Isilon and ICAP integration - Policy scans do not work
Hi all,
I have some trouble with a Symantec ICAP integration to the Isilon. At OneFS the ICAP server is configured. The system does recognize the ICAP server, the AV service at the cluster is up and running and there are no error messages in the Isilon log files.
When I do a manual single file scan through the CLI the eicar test virus is identified and quarantined.
But doing a policy scan of that folder does not work. Neither is the virus identified nor are any files scanned. Looking at the av scan details of each file there is always the same output:
Last scan: never
Scan result: never scanned
Last ISTag:
Scan status: not current
Quarantined: false
For the Antivirus scan settings there are no filename restrictions configured and the file size restriction is set as recommended to a maximum file size of 2 GB. On Access Scans are disabled. My policy only contains the directory and no other specific settings.
I would expect after starting a policy that each file is sent to the ICAP server and is checked there for possible viruses. After the scan, the result of the scan is sent back to Isilon and can be displayed there via CLI for each file. But at the moment it seems that no file is scanned.
I know that there is a scan result caching.
The NAS antivirus service caches scanning results for each clean file. The cached
information includes the date and revision number of the virus definitions that
were used to perform the scan. So, if a second user requests access to a file that
has already been scanned and if the virus definitions have not changed, a
redundant scan is avoided.
But for that caching each file must be scanned at least once, which does not happen currently...
What's going wrong here?
crklosterman
May 11th, 2016 07:00
Can all nodes of your cluster talk to all of the ICAP servers configured? I do mean all nodes. ICAP work is sent to every single node whether it has a network connection or not, and regardless of what subnet its interfaces are on. That's the most common source of problems that I see, people trying to use ICAP with NANON/NENON (not all nodes on network / not every node on network).
Try this:
isi_for_array -s "ping -c 1 <ICAP server IP>"
and make sure it works on every single node.
~Chris
philippspohr
May 11th, 2016 07:00
No, that is not the reason.
All Nodes are connected to the external network and each Node reaches the ICAP server.
scott_owens
May 11th, 2016 11:00
Which Symantec product are you using?
Go.Y
May 11th, 2016 22:00
Phil,
As far as I understand, for Policy Scan, you must wait until the AVscan operation has finished to see which files were affected.
Is the operation already finished?
philippspohr
May 11th, 2016 23:00
Hi go.y,
Each policy scan needs less than a second until it finishes, although there are some files and of course the test virus files in the scanned folders. Here is one report output:
I would expect that all files of that folder and of all subfolders are sent to the ICAP server for the scan. The file count and the "Sent Bytes" should not be zero.
philippspohr
May 11th, 2016 23:00
Hi scott,
we are using Symantec(TM) Protection Engine for Network Attached Storage (NAS) version 7.5.
The isi config output is
Go.Y
May 12th, 2016 00:00
Phil,
Could you also provide the following information if possible?
# isi avscan policy
# sqlite3 /ifs/.ifsvar/modules/avscan/isi_avscan.db .dump
# isi version
philippspohr
May 12th, 2016 00:00
Hi go.y, of course.
The policies are
Here is the db dump:
As we can see in the dump, the manual single file scan and the scan on access seem to be working, but not the policy scans.
And here is the OneFS version:
Go.Y
May 12th, 2016 01:00
Phil,
It looks like the policies Test and Test2 scan the same path.
If yes, delete the "Test" policy, and add a copy of an infected eicar file as "eicar3" under the path.
Then run the Test2 policy again.
If it doesn't work, try the following.
1. access the CLI as root user.
2. stop isi_avscan_d service
# isi services -a isi_avscan_d disable
3. rename the isi_avscan.db .dump
# cd /ifs/.ifsvar/modules/avscan/
# mv isi_avscan.db isi_avscan.db.bk
4. restart isi_avscan_d
# isi services -a isi_avscan_d enable
5. Start Test2 policy
philippspohr
May 12th, 2016 02:00
Hi go.y,
thanks a lot. I think stopping and restarting the service daemon fixed the issue.
I have deleted all policies, disabled the service, enabled the service again, created a new policy and surprise: Now the policy is working with the same settings.
Go.Y
May 12th, 2016 02:00
Phil,
I'm glad to hear that.
Next time the same thing happens, I think you should open an SR and find the root cause with EMC.
tim.koopman
April 22nd, 2019 13:00
Go. Y,
I had a similar issue after upgrading from 8.0.0.4 to 8.1.2.0 OneFS. My scheduled Avscan jobs would start, run in one minute and complete successfully. The issue is the job was not scanning files. I stopped the service, moved the database, and restarted the service and now the one avscan job that I have run is working. Thank you for your earlier post.