MAD *.MAF *.MAM *.MAQ *.MAR *.MAT
*.MDA *.MDB *.MDE *.MDN *.MDW *.MDZ *.MEG *.NDX *.NSF *.OPT *.ORA *.ORC *.OST
*.PDF *.PST *.RAR *.SC *.SEC *.SFP *.SQC *.SQL *.SQR *.STM *.STP *.TAG *.TAR
*.TEX *.TIF *.TMP *.TRK *.VOL *.VOL *.XFD *.XFS *.ZIP ????????

Confirmed by someone VERY familiar with CAVA, EMC dev I think.

Don't forget the tuning on the CAVA servers. For Symantec there are some tcp tweaks, exclude the temp scanning directory from the host vscan, use lots of RAM for scanning, etc.
I can post details if you are interested.

There is a batch file on SAV SE servers to configure SAV SE to pick up any IU updates pushed out to clients managed by SSC. Helps to unify things a bit when the SHTF as we had last week...
We run 4 CAVA VMs against our ns40 and 960 with about 1500 concurrent users.
0 Kudos
11 Replies
TF-9l6i4
2 Iron

Re: CAVA Tuning

Interesting point raised.....

Here's my setup:

excl=*.dtl:*.err:*.lnk:*.out
masks=*.*

Which means I fall into the "exclude" camp. Maybe this is why we need to run 7 CAVA servers to keep things moving????

Be interested to hear others' findings.
0 Kudos
umichklewis
3 Argentium

Re: CAVA Tuning

I'm one of those "Scan everything" folks:

masks=*.*
excl=*.tmp:????????:*journal:*.dotm

I just ignore .tmp files and M$ temp files. We scan everything because we can't be guaranteed CIFS clients have A/V software installed - we have Macs and Linux hosts that have clearly transferred files to the Celerra that CAVA has deleted.
0 Kudos
RogerLBenson
1 Copper

Re: CAVA Tuning

Here's what I've found so far.

The exclude option only works if mask=*.*, so that's "scan everything but x, y, & z".

If you specify something in mask=, then exclude does not work. So excl=*.tmp,*.~?? etc with a mask=*.do?,*.ex? etc ONLY scans what's in the mask= field. Haven't determined if doing that slows things down (and I suspect it does because it has to look at both instruction sets to scan, but not much), but it is sloppy.

Each CAVA server scans one file at a time, using round robin to decide who scans what. A good argument for using the sizing tool.

I haven't found out if the server_viruschk -all command bypasses the mask & excl options, but I suspect it does. Also, the rules for scan on demand are scan on first read, write, and modify, but I haven't determined if a previous -all bypasses that also. Again, I suspect it does, otherwise new virus definitions might never get a crack at older files.

Still no EMC best practices.
0 Kudos
RogerLBenson
1 Copper

Re: CAVA Tuning

Well I'll be... Primus coughed it up finally.

emc62326: What are the best practices for Celerra virus checking?
http://knowledgebase.emc.com/emcice/documentDisplay.do;jsessionid=C4ECA4A393FF3ACEB382912BD01107E2?d...

And what I was looking for:
2.) The mask= parameter can greatly impact virus checking performance. It is recommended that you do not use mask=*.* since this setting scans all files. Many file types cannot harbor viruses, therefore, mask=*.* is not an efficient setting. Most AV engines do not scan all file types. Also scans of file types with an unknown extension will result in the entire file being scanned, increasing network bandwidth and resources.

And there are some good links down at the bottom on CAVA too.
0 Kudos
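
An added example, not code from any poster or from EMC: a small linter for the masks=/excl= settings that flags the issues raised in this thread (masks=*.*, excl= set next to a restrictive mask list, duplicated patterns) and previews whether a file name falls in scan scope. It assumes the colon-separated syntax quoted above, merges repeated lines of the same key, and treats *.* as "every file"; parse_conf, in_scope and lint are hypothetical helper names.

```python
import fnmatch

# Constructed sample in the masks=/excl= syntax quoted in the thread (not a real system's file).
SAMPLE = """\
# masks=*.*
masks=*.EXE:*.COM:*.DOC:*.XL?
masks=*.ZIP:*.exe
excl=*.tmp:????????
"""

def parse_conf(text):
    """Collect masks=/excl= patterns, skipping '#' comment lines.
    Assumption: repeated lines for the same key are merged."""
    conf = {"masks": [], "excl": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in conf:
            conf[key.strip().lower()] += [p for p in value.strip().split(":") if p]
    return conf

def _hit(name, patterns):
    # Assumption: "*.*" means "every file", as the thread uses it; the rest
    # are matched case-insensitively as shell-style wildcards.
    return any(p == "*.*" or fnmatch.fnmatchcase(name.upper(), p.upper())
               for p in patterns)

def in_scope(name, conf):
    """True if a file name matches a mask and no exclusion."""
    return _hit(name, conf["masks"]) and not _hit(name, conf["excl"])

def lint(conf):
    """Return (code, detail) findings for the issues raised in the thread."""
    findings = []
    if "*.*" in conf["masks"]:
        findings.append(("scan-all", "masks=*.* scans every file type"))
    elif conf["excl"]:
        findings.append(("excl-with-masks", "excl= set alongside a restrictive masks= list"))
    for key in ("masks", "excl"):
        seen = set()
        for p in (p.upper() for p in conf[key]):
            if p in seen:
                findings.append(("duplicate", f"{key}: {p}"))
            seen.add(p)
    return findings

if __name__ == "__main__":
    print(lint(parse_conf(SAMPLE)))
```

Running it against a copy of the live file before and after a change shows which extensions moved in or out of scan scope.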
riker82
2 Iron

Re: CAVA Tuning

Hi,

Can you post those tweaks for Symantec Scan Engine (I'm using version 5.2)? I'm using only one CAVA server with SAV for NAS for 800 users (and mask=*.* and no exclusions). Do you suggest I add another CAVA server? Should I install another SAV for NAS on the secondary CAVA server too?

Thanks!

0 Kudos
Peter_EMC
3 Zinc

Re: CAVA Tuning

Please read emc210117 for port usage of SAV on W2K3.
0 Kudos
riker82
2 Iron

Re: CAVA Tuning

Hi,

I did the tweaks you suggested, but I still receive the "Scan Engine scanning feature hung or scan engine is overloaded" message from SAV and files not checked on control station. Other suggestions?

0 Kudos
kensagle
2 Iron

Re: CAVA Tuning

Don't overlook the threads as well. There is a default number of CIFS threads for AV scanning. You can add more scanners but it does not increase the number of threads. If the current AV servers are handling the load, you may look at increasing the threads before adding more CAVA servers.

Sagle

0 Kudos