July 10th, 2009 10:00

Does CEE 4.2.2 work for CIFS Shares on VDMs?

Hello All,

I recently opened up a support case, SR# 30339240, to address a CAVA implementation question. We got to talking and I asked him how one would verify CAVA's functionality. He showed me the 'server_viruscheck -audit' function, but after looking one step further he found that the majority of our CIFS shares are mounted on a VDM.

He pointed me to emc192425, which states that CAVA on VDMs isn't supported and doesn't work. Can someone else confirm if this article is valid and if you are using CAVA with VDMs?

I took his word and the emc document as bond, but after looking at our McAfee statistics on our CAVA servers it seems like CAVA is passing VDM share paths through our CAVA mount points.

(ie. \\TOWNAS1F2\CHECK$\root_vdm_5\TOWFILGROUPS_root\{somefile} )

CAVA mount point = \\TOWNAS1F2\CHECK$
vdm mount = \root_vdm_5\TOWFILGROUPS_root\{somefile}

From this window it appears like McAfee is scanning the files, so I'm confused by the contradiction in statements and what I see on my screen. Can you tell me what type of behavior I am supposed to see out of the CAVA server when it discovers a virus?

Environment Details
Celerra OS: DART 5.6.42-5
Celerra Events Enabler: 4.2.2
McAfee Enterprise 8.5.0.781

Thanks in advance,

July 10th, 2009 12:00

Per emc192425, yes - the CAVA CIFS server must exist on a physical data mover, not a VDM. That's just saying that the CIFS share that passes the scans to the CAVA servers must be on a physical DM, nothing more. Once that CIFS server is in place, however, you can create as many VDMs as you like and all of them can scan.

In my environment, I have my hidden CHECK$ share on the physical DM, server_2. However, I have many vdms in use, vdm_1 through vdm_11 today. Each VDM hands files to be scanned to the CAVA servers via the hidden share. In your case, the CAVA servers are looking at \\TOWNAS1F2\CHECK$ and seeing files on the vdm mount point, i.e. \root_vdm_5\etc. This is expected behavior.

In my environment, I run CEE 4.0.2 and McAfee Enterprise 8.5i. My CAVA mount is \\engin-cava\CHECK$. My VDMs have CIFS servers with all kinds of names, but in every case, all I see in the McAfee statistics are files checked from \\engin-cava\CHECK$.

The info you see seems 100% correct; I think your CAVA setup is running correctly - he might have missed that your CAVA CHECK$ share was on the physical DM, not a VDM.

Please let us know if this helps!

1.5K Posts

July 10th, 2009 12:00

"umichklewis" is absolutely right. In order to have the viruschecker (CAVA) configured a global CIFS server is required on the physical data mover. You may have the CIFS servers created within a VDM - but a global CIFS server is required for antivirus functionality (only the physical data mover root can host the CHECK$ share used for viruschecking operations). A global CIFS server is a CIFS server created at the physical Data Mover level.

Once you have done that it will provide AV checking for ALL CIFS servers (or better said file systems) on that data mover - no matter if they are in a VDM or not.
Unless you specifically mount a file system using the noscan option - if you want to exclude any file system from scanning, you can do this.

So - your configuration is correct as you see.

Thanks,
Sandip

44 Posts

July 11th, 2009 05:00

Thanks for the response. Since your antivirus solution is almost exactly like our environment, what is your expected anti-virus behavior when a virus is found?

On our clients when a virus is found, McAfee erases the virus. When I placed a virus test file on the share McAfee didn't blink an eye. What could cause this? We have 3 CAVA servers for a total of 5000 users.

Moderator

285 Posts

July 12th, 2009 02:00

There are several things you can do to figure out what is going on.

1. First, double-check the setup. Go through the CAVA install manual step by step and ensure your setup is correct with respect to the AV user, its permissions and group memberships. Remember that you need an AV local group on the Data Mover and your AV user needs to be a member of that group. The group then needs to have the CAVA scanning rights granted to it by using the Celerra management MMC snap-in.

2. If the setup all checks out, you can increase logging for CAVA; this will show you the transactions between the Data Mover and the scan engine. Take a look at emc50334 for more information. Once increased logging is enabled, you can see where the process is failing.

3. If all else fails, open a Service Request.

-bill

July 13th, 2009 08:00

We've configured McAfee to try and clean, then delete. McAfee seems to have no trouble deleting files when found. What do you see in your OnAccess Protection log? Do you have the checkbox in OnAccess checked for "check network drives"? Without this, McAfee will cheerfully ignore files.

We have 4 CAVA servers for 8000 users and typically see 18000us or so per scan. We scan just about everything, so that response time isn't too bad.

44 Posts

July 15th, 2009 11:00

We've configured McAfee to try and clean, then
delete. McAfee seems to have no trouble deleting
files when found. What do you see in your OnAccess
Protection log? Do you have the checkbox in OnAccess
checked for "check network drives"? Without this,
McAfee will cheerfully ignore files.

We have 4 CAVA servers for 8000 users and typically
see 18000us or so per scan. We scan just about
everything, so that response time isn't too bad.


umichklewis: We have the "check network drives" option ticked. So I'm good on that.

After doing some more digging to verify things, I did find by looking at the "On-Access Scan Statistics" that the CAVA servers are checking files and folders listed on other shares, but the expected behavior, which is to remove detected viruses, isn't occurring.

Do you know if a virus is flagged on any logs on the Celerra when found, or is that data only sent to the McAfee log servers? My latencies are listed below.

NS80-1
min=228 uS, max=15021990 uS, average=17081 uS
NS80-2
min=222 uS, max=5170512 uS, average=77741 uS

I assume that is acceptable but I don't have any frame of reference.
Thanks In Advance

July 15th, 2009 19:00

Apologies for taking so long to reply. I'm on vacation for the next week, so I'm trying to finish up projects in advance. We've been up for quite awhile, so our VC check count is quite high (150M+ scans for only 30 infected files!)

[nasadmin@NS80-CS0 ~]$ server_uptime server_2
server_2 : up 123 days 14 hours 43 min 25 secs

[nasadmin@NS80-CS0 ~]$ server_viruschk server_2 -audit
server_2 :
Total Requests: 152893552.
Requests in progress: 0.

NO ANSWER from the Virus Checker Servers: 0.
ERROR_SETUP: 0.
FAIL: 0.
TIMEOUT: 0.
Total Infected Files: 30.
Deleted Infected Files: 27.
Renamed Infected Files: 0.
Modified Infected Files: 3.
min=128 uS, max=7958772 uS, average=13915 uS

As you can see, we were able to clean three files, but deleted 27. To answer your question - yes, the VC log on the Celerra will show you a message when a file was modified (either deleted or cleaned), the user and client machine hostname and so forth. I don't have any recent files to show you an example - sorry about that. Check McAfee and make sure On-Access Scanner is set to "Scan all files" - use the viruschecker.conf to exclude any filetypes you wish to ignore. This ensures that McAfee scans every file type you want (I had an issue with conflicts between the local McAfee exclude list and the viruschecker.conf exclude list).

Your latencies seem okay, so I don't think that's an issue. If you don't see viruses being deleted, check the log file for VC facility messages. I prefer 'server_log server_x |grep VC'.

Karl
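
An added example, not part of Karl's post and not EMC tooling: a Python script that parses the `server_viruschk ... -audit` output quoted above and flags the conditions discussed in this thread (non-zero failure counters, infected files that were not deleted, renamed or modified, no scan requests at all). The function names and the 100000 uS average-latency threshold are assumptions.

```python
import re
import sys

# Audit output quoted in the post above, used as built-in sample input.
SAMPLE = """server_2 :
Total Requests: 152893552.
Requests in progress: 0.

NO ANSWER from the Virus Checker Servers: 0.
ERROR_SETUP: 0.
FAIL: 0.
TIMEOUT: 0.
Total Infected Files: 30.
Deleted Infected Files: 27.
Renamed Infected Files: 0.
Modified Infected Files: 3.
min=128 uS, max=7958772 uS, average=13915 uS
"""
FAILURES = ("NO ANSWER from the Virus Checker Servers", "ERROR_SETUP", "FAIL", "TIMEOUT")
HANDLED = ("Deleted Infected Files", "Renamed Infected Files", "Modified Infected Files")

def parse_audit(text):
    """Return the counters by name, plus min_us/max_us/average_us latencies."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_ ]+?):\s*(\d+)\.?\s*$", line)
        if m:
            stats[m.group(1)] = int(m.group(2))
        for key, value in re.findall(r"(min|max|average)=(\d+) uS", line):
            stats[key + "_us"] = int(value)
    return stats

def evaluate(stats, max_average_us=100_000):  # threshold is an assumed value
    """List the conditions that suggest scanning is not doing its job."""
    findings = [f"{n}: {stats[n]}" for n in FAILURES if stats.get(n, 0) > 0]
    if stats.get("Total Requests", 0) == 0:
        findings.append("no scan requests recorded")
    unhandled = stats.get("Total Infected Files", 0) - sum(stats.get(k, 0) for k in HANDLED)
    if unhandled > 0:
        findings.append(f"{unhandled} infected file(s) not deleted, renamed or modified")
    if stats.get("average_us", 0) > max_average_us:
        findings.append(f"average scan latency {stats['average_us']} uS")
    return findings

if __name__ == "__main__":
    # Pipe real output in, or run with no pipe to evaluate the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    problems = evaluate(parse_audit(text))
    print("\n".join(problems) or "audit counters look healthy")
    sys.exit(1 if problems else 0)
```

Saved under a hypothetical name such as `audit_check.py`, it can be fed the saved output of `server_viruschk server_2 -audit` on any host with Python 3; the exit status is non-zero when any finding is reported.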

8.6K Posts

July 24th, 2009 00:00

We have 4 CAVA servers for 8000 users and typically see 18000us or so per scan. We scan just about
everything, so that response time isn't too bad.


Interesting - are these 8000 concurrent active users or do you know how many CIFS connections you normally have?

44 Posts

July 27th, 2009 10:00

Interesting - are these 8000 concurrent active users
or do you know how many CIFS connections you normally
have?


My apologies, globally we have 8000 potential users that have access to our NAS devices. We have a solid 1100-1200 open connections during peak hours (ie 9am-5pm) according to Celerra Monitor on the datamover with the most activity.

The other datamovers have negligible connection counts so I based all of my numbers on this DM and sized our CAVA environment accordingly.

July 27th, 2009 14:00

We average 1200 to 1600 connected users on most days. Some days, the numbers are 3800 to 4000. server_cifsstat normally shows 6700 or so connections, with a peak of 9104 last summer.