October 3rd, 2013 12:00

CITRIX and AV?

We have millions of tiny files on our Celerra (Citrix profiles). Unfortunately, AV is having problems keeping up when all the Citrix users log on first thing in the morning. In our viruschecker.conf we have 80 threads. We do scan reads and writes.

Short of moving the profiles to their own dedicated filesystem and turning AV off for just that filesystem, does anyone know a way to skip just the CIFS share with the Citrix profiles?

Our security team uses SAV for NAS. They mentioned they can exclude the path on the AV servers. I think that is a bad idea; my understanding was that the viruschecker.conf had to have either more exclusions or match the exclusions of the SAV for NAS servers. What happens if the AV server is more restrictive than the viruschecker.conf file? Does the poor Celerra keep resending the file to get it scanned?

Any suggestions would be appreciated.

Thanks Sue

1.2K Posts

October 4th, 2013 06:00

Do you have a common file extension on the Citrix profile, say, ctxprofile.ctx? You could exclude the extension that way. The problem with excluding the path on the SAV server is that you might have a lot of trouble getting the directory path to match 100%. When you scan files on the CIFS server, the root path starts from the CHECK$ share root. Some AV clients won't expand wildcard directories the way you expect, so your directory exclusions may fail. File extensions are the easiest, most consistent way to go.

In terms of the profile strictness on the AV server side, if you have a file type that's excluded on the AV server, it returns a "success" message and the CIFS server is permitted to pass the file along.  For example, if your AV exclusion list includes only .txt files and the SAV exclusion list has .txt and .tmp, any .tmp files sent by the CIFS server to the AV server will not be scanned, but it returns a "success" message.

We had McAfee as our AV client and can see this behavior clearly in our logs.

Let us know if that helps!
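The two-stage exclusion behaviour described in the reply above, as an added example that is not part of the original thread: it classifies file names by whether the CIFS server would send them to the AV server and whether the AV server would actually scan them. The mask lists, file names and outcome labels are constructed for illustration and are not viruschecker.conf or SAV syntax.

```python
import os
from collections import Counter
from fnmatch import fnmatchcase

def scan_outcome(name, nas_excl, av_excl):
    """Simplified model of the behaviour described in the reply (an assumption)."""
    lname = name.lower()
    if any(fnmatchcase(lname, m.lower()) for m in nas_excl):
        return "not_sent"        # excluded on the NAS side: no scan request is made
    if any(fnmatchcase(lname, m.lower()) for m in av_excl):
        return "sent_unscanned"  # AV server answers "success" without scanning
    return "sent_scanned"        # request made and file really scanned

def audit(names, nas_excl, av_excl):
    """Tally outcomes, plus extensions that cost a request but get no scan."""
    outcomes = Counter()
    unscanned_ext = Counter()
    for name in names:
        outcome = scan_outcome(name, nas_excl, av_excl)
        outcomes[outcome] += 1
        if outcome == "sent_unscanned":
            ext = os.path.splitext(name)[1].lower() or "(none)"
            unscanned_ext[ext] += 1
    return outcomes, unscanned_ext

# Constructed sample data (hypothetical profile file names and exclusion masks).
SAMPLE_FILES = ["NTUSER.DAT", "notes.txt", "cache01.tmp", "cache02.tmp",
                "prefs.ini", "README.TXT", "session"]
NAS_EXCL = ["*.txt"]           # hypothetical NAS-side exclusion list
AV_EXCL = ["*.txt", "*.tmp"]   # hypothetical AV-server exclusion list

if __name__ == "__main__":
    outcomes, unscanned_ext = audit(SAMPLE_FILES, NAS_EXCL, AV_EXCL)
    for outcome in ("not_sent", "sent_unscanned", "sent_scanned"):
        print(f"{outcome:15} {outcomes[outcome]}")
    # Extensions listed here use a scan thread yet receive no scan; aligning the
    # NAS-side list with the AV-side list removes those requests.
    for ext, count in unscanned_ext.most_common():
        print(f"request without scan: {ext} x{count}")
```

Files in the "sent_unscanned" bucket show "success" on the NAS side although nothing inspected them, so they are the ones to reconcile between the two exclusion lists.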

13 Posts

October 4th, 2013 07:00

Thanks Karl, good info. I wish we had a common extension for all the tiny files that make up the Citrix profile. Unfortunately, when people log on, a bunch (i.e. over one hundred) of tiny files get opened per person and they are all scanned at the same time. AV is having problems keeping up. We have 80 threads, but wow, that is not enough on peak days. When I issue the server_viruschk server_2 -audit command I can see over 500 requests in progress.

I think our old Celerra was not the best place to put Citrix profiles; hopefully we can find a new spot to put them. The folder with all the profiles is pretty small space-wise but had over 11 million tiny files.


1.2K Posts

October 7th, 2013 12:00

That sounds like quite a predicament. Is there anything common about the Citrix profile from a filename perspective you can use at all? Maybe there's a way to force Citrix to write the tempfiles with a common name (say, ctxtemp001, ctxtemp002, etc.) or with a common extension (.ctx)? If not, your only choice is to consider moving them to another filesystem and disabling AV against that filesystem.

13 Posts

October 11th, 2013 08:00

Unfortunately there is nothing common to filter on except the folder name at a pretty high level.

I think making a new filesystem, turning off AV for that one only, may be the way to go since the Citrix servers are scanning them too, so we really are double scanning.

Thank you for the input; I really appreciate the 2nd set of eyes.
