
CAVA Considerations and basic setup | Planetchopstick

http://blog.planetchopstick.com/2011/05/03/cava-consideratio...


CAVA Considerations and basic setup


May 3, 2011 | Celerra, EMC, VNX | CAVA, configuration

This is the second post out of 3 about CAVA on the Celerra/VNX File.

1. What is CAVA?
2. CAVA Considerations and basic setup (this post)
3. CAVA troubleshooting (which is really why I am doing this)

Between the first post and this one EMC has released the new VNX range to replace the CLARiiON and Celerra. So the new version of the Celerra is called VNX File and they have dropped the name Celerra, which is a shame. So from now on I will use VNX File instead of Celerra. This post is a mash of my own notes and quotes from the doco.

CAVA is part of the CEE or VEE framework, which is a mix of APIs, agents and events that enable things like quota management, antivirus and auditing on the VNX File. Mainly it's for partners and 3rd party apps to interface with the Celer, umm, VNX. Bah, this is going to be a hard habit to break. How much do you care about it? Well, if you are just trying to run CAVA then not much, just note that all the CAVA downloads on Powerlink are in the VNX Event Enabler pack. At the time of writing you can still get it via Home > Support > Software Downloads and Licencing > Downloads C > Celerra Anti Virus Agent (CAVA) but that might change when the VNX name starts taking over. The download is an ISO and about 120MB. This includes both the 32 and 64bit versions. I have never understood why they weren't individual downloads. Powerlink is a bit slow at the best of times outside the US, and it's excruciatingly slow over a 3G card at a customer's site when you forgot to download it before you got to site and you only have 3 hours to finish the job. But I would never do that *cough*.

Another tool you need is the Celerra MMC on the NAS Tools CD. You will get this as part of your delivery of software when the hardware turns up. Just install that on some machine that you can run it with heightened permissions (domain admin). If you can't find the software then you can download it from Powerlink at Home > Support > Product and Diagnostic Tools > Celerra Tools > NS-960 and get the Celerra Network Server Version 5.6.48.7 Applications and Tools CD (277MB). That's right, 227MB and from it you want a 2MB file. Handy Hint: don't misplace the CDs. This version still works fine with the VNX.

What do you need:

- A downloaded copy of the VEE Celerra install
- Minimum 2 x Windows Servers to run the AV engine software (McAfee, Symantec etc).
- A Windows Domain service account to run the AV process and access files on the Velerra.
- Velerra NAS Tools Microsoft Management Console (MMC)
- A CIFS server on the data mover NOT in a VDM.
- A configured and installed viruschecker.conf file.

As far as I can tell, even though the names have changed, all these steps are the same for Celerra and VNX. So onto the install. All of these steps are available in more detail in the Using VNX Event Enabler documentation available on Powerlink. This includes detailed instructions on installing and configuring antivirus engines like McAfee and Sophos. Because of this I won't go into too much detail, just highlight the steps.


Download and install CAVA, your AV software and the NAS Tools MMC files

Provision your CAVA Windows servers, either physical or VMs. Install your AV software and then the CAVA agent on each machine. The CAVA install is very basic: next, next, next, finish. For our example I'll call the AV servers AV1 and AV2 with IPs of 10.1.1.1 and 10.1.1.2.

Create the CAVA CIFS server


This is the easy bit: you just need a CIFS server on the data mover with an IP address. That's it. It doesn't need storage but it must be on the physical data mover and not in a VDM. For our example I'll call my CIFS server BOB; it's on server_2 with an IP of 10.1.1.10.

Create the Domain User Account and grant access


The CAVA installation requires a Windows user account that is recognised by Celerra Data Movers as having the EMC virus-checking privilege. This user account enables the Data Mover to distinguish CAVA requests from all other client requests. To accomplish this, you should create a new domain user, assign to this user the EMC virus-checking right locally on the Data Mover, and run the CAVA service in this user context. For our example I will call the user CAVAservice.

Using compmgmt.msc and browsing to the CAVA CIFS server (BOB), create a new local group called Viruscheckers and add the CAVAservice user to it. While you are there, add the user to the local administrators group on the CAVA AV servers and the CAVA CIFS servers.

Using the NAS MMC, browse to the BOB server and add the Viruscheckers group to the EMC Virus Checking section. If you don't have this, CAVA no worky.

Finally, you need to change the CAVA service on the AV servers to run as the CAVAservice user. You can do this via services.

Viruschecker.conf settings
The viruschecker.conf file defines the Celerra virus-checking parameters for each Data Mover in the domain. Below is an example viruschecker.conf configuration file. It lists the AV servers as well as the rules for what to scan. This is a common example of the file and can be customised.

maxthreadWaiting=40 (20 on each AV server)
CIFSserver=<CAVA CIFS server name> eg. BOB
Addr=<IP addresses of AV engines separated by colons> eg 10.1.1.1:10.1.1.2
shutdown=viruschecking
excl=*.dwl:*.edb:*.fmb:*.fmt:*.fmx:*.frm:*.inp:*.ldb:*.ldf:*.mad:*.maf:*.mam:*.maq:*.mar:*.mat:*.mda:*.mdb:*.mde:*.mdf:*.mdn:*.mdw:*.mdz:*.ndf:*.ora:*.orc:*.ost:*.pst:*.sc:*.sqc:*.sql:*.sqr:*.stm:*.tar:*.tmp:*.zip:????????:*RECYCLER*
masks=*.386:*.ace:*.acm:*.acv:*.acx:*.add:*.ade:*.adp:*.adt:*.app:*.asd:*.asp:*.asx:*.avb:*.ax:*.ax?:*.bas:*.bat:*.bin:*.bo?:*.btm:*.cbt:*.cdr:*.cer:*.cfm:*.chm:*.cla:*.class:*.cmd:*.cnv:*.com:*.cpl:*.cpy:*.crt:*.csc:*.csh:*.css:*.dat:*.dbx:*.der:*.dev:*.dl?:*.dll:*.do?:*.do??:*.doc:*.docx:*.dot:*.drv:*.dvb:*.dwg:*.eml:*.exe:*.fon:*.fxp:*.gadget:*.gms:*.gvb:*.hlp:*.hta:*.htm:*.html:*.htt:*.htw:*.htx:*.im?:*.inf:*.ini:*.ins:*.ins:*.isp:*.its:*.js:*.js?:*.jse:*.jtd:*.lgp:*.lib:*.lnk:*.lnk:*.mad:*.maf:*.mag:*.mam:*.maq:*.mar:*.mas:*.mat:*.mau:*.mav:*.maw:*.mb?:*.mda:*.mdb:*.mde:*.mdt:*.mdw:*.mdz:*.mht:*.mhtm:*.mhtml:*.mod:*.mp?:*.mpd:*.mpp:*.mpt:*.mrc:*.ms?:*.msc:*.msg:*.msh:*.msh1:*.ksh:*.msh1xml:*.msh2:*.msh2xml:*.mshxml:*.msi:*.mso:*.msp:*.mst:*.nch:*.nws:*.obd:*.obj:*.obz:*.ocx:*.oft:*.olb:*.ole:*.ops:*.otm:*.ov?:*.pcd:*.pcd:*.pci:*.pdb:*.pdf:*.pdr:*.php:*.pif:*.pl:*.plg:*.pm:*.pnf:*.pnp:*.pot:*.pot:*.pp?:*.pp??:*.ppa:*.pps:*.pps:*.ppt:*.prc:*.prf:*.prg:*.ps1:*.ps1xml:*.ps2:*.ps2xml:*.psc2:*.pwz:*.qlb:*.qpw:*.reg:*.rtf:*.sbf:*.scf:*.sco:*.scr:*.sct:*.sh:*.shb:*.shs:*.sht:*.shtml:*.shw:*.sis:*.smm:*.swf:*.sys:*.td0:*.tlb:*.tmp:*.tsk:*.tsp:*.tt6:*.url:*.vb:*.vb?:*.vba:*.vbe:*.vbs:*.vbx:*.vom:*.vs?:*.vsd:*.vsmacros:*.vss:*.vst:*.vsw:*.vwp:*.vxd:*.vxe:*.wbk:*.wbt:*.wiz:*.wk?:*.wml:*.wms:*.wpc:*.wpd:*.ws:*.ws?:*.wsc:*.wsf:*.wsh:*.xl?:*.xl??:*.xla:*.xls:*.xlt:*.xlw:*.xml:*.xnk:*.xtp
nbthreads=128

You can see that's a large list. Always consult with the antivirus vendor to determine exactly which file types cannot and/or should not be scanned in real-time network scanning and what the workarounds are.

Upload the viruschecker.conf to the data mover


There are three ways of getting the viruschecker.conf file to the data mover.

1. Use server_file server_2 -put viruschecker.conf viruschecker.conf. Think of that command like an FTP: you have to have the file on the control station and it's called viruschecker.conf.
2. You can create the viruschecker.conf file on your Windows machine and then copy it to \\BOB\c$\.etc\viruschecker.conf
3. Use the NAS MMC to generate the file and it will save it to the right location.

Start the CAVA service on the data mover.


There are two ways of doing this:

1. Use the NAS MMC to start the service.
2. Run server_setup server_2 -P viruschk -o start=32. The 32 is the number of CIFS threads you want to use; 32 is the default.


Check to make sure the sucker is running!


Seems obvious but is often overlooked, especially because the normal behaviour is that if something is wrong, the viruschecking service is stopped and then the Velerra goes about its normal business. What problem? I don't see no stinking problem. I'll go into it more in the troubleshooting post but, like everything else Velerra, always run server_log server_2 before you do anything else. If there is anything wrong it will pop up there. If you don't see anything suspicious then use the server_viruschk commands to see if it's scanning:

server_viruschk server_2
server_viruschk server_2 -audit

Thats about it for the installation and setup. There is a lot more detail in Using VNX Event Enabler including command definitions and screenshots.

VNX File CAVA Considerations


Below are some considerations when setting up and deploying CAVA.

Virus Checker Configuration File Considerations
(Filename viruschecker.conf, resides on the Data Mover)

01 The mask= parameter can greatly impact virus checking performance. It is recommended that you do not use mask=*.* since this setting scans all files. Many file types cannot harbor viruses; therefore, mask=*.* is not an efficient setting. Most AV engines do not scan all file types. Also, scans of file types with an unknown extension will result in the entire file being scanned, increasing network bandwidth and resources.
02 It is recommended that .pst and other similar container files be left out of the scanning queues for the Celerra AV functionality to work properly. McAfee and Symantec do not scan Outlook .pst files and recommend excluding them from scans. Either scan at desktop level or use Exchange server specific products or Exchange client snap-ins. This is good advice for other AV products as well.
03 It is recommended that you do not set up real-time scanning of databases. Accessing a database usually triggers a high number of scans, which in turn can cause a large amount of lag. To ensure that your database files are virus free, you should schedule regular scans for times when the database is not in use. You can schedule scans through your AV engine. See knowledgebase article emc60746 for specific extensions that should be excluded.
04 Most AV vendors recommend excluding real-time network scanning of compressed and/or archive files. Scanning compressed or archive files requires a lot of system resources. In order to scan a compressed or archive file, the AV software must extract the file to a temporary location, scan it, and then replace the file. This functionality requires RAM, drive space, and CPU, thereby degrading the overall performance of the server.
05 Depending on the 3rd party AV package, contents of compressed and/or recursively zipped files may or may not be supported for scanning in real-time for network shares. If the vendor does not support scanning compressed files or recursively zipped files in real-time, or if scanning of compressed files is not enabled, they should be excluded from scans.
06 Due to known issues with antivirus software compatibility with Microsoft Excel and MS Project software, add the following 8 characters ???????? to the exclude list as a workaround.
07 This is to avoid a timing or deadlock issue with the 8 character temporary file that is created when files are saved or modified. (For more information refer to knowledgebase article emc60253.)
08 For maximum protection antivirus software vendors suggest scanning all executable files and files that contain executable code. For maximum performance and to reduce network bandwidth and resources, exclude file types that do not contain executable code. Always consult your antivirus vendor for the latest information.
09 Recommend that the shutdown= setting in the viruschecker.conf file is configured to shutdown=viruschecking. This is the action to take when the VC client on the Data Mover does its routine polling to determine which AV servers are in ONLINE status and what action to take if it cannot find any ONLINE AV servers. An alert should be configured when this action is triggered for notification and to get the AV servers functioning again. To protect the server during the timeframe the virus checking service was offline, run a manual scan or use the scan on first read feature.
10 This is recommended over allowing virus checking to continue when no AV servers are available. If all the AV servers are offline for an extended period of time, the file types that meet the criteria for a virus check will wait in the collector queue until an AV server comes back ONLINE. The files in the queue are locked to the user until the file is successfully scanned. Each scan request ties up a thread on the Data Mover, which can eventually exhaust all the Data Mover threads over a period of time. Status ONLINE indicates successful communications between the VC client on the Data Mover, CAVA, and the 3rd party antivirus software running on the AV server(s). To verify AV server(s) status at any given time run the server_viruschk server_x command.

AV Server Workstations

1 Make sure all file types that are configured to meet the criteria for a virus check on the Data Mover can be checked on the AV servers. 3rd party antivirus File Types scan and exclude settings should match the viruschecker.conf file settings. The VC client on the Data Mover should not be configured to trigger scan requests for file types that the AV server's antivirus software is not configured to scan.
2 For every AV vendor EXCEPT Trend Micro, you need to install the AV engine first, before the CAVA agent. For Trend you have to install CAVA first, then the AV software. This has got us a few times.
3 AV servers should be strictly dedicated for CAVA use only. They should NOT also be used for other Windows services such as a Domain Controller, DNS, WINS, backup server, CIFS client, etc. Each AV server should only be running one 3rd party antivirus software product at a time.
4 The dedicated AV user domain account that the CAVA service starts under should always be configured so that the password doesn't expire. Make sure both the CAVA and 3rd party software services on the CAVA server are starting using the AV user domain account, and not a local Admin or AV user account.
5 If the AV servers are managed by a group policy management software package from the AV vendor, the AV servers should be managed in a separate policy to safeguard the required user, permissions, and scanning options required for Celerra virus checking with CAVA from regular workstation settings.
6 The AV server(s) should not be used for copy and/or scanning proof of concept testing. These tests should only be executed on the client side.
7 If an AV server is going to be temporarily or permanently removed, then its IP address should be removed from the viruschecker.conf file before the CAVA service is shut down.

Datamover Considerations

1 CIFS should be completely configured, tested, and working before setting up virus checker. Before using Celerra virus checking for production use, test the configuration to verify it is suitable for the environment by simulating a production load on the Data Mover(s).
2 Always ensure that the number of CIFS threads used is greater than the number of virus checker threads.
3 Do not modify the param maxVCThreads= unless directed by Engineering/TS2.
4 VirusChecker can only be configured on a physical Data Mover using a regular CIFS Server and NOT on a CIFS VDM Server, since only the physical data mover root can host the CHECK$ share used for viruschecking operations.
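As an added example (my own, not EMC's or the blog author's code), here is a small Python checker that parses a viruschecker.conf in the key=value format shown above and flags the settings the configuration-file and Datamover considerations warn about (mask=*.*, missing ???????? and container exclusions, shutdown=, colon-separated addr, and CIFS threads not exceeding virus checker threads). The sample config is constructed for the demo, and the thread counts are passed in as assumptions since they are not part of the file.

```python
"""Sanity-check a CAVA viruschecker.conf against the considerations above.

Added example, not EMC or Planetchopstick code. It parses the key=value
format shown in the post (addr, excl and masks are colon-separated lists)
and flags settings the post warns about. The sample config is constructed.
"""
import ipaddress

# Constructed sample with a deliberate masks=*.* and a missing *.zip exclusion.
SAMPLE_CONF = """\
CIFSserver=BOB
addr=10.1.1.1:10.1.1.2
shutdown=viruschecking
masks=*.*
excl=*.pst:*.mdb:????????:*RECYCLER*
nbthreads=128
"""

LIST_KEYS = {"addr", "excl", "masks"}
# Container, archive and database types the post says to keep out of real-time scans.
CONTAINER_TYPES = ("*.pst", "*.zip", "*.mdb")


def parse_conf(text):
    """Return {key.lower(): value}; list keys are split on ':' like the real file."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        conf[key] = [v for v in value.split(":") if v] if key in LIST_KEYS else value
    return conf


def check_conf(conf, cifs_threads=None, vc_threads=None):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    masks, excl = conf.get("masks", []), conf.get("excl", [])
    if "*.*" in masks:
        findings.append("masks=*.* scans every file type; list executable types instead")
    if "????????" not in excl:
        findings.append("excl lacks ???????? (Excel/Project temp-file workaround)")
    for ext in CONTAINER_TYPES:
        if ext not in excl:
            findings.append(f"{ext} not in excl; container/archive/database files "
                            "should not be scanned in real time")
    if conf.get("shutdown", "").replace(" ", "") != "viruschecking":
        findings.append("shutdown should be viruschecking so scanning stops "
                        "when no AV server is ONLINE")
    if not conf.get("cifsserver"):
        findings.append("CIFSserver is missing; CAVA needs a CIFS server on the physical Data Mover")
    addrs = conf.get("addr", [])
    for a in addrs:
        if "," in a or ";" in a:
            findings.append(f"addr entry {a!r}: separate AV servers with ':' not ',' or ';'")
            continue
        try:
            ipaddress.ip_address(a)
        except ValueError:
            findings.append(f"addr entry {a!r} is not a valid IP address")
    if len(addrs) < 2:
        findings.append("fewer than two AV servers in addr; the post calls for a minimum of two")
    # Datamover consideration 2: CIFS threads must exceed virus checker threads.
    if cifs_threads is not None and vc_threads is not None and cifs_threads <= vc_threads:
        findings.append(f"CIFS threads ({cifs_threads}) must be greater than "
                        f"virus checker threads ({vc_threads})")
    return findings


if __name__ == "__main__":
    # Assumed thread counts: the default start=32 virus checker threads vs 32 CIFS threads.
    for f in check_conf(parse_conf(SAMPLE_CONF), cifs_threads=32, vc_threads=32):
        print("WARN:", f)
```

Run it against the file pulled back with server_file server_x -get viruschecker.conf before starting the service, and again after removing an AV server's IP.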

Other Considerations

1 Monitor the server_log(s) and/or system log (/nas/log/sys_log) for "VC: highwater mark reached" (peak activity) entries. These messages may indicate the need for additional AV server(s).
2 Avoid using real-time network scanning of Celerra shares in addition to the Celerra virus checker feature. Client AV scanning should be disabled for Celerra CIFS shares, as it could result in sharing violations and impact performance.
3 Virus checker must be disabled during migrations. Files should be scanned prior to the migration or after it's completed. The virus checker solution assumes you are starting with a clean filesystem.
4 Care must be taken when sizing a virtual machine for a CAVA server. All sizing tools assume a physical machine.
5 Protecting data against viruses is a critical service and you do not want to be in a position where other services running in different VMware machines starve it for resources. If this were to happen then the DART queue for scanning requests can build up, thus affecting file access. Hence the recommendation will be to run CAVA in a non-VMware environment until substantial work is done to understand guidelines for CAVA running in a VMware environment.

I hope that helps someone out there. I'll try and create the troubleshooting post as soon as I can.

Cheers
Daniel


17 Comments

1.

Bill May 25, 2011 at 12:53 pm The EMC documentation says that for the viruscheckers.conf file, the list of AV servers should be separated by colons, but you have it set to be separated by commas?

2.

danmoz May 25, 2011 at 1:36 pm Good pickup. I'll fix the post. Thanks

3.

Ed Johnson July 26, 2011 at 3:33 am Create the CAVA CIFS server? So it needs a separate Cava CIF server or just a CIF Server to run again? I am trying to learn and troubleshoot some issues on our system. We have 2 environments with Cava, 1 keeps hitting high water marks on the Vnode, each of the 2 has about the same amount of traffic and the same (3) number of Cava servers. I noticed on the side that doesn't seem to have the issue a CIF Server called govAV01. Is there a command to see which CAVA CIFS server was setup to be used with each install? Thanks Ed

4.

danmoz July 27, 2011 at 8:02 pm Hi. You only need a separate CIFS server if you are using VDMs. Saying that, you should split them up, it's only going to cost you another IP address. There are two ways to see what config you are using: server_viruschk server_x will show you what AV servers you are connected to and if they are talking correctly; look at the viruschecker.conf file to see your config. Use server_file server_x -get viruschecker.conf vc_file.conf and it will download the config file from the data mover and put it in the current working directory. If it's all running like a pig, support should help you out.

5.

Dane August 8, 2011 at 4:42 pm Very thorough walkthrough of setting up CAVA. Thank you. I'm having some issues in my own setup where I can start up CAVA on the datamover and I get a ntStatus=Success. But after 30-60 secs I get the CONNECTION_DISCONNECTED. The AV engine never goes ONLINE. I'm thinking it's an issue with CAVA not connecting to the AV engine. I'm using McAfee. Do the McAfee services need to be started with the CAVA domain account?

6.

danmoz August 11, 2011 at 10:09 am The CAVA service needs to run as the CAVA domain account, but you also have to make sure that the CAVA service starts after the McAfee service. You can do this by adding a dependency with the CAVA service. The full details are in the CAVA doco.


7.

Bill September 1, 2011 at 1:11 am In the conf file, what takes precedence, the masks or excl? What's the purpose of including extensions in both of those values? Thanks.

8.

Ed September 7, 2011 at 8:25 am Does a full file system scan (using -fsscan) honor the Masks list, or does it scan all files on the file system regardless?

9.

danmoz September 7, 2011 at 8:29 am Yes it does honour the mask list.

10.

danmoz September 7, 2011 at 8:30 am Good question and one I haven't even been able to get a straight answer on, which is why I always included both

11.

coolgoose19n September 19, 2011 at 9:50 pm Very good doc., thanks a lot for sharing it. I have a question: there are two CAVA Windows 2003 servers (running McAfee antivirus) connected to the OLD BOX (NS480). Now a new VNX box has to replace the NS480; data replication is going. Can the OLD BOX (NS480) and the new VNX box share the same two CAVA Windows 2003 servers (running McAfee antivirus)? I think editing viruschecker.conf should work. Now the question is how do we move the two CAVA Windows 2003 servers (running McAfee antivirus) from the OLD BOX (NS480) to the new VNX box.

12.

danmoz September 20, 2011 at 4:38 pm You can have both Celerras accessing the AV servers at the same time. Think of it as AVaaS (Anti Virus as a Service).

Trying to move the CAVA CIFS servers from the NS480 to the VNX will be far too much hassle because they run off the physical data mover and you can't just replicate it across. I recommend creating new CAVA servers on the new VNX and then just using the same viruschecker.conf file. Too easy Campese.

13.

CRaig September 30, 2011 at 12:25 am Any issues running CAVA on a 2008 server core install? I see some errors in the log when the AV server:

The VCAPS facility is enabled, but not configured. The EMC CAVA service will not process events for this facility.
The AUDIT facility is enabled, but not configured. The EMC CAVA service will not process events for this facility.
The CQM facility is enabled, but not configured. The EMC CAVA service will not process events for this facility.

The service starts, but not sure if these errors are significant or not. Any help would be appreciated. Craig


14.

Mushtahir October 29, 2011 at 6:21 pm Hi, I was facing a problem with my Symantec scan engine, it was not scanning the files. The server was prepared by a Symantec partner and checked by Symantec. I contacted EMC and they informed me to reinstall/configure the server; after reinstalling the server by myself, it is working fine. Mr. Daniel's post helped me a lot. Now since a few days I am seeing some logs, would somebody please help how to resolve this:

The CQM facility is enabled, but not configured. The EMC CAVA service will not process events for this facility. Possible Causes: The required vendor information is not present. Or a required component is not installed. Solutions: Check Endpoint entry in registry for CQM facility for vendor names. Install the needed component for the CQM facility if applicable and restart the EMC CAVA service.

15.

Frank December 29, 2011 at 5:59 pm Hi danmoz, very good guideline for the cava stuff. Thank you for publishing. You mentioned that the cava service should start after the av service (McAfee in your post). What about other engines like Sophos or Trend Micro?

16.

Dave Grimshaw March 22, 2012 at 1:45 am A great, informative post, thanks. One point of note is that I see you have excluded ???????? as a file type from Cava. This is potentially a real show-stopper, and I recommend changing it to >>>>>>>> instead. The problem with using ???????? is that a question mark will search for any character including a ".", therefore it will exclude abcd.doc as it will abc.docx and neither would get scanned. Using >>>>>>>> instead of ???????? will only search for alpha-numeric characters (1-0, a-z, A-Z), thus removing the problem (i.e. it would scan abcd.doc and abc.docx). There are also arguments over whether *.do* could be used to minimise your mask definition (as it would remove the requirement for *.do?, *.do??, *.doc and *.docx), but I guess that's more down to personal choice/business requirements.

17.

Dave Grimshaw March 22, 2012 at 1:49 am I should add that >>>>>>>> is only available in the Unisphere releases of code..

Trackbacks

1. CAVA troubleshooting | Planetchopstick
2. Understanding the EMC VNX/Celerra AntiVirus Agent (CAVA): Part 2 Common Errors | Thulin' Around
