Symantec Scan Engine 5.2 does not scan some files when installed on Windows 2008
Last Updated December 04, 2013
After installing and running Symantec Scan Engine on Windows 2008 with the EMC CAVA agent (version 22.214.171.124) against an EMC Celerra server (version 5.6.48), some files are not scanned by the Scan Engine when users copy them over the NAS; the unscanned files are nonetheless written to the shares.
Both the Celerra NAS server and the Windows Server 2008 host use SMB2, rather than SMB1 as Windows Server 2003 does.
When reviewing the Celerra server logs you see 'ACCESS_DENIED' returned when the VC (VirusChecker) requested the file for scanning, as in the example below.
Log on to the Celerra NAS server and run the following command:
server_logs 'Data Mover Name'
2010-06-16 23:19:32: VC: 3: 32: Server '126.96.36.199' returned error 'ACCESS_DENIED' when checking file '\root_vdm_1\path_to_the _file\eicar.com'
As a result, the Scan Engine does not scan the requested file, and the file is copied to the share unscanned.
One of the changes in Windows Server 2008 is that SMB version 2.0 is enabled by default. One of the features of SMB2 is the client redirector caches.
The solution is to disable these caches when using SMB2, or to disable SMB2 altogether. To disable the Microsoft redirector caches:
1. Open the Registry Editor on the Symantec Scan Engine server.
2. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanworkstation\Parameters.
3. Create the entry "DirectoryCacheLifetime" and set it to "0".
4. Create the entry "FileInfoCacheLifetime" and set it to "0".
5. Create the entry "FileNotFoundCacheLifetime" and set it to "0".
6. Close the Registry Editor and restart the server.
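The registry steps above, as an added PowerShell example (not from the Symantec article): run in an elevated session on the Scan Engine host, it reports the current state of the three redirector cache lifetimes and, with -Apply, sets each to 0; the parameter name and output format are this example's own.

```powershell
# Added example: audit and optionally disable the SMB2 client redirector caches
# (DirectoryCacheLifetime, FileInfoCacheLifetime, FileNotFoundCacheLifetime).
# Assumes an elevated PowerShell session; a reboot (or restart of the
# LanmanWorkstation service) is still required after the values change.
param(
    [switch]$Apply   # without -Apply the script only reports the current values
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$cacheValues = 'DirectoryCacheLifetime', 'FileInfoCacheLifetime', 'FileNotFoundCacheLifetime'

foreach ($name in $cacheValues) {
    # A missing value means the Windows default lifetime applies, i.e. the cache is active.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) {
        $state = 'not set (Windows default applies, cache enabled)'
    } elseif ($current -eq 0) {
        $state = 'disabled'
    } else {
        $state = "enabled, lifetime $current seconds"
    }
    Write-Host ("{0,-28} {1}" -f $name, $state)

    if ($Apply -and $current -ne 0) {
        # New-ItemProperty creates the DWORD if it is missing; -Force overwrites an existing value.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Host ("{0,-28} set to 0" -f $name)
    }
}

if ($Apply) {
    Write-Host 'Restart the server (or the LanmanWorkstation service) for the change to take effect.'
}
```

Run it without -Apply first to record the pre-change state, since the Microsoft note below warns that these lifetimes affect SMB client performance.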
Note: similar behavior occurs on the Celerra NAS itself (fixed in version 5.6.49).
EMC reference: emc238805
Virus is not detected on a Nested Mount File System (NMFS).
Error message in server_log: VC: 3: 32: Server '188.8.131.52' returned error 'ACCESS_DENIED' when checking file '\root_vdm_1\nmfs_long_mountpoint\FileSystem_long_mountpoint\eicar.com'
With the release of SMB 2.0 in Windows Vista® and Windows Server 2008, three file metadata caches were implemented to speed up the return of the most recently accessed file and directory information. These caches also reduce the number of interactions a client requires with an SMB server for common file browsing operations. This has value in a scenario such as a client browsing a network file directory while connected over a low-bandwidth or high-latency connection. For common network file browsing scenarios, the default values are sufficient and should not be altered. Changing these cache timeout values can have significant performance implications for many network file scenarios. As each of these caches is designed to reduce the number of SMB server requests, they are important not only for client response time, but also for overall SMB server scalability and performance.
Useful commands on the Celerra NAS:
To check which SMB version is in use, log on to the NAS as nasadmin and run the following command: server_cifs 'Data Mover Name'
Example: server_cifs server_2
256 Cifs threads started
Security mode = NT
Max protocol = NT1
I18N mode = UNICODE
Home Directory Shares DISABLED
Usermapper auto broadcast enabled
etc...
NT1 means that SMB1 is configured and in use.
You can set the SMB2 protocol manually by running: