http://blog.planetchopstick.com/2011/05/03/cava-consideratio...
12/8/2012 7:11
Download and install CAVA, your AV software, and the NAS Tools MMC files.
Provision your CAVA Windows servers, either physical or VMs. Install your AV software and then the CAVA agent on each machine. The CAVA install is very basic: next, next, next, finish. For our example I'll call the AV servers AV1 and AV2, with IPs of 10.1.1.1 and 10.1.1.2.
Viruschecker.conf settings
The viruschecker.conf file defines the Celerra virus-checking parameters for each Data Mover in the domain. Below is an example viruschecker.conf file: it lists the AV servers as well as the rules for what to scan. This is a common example of the file and can be customised.
maxthreadWaiting=40 (20 on each AV server)
CIFSserver=<CAVA CIFS server name> e.g. BOB
Addr=<IP addresses of AV engines separated by semicolons> e.g. 10.1.1.1:10.1.1.2
shutdown=viruschecking
excl=*.dwl:*.edb:*.fmb:*.fmt:*.fmx:*.frm:*.inp:*.ldb:*.ldf:*.mad:*.maf:*.mam:*.maq:*.mar:*.mat:*.mda:*.mdb:*.mde:*.mdf:*.mdn:*.mdw:*.mdz:*.ndf:*.ora:*.orc:*.ost:*.pst:*.sc:*.sqc:*.sql:*.sqr:*.stm:*.tar:*.tmp:*.zip:????????:*RECYCLER*
masks=*.386:*.ace:*.acm:*.acv:*.acx:*.add:*.ade:*.adp:*.adt:*.app:*.asd:*.asp:*.asx:*.avb:*.ax:*.ax?:*.bas:*.bat:*.bin:*.bo?:*.btm:*.cbt:*.cdr:*.cer:*.cfm:*.chm:*.cla:*.class:*.cmd:*.cnv:*.com:*.cpl:*.cpy:*.crt:*.csc:*.csh:*.css:*.dat:*.dbx:*.der:*.dev:*.dl?:*.dll:*.do?:*.do??:*.doc:*.docx:*.dot:*.drv:*.dvb:*.dwg:*.eml:*.exe:*.fon:*.fxp:*.gadget:*.gms:*.gvb:*.hlp:*.hta:*.htm:*.html:*.htt:*.htw:*.htx:*.im?:*.inf:*.ini:*.ins:*.ins:*.isp:*.its:*.js:*.js?:*.jse:*.jtd:*.lgp:*.lib:*.lnk:*.lnk:*.mad:*.maf:*.mag:*.mam:*.maq:*.mar:*.mas:*.mat:*.mau:*.mav:*.maw:*.mb?:*.mda:*.mdb:*.mde:*.mdt:*.mdw:*.mdz:*.mht:*.mhtm:*.mhtml:*.mod:*.mp?:*.mpd:*.mpp:*.mpt:*.mrc:*.ms?:*.msc:*.msg:*.msh:*.msh1:*.ksh:*.msh1xml:*.msh2:*.msh2xml:*.mshxml:*.msi:*.mso:*.msp:*.mst:*.nch:*.nws:*.obd:*.obj:*.obz:*.ocx:*.oft:*.olb:*.ole:*.ops:*.otm:*.ov?:*.pcd:*.pcd:*.pci:*.pdb:*.pdf:*.pdr:*.php:*.pif:*.pl:*.plg:*.pm:*.pnf:*.pnp:*.pot:*.pot:*.pp?:*.pp??:*.ppa:*.pps:*.pps:*.ppt:*.prc:*.prf:*.prg:*.ps1:*.ps1xml:*.ps2:*.ps2xml:*.psc2:*.pwz:*.qlb:*.qpw:*.reg:*.rtf:*.sbf:*.scf:*.sco:*.scr:*.sct:*.sh:*.shb:*.shs:*.sht:*.shtml:*.shw:*.sis:*.smm:*.swf:*.sys:*.td0:*.tlb:*.tmp:*.tsk:*.tsp:*.tt6:*.url:*.vb:*.vb?:*.vba:*.vbe:*.vbs:*.vbx:*.vom:*.vs?:*.vsd:*.vsmacros:*.vss:*.vst:*.vsw:*.vwp:*.vxd:*.vxe:*.wbk:*.wbt:*.wiz:*.wk?:*.wml:*.wms:*.wpc:*.wpd:*.ws:*.ws?:*.wsc:*.wsf:*.wsh:*.xl?:*.xl??:*.xla:*.xls:*.xlt:*.xlw:*.xml:*.xnk:*.xtp
nbthreads=128
As you can see, that's a large list. Always consult the antivirus vendor to determine exactly which file types cannot and/or should not be scanned by real-time network scanning, and what the workarounds are.
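A small linter for viruschecker.conf, added here as an example; it is not part of EMC's tooling or of this post. It assumes the key=value layout shown above, with ':' as the list separator, and the shutdown= values other than viruschecking are from my reading of the CAVA documentation rather than from this page. It flags the separator mistake raised in the comments below, duplicated patterns (the full list above repeats *.ins, *.lnk, *.pcd, *.pot and *.pps), and extensions that appear in both masks and excl (the full list has several, e.g. *.mda, *.mdb, *.mde, *.mdw, *.mdz and *.tmp), which matters because nobody on this page could say which of the two wins.

```python
"""Lint a Celerra/VNX viruschecker.conf before pushing it to a Data Mover.

Added example, not EMC code. Assumes key=value lines with ':'-separated lists.
"""
import re
from collections import Counter

# Constructed sample, modelled on the file in the post with shortened masks/excl lists.
SAMPLE_CONF = """\
maxthreadWaiting=40
CIFSserver=BOB
Addr=10.1.1.1:10.1.1.2
shutdown=viruschecking
excl=*.ldf:*.mdf:*.pst:*.tmp:*.zip:????????:*RECYCLER*
masks=*.bat:*.com:*.dll:*.doc:*.docx:*.exe:*.ins:*.ins:*.js:*.lnk:*.lnk:*.tmp:*.vbs
nbthreads=128
"""

IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
# Assumption: shutdown= accepts these three values; only 'viruschecking' appears in the post.
SHUTDOWN_VALUES = {"viruschecking", "cifs", "no"}


def parse_conf(text):
    """Return {key: value} with keys lower-cased (the post writes Addr and addr interchangeably)."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf


def lint_conf(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    findings = []

    # addr: AV engines are colon-separated; commas or semicolons are the mistake from the comments.
    addr = conf.get("addr", "")
    if not addr:
        findings.append("addr: missing; the Data Mover would have no AV servers to contact")
    elif re.search(r"[,; ]", addr):
        findings.append("addr: separate AV servers with ':' only, not ',' ';' or spaces")
    else:
        for ip in addr.split(":"):
            m = IPV4.match(ip)
            if not m or any(int(octet) > 255 for octet in m.groups()):
                findings.append(f"addr: {ip!r} is not a valid IPv4 address")

    sd = conf.get("shutdown", "")
    if sd not in SHUTDOWN_VALUES:
        findings.append(f"shutdown: unexpected value {sd!r}")

    # masks / excl: empty mask list, duplicated patterns, and patterns listed on both sides.
    masks = [p for p in conf.get("masks", "").split(":") if p]
    excl = [p for p in conf.get("excl", "").split(":") if p]
    if not masks:
        findings.append("masks: empty; no file type would be sent for scanning")
    for name, pats in (("masks", masks), ("excl", excl)):
        dups = sorted(p for p, n in Counter(pats).items() if n > 1)
        if dups:
            findings.append(f"{name}: duplicate patterns {dups}")
    both = sorted(set(masks) & set(excl))
    if both:
        findings.append(f"patterns in both masks and excl (precedence unclear): {both}")

    # thread counts must be positive integers
    for key in ("maxthreadwaiting", "nbthreads"):
        value = conf.get(key)
        if value is not None and not (value.isdigit() and int(value) > 0):
            findings.append(f"{key}: expected a positive integer, got {value!r}")
    return findings


if __name__ == "__main__":
    for finding in lint_conf(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Run it against the file you pulled with server_file server_x -get viruschecker.conf before you push an edited copy back; the parenthetical comments in the example above (such as "(20 on each AV server)") are commentary and must not be in the real file.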
That's about it for the installation and setup. There is a lot more detail in Using VNX Event Enabler, including command definitions and screenshots.
This is recommended over allowing virus checking to continue when no AV servers are available. If all the AV servers are offline for an extended period, files that meet the criteria for a virus check wait in the collector queue until an AV server comes back ONLINE. Files in the queue are locked to the user until the file is successfully scanned, and each scan request ties up a thread on the Data Mover, which can eventually exhaust all the Data Mover threads. Status ONLINE indicates successful communication between the VC client on the Data Mover, CAVA, and the 3rd-party antivirus software running on the AV server(s). To verify AV server status at any time, run the server_viruschk server_x command.
AV Server Workstations
1. Make sure all file types that are configured to meet the criteria for a virus check on the Data Mover can be checked on the AV servers. The 3rd-party antivirus "File Types" scan and exclude settings should match the viruschecker.conf settings. The VC client on the Data Mover should not be configured to trigger scan requests for file types that the AV server's antivirus software is not configured to scan.
2. For every AV vendor EXCEPT Trend Micro, install the AV engine first and then the CAVA agent. For Trend you have to install CAVA first, then the AV software. This has got us a few times.
3. AV servers should be strictly dedicated to CAVA use. They should NOT also be used for other Windows services such as a Domain Controller, DNS, WINS, backup server, CIFS client, etc. Each AV server should only run one 3rd-party antivirus product at a time.
4. The dedicated AV user domain account that the CAVA service starts under should always be configured so that the password doesn't expire. Make sure both the CAVA and 3rd-party software services on the CAVA server start using the AV user domain account, not a local Admin or local AV user account.
5. If the AV servers are managed by a group policy management package from the AV vendor, the AV servers should be managed in a separate policy, to safeguard the user, permissions, and scanning options required for Celerra virus checking with CAVA from regular workstation settings.
6. The AV server(s) should not be used for copy and/or scanning proof-of-concept testing. These tests should only be executed on the client side.
7. If an AV server is going to be temporarily or permanently removed, its IP address should be removed from the viruschecker.conf file before the CAVA service is shut down.
Datamover Considerations
1. CIFS should be completely configured, tested, and working before setting up virus checker. Before using Celerra virus checking in production, test the configuration to verify it is suitable for the environment by simulating a production load on the Data Mover(s).
2. Always ensure that the number of CIFS threads in use is greater than the number of virus checker threads.
3. Do not modify the param maxVCThreads= unless directed by Engineering/TS2.
4. VirusChecker can only be configured on a physical Data Mover using a regular CIFS server and NOT on a CIFS VDM server, since only the physical Data Mover root can host the CHECK$ share used for virus-checking operations.
Other Considerations
1. Monitor the server_log(s) and/or system log (/nas/log/sys_log) for "VC: highwater mark reached" (peak activity) entries. These messages may indicate the need for additional AV server(s).
2. Avoid using real-time network scanning of Celerra shares in addition to the Celerra virus checker feature. Client AV scanning should be disabled for Celerra CIFS shares, as scanning from both sides can result in sharing violations and impact performance.
3. Virus checker must be disabled during migrations. Files should be scanned prior to the migration or after it has completed. The virus checker solution assumes you are starting with a clean filesystem.
4. Care must be taken when sizing a virtual machine for a CAVA server. All sizing tools assume a physical machine.
5. Protecting data against viruses is a critical service, and you do not want to be in a position where other services running in different VMware machines starve it of resources. If this were to happen, the DART queue for scanning requests can build up, affecting file access. Hence the recommendation is to run CAVA in a non-VMware environment until substantial work is done to understand guidelines for CAVA running in a VMware environment.
I hope that helps someone out there. I'll try and create the troubleshooting post as soon as I can.
Cheers
Daniel
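For item 1 of the list above, the following is an added example of turning the "VC: highwater mark reached" entries into a capacity signal; it is not from the post or from EMC. The only thing taken from the page is the message text: the timestamp and Data Mover columns in the sample lines are a constructed layout, so adjust LOG_LINE to whatever server_log server_x actually prints on your release, and the burst threshold is an assumption to tune for your environment.

```python
"""Watch a Data Mover server_log for bursts of 'VC: highwater mark reached'.

Added example, not EMC tooling. The line layout is a constructed approximation.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <data mover> <message>".
SAMPLE_LOG = """\
2012-12-08 07:01:10 server_2 CIFS: share ACCOUNTS mounted
2012-12-08 07:05:41 server_2 VC: highwater mark reached
2012-12-08 07:06:02 server_2 VC: highwater mark reached
2012-12-08 07:40:19 server_2 VC: highwater mark reached
2012-12-08 09:12:00 server_2 VC: AV server 10.1.1.2 ONLINE
2012-12-08 09:15:33 server_2 VC: highwater mark reached
"""

LOG_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (.*)$")
HIGHWATER = "VC: highwater mark reached"  # message text from the post


def highwater_events(log_text):
    """Return (timestamp, data_mover) for every highwater entry, in log order."""
    events = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and HIGHWATER in m.group(3):
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return events


def peak_burst(events, window=timedelta(minutes=60)):
    """Largest number of highwater events that fall inside any single sliding window."""
    times = sorted(t for t, _ in events)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def needs_more_av_capacity(log_text, threshold=3, window=timedelta(minutes=60)):
    """True when the collector queue hit its high-water mark `threshold` times within one window.

    The threshold is an assumption: a single entry is just peak activity, a burst is the
    signal the post says may call for another AV server.
    """
    return peak_burst(highwater_events(log_text), window) >= threshold


if __name__ == "__main__":
    print("add AV capacity:", needs_more_av_capacity(SAMPLE_LOG))
```

Run it periodically against the saved output of server_log server_x (or /nas/log/sys_log) rather than on a single line: one highwater entry during a backup window is noise, three inside an hour on a normal day is the point at which the post suggests adding an AV server.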
17 Comments
1. Bill, May 25, 2011 at 12:53 pm
The EMC documentation says that for the viruscheckers.conf file, the list of AV servers should be separated by colons, but you have it set to be separated by commas?
2. danmoz, May 25, 2011 at 1:36 pm
Good pickup. I'll fix the post. Thanks.
3. Ed Johnson, July 26, 2011 at 3:33 am
Create the CAVA CIFS server? So it needs a separate CAVA CIFS server or just a CIFS server to run again? I am trying to learn and troubleshoot some issues on our system. We have 2 environments with CAVA; 1 keeps hitting high water marks on the Vnode. Each of the 2 has about the same amount of traffic and the same (3) number of CAVA servers. I noticed on the side that doesn't seem to have the issue a CIFS server called govAV01. Is there a command to see which CAVA CIFS server was set up to be used with each install? Thanks, Ed
4. danmoz, July 27, 2011 at 8:02 pm
Hi. You only need a separate CIFS server if you are using VDMs. Saying that, you should split them up; it's only going to cost you another IP address. There are two ways to see what config you are using: server_viruschk server_x will show you what AV servers you are connected to and if they are talking correctly, or look at the viruschecker.conf file to see your config. Use server_file server_x -get viruschecker.conf vc_file.conf and it will download the config file from the data mover and put it in the current working directory. If it's all running like a pig, support should help you out.
5. Dane, August 8, 2011 at 4:42 pm
Very thorough walkthrough of setting up CAVA. Thank you. I'm having some issues in my own setup where I can start up CAVA on the datamover and I get a ntStatus=Success. But after 30-60 secs I get the CONNECTION_DISCONNECTED. The AV engine never goes ONLINE. I'm thinking it's an issue with CAVA not connecting to the AV engine. I'm using McAfee. Do the McAfee services need to be started with the CAVA domain account?
6. danmoz, August 11, 2011 at 10:09 am
The CAVA service needs to run as the CAVA domain account, but you also have to make sure that the CAVA service starts after the McAfee service. You can do this by adding a dependency to the CAVA service. The full details are in the CAVA doco.
7. Bill, September 1, 2011 at 1:11 am
In the conf file, what takes precedence, the masks or excl? What is the purpose of including extensions in both of those values? Thanks.
8. Ed, September 7, 2011 at 8:25 am
Does a full file system scan (using -fsscan) honor the Masks list, or does it scan all files on the file system regardless?
9. danmoz, September 7, 2011 at 8:29 am
Yes it does honour the mask list.
10. danmoz, September 7, 2011 at 8:30 am
Good question and one I haven't even been able to get a straight answer on, which is why I always included both.
11. coolgoose19n, September 19, 2011 at 9:50 pm
Very good doc, thanks a lot for sharing it. I have a question: there are two CAVA Windows 2003 servers (running McAfee antivirus) connected to the OLD BOX (NS480). Now a new VNX box has to replace the NS480, and data replication is going. Can the OLD BOX (NS480) and the new VNX box share the same two CAVA Windows 2003 servers (running McAfee antivirus)? I think editing viruschecker.conf should work. Now the question is how do we move the two CAVA Windows 2003 servers (running McAfee antivirus) from the OLD BOX (NS480) to the new VNX box.
12. danmoz, September 20, 2011 at 4:38 pm
You can have both Celerras accessing the AV servers at the same time. Think of it as AVaaS (Anti Virus as a Service).
Trying to move the CAVA CIFS servers from the NS480 to the VNX will be far too much hassle because they run off the physical data mover and you can't just replicate it across. I recommend creating new CAVA servers on the new VNX and then just using the same viruschecker.conf file. Too easy Campese.
13. Craig, September 30, 2011 at 12:25 am
Any issues running CAVA on a 2008 server core install? I see some errors in the log when the AV server:
The VCAPS facility is enabled, but not configured. The EMC CAVA service will not process events for this facility.
The AUDIT facility is enabled, but not configured. The EMC CAVA service will not process events for this facility.
The CQM facility is enabled, but not configured. The EMC CAVA service will not process events for this facility.
The service starts, but not sure if these errors are significant or not. Any help would be appreciated. Craig
14. Mushtahir, October 29, 2011 at 6:21 pm
Hi, I was facing a problem with my Symantec scan engine: it was not scanning the files. The server was prepared by a Symantec partner and checked by Symantec. I contacted EMC and they told me to reinstall/configure the server; after reinstalling the server myself, it is working fine. Mr. Daniel's post helped me a lot. Now for a few days I am seeing some logs; would somebody please help me resolve this:
The CQM facility is enabled, but not configured. The EMC CAVA service will not process events for this facility. Possible Causes: The required vendor information is not present. Or a required component is not installed. Solutions: Check Endpoint entry in registry for CQM facility for vendor names. Install the needed component for the CQM facility if applicable and restart the EMC CAVA service.
15. Frank, December 29, 2011 at 5:59 pm
Hi danmoz, very good guideline for the CAVA stuff. Thank you for publishing. You mentioned that the CAVA service should start after the AV service (McAfee in your post). What about other engines like Sophos or Trend Micro?
16. Dave Grimshaw, March 22, 2012 at 1:45 am
A great, informative post, thanks. One point of note is that I see you have excluded ???????? as a file type from CAVA. This is potentially a real show-stopper, and I recommend changing it to >>>>>>>> instead. The problem with using ???????? is that a question mark will search for any character including a ".", therefore it will exclude abcd.doc as it will abc.docx, and neither would get scanned. Using >>>>>>>> instead of ???????? will only search for alphanumeric characters (1-0, a-z, A-Z), thus removing the problem (i.e. it would scan abcd.doc and abc.docx). There are also arguments over whether *.do* could be used to minimise your mask definition (as it would remove the requirement for *.do?, *.do??, *.doc and *.docx), but I guess that's more down to personal choice/business requirements.
17. Dave Grimshaw, March 22, 2012 at 1:49 am
I should add that >>>>>>>> is only available in the Unisphere releases of code.
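The wildcard point in comment 16 is easy to misjudge by eye, so here is an added example (mine, not Dave's or EMC's code) that applies the matching rules as that comment describes them: '*' matches any run of characters, '?' matches any single character including '.', and '>' matches a single alphanumeric character. Case-insensitive matching and full-name anchoring are assumptions, as Windows file names are case-insensitive. Because comments 7 and 10 leave the masks-versus-excl precedence unsettled, the code only reports which patterns match a name, not whether the file ends up scanned.

```python
"""Show how CAVA-style excl/masks wildcards match file names.

Added example, not EMC code; matching rules as described in comment 16 above.
"""
import re


def pattern_to_regex(pattern):
    """Translate one viruschecker.conf wildcard pattern into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")              # any run of characters
        elif ch == "?":
            parts.append(".")               # any single character, '.' included
        elif ch == ">":
            parts.append("[0-9A-Za-z]")     # single alphanumeric character (Unisphere releases)
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matching_patterns(patterns, filename):
    """Return every pattern in the list that matches the whole file name, in list order."""
    return [p for p in patterns if pattern_to_regex(p).match(filename)]


def first_match(patterns, filename):
    hits = matching_patterns(patterns, filename)
    return hits[0] if hits else None


# Constructed sample names: the two from the comment plus a few others.
SAMPLE_FILES = ["abcd.doc", "abc.docx", "ABCD1234", "report.doc", "invoice.pdf", "setup.exe"]


def excluded_by(excl, files):
    """Map each file name to the excl pattern that would exclude it (None if no pattern matches)."""
    return {f: first_match(excl, f) for f in files}


if __name__ == "__main__":
    print("excl=????????:", excluded_by(["????????"], SAMPLE_FILES))
    print("excl=>>>>>>>>:", excluded_by([">>>>>>>>"], SAMPLE_FILES))
```

With excl=???????? both abcd.doc and abc.docx are excluded, exactly the show-stopper the comment describes; with >>>>>>>> only the extensionless ABCD1234 is. The same helper answers the *.do* question: every sample name matched by *.do?, *.do??, *.doc or *.docx is also matched by *.do*, so the shorter mask is a superset of the four.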
Trackbacks
1. CAVA troubleshooting | Planetchopstick
2. Understanding the EMC VNX/Celerra AntiVirus Agent (CAVA): Part 2 Common Errors | Thulin' Around