Best Practice guide for using Symantec Protection Engine for Network Attached Storage 7.x with EMC Celerra Filer.
Below are some suggestions/best practices we advise to customers,
1. General hardware requirements are 4GB of RAM, 4 CPUs and over 30GB of free disk space. If possible we would recommend giving each scanner 8GB of RAM and 60+GB of free disk space. Symantec Protection Engine reads the files into its temp folder, so under sufficient load Protection Engine can temporarily utilize a lot of disk space.
Performance Protection Engine Settings:
- In the Symantec Protection Engine GUI set Configuration > Resources > “Max RAM used for in-memory file system” from 128MB to 2048MB. Scanning files in memory is always faster than reading the file from the Protection Engine temp folder. Also for scanning purposes, Protection Engine manages its own file system, so while we normally say you can set this parameter up to half the amount of memory the Server has. Symantec does typically not recommended going over 512MB. Due to the overhead of managing the in memory file-system.
- Set Configuration > Resources > “Max file size stored within in-memory file system” from 3MB to 64 to 128 MB.
- Under Resources, Scanning Resources, note that when the threshold number of queued requests is reached, Protection Engine will gracefully reject any new connections until our number of queued requests have dropped back under 100. As far as recommended value for this parameter, leave it at 100.
General Protection Engine Settings:
- Make sure Policies > Filtering > Container Handling > “Time to extract file” (our container timeout) is set to a value that is half 1/2 to 2/3 the value of the EMC Celerra timeout value. The EMC Celerra/CAVA timeout parameter is named “reqTimeout”. This is to prevent the Filer and scanner from getting into a retry loop with each other. I believe EMC has a recommended timeout value for their parameter, just set our value accordingly.
- Under Polices > Filtering > Container Handling, please take a look at all of the settings in there. We do not have any specific recommendations for the rest of the container settings, just be aware of how we handle files (for example by default be will delete encrypted container files).
- Monitors > Logging > Local logging level, we recommend keeping this parameter at the Default Warning. Setting local logging to Verbose is fine, it is just mainly used for troubleshooting. As it can consume a significant amount of disk space over time.
- For Liveupdate, we have three options, Shadow ui (share defs with desktop AV), Java Liveupdate, or Rapid Release. Using any one of these virus definition update methods is fine, we do not recommend using multiple ones at the same time.
- By default Protection Engine honors read only files. Therefore if we catch an infected file that is also read only, will not delete this infected file. This setting can be changed.
- Disable the Symantec Protection Engine parameter, HonorReadOnly. By default if Protection Engine catches an infected file we will not delete the file, if it is read only. The CAVA agent will not sync-up with Protection Engine unless this parameter has been disabled. To disable this parameter,
- In Services stop the Protection Engine service.
- Open a command prompt, and change directories to the Protection Engine install directory, by default this is in the \Program Files\Symantec\Scan Engine\ folder.
- Run the command, “java –jar xmlmodifier.jar –s /policies/Misc/HonorReadOnly/@value false policy.xml”. It is case sensitive.
- Start the Protection Engine service back up.
If you have Symantec EndPoint Protection installed on the same server as Symantec Protection Engine, please review this document as well: https://support.symantec.com/en_US/article.TECH226801.html
Under a lot of load, the machine that the CAVA agent and Symantec Protection Engine are running on can run out of TCP ports fairly quickly, since the default value is 5000 for the machine. The steps to increase this are,
a. To set initial TCP stack settings within Windows registry
b. Open the Windows registry
c. Navigate to \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters
d. If the DWORD value "MaxUserPort" does not exist, create it.
e. Set "MaxUserPort" to a decimal value of 60000.
f. If the DWORD value TcpTimedWaitDelay does not exist, create it.
g. Set TcpTimedWaitDelay to a decimal value of 30.
h. Reboot the Server for these changes to take effect.
For more info on this change please view this KB, http://www.symantec.com/docs/TECH93003
For recommended exclusions please refer to this KB, www.symantec.com/business/support/index
To address questions, or for more information please contact Support.