Antivirus architecture

https://library.netapp.com/ecmdocs/ECMP1366831/html/GUID-B3C81454-E0F2-49E8-AA2C-316F5E782607.html

To configure virus scanning successfully, you must be aware of the external virus-scanning components (also known as Vscan server components), the components of the system running clustered Data ONTAP, and how these components relate to each other in the antivirus architecture.

Components of the Vscan server

Clustered Data ONTAP Antivirus Connector
The Antivirus Connector is installed on the Vscan server to provide communication between the system running clustered Data ONTAP and the Vscan server.
Antivirus software
The antivirus software is installed and configured on the Vscan server to scan the files for any viruses or any other malicious data. The antivirus software must be compliant with clustered Data ONTAP. You must also specify the remedial actions to be taken on the infected files in this software. You can install this software based on the vendor.

Components of the system running clustered Data ONTAP

Scanner pool
A scanner pool is used to validate and manage the connection between the Vscan servers and the Storage Virtual Machine (SVM). You can create a scanner pool for an SVM and define the list of Vscan servers and privileged users that can access and connect to that SVM.

You can also specify a scan request and scan response timeout period. If the scan response to a scan request is not received within this timeout period, then the scan request is sent to an alternative Vscan server, if available.

Scanner policy
A scanner policy defines when the scanner pool is active. A Vscan server is allowed to connect to an SVM only if its IP address and privileged user are part of the active scanner pool list for that SVM.
Note: The scanner policies are all system defined and you cannot create a customized scanner policy.

A scanner policy can have one of the following values:

  • Primary: The scanner pool is always active.
  • Secondary: The scanner pool becomes active only when none of the primary Vscan servers are connected.
  • Idle: The scanner pool is always inactive.

On-access policy
An on-access policy defines the scope of scanning when a client accesses files. You can specify the maximum size of files to be considered for virus scanning, as well as the file extensions and paths to be excluded from scanning. You can also choose one or more filters from the available set of filters to define the scope of scanning.

The following filters are available:

  • scan-mandatory: Enables mandatory scan. File access will be denied if there are no external virus-scanning servers available for virus scanning.
  • scan-ro-volume: Also enables scanning of read-only volumes.
  • scan-execute-access: Scans only files opened with execute-access (CIFS only).

    Files opened with execute-access (open with execute intent) are different from the execute permission on the file.

You can also choose not to use any of the filters by setting this parameter to "-". This will cause file accesses to be allowed even if the files are not scanned. Also, only read-write volumes are considered for scanning.

Vscan file-operations profile
The Vscan file-operations profile (-vscan-fileop-profile) parameter defines which action on the CIFS share can trigger virus scanning. You must configure this parameter while creating or modifying a CIFS share.

This parameter can have one of the following values:

  • no-scan: Virus scans are never triggered for this share.
  • standard: Virus scans can be triggered by open, close, and rename operations.

    This is the default profile.

  • strict: Virus scans can be triggered by open, read, close, and rename operations.
  • writes-only: Virus scans can be triggered only when a file that has been modified is closed.
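
The rules above (scanner policy, on-access filters, and file-operations profile) combine into a fail-open or fail-closed outcome for each client access. The following Python sketch is an added example, not NetApp code: it is a simplified model of the rules on this page, and the names `Access`, `active_servers`, `decide`, the order of the checks, and the sample IP addresses are assumptions made for illustration.

```python
from dataclasses import dataclass

# Operations that can trigger a scan for each -vscan-fileop-profile value.
PROFILE_TRIGGERS = {
    "no-scan": set(),
    "standard": {"open", "close", "rename"},
    "strict": {"open", "read", "close", "rename"},
    "writes-only": {"close"},  # and only if the file was modified
}

@dataclass
class Access:  # hypothetical record of one client file operation
    op: str
    path: str
    size: int
    modified: bool = False
    execute_intent: bool = False
    volume_rw: bool = True

def active_servers(pools):
    """pools: list of (scanner policy, connected Vscan server IPs)."""
    primary = [ip for policy, ips in pools if policy == "primary" for ip in ips]
    if primary:
        return primary
    # Secondary pools activate only when no primary server is connected; idle never.
    return [ip for policy, ips in pools if policy == "secondary" for ip in ips]

def decide(acc, profile, filters, pools, max_size, excl_ext=(), excl_paths=()):
    """Return 'scan', 'allow-unscanned' or 'deny'. Check order is an assumption."""
    if acc.op not in PROFILE_TRIGGERS[profile]:
        return "allow-unscanned"
    if profile == "writes-only" and not acc.modified:
        return "allow-unscanned"
    out_of_scope = (acc.size > max_size
                    or acc.path.lower().endswith(tuple(excl_ext))
                    or acc.path.startswith(tuple(excl_paths)))
    if out_of_scope or (not acc.volume_rw and "scan-ro-volume" not in filters):
        return "allow-unscanned"
    if "scan-execute-access" in filters and not acc.execute_intent:
        return "allow-unscanned"
    if active_servers(pools):
        return "scan"
    return "deny" if "scan-mandatory" in filters else "allow-unscanned"

if __name__ == "__main__":
    doc = Access("open", "/vol1/report.docx", 4096)  # constructed sample
    down = [("primary", []), ("secondary", []), ("idle", ["192.0.2.30"])]
    print(decide(doc, "standard", {"scan-mandatory"}, down, 10**6))
    print(decide(doc, "standard", set(), down, 10**6))
```

In this model, the only combination that blocks access when no Vscan server is reachable is a share whose profile triggers on the operation together with the scan-mandatory filter; every other path lets the file through unscanned.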

The following diagram shows the antivirus architecture and its relation with the Vscan server components:


Original article: https://www.cnblogs.com/dhcn/p/15766091.html