1 Rookie


24 Posts

March 9th, 2011 10:00

Thanks for the information! Do you have any information as to what a typical user might put on a Celerra? How many file accesses? How many writes? Etc.

Dean Berry, SAIC

SAN/Storage Engineer

256-450-2351

2 Intern


366 Posts

March 9th, 2011 10:00

This is too dependent on the environment, but in a typical file server 60-70% are reads and 30-40% are writes.

2 Intern


366 Posts

March 9th, 2011 10:00

Hi,

This is how the viruschecker and CAVA scanning process takes place:

1. The Virus Checker Agent on the Data Mover monitors files and, when certain conditions are met (such as when writing to a file, access time, other configuration parameters), will initiate a Scan check Request to the CAVA Service that runs on the AV engine, using the ONC/RPC interface protocol, and presenting the file name path using UNC (\\Data Mover\$CHECK\filename) (Path includes the default CHECK$ share location).
2. Next, the CAVA service attempts to open the file using RPC and SMB Read.
3. Once the file is opened, the AV engine antivirus driver detects the activity, and triggers it to run a Scan. At the same time, it blocks the CAVA service's “file open” request from completing until the file is properly scanned.
4. CAVA actually passes a file’s signature to the AV Server, which checks its antivirus definition files for a match. For compressed files, the whole content is passed to the AV Server for scanning.
5. Once the scan is complete and the AV engine has taken its action, it then releases the block on the CAVA “open file”.
6. CAVA performs a file request, then closes the file and sends a response to the Data Mover.


SUMMARY OF CAVA PROCESS:

1. Data Mover check request to CAVA
2. CAVA opens file
3. CAVA queries file
4. CAVA closes file
5. CAVA sends response back to Data Mover


EXAMPLE OF VIRUS CHECKING PROCESS:

1. Client has file opened for writing and initiates a close on the file
2. Data Mover obtains exclusive lock and places file into virus checker queue, which is serviced by a dispatch thread
3. RPC call is made by VC to AV Server containing UNC path to file to be checked in the Queue
4. AV Server (via Checker Service) receives RPC call & generates ‘file open’ kernel request using rights of EMC V.Checking User
5. Kernel open is intercepted by VC agent and retrieves portions of locked file for inspection & followup action
Note: AV Server actually opens the file twice (Create AndX), once using CAVA agent, and then again using AV Client
6. Kernel call returns & AV Server Checker Service returns RPC call to Celerra.
7. Celerra receives RPC call and unlocks file

Note :

A file signature is data used to identify or verify the content of a file. In particular, it may refer to:

File magic number: bytes within a file used to identify the format of the file; generally a short sequence of bytes (most are 2-4 bytes long) placed at the beginning of the file;
File checksum or, more generally, the result of a hash function over the file content: data used to verify the file content integrity, generally against transmission errors or malicious attacks. The signature can be included at the end of the file or in a separate file.

We use a rule of thumb of a minimum of two CAVA servers, and one additional for each 500 simultaneous users.

Gustavo Barreto.

1 Rookie


24 Posts

March 9th, 2011 11:00

Thanks!

Dean Berry, SAIC

SAN/Storage Engineer

256-450-2351

1 Rookie


24 Posts

March 10th, 2011 10:00

Hi,

If you do perform multiple writes to a file, do you get multiple scans? Or only on close?

Thanks,

Dean

Dean Berry, SAIC

SAN/Storage Engineer

256-450-2351

2 Intern


366 Posts

March 10th, 2011 10:00

Hi,

Every time the file is saved, it is scanned ( if the extension matches the masks setting ).

Remember when a file ( MS office for example ) is opened, a copy is copied to the local client, so it will only be scanned when you save it, or when the application does the "auto saving" if enabled.

Please, see the "Scanning quick glance chart" on "Using Celerra Anti Virus Agent" on Powerlink.

Gustavo Barreto.

1 Rookie


24 Posts

March 10th, 2011 13:00

Thanks!

Dean Berry, SAIC

SAN/Storage Engineer

256-450-2351

21 Posts

March 30th, 2011 07:00

We are using CAVA in a virtual environment.

about 5000 users spread throughout North America with the Celerra centralized.

2 CAVA servers, using McAfee (initially physical then p2v'd)

Using about 30TB on the celerra various disk types (SATA & SCSI)

I don't have specific details on load or performance so this is pretty subjective, but...

my users did not notice any difference between having physical or virtual CAVA servers.

GB

1 Rookie


24 Posts

March 30th, 2011 08:00

Thanks for the info!

Dean Berry, SAIC

SAN/Storage Engineer

256-450-2351

4 Operator


8.6K Posts

March 30th, 2011 09:00

Hi GB,

thanks very much for your feedback – always good to hear real life customer data.

Do you scan everything or just specific extensions ?

Regards

Rainer

21 Posts

March 30th, 2011 09:00

We scan everything but the extensions noted below.

*.EDB *.FMB *.FMT *.FMX *.FRM *.INP *.LDB *.MAD *.MAF *.MAM *.MAQ *.MAR *.MAT
*.MDA *.MDB *.MDE *.MDN *.MDW *.MDZ *.ORA *.ORC *.OST *.PST *.SC *.SQC *.SQL
*.SQR *.STM *.TMP ???????? PRF*.TMP
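
A simplified model of the behaviour described in the replies above (a check request is queued when a modified file is closed, not on each write) combined with a few of the exclusion masks from this post. It is an added example, not part of any post in the thread and not EMC code; the server names, the paths and the round-robin choice of CAVA server are assumptions.

```python
from collections import deque
from fnmatch import fnmatchcase

# A few of the exclusion masks quoted in the post above.
EXCLUDED_MASKS = ["*.EDB", "*.LDB", "*.MDB", "*.OST", "*.PST", "*.SQL", "*.TMP"]

def is_excluded(path, masks=EXCLUDED_MASKS):
    """Case-insensitive match of the file name against the exclusion masks."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].upper()
    return any(fnmatchcase(name, mask.upper()) for mask in masks)

class DataMoverModel:
    """Toy model of the scan-on-close trigger; not EMC code."""
    def __init__(self, cava_servers):
        self.cava_servers = list(cava_servers)
        self.dirty = set()     # files written since their last close
        self.queue = deque()   # virus checker queue
        self.sent = 0          # check requests dispatched so far

    def write(self, path):
        self.dirty.add(path)   # a write alone never triggers a scan

    def close(self, path):
        """Queue the file only if it was modified and is not excluded."""
        modified = path in self.dirty
        self.dirty.discard(path)
        if not modified or is_excluded(path):
            return False
        self.queue.append(path)
        return True

    def dispatch(self):
        """One check request per queued file; servers alternate (assumed round-robin)."""
        requests = []
        while self.queue:
            server = self.cava_servers[self.sent % len(self.cava_servers)]
            requests.append((server, self.queue.popleft()))
            self.sent += 1
        return requests

def demo():
    dm = DataMoverModel(["cava1", "cava2"])                 # constructed server names
    doc, pst = r"\docs\report.doc", r"\mail\archive.pst"    # constructed paths
    # Constructed trace: 3 writes + close, a second save, an excluded PST, a read-only close.
    events = [("write", doc)] * 3 + [("close", doc), ("write", doc), ("close", doc),
              ("write", pst), ("close", pst), ("close", r"\docs\readme.doc")]
    for op, path in events:
        getattr(dm, op)(path)
    return dm.dispatch()
```

In the trace, three writes followed by one close produce a single check request, the second save produces another, and neither the PST nor the file that was only read is queued.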

4 Operator


8.6K Posts

March 30th, 2011 10:00

Thanks

Looks sensible - esp. not scanning PST files
