This post is more than 5 years old
10 Posts
0
3083
CAVA Tuning
A long time ago I saw a whitepaper (maybe internal, don't remember) that was on CAVA performance tuning. Specifically, where it was appropriate to do either inclusive or exclusive scanning of files (masks= vs excl=). In looking at all the documentation, it *seems* to point toward inclusive scanning, but there is nothing I've found that specifically says "EMC recommends this or this." I have also run into a lot of places where both the masks and excl parameters are set (which makes no sense to say "scan only this, but be sure to exclude these).
Personally, I have run into nothing but trouble when I set mask=*.* and performance drops off quickly and have always recommended inclusive. I'm looking for recommendations (or that paper) to that effect.
At the end of the virusckecker.conf file there is this list of masks which makes me think *.* is a bad idea.
# masks=*.EXE:*.COM:*.DOC:*.DOT:*.XL?:*.MD?:*.VXD:*.386:*.SYS:*.BIN
# masks=*.RTF:*.OBD:*.DLL:*.SCR:*.OBT:*.PP?:*.POT:*.OLE:*.SHS:*.MPP
# masks=*.MPT:*.XTP:*.XLB:*.CMD:*.OVL:*.DEV
# masks=*.ZIP:*.TAR:*.ARJ:*.ARC:*.Z
Personally, I have run into nothing but trouble when I set mask=*.* and performance drops off quickly and have always recommended inclusive. I'm looking for recommendations (or that paper) to that effect.
At the end of the virusckecker.conf file there is this list of masks which makes me think *.* is a bad idea.
# masks=*.EXE:*.COM:*.DOC:*.DOT:*.XL?:*.MD?:*.VXD:*.386:*.SYS:*.BIN
# masks=*.RTF:*.OBD:*.DLL:*.SCR:*.OBT:*.PP?:*.POT:*.OLE:*.SHS:*.MPP
# masks=*.MPT:*.XTP:*.XLB:*.CMD:*.OVL:*.DEV
# masks=*.ZIP:*.TAR:*.ARJ:*.ARC:*.Z
Disk Jockey
92 Posts
0
August 14th, 2009 07:00
*.*
62 Excluded File(s):
*.CAB *.CTR *.DCB *.DCT *.DIR *.EDB *.FMB *.FMT *.FMX *.FRM *.FYI *.FZY *.GZ
*.INP *.IVT *.JPG *.KEY *.LDB *.LFP *.LOG *.MAD *.MAF *.MAM *.MAQ *.MAR *.MAT
*.MDA *.MDB *.MDE *.MDN *.MDW *.MDZ *.MEG *.NDX *.NSF *.OPT *.ORA *.ORC *.OST
*.PDF *.PST *.RAR *.SC *.SEC *.SFP *.SQC *.SQL *.SQR *.STM *.STP *.TAG *.TAR
*.TEX *.TIF *.TMP *.TRK *.VOL *.VOL *.XFD *.XFS *.ZIP ????????
Confirmed by someone VERY familiar with CAVA, EMC dev I think.
Don't forget the tuning on the CAVA servers. For Symantec there are some tcp tweaks, exclude the temp scanning directory from the host vscan, use lots of RAM for scanning, etc.
I can post details if you are interested.
There is a batch file on SAV SE servers to configure SAV SE pick up any IU updates pushed out to clients managed by SSC. Helps to unify things a bit when the SHTF as we had last week...
We run 4 CAVA VMs against our ns40 and 960 with about 1500 concurrent users.
TF-9l6i4
54 Posts
0
August 7th, 2009 01:00
Here's my setup:
excl=*.dtl:*.err:*.lnk:*.out
masks=*.*
Which means I fall into the "exclude" camp. maybe this is why we need to run 7 CAVA servers to keep things moving????
Be interested to hear other's findings.
umichklewis_ac7b91
300 Posts
0
August 7th, 2009 08:00
masks=*.*
excl=*.tmp:????????:*journal:*.dotm
I just ignore .tmp files and M$ temp files. We scan everything because we can't be guaranteed CIFS clients have A/V software installed - we have Macs and Linux hosts that have clearly transferred files to the Celerra that CAVA has deleted.
RogerLBenson
10 Posts
0
August 11th, 2009 05:00
The exclude option only works if mask=*.*, so that's "scan everything but x, y, & z".
If you specify something in mask=, then exclude does not work. So excl=*.tmp,*.~?? etc with a mask=*.do?,*.ex? etc ONLY scans what's in the mask= field. Haven't determined if doing that slows things down (and I suspect it does because it has to look at both instruction sets to scan, but not much), but it is sloppy.
Each CAVA server scans one file at a time, using round robin to decide who scans what. A good argument for using the the sizing tool.
I haven't found out if the server_viruschk -all command bypasses the mask & excl options, but I suspect it does. Also, the rules for scan on demand are scan on first read, write, and modify, but I haven't determined if a previous the -all bypasses that also. Again, I suspect it does otherwise new virus definitions might never get a crack at older files.
Still no EMC best practices.
RogerLBenson
10 Posts
0
August 11th, 2009 05:00
emc62326: What are the best practices for Celerra virus checking?
http://knowledgebase.emc.com/emcice/documentDisplay.do;jsessionid=C4ECA4A393FF3ACEB382912BD01107E2?docType=1006&clusterName=DefaultCluster&resultType=5002&groupId=1&page=&docProp=$solution_id&docPropValue=emc62326&passedTitle=null
And what I was looking for:
2.) The mask= parameter can greatly impact virus checking performance. It is recommended that you do not use mask=*.* since this setting scans all files. Many file types cannot harbor viruses, therefore, mask=*.* is not an efficient setting. Most AV engines do not scan all file types. Also scans of file types with an unknown extension will result in the entire file being scanned, increasing network bandwidth and resources.
And there are some good links down at the bottom on CAVA too.
riker82
75 Posts
0
November 25th, 2009 02:00
Hi,
can you post those tweaks for Symantec Scan Engine (I'm using 5.2 version) ? I'm just using only one CAVA server with SAV for NAS for 800 of users (and mask=*.* and no exclusions). Do you suggest me to add another cava server? Should I install another SAV for NAS on the secondary CAVA server too?
thanks!
Peter_EMC
674 Posts
0
November 25th, 2009 03:00
riker82
75 Posts
0
November 25th, 2009 03:00
Hi,
I did the tweaks you suggest me.. But I still receive "Scan Engine scanning feature hung or scan engine is overloaded" message from sav and files not checked on control station. Other suggestions?
kensagle
59 Posts
0
November 25th, 2009 10:00
Don't overlook the threads as well. There is a default number of CIFS threads for AV scanning. You can add more scanners but it does not increase the number of threads. If the current AV servers are handling the load, you may look at increasing the threads before adding more CAVA servers.
Sagle
Peter_EMC
674 Posts
0
November 25th, 2009 22:00
If this message "Scan Engine scanning feature hung or scan engine is overloaded" is reliable, then increasing the threads and increasing the load will not help.
riker82
75 Posts
0
November 29th, 2009 23:00
Ok, so what have I to take care?
Consider that the message "Scan Engine scanning feature hung or scan engine is overloaded" arrives to me when I move some files... But however, it alerts me so much...
Consider that my CAVA servers are two (virtual machines, on ESX enviroment) but they are scanning only mine robocopy (or emcopy). Nothing else. Is It possibile to receive that message with only the load of 1 robocopy (of several files)?
During this message, I've checked the workload on those servers (they have 2 vcpus, 2 gb of ram and lie on CX3-40 very high speed disks...) and I cannot see no problems (cpu, memory and network activity very low... ); so where's the problem?
thanks again