Redp4084 - N Series Antivirus - Scanning Best Practices Guide

8/12/2019 Redp4084 - N Series Antivirus - Scanning Best Practices Guide

1/16


2/16

2 IBM System Storage N series Antivirus Scanning Best Practices Guide

N series antivirus solution overview

There are two common approaches to scanning data and Internet content:

Scan internal data files and Internet content for viruses at scheduled intervals. Scan files on-the-fly as they are read, created, or modified.

The latter of the two approaches is more effective at detecting viruses before they are able tocompromise data. Moreover, the scanning process occurs on an as-needed basis and thusminimizes the server and network loads observed during intensive file system scans.

Integrated antivirus solutions for the N series help protect your data and systems from

malicious virus code by scanning files on access (as they are accessed) and during thedownload process.

The N series antivirus solution uses an authenticated CIFS connection and RemoteProcedure Calls (RPCs) to communicate with the antivirus scanning servers. This solutionemploys the HTTP-based Internet Content Adaptation Protocol (ICAP) when interacting with

ICAP antivirus servers. CIFS and ICAP are industry standard protocols with features that arebest suited for their respective applications:

CIFS provides a secure, authenticated connection and supports byte-range reads.Byte-range reads streamline the scanning process, resulting in quicker file access.

ICAP provides RPC-like functionality for HTTP-based services and supports a widevariety of applications that offload specialized tasks such as virus scanning.

N series antivirus scanning

Without integrated antivirus functionality, customers can quickly recover from virus incidents

by using the built-in Snapshot technology inherent in the Write Anywhere File Layout (WAFL)file system. If there is a virus incident, users can recover files from their read-only ~snapshot

folders in minutes. Viruses cannot infect files in Snapshot copies because Snapshot copies

and data are read only. Because Snapshot activities are commonly scheduled in weekly,daily, and hourly intervals, backups are automatic, and the drag-and-drop recovery is

immediate and simple.

To detect and stop viruses before they reach the file system, antivirus functionality is

integrated into Data ONTAP, the N series microkernel. N series with integrated antivirussoftware provides additional protection against viruses with files that are accessed fromWindows and CIFS/Server Message Block protocol clients. Integrated antivirus software is

available from Symantec, McAfee, TrendMicro, and Computer Associates. The virus scanningactivity is not apparent to users and occurs before the file is committed to disk (write requests)

or delivered to the requesting user or application (read requests).

Antivirus scanning servers register with the N series using RPCs and either a Microsoft

Windows NT Local Area Network (LAN) Manager (NTLM) connection or aKerberos-authenticated CIFS connection, depending on the Windows domain, ActiveDirectory, and so on. Multiple antivirus scanning servers can be configured to register with the

same N series storage system or with multiple N series storage systems for redundancy andperformance. When multiple antivirus servers are deployed, the N series storage systems

automatically distribute the scanning activity with a round robin load-balancing scheme.

The N series initiates scans by sending a scan command to the scanning servers and waiting

for a reply for files that are created, changed, and opened for read access. These files mustalso meet the following criteria:


3/16

IBM System Storage N series Antivirus Scanning Best Practices Guide3

The file extension is included in the list of to-be-scanned file types.

The file has not already been marked as previously scanned, and no changes have

occurred to the file.

The diagram in Figure 1illustrates the basic steps that occur during the scanning process.

Figure 1 N series integrated virus scanning

When a user tries to open, create, or change a file that matches the scanning criteria, such as

an .exe file, N series notifies a registered antivirus server and provides the path of the file toscan. The antivirus server opens a connection to the file and checks the file for a known virus

signature or virus-like behavior. The scanning engine then notifies the N series storage

system of the results. If no virus is found, the client can open the requested file. If a virus isfound, the antivirus software either quarantines the file or removes the virus. See When a

virus is found on page 3for a description of quarantine and virus removal.

After the files are safely scanned, the N series storage system keeps track of recently

scanned files in memory. This improves performance by minimizing redundant scanningactivity. The scanning process takes a few milliseconds for most files. It might take severalseconds for more complex files such as .zip or .cab files that can contain many other files.

Until the virus has been successfully scanned or removed from a file, the user or applicationis not permitted to open or rename the file. The antivirus software can also be configured to

quarantine files and not allow access until an administrator examines the data and makes adecision.

When a virus is found

The action that is taken on an infected file is not determined by the N series storage system.The settings that affect how a virus is handled are determined by the administrator and stored

as part of the antivirus software configuration. If it is determined that a file is infected, thevirus software typically takes one of two actions. It either quarantines the file or it disinfects

the file by removing the virus code and writing a new file. Table 1 on page 4summarizes thedifferences.

client

desktopAnti-

Virus

server

1.

User

requestsfood.doc

from

storage

2.

Verifies that

food.doc hasnot been

scanned and

checks for the

extension list

3.

Notifies the

AV serverof the file to

be scanned

4.

Finds a virus

and repairs,deletes, or

quarantines

the file

5.

AV serverapprises

appliance of

result

6.

Applianceprepares

answer

7.

Reply toclient

Bottom Line:

Scalable and efficient on-access AV scanning

Choice of AV products

File access is blockeduntil virus scan is

completed

Intelligent approach:

Caches the previousscanned status

Only a portion of fileis sent for virus scan

Ability to send user

notification when virus isfound

Scalable architecture:

many N series storage

systems can share apool of AV scanners

Secure,

authenticated,

private CIFS

connection
http://-/?-http://-/?-


4/16


Table 1 Scanning configuration

Updating virus definitions

Antivirus definitionsare databases that contain information that is used to identify viruses.Antivirus scanning engines are designed to identify specific viruses using these definitions

and by recognizing characterized behavior. Antivirus software vendors release a new virusdefinition (database) for their software products when they find new viruses. Thesevendor-specific database definitions are used by antivirus software to identify known viruses

or virus-like behavior. When information about a specific virus is included in a virus definition,it is said to be a known virus.

When a new virus definition becomes available, the definition update might occurautomatically through the Internet or it might be installed by an administrator. In either case,

when a new definition is applied, the virus software notifies the N series that a new definition

exists. The list of previously scanned files is then flushed, and all subsequent file accessesare scanned with the new virus definition. These actions ensure that new viruses are properlyidentified and removed by the virus software.

Defining scanning criteria

The N series can be configured to exclude certain files based on their extensions so that

those files are not scanned. For example, it might not be necessary to scan graphics filessuch as .jpg or .bmp files because they do not contain executable code. The N series

scanning servers do not scan any files that are on the exclude list.

Antivirus software vendors suggest scanning all executable files or files that containexecutable code. There are many types of executable files. For example, binary executablefiles have the .exe and .com extensions. There are also executable scripts such as .vbs (for

Visual Basic) and .bat (for batch) files. Dynamic loadable modules are files with the .dllextension that contain executable code used by the Microsoft Windows family of operating

systems and applications. And, some applications store executable commands in the form ofmacros within their files or documents.

By default, the file types listed in Table 2 on page 5are scanned for maximum protection.

However, administrators can easily customize the default scanning criteria if they want toinclude or exclude specific types of files.

Scanning configuration Action

Quarantine the file The antivirus scanner quarantines the file in its

present location or moves it to a special location,

and the N series denies the client access. The

administrator must take action.

Disinfect the file The antivirus software removes the virus and

notifies the N series when the file is clean. The N

series then allows the client to open the requested

file.

Note:If the administrator configures the virus software to quarantine a suspected file, theuser sees an access denied message and will be unable to open or create the requested

file. The administrator must then take action to restore a previous version of the file ordisinfect the file with antivirus software.


5/16


Table 2 Default file types for scanning

Use the N series console or the console window of the Web-based FilerView graphic userinterface (GUI) to modify the list of extensions.

Examples

Use the following example commands to add or remove extensions from the list of files toscan on the include list.

Example 1shows how to add extensions on the include list.

Example 1 Add extensions

N series> vscan extensions include add txt

Example 2shows how to remove extensions on the include list.

Example 2 Remove extensions

N series> vscan extensions include remove jpg, gif

The following example commands can be used to exclude extensions from the list of files toscan on the exclude list.

Example 3shows how to add extensions to the exclude list.

Example 3 Adding extensions to the exclude list

N series> vscan extensions exclude add doc

Example 4shows how to remove extensions on the exclude list.

Example 4 Removing extensions from the exclude list

N series> vscan extensions exclude remove jpg, gif

Performance considerations

Virus scanning occurs between the clients request for the file and the response from the N

series storage system. This process results in latency of less than one millisecond (ms) tomany seconds and largely depends on the type of file. However, the amount of input/output(I/O) between the N series storage system and antivirus server is much smaller in proportion

??_ DOT JS? OV? VBS ASP EXE MD?

ARJ BIN CAB CL DL? DRV EML IM?

LZH MD? MPP OFT PIF POT WPD RAR

POT VS? BAT GMS MPP PPL? WXD CDR

GZ? MPT RTF WBK COM HLP MSG SCR

WPD CSC HT? MSO SHS XL? DL? IM?I

OCX SMM XML DOC INI OLE SYS XL?

SWF VS? VXD


6/16


to the data served between the N series and N series clients. This is because the scanning

algorithms often only need to examine a small portion of a file to determine if it is infected,because viruses attach themselves to easily identified locations within different file types.

A number of integral features are designed to maximize performance:

The on-access architecture eliminates the need to perform time consuming, resource

intensive scans of entire volumes. The N series storage system maintains a list of already scanned files to reduce or

eliminate redundant scans.

The scanning algorithms vary by file type and often scan only a small portion of many files.

Using the integrated N series and antivirus solutions, the performance difference in mostcases is measured in milliseconds. Therefore, the entire scanning process might not be

perceivable by most users. During periods of heavy use, the difference might be morenoticeable (in seconds), particularly if users are opening large .cab or .zip files that containmany other files that might have to be extracted and scanned. Moreover, it takes time to

completely remove a virus from an infected file.

Performance varies according to the file types and the speed of the antivirus server, N seriesstorage system, and network. A difference in throughput of up to 10% and a 15% increase inresponse time on unscanned files are not unusual when virus scanning is enabled on a busyN series storage system. For example, 10 ms response times increase to almost 12 ms.

Network connectivity

Network connectivity between the N series storage system and the antivirus server must

consist of at least a 100 Megabyte Ethernet connection. However, Gigabit Ethernet (1000MB) networking is preferable. Connecting through an Ethernet switch, a crossover, or a direct

connection are all options.

Directly connected or private connections between the N series storage system and each

antivirus server provide a clean network. If you are connecting through an Ethernet switch,use a dedicated switch or configure a virtual LAN (VLAN) to separate traffic traveling throughthe switch.

Figure 2 on page 7and Figure 3 on page 7illustrate the different methods that can be used toprovide connectivity between an N series storage system and its antivirus servers.

Important:The network between the N series storage system and the antivirus scanningserver must be clean and free of other traffic. Contention on the N series antivirus serversegment can hinder scanning activity and adversely affect the N series response to clients.
http://-/?-http://-/?-


7/16


Figure 2 Connectivity methods

Figure 3shows the multi-network configuration.

Figure 3 Multinetwork configuration

AV Servers

A dedicated network switch or direct network connections can be

usedIf the direct-connect method is used, a network interface card

(NIC) is required for every connection between the AV servers

and the N series

Direct Network Connections (no switch) become complicated when using

multiple N series and multiple AV servers together.

A dedicated switch guarantees better security and optimal performance

Every filer and AV server require a minimum of two NICs

AV Servers


8/16


N series and antivirus server authentication

The connection between the N series and its antivirus scanning servers is a trustedconnection. Several mechanisms are in place to prevent unauthorized access to the scanning

server:

Scanning servers are subject to authentication and must be members of the backupoperators group on the N series storage system.

Scanning servers register by RPC with the N series storage system.

The antivirus server provides file system, console, and login security.

In addition, locating the antivirus servers in a secure data center that is adjacent to the N

series storage system provides optimal protection. Administrators should secure all networkequipment and servers from unauthorized physical access.

Usage profiles

The N series model and capacity are not as important as the way the data is used. Thenumber of scans that occur is a direct result of how many different files are opened or

changed in a unit of time.

Generally, a larger capacity N series system that is supporting more users will result in higherscanning activity, but the total scans per hour does not necessarily scale with the number ofusers. There is no direct correlation with the N series capacity and the scanning load. The

number of scans per hour is a result of how users access and manipulate data, because only

users that access files trigger virus scans.

Antivirus server hardware

Table 3shows the minimum system requirements for each antivirus server.

Table 3 System requirements

Many inexpensive tower case or 1U rack-mounted computers are available that are qualifiedto run Windows NT or Windows 2000 and antivirus software. You can learn more about these

computers at:

http://www.ibm.com/support/us/

Note:Each direct connection between an N series storage system and associatedantivirus server or servers requires a dedicated Network Interface Card (NIC) in each

computer, for each connection. Moreover, the filer and antivirus servers need connectivityto the corporate network for administration purposes and virus definition updates.

Antivirus server

CPU speed 2.6 Ghz or greater

RAM 1 GB

Hard disk size 9 GB

Network interface

card

100/1000 MB Ethernet
http://www.ibm.com/support/us/http://www.ibm.com/support/us/


9/16


You can find more information about the specific system requirements for the antivirus

software at the vendor Web sites.

The limiting performance factor with antivirus scanners is the processing frequency. Thequantity of virus scan requests that the antivirus scanners can process greatly depends on

their processor speed. Antivirus scanners with the highest processing speed are advisable.

Multiple antivirus servers and multiple N series storage system units

Although it is not necessary, at least two antivirus servers for redundancy and higher

availability are recommended. During normal operation, the N series storage systemautomatically balances the load between multiple antivirus servers.

Antivirus server failures

If one or more scanning servers (Windows computers that run the antivirus software) fail or

are unavailable, the N series storage system times out the connection to the unresponsivescanning servers and continues to use the remaining scanning servers. The default time outperiod is 12 seconds. If no scanning servers are available, the administrator can configure the

N series in one of two ways:

Resume file access without virus scanning Deny all file access

In all cases, the antivirus servers automatically contact and register themselves with theirassociated N series storage system when they are back online. When this occurs, the N

series resumes normal operation with virus scanning enabled.

N series Internet content antivirus scanning

N series storage systems can deliver accelerated content management, content

manipulation, streaming, proxy, and traffic monitoring functionality in a single system. Theycan provide industry leading support for best-of-breed applications that extend functionalityand increase scalability by offloading specialized processes to other computers.

N series storage systems use ICAP (the industry standard) to communicate with

ICAP-enabled antivirus servers. The antivirus servers scan and disinfect incoming contentbefore caching (storing) the content and delivering it to users.

Client browser applications can be configured to use an N series storage system as a proxy,or the N series storage system can be deployed so that it is not apparent to the user.

Application servers

Many collaborative mail and database applications, such as the Microsoft Exchange Server,use a different type of antivirus product. These antivirus products run on the application or

database server and scan the contents of e-mail attachments, for example, that are beingwritten to the mail database or mail files.

The N series on-access solution is designed to scan files accessed by Windows clients.Consult with the specific database, antivirus vendors, or both for e-mail and database-specific

solutions.


10/16


Network File System clients

Data accessed by UNIX and Network File System (NFS) clients is not supported at the timeof this publication and does not trigger a virus scan of a requested file. The risk of virusattacks is low for UNIX and NFS data because few viruses target platforms other than

Windows.

Antivirus vendors

The N series storage system can use antivirus software from Symantec, Trend Micro,McAfee, and Computer Associates to deliver integrated antivirus solutions. ContactSymantec, Trend Micro, McAfee, and Computer Associates for specific product information.

Verifying the licensing plan and the associated costs of integrating antivirus software with theN series storage system can help you select the most cost-effective option.

Table 4shows the N series antivirus partners and their Web sites.

Table 4 N series antivirus partners

Best practices for antivirus scanning

These best practices for antivirus scanning have worked well with heavy loads and withclustered pair configurations. N series storage systems that have been set up based on these

best practices have demonstrated resiliency to failures. In addition, larger enterprisecustomers have used these best practices in their environments and have achieved good

results:

Avoid large antivirus scanning farms in which all N series storage systems are served by

all antivirus scanner servers. Instead, choose a pod design, as described in The followingrelationships are established for each N series storage system and its primary and

secondary antivirus scanner servers; this is what is referred to as a Scanning Pod: onpage 12. This avoids performance spikes, which can be caused if all N series storage

systems choose the same antivirus scanner server at the same time. In this scenario, oneantivirus scanner server can become overwhelmed by many N series user requests. Theperformance spike occurs before the file is committed to disk (write requests) or delivered

to the requesting user or application (read requests).

Dedicate an antivirus scanner server to antivirus scanning only. Do not use this antivirusscanner server for any other jobs such as backup.

Connect to the antivirus scanner server using the N series Internet Protocol address (notthe N series NetBIOS name) to control which N series storage system interface is used.

Antivirus partner/Web site

Symantec

http://www.symantec.com

Trend Micro

http://www.antivirus.com

McAfee

http://www.mcafeesecurity.com/us/products/mcafee/antivirus/desktop/category.htm

Computer Associates

http://www3.ca.com//Solutions/Product.asp?ID=156
http://-/?-http://-/?-http://-/?-http://-/?-http://www.symantec.com/http://www.antivirus.com/http://www.mcafeesecurity.com/us/products/mcafee/antivirus/desktop/category.htmhttp://www3.ca.com//Solutions/Product.asp?ID=156http://-/?-http://-/?-http://-/?-http://www3.ca.com//Solutions/Product.asp?ID=156http://www.mcafeesecurity.com/us/products/mcafee/antivirus/desktop/category.htmhttp://www.antivirus.com/http://www.symantec.com/


11/16


12/16


Figure 5 Scanning Pod for two datacenters in different locations

The following relationships are established for each N series storage system and its primary

and secondary antivirus scanner servers; this is what is referred to as a Scanning Pod:

N series A Primary antivirus scanner: AV1, AV2 Secondary antivirus scanners: AV3, AV4

N series B

Primary antivirus scanner: AV1, AV2 Secondary antivirus scanners: AV3, AV4

N series C

Primary antivirus scanner: AV3, AV4 Secondary antivirus scanners: AV1, AV2

N series D(dedicated primary antivirus scanner because of the load)

Primary antivirus scanners: AV3, AV4, and AV5 Secondary antivirus scanners: AV1, AV2

Benefits of a Scanning PodUsing a Scanning Pod offers these benefits:

The redundancy of the antivirus scanner servers is increased.

If the primary AV scanner server goes down, the other remaining primary scanners canhandle the AV load.

2006 IBM Corporation*

Nseries

N series storage N series storage N series storage N series storage


13/16


If both primary AV scanner servers go down, the N series storage system is scanned

with the remaining secondary scanners.

A ratio of one N series storage system to one antivirus scanner, which minimizes anychance of data outages caused by an antivirus scanner overload, is assured.

Sometimes having one AV scanner server for two N series storage systems is sufficientwith the exception of heavy loads during peak hours, which could overload the AV scannerserver. But depending on the file structure and access pattern, even as many as three

servers per N series storage system can be necessary.

Your antivirus scanner server hardware investment is maximized.

This avoids underutilization of AV scanner hardware.

The "Scanning Pod" model allows for the efficient utilization of hardware whileproviding redundancy.

Scanning Pod requirements and recommendationsThe requirements for using a Scanning Pod are:

The antivirus scanner servers must use Gigabit Ethernet. The connectivity speed of the

antivirus scanner directly impacts N series performance. The N series storage system must have a secondary Gigabit NIC that is dedicated to an

antivirus network. Because antivirus servers require gigabit access to all the N seriesstorage systems in the Scanning Pod, you must not use back-to-back network

configurations. Instead, build an antivirus network for all N series storage systems andantivirus scanner servers in a switched environment.

You must avoid building a Scanning Pod that is too large. This reduces the risk from

failures that cascade to other units of a Scanning Pod.

Increasing backup job performance

It is possible for an N series administrator to specifically disable virus scanning of a particular

share. Antivirus scanning by nature affects the speed of backups on every open file that iscreated by the backup application.

For example, backups might be too slow if files are scanned during the backup over thenetwork. To alleviate this, the administrator can create a normal share, called data, to whichclients and applications have direct access and antivirus scans normally take place. Theadministrator can create a second share, called databackup, that points to the same physicallocation, which has virus scanning disabled on the share (this is configurable on a per sharebasis).

After the administrator sets share permissions that only allow the backup user group to

access the databackup share, normal users are forced to use the protected data share.Meanwhile, the backup user group can use the faster databackup share.

How and when an N series determines to scan a file

Technically, the N series storage system scans files that are opened, renamed, and closed (ifthe file was modified) in the following order:

Note:This does not apply to Network Data Management Protocol (NDMP) backups, onlynetwork mapped backups.


14/16


1. Technically, the NetApp storage system will scan on:

Open

Rename

Close (if the file was modified)

2. The N series storage system scans a file based on the file extensions set by the N series

administrator.

3. The N series storage system scans a file when the file is opened.

4. The N series storage system scans a file when it is renamed to a file name that has one of

the designated file extensions.

5. The N series storage system scans a file when it is closed after being modified. The Nseries does not scan a file after each write, but only when a modified file is closed.

6. Newly created files are not scanned upon creation, but only after data has been written tothem and the file is closed.

7. The N series storage system does not scan a file when the file is accessed from the vscan

server itself.

8. If multiple applications access the same file simultaneously, they all share the same scanresults as the virus scan of the first application. For example, if application 1 requests to

open a file and triggers a scan for viruses, the scan is launched. If application 2 tries toopen the same file, the N series storage system does not launch a second scan, but

instead queues application 2 to wait for the scan that is already active to complete. Whenthe scan completes, both requests continue to be processed by the N series storagesystem.

Summary

The integrated antivirus solutions for IBM System Storage N series enable enterprises to

protect their valuable data from computer viruses. The open, scalable, and high-performancearchitecture allows customers to choose the premier antivirus vendor that best suits their

environment. Companies can deploy N series solutions throughout their enterprises withbest-of-breed antivirus solutions that protect data without affecting the user experience.


15/16

Copyright IBM Corp. 2005, 2007. All rights reserved.15

Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consultyour local IBM representative for information on the products and services currently available in your area. Anyreference to an IBM product, program, or service is not intended to state or imply that only that IBM product,program, or service may be used. Any functionally equivalent product, program, or service that does notinfringe any IBM intellectual property right may be used instead. However, it is the user's responsibility toevaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. Thefurnishing of this document does not give you any license to these patents. You can send license inquiries, inwriting, to:IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where suchprovisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATIONPROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR

IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer ofexpress or implied warranties in cer tain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically madeto the information herein; these changes will be incorporated in new editions of the publication. IBM may makeimprovements and/or changes in the product(s) and/or the program(s) described in this publication at any timewithout notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in anymanner serve as an endorsement of those Web sites. The materials at those Web sites are not part of thematerials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurringany obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their publishedannouncements or other publicly available sources. IBM has not tested those products and cannot confirm theaccuracy of performance, compatibility or any other claims related to non-IBM products. Questions on thecapabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate themas completely as possible, the examples include the names of individuals, companies, brands, and products.All of these names are fictitious and any similarity to the names and addresses used by an actual businessenterprise is entirely coincidental.

COPYRIGHT LICENSE:This information contains sample application programs in source language, which illustrates programmingtechniques on various operating platforms. You may copy, modify, and distribute these sample programs inany form without payment to IBM, for the purposes of developing, using, marketing or distributing application

programs conforming to the application programming interface for the operating platform for which the sampleprograms are written. These examples have not been thoroughly tested under all conditions. IBM, therefore,cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, anddistribute these sample programs in any form without payment to IBM for the purposes of developing, using,marketing, or distributing application programs conforming to IBM's application programming interfaces.

Send us your comments in one of the following ways: Use the online Contact usreview redbook form found at:

ibm.com/redbooks Send your comments in an email to:

[email protected] Mail your comments to:
http://www.redbooks.ibm.com/http://www.ibm.com/redbooks/http://www.redbooks.ibm.com/contacts.htmlhttp://www.redbooks.ibm.com/contacts.htmlhttp://www.ibm.com/redbooks/http://www.ibm.com/redbooks/http://www.redbooks.ibm.com/


16/16

IBM Corporation, International Technical Support OrganizationDept. HYTD Mail Station P099650 Harry RoadPoughkeepsie, NY 12601-5400 U.S.A.

Trademarks

The following terms are trademarks of the International Business Machines Corporation in the United States,other countries, or both:

Redbooks (logo)

IBM

Redbooks

System Storage

The following terms are trademarks of other companies:

Microsoft, Visual Basic, Windows NT, Windows, and the Windows logo are trademarks of Microsoft Corporation in theUnited States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.

Documents

Redp4084 - N Series Antivirus - Scanning Best Practices Guide