By Thomas Hanvey
The Sun ZFS Storage Appliance from Oracle features a built-in scanning service that can communicate with external virus scanning engines to ensure protection against the threat of viruses and other malware on the appliance's CIFS or NFS shared volumes.
This article describes the installation and configuration of Sophos Anti-Virus software on Microsoft Windows, Linux, and UNIX operating systems for use as a virus scan engine with the Sun ZFS Storage Appliance VSCAN service.
Efficient protection of electronic data against threats from malware is as important to an enterprise as a comprehensive backup/restore and disaster recovery process. Computer viruses, phishing, adware, and spyware can put electronic data at risk of being manipulated or destroyed, impact the operation and availability of data services, and result in unwanted disclosure of information and exposure to unsolicited content. The ability to protect content in electronic data repositories against corruption by malicious software and the ability to isolate and dispose of files that impose potential risks are essential components of any enterprise’s data protection strategy.
The Sun ZFS Storage Appliance provides protection against computer viruses using an integrated on-demand virus scanning service called VSCAN. The VSCAN service is based on the Internet Content Adaptation Protocol (ICAP) and works together with an external virus scanning engine, which, for performance and security reasons, should be running on another host located on the same LAN segment as the Sun ZFS Storage Appliance. The solution described in this paper uses Sophos Anti-Virus software as the external virus scanning engine.
Sophos Anti-Virus analyzes any files in question for suspicious patterns and passes the scan results back to the VSCAN service. Based on the scan result, VSCAN makes the file accessible to users or blocks access by quarantining the file. A file quarantined by the VSCAN service is not accessible to users regardless of the access protocol used (CIFS or NFS).
When virus scanning is enabled on a populated volume, a scan is not initiated across all files. Instead, the VSCAN service initiates a request for a virus scan to the virus scanning engine (in this case, Sophos Anti-Virus) each time a "file open" or a "file close" request is issued. Thus, only files that are created, modified, or opened for read operations are scanned.
This approach ensures efficiency in that files are only scanned on demand. However, it does not support a pre-emptive scan of file system contents. A second limitation is that only shares using access protocols that issue "file open" and "file close" requests, such as CIFS and NFS v4, are candidates for virus protection using the VSCAN service. A share that is published using NFS v3 cannot be scanned using VSCAN because NFS v3 does not issue the "file open" or "file close" requests that trigger the ICAP client.
Note: As an alternative, a share can be scanned by mounting or mapping it to a host server running a Sophos client and then scanning it locally.
The VSCAN service maintains several file attributes that it uses when processing the results of a scan. These attributes describe:
modifiedattribute, which the file system sets when the file has been changed or renamed. After a successful scan of a file, the VSCAN service clears the
A file is scanned when a "file open" or "file close" request is initiated and one of the following is true:
scanstampof the file does not match the virus pattern and scan options (
ISTagstring) specified in the current configuration of the virus scan engine.
modifiedattribute of the file is not cleared.
The VSCAN service communicates with the virus scan engine using ICAP. The Sun ZFS Storage Appliance acts as an ICAP client and the virus scan engine acts as the ICAP server. When the ICAP client requests that a file be scanned, the file is transmitted without encryption to the ICAP server for analysis.
While a request to scan a file is being fulfilled by the ICAP server, access to the file is denied. The user privileges defined in the access control list (ACL) for the file are irrelevant as long as the ICAP client is waiting for the ICAP server to respond.
Note: To avoid data becoming unavailable when a virus scan engine does not respond to ICAP requests, we recommend that you configure the VSCAN service to use two virus scan engines.
An ICAP server does not require registration or authentication with an ICAP client to serve scan requests. However, if the virus scan engine is registered, connection issues are logged in the log file
/var/ak/logs/system.sys on the Sun ZFS Storage Appliance (a corresponding entry is not created in the GUI-based log for the VSCAN service).
Figure 1 shows the interaction between an ICAP client and an ICAP server when a NAS client requests access to data on a virus-protected share of the Sun ZFS Storage Appliance. The workflow comprises five steps initiated by a request from the NAS client to access a file on a shared volume using NSF v4 or CIFS protocol. The file is scanned by the ICAP server and then, assuming no viruses are detected requiring quarantine, it is delivered to the NAS client.
Figure 1. Virus Scanning Workflow on the Sun ZFS Storage Appliance Using ICAP and VSCAN with the Sophos Anti-Virus Software
The Sophos Anti-Virus software offers high performance scanning of files for malware viruses. It can protect data stored on a network file storage system from viruses and spyware with a single scan. Sophos uses the same anti-virus engine in Sun ZFS storage systems as it does for all Sophos protection--across servers, gateways, and endpoints.
The Sophos Anti-Virus Dynamic Interface (SAVDI) enables Sun ZFS storage systems to integrate with the Sophos anti-virus engine using the industry standard ICAP interface. Scanning is carried out intelligently. The Sophos engine recognizes the file type even if a file has an incorrect file extension, ensuring all infect-able files are scanned. The engine also detects if a file is unchanged since a previous scan, allowing it to scan only those files that need to be scanned.
Sophos Anti-Virus runs on a wide array of versions of Windows, Linux, and UNIX operating systems providing a range of options for protecting data on Sun ZFS Storage Appliances. The software is easy to set up and supports failover and load balancing if required. Updates to protect against new malware are small, frequent, and automatic, providing protection with minimal impact on the system or administrator.
The procedures in this section describe how to install and configure the Sophos Anti-Virus software on a Sun ZFS Storage Appliance.
To install and configure the Sophos Anti-Virus software on Microsoft Windows, complete these steps:
savdid.conf, and restart the service.
When the Sophos anti-virus engine is not registered as a Windows service, SAVDI can be run interactively as a server from the command line using these commands:
net stop savdid
savdid.exe -l -c savdid.conf
-c option specifies the configuration file to use in place of the default configuration file. The
-l option causes messages to be output to the console rather than using the logging mechanism configured in
Note: In this mode,
savdid.exe can be stopped by using CTRL+C.
If required, you can reinstall SAVDI as a service and run it non-interactively using the commands below:
net start savdid
Once the SAVDI service is running, test it with a sample application to see if you need to change any configuration settings, such as the TCP/IP port or host name.
To install and configure the Sophos Anti-Virus software on a Linux or other UNIX platform, complete the procedure below. Installing Sophos Anti-Virus provides:
Complete these steps:
root, run the install script. The script installs the Sophos Anti-Virus software and tests the installation.
./savdid -l -c savdid.conf
savdidto send the log to the terminal. The
-c savdid.confoption tells
savdidto use the specified configuration file.
savdidwith a sample application.
To enable virus protection for files on a volume of a Sun ZFS Storage Appliance, you will first configure and start the VSCAN daemon and then enable virus scanning for the shares to be scanned as described in these steps:
Figure 2. Selecting the Virus Scan Service to Configure the VSCAN Daemon
Figure 3. Configuring the Host(s) for the Scanning Engine(s)
If this is the first time the service has been started, a prompt is displayed to enable the service, as shown in Figure 4.
Figure 4. Enabling the Virus Scanning Service
The drop-down dialog shown in Figure 5 allows you to view ICAP or VSCAN log activity. The ICAP log shows connectivity to the ICAP server and the VSCAN log shows virus scan activity.
Figure 5. Selecting a Virus Scan Log to View
Figure 6. Selecting a Share to Access Its Properties
Figure 7. Enabling Virus Scanning for a Share
Note: Virus scanning can be enabled at the project level for multiple shares.
Using Sophos Anti-Virus with the Sun ZFS Storage Appliance provides a scalable and reliable virus scanning solution for protecting valuable data stored on network attached storage devices. Some of the key benefits to using this solution are that you can offload the burden of scanning the files onto the the ZFSSA, thereby reducing network traffic, while taking advantage of the ZFSSA's hardware to perform scanning of files.
This solution lets you move the file scanning task to the Sun ZFS Storage Appliance, reducing network traffic, while taking advantage of the Sun ZFS Storage Appliance’s integrated VSCAN virus scanning service to manage disposition of files based on scan results from Sophos Anti-Virus.
The solution has been certified by Sophos and Oracle to detect viruses, worms, and Trojan horses in files of all major file types, including mobile code and compressed file formats, ensuring fast virus resolution to reduce the risk of financial, data, and productivity loss.
For more information, visit the Web resources listed in Table 1.Table 1: Web Resources for Further Information
|Web Resource Description||Web Resource URL|
|Sun Unified Storage Web page||http://www.oracle.com/us/products/servers-storage/storage/unified-storage/index.html|
|Sophos Web site||http://www.sophos.com|
|Sophos product reviews||http://www.sophos.com/products/reviews/|
|Revision 1, 06/08/2011|