We use McAfee for NetApp v7.1 currently.
We have assigned a VM box with a 1gb connection to each filer. Each
filer also has secondary connections configured over normal Production
interfaces to non-primary servers. This mesh ensures no disruptions
if the primary drops its connection. We have mandatory_scan=yes.

Some issues we ran into:

1. 7.1 has no upgrade path that I know of. Our server/desktop
   environment is supported via EPO, and in the latest release (4.0)
   there is no support for the 7.1 NetApp agent. This means we will need
   to manually manage the AV settings outside of the normal process.
2. Bug with resetting the LAD date on Excel files. Fixed with:
   priv set diag; setflag smb_ignore_vscan_set_mtime 1; priv set
3. Bug with resetting the LAD on manual scans. Fixed with a patch from
   McAfee (can't remember the #).
4. Random service crashes/stops/hangs on the AV servers. Can't determine
   an exact cause, but each filer will lose connection. Happens randomly
   about twice a week across 16 filers. Having secondary_scanners
   enabled helps with the problem.

Regards,
Scott

From: thelastman@gmail.com
Sent by: owner-toasters@mathworks.com
Date: 07/11/2008 02:14 PM
To: Grant.Warkentin
cc: Mark.Neis, toasters
Subject: Re: CIFS virus scan

I'm looking to deploy some Windows homedir filers with virus scan
protection. I'm curious what people think of McAfee's product.
-Blake

On Fri, Jul 11, 2008 at 10:47 AM, Warkentin, Grant <Grant.Warkentin@calgary.ca> wrote:
> We currently use eTrust Antivirus 8.1 from Computer Associates.
> Using two HP DL 380's as virus scanners (redundancy and load balancing).
> The product works pretty good but does tend to have some odd issues.
>
> 1. Sometimes complaining that it cannot update the virus definitions.
>    - This situation caused a denial of service to CIFS files on the
>      filer a couple of times (even with "vscan options mandatory_scan = off").
>    - This DOS happened with version 7.
>    - Have upgraded to version 8, the update issue just re-occurred yesterday.
>    - Mitigation: we have a *NIX script that monitors the filer's syslog.
>      If the script detects that one of the virus scanners has
>      disconnected, the script issues a "vscan off" command to the filer.
>      Usually a reboot of the scanner box that is having problems fixes
>      this. I have found when this starts happening, I need to go look
>      for a driver update on CA's site and get it installed. When the
>      newer driver is installed, the problem goes away for several months.
>
> 2. Configuration options are limited.
>    - Cannot exclude files that are greater than $Size.
>      - Old version had problems scanning big files. 100 meg or so.
>        PPT files were especially bad.
>      - New version has similar issues. Have had to exclude .zip .tar
>        .rar as well as .ppt from scanning. Run Norton corporate AV on
>        the desktops which limits our exposure slightly.
>    - Alerting is difficult to configure - product is very noisy by default.
>
> 3. Product also complains about being unable to scan files when it's
>    trying to scan things like Microsoft Word droppings - those ~file.tmp
>    files that Office creates. The weird thing is that it only complains
>    about this once in a while. When it does complain, it complains a lot.
>    The error message is also odd too, something like "File Infected
>    with <space character> detected".
>
> Overall, the product works okay. If I have my say, I would prefer
> using something else.
> Our organization bought it because it was cheap. You get what you
> pay for.
>
> PS.
> Current vscan options
> vscan options timeout: 10 sec
> vscan options abort_timeout: 10000 sec
> vscan options mandatory_scan off
> vscan options client_msgbox off
>
> -----Original Message-----
> From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Neis, Mark
> Sent: Friday, July 11, 2008 9:42 AM
> To: toasters@mathworks.com
> Subject: CIFS virus scan
>
> Hi guys,
>
>
> We have been using the Symantec scan engine for NetApp for several
> years now, but we've met more and more problems as of late. As the
> next license upgrade will be due in a couple of months, that might
> be a good opportunity to replace it by a different brand altogether.
>
> Hence my question to the list:
> Which antivirus product do you use and how satisfied are you with it?
>
>
> Kind regards,
> Mark Neis
>
> --
>
> Mark Neis
> System Administrator
> GISA GmbH
> Chemnitztalstr. 13
> D-09114 Chemnitz
> Tel. +49.(0)371.482.6737
> Fax +49.(0)345.585.100.6737