Antivirus scanning with Symantec Endpoint Protection for IBM SONAS

Bhushan Pradip Jain
Pratap Banthia

ISV Business Strategy
April 2010

© Copyright IBM Corporation, 2010. All Rights Reserved. All trademarks or registered trademarks mentioned herein are the property of their respective holders.


Table of contents

Abstract
Overview
Introduction
    IBM SONAS overview: A global offering with global data access
    Introduction to Symantec AntiVirus products (SEP and SAVFL)
Recommended platforms
    Minimum hardware requirements for Symantec Endpoint Protection
    Minimum hardware requirements for Symantec AntiVirus for Linux
Planning and preparation
    Planning the creation of shares
    Creating and mounting shares
        NFS shares
        CIFS shares
Installation and configuration
    Installing and configuring Symantec Endpoint Protection (Windows)
        Installing Symantec Endpoint Protection Manager
        Running the Management Server Configuration Wizard
        Running the Migration and Deployment Wizard
        Running the Push Deployment Wizard
        Other configuration and management
    Installing and configuring Symantec AntiVirus for Linux
Symantec Antivirus usage on SONAS clients
    Scan files using Windows client (Symantec Endpoint Protection)
    Scan files using Linux client (Symantec AntiVirus for Linux)
Recommendations
    Maintaining better scan process performance
        Setup for mounting NFS Shares
        Setup for mapping and mounting CIFS Shares
        User permissions required for scanning
    Scanning Windows and Linux files with Windows and Linux scan nodes
        Multiple scan processes and load-balancing
Summary
Resources
About the authors
Trademarks and special notices


Abstract

With today’s explosive growth in information come higher risks of virus threats. Enterprises must ensure the integrity and availability of business-critical data against malicious viruses and threats. This technical report details IBM Scale Out Network Attached Storage (IBM SONAS) interoperability, support, use-case scenarios and guidelines for using it with Symantec Endpoint Protection Version 11.0 and Symantec AntiVirus for Linux v1.0.7, which are available from Symantec. When used in conjunction with SONAS, these Symantec scanning products help protect the enterprise data stored in SONAS from malicious threats, spyware and virus attacks. The focus of this paper is technical, and the reader should be familiar with the SONAS system and the Symantec AntiVirus products.

Overview

Computer viruses have become an important threat to data, from both internal and external sources. Enterprises must ensure the integrity and availability of business-critical data against malicious viruses and threats. In many organizations, the data contained in files is growing ever faster and requires scalable solutions that must be protected from viruses and other threats in a timely manner. This can be ensured by using a good, reliable antivirus product that has proven compatibility in the user’s IT environment, and then regularly scanning the system for new threats.

The new IBM® Scale Out Network Attached Storage (SONAS) system is a highly scalable storage solution for high-performance file sharing and file services. IBM proactively provides its customers with independent software vendors' (ISVs') best-in-class application solutions that have been thoroughly tested for interoperability and compatibility, to save them time and mitigate implementation risks. The initial SONAS solutions for antivirus scanning and repair of file data include support for Symantec Endpoint Protection v11.0 and Symantec AntiVirus for Linux v1.0.7.

SONAS offers antivirus capabilities using the user’s own scanning servers, which run Symantec Endpoint Protection scans over the Common Internet File System (CIFS) file-access protocol or Symantec AntiVirus for Linux® over the NFS file-access protocol. These combined solutions protect enterprise data (accessed over either the CIFS or the NFS file-access protocol and stored on SONAS systems) from virus and spyware threats. The scanning software also repairs files if a virus infection is detected.

This technical white paper details IBM SONAS interoperability, support, use-case scenarios and guidelines for using it with Symantec Endpoint Protection v11.0 and Symantec AntiVirus for Linux v1.0.7. The use-case scenarios describe how IBM clients can protect their file data, stored in a very high-performing and highly available SONAS storage solution, from malicious threats and virus attacks. These guidelines are recommendations, not requirements, to better tune the interoperability of Symantec AntiVirus with the SONAS system.


Introduction

Computer viruses are an important threat to data, from both internal and external sources. These threats are most prevalent where the data are accessed by users over the CIFS, HTTP or FTP file-access protocols.

Symantec Endpoint Scan Engine lets users scan and protect their stored file data at their discretion, either scanning immediately or according to a preset schedule. This white paper provides guidelines for out-of-band antivirus scanning of files. An out-of-band scan involves an antivirus process that runs on one or more scan nodes, which are external servers dedicated to virus protection. The scan nodes are connected to the SONAS system as clients. It is recommended that the system be scanned periodically, especially after every update of the virus signatures. The Network File System (NFS) or CIFS shares from SONAS are scanned over authenticated NFS and CIFS connections, using antivirus processes that run locally on the scan nodes. The storage administrator can initiate the scan process or schedule it for automatic initiation.

IBM SONAS overview: A global offering with global data access

IBM Scale Out Network Attached Storage (SONAS) is a new state-of-the-art, scale-out network-attached storage system. It combines high-speed interface nodes interconnected with an advanced storage subsystem and IBM General Parallel File System (IBM GPFS™) to deliver both high performance and scalable capacity. SONAS is designed to support consolidation, unified management and access to data anywhere in the world. It combines extreme scale-out capability with automated data placement and very fast access to file data, which allows users to rapidly expand storage infrastructure by hundreds of terabytes up to multiple petabytes at a time, with minimal effort. With SONAS, enterprises can independently scale the capacity and performance of their storage infrastructure for their most demanding applications. SONAS uses a single global namespace to provide fast access to data, irrespective of the physical location of the files, as well as improved storage utilization, reduced complexity and improved productivity. SONAS supports quick file access and backup for cloud-storage requirements and beyond.

SONAS is preconfigured (see Figure 1) in a 42U Enterprise Rack and includes the following elements:

- All required SONAS software (GPFS, volume management, I/O protocols, snapshot and more).

- The management node is a dedicated server that runs SONAS software; it is the central element manager for the SONAS system.

- The SONAS system contains at least two (up to a maximum of 30) interface nodes, each of which is connected to the organization’s Ethernet IP network (either 1 or 10 GbE) to provide file-serving capabilities over the IP interface. The interface nodes also support clients that use the NFS, CIFS, FTP, SCP or HTTP file-services protocols.

- The interface nodes are connected to a redundant InfiniBand private cluster network. Each interface node is connected, through the redundant IB network, to redundant storage nodes (also up to 30 nodes) within each storage building block. The storage nodes are connected, through redundant paths, to redundant RAID controllers in the storage building block, and the RAID controllers are connected to one or more disk storage enclosures within the storage building block.

- 1 Gb Ethernet host connectivity, with two 1 GbE (100/1000) ports available onboard and a choice of one quad-port GbE NIC or one dual-port 10 GbE Converged Network Adapter.


Figure 1. SONAS system components

Introduction to Symantec AntiVirus products (SEP and SAVFL)

Symantec Endpoint Protection products offer advanced threat protection for endpoints from known and unknown threats, including malware (viruses, worms, Trojan horses, spyware, adware). Two Symantec Endpoint antivirus protection products have been tested by the IBM ISV Enablement team for SONAS interoperability. Both support file-system or file-level virus protection and scanning through scheduled or manually initiated scans. They are bundled in the same package and are supported for use with SONAS.

- Microsoft Windows: Symantec Endpoint Protection or Protection Suite Enterprise (SEP) v11.0 (or higher) for installing on a scan node to protect CIFS-mounted shares.

- Linux: Symantec AntiVirus for Linux (SAVFL) v1.0.7 or higher is installed on one or more scan nodes running Red Hat Enterprise Linux v5.4. Symantec AntiVirus supports real-time file protection with Auto-Protect and file-system scanning through manual and scheduled scans. It also supports multiple scan processes on the same Linux scan node to scan multiple directories or shares at the same time.

Symantec Endpoint Protection Manager is installed on a dedicated server connected to the SONAS system. Symantec Endpoint Protection Manager communicates with Symantec Endpoint Protection clients and is configured with Symantec Endpoint Protection Manager Console. The Symantec Endpoint Protection client is installed on the scan nodes, which are used to protect the file data that resides on SONAS. Symantec Endpoint Protection Manager Console lets users centrally manage Symantec Endpoint Protection clients, known as scan nodes. From the console, users install the scan nodes, set and enforce a security policy, and monitor and report on clients. You can run the console from the server that hosts Symantec Endpoint Protection Manager, or you can run it remotely through a Web browser.


Recommended platforms

Both the Linux and Windows platforms are supported as scan nodes to scan the files located on the NFS and CIFS shares of the SONAS system. Multiple scan nodes can be deployed, depending on the volume of data being scanned and the performance requirements. See the Administration Guide for Symantec Endpoint Protection [7] for guidelines on the sizing and number of scan nodes. The following operating-system platforms are recommended for the scan nodes:

- For Symantec Endpoint Protection: Windows Server 2003 Enterprise Edition or later.

- For Symantec AntiVirus for Linux: Red Hat Enterprise Linux version 5.4.

Minimum hardware requirements for Symantec Endpoint Protection

The minimum hardware requirements for the manager software installation (as mentioned in the Symantec documentation) are as follows:

Manager:

- 1 GB RAM (2 to 4 GB recommended)
- 4 GB on the hard disk for the server, plus 4 GB for the database
- VGA (640x480) or higher resolution video adapter and monitor
- Windows Server 2003 or later

Scan nodes: The minimum requirements for scan node (client) software are:

- 256 MB RAM (1 GB recommended)
- 600 MB hard disk on 32-bit systems, 700 MB hard disk on 64-bit systems
- VGA (640x480) or higher resolution video adapter and monitor
- Choice of 1 or 10 GbE network interface cards connected through an Ethernet LAN
- Windows Server 2003 or later

Minimum hardware requirements for Symantec AntiVirus for Linux

The minimum requirements for Symantec AntiVirus for Linux are:

- Intel® Pentium II 266 MHz or higher processor
- 256 MB RAM or higher (1 GB recommended)
- 80 MB free disk space
- Choice of 1 or 10 GbE network interface cards connected through an Ethernet LAN
- Red Hat Linux 5.4 or later


Planning and preparation

Ideally, the files created on the Windows platform are scanned by using a Windows scan node with Symantec Endpoint Protection installed, and the files created on the Linux platform are scanned by using a Linux scan node with Symantec AntiVirus for Linux installed. Access-permission conflicts are reduced and platform-specific files can be scanned reliably if the files created on a specific platform are scanned by a scan node on the same platform.

This section explains the planning and preparation required to create and mount CIFS and NFS shares.

Planning the creation of shares

You can use Symantec Endpoint Protection or Symantec AntiVirus for Linux in either of two ways to scan the files contained in selected SONAS CIFS and NFS shares:

Option A: Mount each share separately to a different directory or logical drive and then run the scan process to scan all these drives or directories.

Option B: Create a super share at the root of the directory structure (at whatever level contains all the shares to be scanned), to be accessed by the scan client only. Then mount this share to a single directory or drive and start the scanning process for this directory or drive.

For example, a user has the file-system and share structure shown in Figure 2. The user also has the following directories exported as shares:

/ibm/gpfs0/Company/Production

/ibm/gpfs0/Company/Finance

/ibm/gpfs0/Company/Sales

/ibm/gpfs0/Company/Sales/City1

/ibm/gpfs0/Company/Sales/City2

/ibm/gpfs0/Company
    /Production
    /Finance
    /Sales
        /City1
        /City2

Figure 2. Directory structure


In this scenario, the two options work as follows:

For option A, mount each share separately. Use the existing NFS and CIFS shares and mount them on the corresponding directories (see Table 1). Then, run the scan process for each path.

Share path                        Windows logical drive   Linux directory
/ibm/gpfs0/Company/Production     Z:\                     /mnt/production
/ibm/gpfs0/Company/Finance        Y:\                     /mnt/finance
/ibm/gpfs0/Company/Sales          X:\                     /mnt/sales
/ibm/gpfs0/Company/Sales/City1    W:\                     /mnt/city1
/ibm/gpfs0/Company/Sales/City2    U:\                     /mnt/city2

Table 1. NFS and CIFS mount mapping

For option B, create a share for the super parent of all the shares to be scanned (that is, /ibm/gpfs0/Company) and mount it on the corresponding directory (see Table 2):

Share path                        Windows logical drive   Linux directory
/ibm/gpfs0/Company                Z:\                     /mnt/company

Table 2. NFS and CIFS mount mapping

In this way you scan a single share, and all the files in all five shares are scanned. To scan a particular share only, mount only that share, or mount the parent share and give the path to that particular share for scanning. (Note: Option B is recommended.)

Creating and mounting shares

To create and mount NFS and CIFS shares, follow these steps:

NFS shares

Create NFS shares by running the following command on the management node:

mkexport <Share_name> <Share_path> --nfs "<Client1 FQDN/ip-address>(<NFS options>);<Client2 FQDN/ip-address>(<NFS options>)"

This command is explained next:

Share_name: This is the name to be assigned to the share.

Share_path: This is the SONAS/GPFS path to be exported. The path does not need to exist; the command creates the path in the GPFS directory if it does not exist.


FQDN (fully qualified domain name): An FQDN is mandatory only if the two servers (SONAS and the client [scan node]) are in different domains. If the servers are in the same domain, even a short name or host name is sufficient. However, the IP address, as well as the FQDN, can be used irrespective of the domains of the two servers.

NFS options: (rw) or (rw,no_root_squash). Typically, to use the quarantine or clean-risk feature of the antivirus software, the client (scan node) must have read and write access to all files.

For example, the following command creates a share named Scan_Share_NFS and exports the /ibm/gpfs0/Company directory through NFS to allow read and write access to client1 (scan node 1) and client2 (scan node 2).

mkexport Scan_Share_NFS /ibm/gpfs0/Company --nfs "client1.domain.com(rw);client2.domain.com(rw)"

Use the following command to mount the share on the Linux-based client (scan node) server:

mount -t nfs <public ip>:/ibm/gpfs0/Company /mnt/antivirus_scan/

Where:

-t nfs: This specifies NFS as the protocol to be used.

<public ip>:/ibm/gpfs0/Company /mnt/antivirus_scan/: This mounts the shared path /ibm/gpfs0/Company on /mnt/antivirus_scan/.

CIFS shares

Create CIFS shares by running the following command on the management node:

mkexport <Share_name> <Share_path> --cifs "<cifs options>"

Where:

Share_name: This is the name to be assigned to the share.

Share_path: This is the SONAS/GPFS path to be exported. (Note: The path need not exist; the mkexport command creates the path in the GPFS directory if it does not exist.)

CIFS options include browseable=yes,read only=no or browseable=no,read only=no.

For example, the following command creates a share named Scan_Share_CIFS and exports the /ibm/gpfs0/Company directory through CIFS to allow read and write access. Typically, to use the quarantine or clean-risk feature of the antivirus software, the user who starts the scan process must have read and write access to all the files, so set the value of read only to no.

mkexport Scan_Share_CIFS /ibm/gpfs0/Company --cifs "browseable=yes,read only=no"

You can mount this share on a Windows-based client system using the following process:

1. Open My Computer.

2. On the Tools menu, click Map Network Drive.

3. In the pop-up window (see Figure 3), for Drive, type or select the drive letter to map to the CIFS share.

4. For Folder, type the public IP address and the share name, in the form \\<public ip-address>\share name.


5. Click Finish.

6. In the User name and password dialog box, if prompted, type the LDAP/AD user name in User name.

7. In Password, type the password.

For additional details, refer to the SONAS Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control (ftp://ftp.entsupport.symantec.com/pub/support/documentation/Administration_Guide_SEP11.0.5.pdf).

Figure 3. Map network drive dialog
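The NFS and CIFS mkexport commands above follow a small grammar that is easy to get wrong by hand. As an added example (not from the white paper or the SONAS CLI), the Python helper below builds both commands for the Option B super share, parses an existing --nfs client list back into hosts and options, and checks that every scan node has the rw access the quarantine and clean-risk actions require while flagging no_root_squash as a least-privilege concern. The host names, the check function and the wording of its findings are assumptions for illustration.

```python
"""Build and sanity-check SONAS mkexport share definitions for AV scan nodes.

Added example, not code from the IBM white paper or the SONAS CLI. The scan
node host names used in __main__ are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Host names / IP addresses permitted in the --nfs client list (no spaces,
# parentheses or separators, which would corrupt the "host(opts);host(opts)"
# grammar of the mkexport --nfs argument).
_HOST_RE = re.compile(r"^[A-Za-z0-9.\-:]+$")
_ENTRY_RE = re.compile(r"([^()\s;]+)\(([^()]*)\)")


def nfs_client_list(clients: List[str], options: Tuple[str, ...] = ("rw",)) -> str:
    """Return the --nfs argument: 'host1(opts);host2(opts)'."""
    if not clients:
        raise ValueError("at least one scan node is required")
    opts = ",".join(options)
    parts = []
    for host in clients:
        if not _HOST_RE.match(host):
            raise ValueError(f"invalid client host: {host!r}")
        parts.append(f"{host}({opts})")
    return ";".join(parts)


def mkexport_nfs(share_name: str, share_path: str, clients: List[str],
                 options: Tuple[str, ...] = ("rw",)) -> str:
    """Full mkexport command that exports share_path over NFS to the scan nodes."""
    return f'mkexport {share_name} {share_path} --nfs "{nfs_client_list(clients, options)}"'


def mkexport_cifs(share_name: str, share_path: str, browseable: bool = True) -> str:
    """Full mkexport command for CIFS. 'read only=no' is fixed because the
    scanning user needs write access to clean or quarantine infected files."""
    opts = f"browseable={'yes' if browseable else 'no'},read only=no"
    return f'mkexport {share_name} {share_path} --cifs "{opts}"'


def parse_nfs_clients(spec: str) -> Dict[str, List[str]]:
    """Parse 'host(opt,opt);host(opt)' into {host: [opt, ...]}."""
    result: Dict[str, List[str]] = {}
    for entry in filter(None, (e.strip() for e in spec.split(";"))):
        m = _ENTRY_RE.fullmatch(entry)
        if not m:
            raise ValueError(f"malformed client entry: {entry!r}")
        host, opts = m.group(1), m.group(2)
        result[host] = opts.split(",") if opts else []
    return result


def check_scan_access(spec: str, scan_nodes: List[str]) -> List[str]:
    """Review an --nfs client list against the intended scan nodes.

    Findings (hypothetical wording): a node that is not exported cannot scan;
    a node without rw cannot clean or quarantine; no_root_squash maps root on
    the node to root on the share and is only needed if the scanner runs as
    root; any other exported host widens access beyond the scan nodes.
    """
    clients = parse_nfs_clients(spec)
    findings: List[str] = []
    for node in scan_nodes:
        opts = clients.get(node)
        if opts is None:
            findings.append(f"{node}: not exported; scan will fail")
            continue
        if "rw" not in opts:
            findings.append(f"{node}: read-only; clean/quarantine actions will fail")
        if "no_root_squash" in opts:
            findings.append(f"{node}: no_root_squash grants root on the share")
    for host in clients:
        if host not in scan_nodes:
            findings.append(f"{host}: exported but not a scan node")
    return findings


if __name__ == "__main__":
    nodes = ["client1.domain.com", "client2.domain.com"]  # constructed names
    print(mkexport_nfs("Scan_Share_NFS", "/ibm/gpfs0/Company", nodes))
    print(mkexport_cifs("Scan_Share_CIFS", "/ibm/gpfs0/Company"))
    for line in check_scan_access("client1.domain.com(rw);other.domain.com(rw)", nodes):
        print("finding:", line)
```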


Installation and configuration

This section explains how to install and configure Symantec Endpoint Protection and Symantec AntiVirus for Linux. Refer to the following documents for additional details on installation and administration:

- Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control: ftp://ftp.entsupport.symantec.com/pub/support/documentation/Installation_Guide_SEP11.0.5.pdf

- Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control: ftp://ftp.entsupport.symantec.com/pub/support/documentation/Administration_Guide_SEP11.0.5.pdf

- Client Guide for Symantec Endpoint Protection and Symantec Network Access Control: ftp://ftp.entsupport.symantec.com/pub/support/documentation/Client_Guide_SEP11.0.5.pdf

- Symantec Endpoint Protection Getting Started Guide: ftp://ftp.entsupport.symantec.com/pub/support/documentation/Getting_Started_SEP11.0.5.pdf

The Symantec Endpoint Protection package includes a CD and DVD for both Windows SEP and Symantec AntiVirus for Linux.

Installing and configuring Symantec Endpoint Protection (Windows)

These steps discuss installing and configuring Symantec Endpoint Protection Manager and running the installation wizards.

Installing Symantec Endpoint Protection Manager

Install Symantec Endpoint Protection Manager to manage the scan nodes. It can be installed on a scan node. For details, see the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control [6] (ftp://ftp.entsupport.symantec.com/pub/support/documentation/Installation_Guide_SEP11.0.5.pdf). To determine the number of scan nodes required, consult the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control [7].

Running the Management Server Configuration Wizard

Configure the database type, server console port and other components. It is advised that you use the embedded database, because the number of scan nodes is unlikely to exceed 5000. Select the database user name and password. Start the Management Server Configuration Wizard by navigating this path:

Start → All Programs → SEP Manager → Management Server Configuration Wizard

Running the Migration and Deployment Wizard

After installing Symantec Endpoint Protection Manager, run the Migration and Deployment Wizard to create the client-install package to use for deployment. Provide the path where this package is to be saved. For details, see the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control [6] (ftp://ftp.entsupport.symantec.com/pub/support/documentation/Installation_Guide_SEP11.0.5.pdf). Start the Migration and Deployment Wizard by navigating the following path:

Start → All Programs → SEP Manager → Migration and Deployment Wizard


Running the Push Deployment Wizard

After the installation package is ready, the Push Deployment Wizard appears. Select the servers to be used as scan nodes so that the wizard can deploy the installation package on those nodes. For more information, refer to the installation instructions in the Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control [6] (ftp://ftp.entsupport.symantec.com/pub/support/documentation/Installation_Guide_SEP11.0.5.pdf).

Other configuration and management

Start the Symantec Endpoint management console by navigating the following path:

Start → All Programs → SEP Manager → SEP Manager Console

Add new policies or edit the existing ones in the Policy tab and then assign the policies to the client groups. You can create groups and add more clients to be managed. You can configure notifications for threat detection. For more information, refer to the Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control (ftp://ftp.entsupport.symantec.com/pub/support/documentation/Administration_Guide_SEP11.0.5.pdf).

Installing and configuring Symantec AntiVirus for Linux

Symantec AntiVirus for Linux installed on a Linux scan node should be used to scan NFS files created on Linux or UNIX servers. Refer to the following documents for additional details on installation and administration:

- Symantec AntiVirus for Linux Implementation Guide: www.officesoft.gsic.titech.ac.jp/jp/symantec/pdf/SAV_Linux_Impl.pdf

- Symantec AntiVirus for Linux Client Guide: www.officesoft.gsic.titech.ac.jp/jp/symantec/pdf/SAV_Linux_Client.pdf

The installation package directories for Symantec AntiVirus for Linux are as follows:

1. /deb/ contains the deb packages for both the Debian and Ubuntu distributions. Ensure that the user is in the sudoers list.

For Debian or Ubuntu 32-bit architectures, run the following command:

sudo dpkg -i sav-*.i386.deb savap-*.i386.deb savjlu-*.i386.deb savui-*.i386.deb

For the Debian 64-bit architecture, run the following command. (Note: The Ubuntu 64-bit architecture is NOT supported for AntiVirus for Linux v1.0.7, as of the date that this white paper is published.)

sudo dpkg -i sav-*.amd64.deb savap-*.amd64.deb savjlu-*.amd64.deb savui-*.amd64.deb

2. /rpm/ contains the RPM packages for most Linux distributions that support Red Hat Package Manager.

For i386/i686 32-bit architectures, run the following command:

rpm -i sav-*.i386.rpm savap-*.i386.rpm savjlu-*.i386.rpm savui-*.i386.rpm

For x86-64 EM64T/AMD64 architectures, run the following command:

rpm -i sav-*.i386.rpm savap-x64-*.x86_64.rpm savjlu-*.i386.rpm savui-*.i386.rpm


Symantec Antivirus usage on SONAS clients

This section shows how to scan files using the Symantec Endpoint Protection Windows and Linux clients.

Scan files using Windows client (Symantec Endpoint Protection)

Follow the steps discussed here to scan files by using the Symantec Endpoint Protection Windows client (see Figure 4).

Figure 4. Symantec Endpoint Protection for SONAS use-case scenario (Windows)

1. On the Windows client, map the CIFS share on IBM SONAS as a Network Drive, as explained in the section of this white paper titled Creating and mounting shares.

2. On the Windows client, open the main Symantec Endpoint Protection window by navigating the following path:

Start → All Programs → Symantec Endpoint Protection → Symantec Endpoint Protection

3. Click Scan for Threats in the left toolbar (see Figure 5).

4. Click Create a new Scan to create a new scan to be used.

5. Select Custom Scan and click Next.

6. Select the directory to be scanned, which is located on the IBM SONAS CIFS share; it is mapped as a network drive on the client.


Figure 5. Symantec Endpoint Protection main window

7. Click Advanced and then, in the Advanced Scan Options pop-up window, click Tuning (see Figure 6).

8. Because the scan nodes are dedicated to scanning, application performance on them is not a concern, but good scanning performance is important. Therefore, in the Scan Tuning Options pop-up window, move the slide bar to the top, indicating Best Scan Performance, and click OK in both the current dialog and the Advanced Scan Options dialog.


Figure 6. Performance tuning for better scan performance

9. On the following panel (see Figure 7), click Actions, select the actions to be taken when a risk is detected, and click OK. The recommended first action is Clean risk, and the recommended action if the first action fails is Quarantine risk. The actions can be set separately for each of the three categories: Macro virus, Non-macro virus and Security risks.


Figure 7. Actions to be taken on threat detection

10. In the next dialog box of the wizard (see Figure 8), you can schedule the scan to run automatically by selecting At Specified times. Alternatively, select On demand to create the scan now and run it only when needed.

11. If you select At Specified times, select the frequency and the time at which the scan is to run, and click Next (see Figure 8).


Figure 8. Create a Scan Schedule

12. Enter a new name and an optional short description for the scan.

13. Ensure that the Enable the scan checkbox is ticked and click Finish.

Notes: A user cannot start multiple scan processes simultaneously on Windows. If multiple scan requests are received, the Endpoint Protection client serializes them and runs them one at a time.

To configure Java LiveUpdate, refer to http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006021007250213?Open&seg=ent.

Quarantined files are kept on the local scan node and are deleted from the SONAS exports, so a quarantined file disappears from the share until it is restored or removed from quarantine. These files are available in the C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine directory on the scan node.


Scan files using Linux client (Symantec AntiVirus for Linux)

Follow these steps to scan files by using the Symantec AntiVirus for Linux client (see Figure 9).

Figure 9. Symantec AntiVirus for Linux for IBM SONAS use case scenario (Linux)

1. Mount the NFS share on SONAS into a directory, as explained in the section of this white paper entitled Creating and mounting shares.

2. Run the following command from a scan node to start a new scan process:

/opt/Symantec/symantec_antivirus/sav manualscan --scan <Path>

Note: Path is the directory path where the SONAS NFS share to be scanned is mounted on the client.

3. Run the following command from a scan node to schedule a scan process to run:

/opt/Symantec/symantec_antivirus/sav scheduledscan --create <scan_name> --frequency <daily|weekly|monthly> --interval <HH:MM|SUN-SAT|1-31> --time <HH:MM> <Path>

Note: Scan_name is the name given to the scheduled scan to identify it. Path is the path of the directory where the SONAS NFS share to be scanned is mounted on the client.

Notes: A user can start multiple scan processes on the same Linux scan node to scan multiple directories or multiple shares at the same time. The manual-scan command shown in step 2 can be run several times concurrently, and all scan processes continue scanning their directories in parallel. This improves scan performance by scanning multiple directories with separate instances of the scan process.

Quarantined files are kept on the local scan node and are deleted from the SONAS exports, so a quarantined file disappears from the share until it is restored or removed from quarantine. These files are available under the /var/symantec/Quarantine directory on the scan node.


Recommendations

This section gives recommendations that help scan performance.

Maintaining better scan process performance

This section explains how to set up access to SONAS from the scan nodes in order to obtain better performance for the antivirus scanning process.

Setup for mounting NFS shares

By default, a scan node mounts a share using the DNS host name, which resolves to one of the public IP addresses served by the interface nodes. NFS, however, consists of several separate services, protocols and daemons that share state (such as locks) with each other. If a client crashes and, on reboot, the host name resolves to a different interface node, there is a remote possibility that the client's locks are lost on the client side but are still held on the previous interface node, which causes connection problems. Therefore, mounting NFS shares by DNS host name is not supported. To balance the load on SONAS, mount the shares using different interface-node IP addresses and take advantage of the multi-processing capability of Symantec AntiVirus for Linux.

Setup for mapping and mounting CIFS shares

If the shares on all scan nodes are mapped using the same single public IP address, all requests for the files being scanned go to the single interface node serving that address, and that node becomes the bottleneck. For better scan performance, map the shares using the DNS host name. Because a CIFS connection uses a single session, DNS host names can be used safely here. The host name resolves to a different public IP address on successive lookups, so each mapping on a different scan node corresponds to a different IP address, which is likely served by a different interface node. The user can thus improve scan performance by distributing the load across the interface nodes.

User permissions required for scanning

The LDAP/AD user who starts the scan process on the scan node must have read and write permissions on the files to be scanned. If the configured action is to delete the risk (including the case where a risk cannot be cleaned or quarantined), the scan user must also have delete permission. Typically, the LDAP/AD user that owns the files has to grant the scan user read, write and delete permissions. Because the scan user can modify or delete every file it is allowed to scan, treat it as a privileged account: use it only on the scan nodes and grant no more than the actions configured for the scan require.

Scanning Windows and Linux files with Windows and Linux scan nodes

It is recommended that files created on the Windows platform are scanned by a Windows scan node running Symantec Endpoint Protection, and that files created on the Linux platform are scanned by a Linux scan node running Symantec AntiVirus for Linux. Scanning files with a scan node on the same platform that created them reduces access-permission conflicts and lets platform-specific files be scanned reliably.


Multiple scan processes and load-balancing

Windows scan nodes: Symantec Endpoint Protection (Windows) has no inherent load-balancing capability. If load balancing is required, it has to be done manually by starting scans on disjoint directories simultaneously on different scan nodes. Only one scan process can run at a time on a Windows scan node, because the product does not support multiple concurrent scans on Windows.

Linux scan nodes: Users can start multiple scan processes on the same Linux scan node to scan multiple directories or multiple shares at the same time. The manual-scan command shown in the section Scan files using Linux client (Symantec AntiVirus for Linux) can be run several times concurrently, and all scan processes continue scanning their directories in parallel. This improves scan performance by scanning multiple directories with separate instances of the scan.
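The following shell script is an added example, not code from this white paper or from Symantec. It puts together, on one Linux scan node, the manual and scheduled scan commands from the section Scan files using Linux client, the recommendation to mount NFS shares by interface-node IP address rather than by DNS host name, and the recommendation above to run one scan process per share in parallel. The sav command path and syntax are those given in the paper; the interface-node IP addresses, the export paths, the mount base and the log directory are assumptions chosen for illustration, and the mountpoint command comes from util-linux.

```sh
#!/bin/sh
# Added example (not from the IBM white paper or from Symantec): spread NFS
# mounts of SONAS shares across several interface-node IP addresses and run
# one Symantec AntiVirus for Linux scan process per mount, in parallel, on a
# single Linux scan node. Addresses, exports and directories are assumptions.

SAV=/opt/Symantec/symantec_antivirus/sav            # CLI path from the paper
IFACE_IPS="10.0.0.11 10.0.0.12 10.0.0.13"            # assumed public IPs served by SONAS interface nodes
EXPORTS="/ibm/gpfs0/finance /ibm/gpfs0/hr /ibm/gpfs0/eng /ibm/gpfs0/legal"  # assumed NFS exports
MNT_BASE=/mnt/sonas                                  # assumed local mount base
LOG_DIR=/var/log/sav-scans                           # assumed per-scan log directory

# pick_ip N: the Nth interface-node address, wrapping round-robin, so that
# consecutive shares are served by different interface nodes.
pick_ip() {
    want=$1
    set -- $IFACE_IPS
    shift $(( want % $# ))
    printf '%s\n' "$1"
}

# mount_point EXPORT: local directory for an export, named after its last path component.
mount_point() {
    printf '%s/%s\n' "$MNT_BASE" "$(basename "$1")"
}

# scan_cmd DIR: the manual-scan command from the paper for one mounted share.
scan_cmd() {
    printf '%s manualscan --scan %s\n' "$SAV" "$1"
}

# sched_cmd NAME FREQ INTERVAL TIME DIR: the scheduled-scan command from the
# paper, after checking that INTERVAL fits FREQ as the paper's syntax line
# lists it (daily: HH:MM, weekly: SUN-SAT, monthly: 1-31).
# Prints nothing and returns 1 on a mismatch.
sched_cmd() {
    name=$1; freq=$2; ivl=$3; at=$4; dir=$5
    case "$freq:$ivl" in
        daily:[0-2][0-9]:[0-5][0-9]) ;;
        weekly:SUN|weekly:MON|weekly:TUE|weekly:WED|weekly:THU|weekly:FRI|weekly:SAT) ;;
        monthly:[1-9]|monthly:[12][0-9]|monthly:3[01]) ;;
        *) echo "sched_cmd: interval '$ivl' does not fit frequency '$freq'" >&2; return 1 ;;
    esac
    printf '%s scheduledscan --create %s --frequency %s --interval %s --time %s %s\n' \
        "$SAV" "$name" "$freq" "$ivl" "$at" "$dir"
}

# run_all: mount every export by IP, start one scan process per mount in the
# background, then wait for all of them and return non-zero if any failed.
# Needs root for mount, and the scan user needs read/write/delete on the data.
run_all() {
    mkdir -p "$LOG_DIR"
    n=0; pids=""
    for exp in $EXPORTS; do
        ip=$(pick_ip "$n"); mp=$(mount_point "$exp")
        mkdir -p "$mp"
        # Mount by interface-node IP, never by DNS name (NFS lock state).
        mountpoint -q "$mp" || mount -t nfs "$ip:$exp" "$mp" \
            || { echo "mount of $ip:$exp at $mp failed" >&2; return 1; }
        # One independent SAV process per mount: SAV for Linux scans
        # concurrently, whereas SEP on Windows serialises scan requests.
        "$SAV" manualscan --scan "$mp" > "$LOG_DIR/$(basename "$exp").log" 2>&1 &
        pids="$pids $!"
        n=$((n + 1))
    done
    rc=0
    for pid in $pids; do
        wait "$pid" || rc=1
    done
    return $rc
}

# Run only when invoked with --run, so the functions can be sourced or tested alone.
if [ "${1:-}" = "--run" ]; then
    run_all
fi
```

Each share gets its own log file and its own sav process, so a scan that hangs or fails on one export does not stop the others; the script's exit status tells a scheduler whether every scan completed. The mounts are deliberately not read-only, because the Clean and Quarantine actions need write and delete access to the scanned files.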


Summary

Protecting file data against viruses and other malicious threats is an important challenge for storage administrators, who require a tested, reliable antivirus solution for scanning the data. It must also be scalable to meet the ever-growing size and volume of file data. The IBM Scale Out Network Attached Storage (SONAS) system offers a multipetabyte global NAS storage platform that supports extreme scalability for storage infrastructures that require high performance and high availability. To help protect the data from viruses and other threats, IBM tested SONAS with Symantec Endpoint Protection to proactively provide enterprise users with solutions that have been thoroughly tested for interoperability and compatibility, saving time and mitigating implementation risk.

The technical content contained herein is intended as a reference for customers who want to use Symantec AntiVirus for scanning the files created on the IBM SONAS system. It should not be treated as a definitive implementation or solution document, because specific configurations and use-case scenarios can vary and may require custom implementation or solution-design guidance. For such solution designs, contact your IBM representative to arrange discussions with an antivirus-implementation expert.


Resources

These Web sites provide useful references to supplement the information contained in this document:

1. IBM Systems on IBM PartnerWorld®: ibm.com/partnerworld/systems

2. IBM Publications Center: www.elink.ibmlink.ibm.com/public/applications/publications/cgibin/pbi.cgi?CTY=US

3. IBM Redbooks®: ibm.com/redbooks

4. IBM developerWorks®: ibm.com/developerworks

5. SONAS user documents, including Installation and Administration Guides: http://publib.boulder.ibm.com/infocenter/sonasic/sonas1ic/index.jsp

6. Installation Guide for Symantec Endpoint Protection and Symantec Network Access Control: ftp://ftp.entsupport.symantec.com/pub/support/documentation/Installation_Guide_SEP11.0.5.pdf

7. Administration Guide for Symantec Endpoint Protection and Symantec Network Access Control: ftp://ftp.entsupport.symantec.com/pub/support/documentation/Administration_Guide_SEP11.0.5.pdf

8. Client Guide for Symantec Endpoint Protection and Symantec Network Access Control: ftp://ftp.entsupport.symantec.com/pub/support/documentation/Client_Guide_SEP11.0.5.pdf

9. Getting Started with Symantec Endpoint Protection: ftp://ftp.entsupport.symantec.com/pub/support/documentation/Getting_Started_SEP11.0.5.pdf

10. Symantec AntiVirus for Linux Implementation Guide: www.officesoft.gsic.titech.ac.jp/jp/symantec/pdf/SAV_Linux_Impl.pdf

11. Symantec AntiVirus for Linux Client Guide: www.officesoft.gsic.titech.ac.jp/jp/symantec/pdf/SAV_Linux_Client.pdf

12. Configuring Java LiveUpdate: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006021007250213?Open&seg=ent

13. Other Symantec Endpoint Protection documents: www.symantec.com/business/support/documentation.jsp?pid=54619


About the authors

Bhushan Pradip Jain is an Associate Software Engineer working for the IBM India Software Labs. He is currently working on ISV certification and security considerations for IBM SONAS. He has published a technology named "Policy-Driven File Encryption Explorer Based on OpenPGP" on IBM alphaWorks® and has also authored articles on IBM developerWorks. Bhushan completed his B.Tech. in Computer Engineering at the College of Engineering, Pune (COEP). You can contact him at [email protected].

Pratap Banthia is SONAS ISV Relationships and Enablement Manager. He is responsible for managing interoperability and marketing of targeted ISV solutions for the new IBM Scale Out Network Attached Storage system. Previously, Pratap managed NAS product lines at SGI and Hitachi Data Systems, where he led the development and launch of enterprise-class NAS gateways in a unified storage environment. Pratap received his MBA from Pennsylvania State University. Contact Pratap at [email protected].


Trademarks and special notices

© Copyright IBM Corporation 2010. All rights Reserved.

References in this document to IBM products or services do not imply that IBM intends to make them available in every country.

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, or both.

Other company, product, or service names may be trademarks or service marks of others.

Information is provided "AS IS" without warranty of any kind.

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer.

Information concerning non-IBM products was obtained from a supplier of these products, published announcement material, or other publicly available sources and does not constitute an endorsement of such products by IBM. Sources for non-IBM list prices and performance numbers are taken from publicly available information, including vendor announcements and vendor worldwide homepages. IBM has not tested these products and cannot confirm the accuracy of performance, capability, or any other claims related to non-IBM products. Questions on the capability of non-IBM products should be addressed to the supplier of those products.

All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Contact your local IBM office or IBM authorized reseller for the full text of the specific Statement of Direction.

Some information addresses anticipated future capabilities. Such information is not intended as a definitive statement of a commitment to specific levels of performance, function or delivery schedules with respect to any future products. Such commitments are only made in IBM product announcements. The information is presented here to communicate IBM's current investment and development activities as a good faith effort to help with our customers' future planning.


Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput or performance improvements equivalent to the ratios stated here.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.