April 19th, 2013 02:00

VNX-File/Celerra antivirus with Symantec Endpoint protection 12

Hi all,

I just set up a CAVA environment on a new VNX-File implementation. The whole setup seems to run fine. server_viruschk -audit lists that all files are processed normally. No errors. However, when checking a virus file (eicar), it's not detected.

Further investigation showed that there is communication with the CAVA agent on the antivirus server, but no files are actually being scanned by the antivirus software. When writing 1000 exe files of 100 kB each to the shares (100 MB), only 0,5 Mbytes of data traffic is seen between the datamover and the antivirus scanning server. So my conclusion is that there is only metadata communication (CAVA/CEE), but no real scanning by the AV software.

There are no errors in VNX-File regarding virus checking, and also no errors on the antivirus server. Windows event logs and Symantec logs are clean.

When shutting down the server the antiviruschecker automatically stops at datamover level.

When files are written the number of processed files increases normally as expected (visible with server_viruschk -audit)

The setup:

- VNX-File, running 7.1.65.8 code with CIFS server on physical datamover. Shares active on VDM and on physical datamover. Problem is for VDM and for non-VDM shares.

- viruschecker.conf configured with mask *.* and pointing to antivirus server, with shutdown option set if no antivirusserver is answering.

- antivirusserver is Win2008 R2 64bit VM on VMware, with 64bit VEE/CAVA 5.1.0. and 64bit Symantec Endpoint protection with registry key disablealertsuppression set

My question is: does anybody have experience with a similar issue and/or environment?

Thanks,

Jan-Pieter

April 22nd, 2013 01:00

Hi,

I am Chetan Savade from Symantec Technical Support team.

Here is our document on how to configure Scan Engine to use CAVA:

Best Practices for initial installation and testing of Symantec Scan Engine 5.x in a CAVA 3.6.x environment

http://www.symantec.com/docs/TECH89267

Threads for the reference:

https://www-secure.symantec.com/connect/forums/emc-celerra-and-scan-engines-running-redhat

Scan Engine, SAV for NAS, or both? | Symantec Connect Community

Scan Engine - How to Know it's Working | Symantec Connect Community

Thanks & Regards,

Chetan Savade

8 Posts

May 30th, 2013 08:00

Hi, we've found a similar issue and found Symantec TECH170861:


You have connected the EMC Event Enabler (ex CAVA agent) 64bit to the Scan Engine server but the number of Total Requests and Total files scanned in the Home tab is 0. Also no scan requests are logged in the Scan Engine logs.

Environment

  • EMC Celerra Networked Addressed Storage
  • 64bit EMC Event Enabler (ex CAVA agent) version 5.0.8.2 or earlier
  • Symantec Scan Engine 5.x or Symantec Protection Engine 7.0.x

Cause

At the time of writing this technote, the most current version of EMC Event Enabler (ex CAVA agent) 64bit is 5.0.8.2 and it still doesn't use the 64bit libraries available since Symantec Scan Engine 5.2.11 and Symantec Protection Engine 7.0.x.

Does somebody know if the pointed article is accurate to date and could be the reason for our issues?....

8 Posts

June 10th, 2013 08:00

Hi all,

According to support, the workaround to get it working until a further release is: VEE agent 32 bit in the 64 bit server with the 64 bit AV engine.

We've tried it and the AV engine started to report: we already had some infections.....

85 Posts

June 10th, 2013 08:00


Hi all,

We tried to set up Symantec Endpoint Protection and not SPE/SSE, and followed all best practices and procedures. Also including http://www.symantec.com/business/support/index?page=content&id=TECH158216

The problem seems related to TECH170861, which also describes that the number of scanned files within the AV engine stays 0 while the Celerra datamover reports that all files get scanned successfully without errors.

Problem here is that we have a 64bit Windows OS, so we have to use 64bit VEE and 64bit SEP engine. The advice from the TECH170861 to use 32bit VEE agent conflicts with the advice in TECH89267 which says never to mix 32bit and 64bit due to Windows-restrictions.

So the question is what approach to follow to get the config working?

8.6K Posts

June 10th, 2013 10:00

what version of SEP are you using ?

I thought 64bit VEE and 64bit Symantec Endpoint 12.1 should work.

June 11th, 2013 05:00

Hello,

This is Mithun Sanghavi from Symantec Technical Support Team.

Could you please let us know if you are running Symantec Scan Engine or Symantec Endpoint Protection 12.1??

VNXe support team can assist you in depth.

Symantec Endpoint Protection 12.1 has been tested and qualified to work with Cava/Celerra.

However, try following the steps below: (In case of Symantec Endpoint Protection 12.1 installed)

Please go through the steps below:-

1. Install the Symantec Endpoint software.

2. Open the Windows Registry Editor and navigate to:

• For 32-bit operating systems:

HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan

• For 64-bit operating systems:

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan

3. Set the RealTimeScan value:

• For Symantec Endpoint Protection version 11.04, right-click RealTimeScan and select New ➤ Binary Value.

• For Symantec Endpoint Protection versions 11.06 and 12.1, right-click RealTimeScan and select New ➤ DWORD Value.

4. In the Value name text box, type DisableAlertSuppression.

5. In Value data, type a value of 01.

6. Click OK.

Set Symantec Endpoint Protection options

For Symantec Endpoint Protection versions 11.04, 11.06, and 12.1, perform the following steps:

1. Open Symantec Endpoint Protection.

2. For Symantec Endpoint Protection versions 11.04 and 11.06, click Antivirus and Antispyware Protection Options.

    For Symantec Endpoint Protection version 12.1, click Virus and Spyware Protection Options.

3. Click Change Settings.

4. For Symantec Endpoint Protection versions 11.04 and 11.06, select the File System Auto-Protect tab.

    For Symantec Endpoint Protection version 12.1, select the Auto-Protect tab.

5. Select Enable File System Auto-Protect.

6. In the File Types section, select All Types.

7. For Symantec Endpoint Protection versions 11.04 and 11.06, in the Options section, ensure that Scan files on network drives is selected.

    For Symantec Endpoint Protection version 12.1, in the Options section, ensure that:

    a. Scan files on remote computers is selected.

    b. Only when files are executed is cleared.

8. Click Advanced.

9. In the Scan files when section, select Scan when a file is accessed or modified.

10. Click OK to close the Auto-Protect Advanced Options window.

11. Click OK to close the Protection Settings window

Secondly, I would suggest you to check these Articles as well:

EMC® VNX™ Series Release 7.0 - VNX Event Enabler

http://corpusweb130.emc.com/upd_prod_VNX/UPDFinalPDF/jp/Event_Enabler.pdf

EMC® VNX™ Series 7.1 - VNX Event Enabler

https://community.emc.com/docs/DOC-19755

Hope that helps!!
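
Added example, not part of the original thread or of Symantec's or EMC's documentation: a read-only PowerShell check of the DisableAlertSuppression value from the registry steps above, covering both registry paths given in the post. Treating a Binary value whose first byte is 01 as correctly set is an assumption, and the function name is hypothetical.

```powershell
# Read-only audit: reports whether DisableAlertSuppression exists under the
# RealTimeScan key, its registry type, and whether it is set to 1.
# Paths are the two quoted in the post (native and Wow6432Node).
$valueName = 'DisableAlertSuppression'
$paths = @(
    'HKLM:\Software\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan',
    'HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan'
)

function Test-AlertSuppressionValue {   # hypothetical helper name
    param([string]$Path, [string]$Name)

    $result = [ordered]@{ Path = $Path; KeyExists = $false; Kind = $null; Data = $null; Ok = $false }

    # Key missing: SEP is not installed under this registry view.
    if (-not (Test-Path -LiteralPath $Path)) { return [pscustomobject]$result }
    $result.KeyExists = $true

    $key = Get-Item -LiteralPath $Path
    # Value missing: step 3 of the procedure was never applied here.
    if ($key.GetValueNames() -notcontains $Name) { return [pscustomobject]$result }

    $kind = $key.GetValueKind($Name)
    $data = $key.GetValue($Name)
    $result.Kind = $kind.ToString()

    switch ($kind.ToString()) {
        'DWord'  {   # expected type for SEP 11.06 and 12.1
            $result.Data = $data
            $result.Ok   = ($data -eq 1)
        }
        'Binary' {   # expected type for SEP 11.04; first byte 01 assumed to mean "set"
            $result.Data = ($data | ForEach-Object { $_.ToString('X2') }) -join ' '
            $result.Ok   = ($data.Length -ge 1 -and $data[0] -eq 1)
        }
        default  {   # any other type (e.g. a string "01") does not match the procedure
            $result.Data = "$data"
        }
    }
    [pscustomobject]$result
}

$paths | ForEach-Object { Test-AlertSuppressionValue -Path $_ -Name $valueName } |
    Format-Table -AutoSize
```

Run it from a 64-bit PowerShell session on the antivirus server; a 32-bit session is redirected by Windows and both paths then resolve to the Wow6432Node view.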

18 Posts

January 18th, 2017 12:00

Hi Mithun,

Can you please help with setting up SEP 12.1 for my CEE / CAVA services?
I am using CEE 8.0.0 and followed all steps still I am getting below Offline errors.

2 Checker IP Address(es):

XX.XX.XX.XX                                  OFFLINE at Thu Jan  1 02:00:00 1970 (GMT+02:00)

                                               Unknown protocol, CAVA version: ?, httpStatus: ????

                                               AV Engine:

                                               Server Name: XX.XX.XX.XX

                                               No signature date

XX.XX.XX.YY                                   OFFLINE at Thu Jan  1 02:00:00 1970 (GMT+02:00)

                                               Unknown protocol, CAVA version: ?, httpStatus: ????

                                               AV Engine:

                                               Server Name: XX.XX.XX.YY

                                               No signature date

Want to use SEP 12.1 for my CIFS share scanning.

Also, note I have Windows 2012 R2 64 bit VM with CEE 8.0.0 64bit and SEP 12.1 64 bit.

Will this combination work? Or I need to change it to CEE 8.0.0 32 bit???

18 Posts

January 18th, 2017 12:00

Hi JP,

Please let me know whether the above combination worked for you that time???

SEP + VEE (CAVA)

It will help me to progress further.

Thanks.

18 Posts

January 18th, 2017 12:00

Hi Jarodrigues,

Did your environment work with SEP + VEE (CAVA)???

Thanks.

8 Posts

January 18th, 2017 13:00

server 64bit, SEP 12  and 32 bit version for CEE worked fine....

8 Posts

January 18th, 2017 13:00

sorry typo...

server 64 bit, SEP and VEE 32 bit version worked fine...

18 Posts

January 20th, 2017 01:00

Thanks a lot Jarodriguez for response.

I have resolved my issue yesterday.

I installed and configured CEE 8.0.0 64bit, Windows 2012 R2 64 bit and SEP 12.1 64bit without much issues.

However, CAVA services were not recognized by Data Mover.

After doing some network-level review it got resolved.

Cheers!
