Information is needed regarding best practices for implementing Symantec Protection Engine for NAS with EMC Celerra Anti-Virus Agent 3.6.x.
NOTE: Before beginning, verify that each machine where you plan to install Protection Engine for NAS 7.x meets the System Requirements. In addition, Symantec always recommends installation in a test environment to identify performance issues before deployment to production systems..
NOTE: Previously, Symantec provided a 32-bit version of the API library only. Starting with build 7.0.1 of Protection Engine for NAS, Symantec provides a 64-bit version of the API library as well. The 64-bit API library provides support for the use of the 64-bit version of the EMC Event Enabler with Protection Engine. Windows does not allow a 64-bit process, like the 64-bit version of EMC Event Enabler, to load a 32-bit dll. If a 64-bit version of EMC Event Enabler is used, please check with EMC support to confirm that it includes the 64-bit Symantec API library.
- Install and license the latest build of Protection Engine 7.x for NAS on at least two computers which meet the system requirements.
- Assign virus checking rights.
- On each server that Protection Engine is installed on be sure to perform the following functions:
- Remove the Email Tools component of Symantec Endpoint Protection, if present
- Exclude the Protection Engine TEMP directory from all local file system utilities such as antivirus, backups, etc.
- Install and configure the Celerra Anti-Virus Agent (CAVA) on the Protection Engine servers
- Test the Protection Engine and CAVA functionality by accessing files
- Perform any fine tuning of Protection Engine and CAVA as needed
To identify the current location of the temporary scanning directory of Protection Engine
- In the Protection Engine interface, click Configuration> Resources
The folder which Protection Engine uses as a temporary folder for scanning appears in the field labeled 'Temporary directory for scanning:'
To perform initial configuration of Symantec Protection Engine 7.x for NAS
- Click Configuration > Protocol
- Click ICAP
- In the 'Port number' field, type: 1344
- Click Policies > Filtering > Container Handling
- In the 'Time to Extract file meets or exceeds' field, type: 30
- In the 'Maximum extract depth', type: 5
- Click Allow access to the file and generate a log entry
- Uncheck 'Deny partial containers'
- Uncheck 'Block malformed containers'
- Uncheck 'Delete encrypted containers'
- Click Policies> Files
- Uncheck 'Block files with the following names (one per line):'
- Uncheck 'Block files with the following sizes (one per line):'
- At the command line, navigate to the installation location of Protection Engine.
- At the command line, type the following command:
- Version 7.0.x:
java -jar xmlmodifier.jar -s /policies/Misc/HonorReadOnly/@value false policy.xml
- Version 7.5.x:
xmlmodifier.exe –s /policies/Misc/HonorReadOnly/@value false policy.xml
- Restart the Symantec Scan/Protection Engine service to make the changes effective.
EMC support site
Symantec is not responsible for content available on web sites maintained by other organizations or individuals.
About Container Handling limits
Most antivirus scanning products contain policies to limit the resources spent on scanning a single file. This prevents denial of service attacks with specially crafted malformed container files.
About 'Time to extract file meets or exceeds'
The timer for the 'Time to extract' setting begins when the actual scan of the file begins. This measure does not include time spent transmitting the scan request to Protection Engine, nor does it contain time spent in moving the file to the Protection Engine from the EMC Celerra server or other device. Within the EMC or CAVA settings, the scan timeout setting includes:
1. time spent sending the scan request to Protection Engine,
2. time spent copying the file to the Protection Engine,
3. time spent performing the actual scan of the file once it is local to Protection Engine,
4. and time spent copying a repaired file back to the EMC Celerra server or other device.
To accommodate the difference in what these timeout values actually measure, the timeout value within EMC or CAVA should be three times the value of the 'Time to extract file...' setting within the Protection Engine interface.
About 'Maximum extract depth'
This policy setting helps prevent 'zip of death' style denial of service attacks. A 'zip of death' denial of service attack is a .zip archive with directory pointers which form a circular structure, which may result in an attempt to extract the file forever. As you lower this number, you lower the maximum number of levels scanned within a container file, resulting in a more rapid, but possibly less thorough scan. As you raise this number, you also raise the maximum number of levels Protection Engine examines within a container, resulting in a slower, but more thorough scan. For initial testing, 5 to 10 levels will establish basic function. The maximum value for this setting is 1024. Tune this setting to meet the usage patterns of your environment.
Behavior of block actions specified within Protection Engine 7.x
CAVA sends a FILEMOD command, a policy of 'ScanRepairDelete', and a UNC path and filename to Protection Engine. The Protection Engine adheres to the policy provided by the CAVA connector, which overrides the policy in the Protection Engine web console on the Configuration> Protocol screen. The FILEMOD command of the ICAP protocol directs Protection Engine to scan the file and directly modify it in its current location. Returning a block access response is not possible for Protection Engine in these circumstances. Protection Engine will therefore directly delete the file and report the results of the scan to CAVA. For this reason, Symantec recommends that all Block actions be disabled in the web console for each Protection Engine server supporting a CAVA 3.6 connector.
About compatibility with Symantec Endpoint Protection:
The Email Tools component of Symantec Endpoint Protection is not recommended for Windows Server operating systems. For more, see: