Virus scanning overview

Antivirus Administration Guide for Hitachi NAS Platform

Part Number

The server itself does not perform any scanning of the files, but rather provides a connection with configured Virus Scan Engines on the network:

You can configure multiple Virus Scan Engines to enhance both the performance and to maintain high-availability of the server. If a Virus Scan Engine fails during a virus scan, the storage server automatically redirects the scan to another Virus Scan Engine.

The server maintains a list of file types, the Inclusion List, that allows the administrator to control which files are scanned (for example, .exe, .dll, .doc, and so forth). The default Inclusion List includes most file types commonly affected by viruses.

When virus scanning is enabled, the server must receive notification from a Virus Scan Engine that a file is clean before allowing access to the file. As a result, if virus scanning is enabled and there are no Virus Scan Engines available to service the virus scans, CIFS clients may experience a temporary loss of data access. To ensure maximum accessibility of data, configure multiple Virus Scan Engines to service each EVS on which virus scanning has been enabled.

If virus scanning is temporarily disabled, files continue to be marked as needing to be scanned. In this way, if virus scanning is re-enabled, files that were changed are re-scanned the next time they are accessed by a CIFS client.

The Hitachi NAS platforms storage systems proactively submit files for scanning to the scan engine (SAVSE) on both read (open) and changes and modifications associated with a write (close). If a file has not been verified by a virus scan engine as clean, it will need to be scanned before it can be accessed. However, scanning for viruses when a client is trying to access the file can take time (on read only). To reduce this latency, files are automatically queued to be scanned as soon as they are created or modified, and then closed (on writes). Queued files are scanned promptly, expediting the detection of viruses in new or modified files and making it unlikely that a virus infected file will remain dormant on the system for a long period of time.

Virus Scanning statistics for the storage server (in 10-second time slices) are available for activity since the previous reboot or since the point when statistics were last reset.

Note: When a virus is detected, a severe event is placed in the Event Log, identifying the path of the infected file and the IP address of the infected machine. For information on accessing the event log, see the Server and Cluster Administration Guide.

You can also set a list of file types on a file system that will be excluded from being sent for scanning by antivirus servers. With an exclusion list you can scan all files except those with certain file extensions, for example, those containing application data. This helps reduce the load on the virus scanning engines and network.

As with the inclusion list, the exclusion list will support wildcarding. The exclusion list is configurable using the command line interface.