
Redbooks Paper

IBM System Storage N series Antivirus Scanning Best Practices Guide


Introduction
IBM System Storage N series solutions include integrated antivirus functionality to protect corporate data from computer viruses. The combined solutions are designed to detect and prevent the spreading of malicious virus code before data is compromised. The antivirus architecture for the N series is designed to protect data accessed by Microsoft Windows software-based clients or other clients that access data with the Common Internet File System (CIFS) protocol. This architecture also protects against viruses by initiating scans on content downloaded from the Internet. N series systems offload the antivirus scanning activity to antivirus (AV) servers for maximum scalability and performance. Best-of-breed antivirus solutions are available from Symantec, McAfee, Trend Micro, and Computer Associates. These solutions augment the existing antivirus infrastructures that companies use and deploy today. This IBM Redpaper describes the integrated antivirus architectures for the System Storage N series. It also presents several best practices for deploying these solutions.

Copyright IBM Corp. 2005, 2007. All rights reserved.

ibm.com/redbooks

N series antivirus solution overview


There are two common approaches to scanning data and Internet content:
- Scan internal data files and Internet content for viruses at scheduled intervals.
- Scan files on-the-fly as they are read, created, or modified.

The latter of the two approaches is more effective at detecting viruses before they are able to compromise data. Moreover, the scanning process occurs on an as-needed basis and thus minimizes the server and network loads observed during intensive file system scans.

Integrated antivirus solutions for the N series help protect your data and systems from malicious virus code by scanning files on access (as they are accessed) and during the download process. The N series antivirus solution uses an authenticated CIFS connection and Remote Procedure Calls (RPCs) to communicate with the antivirus scanning servers. This solution employs the HTTP-based Internet Content Adaptation Protocol (ICAP) when interacting with ICAP antivirus servers.

CIFS and ICAP are industry standard protocols with features that are best suited for their respective applications:
- CIFS provides a secure, authenticated connection and supports byte-range reads. Byte-range reads streamline the scanning process, resulting in quicker file access.
- ICAP provides RPC-like functionality for HTTP-based services and supports a wide variety of applications that offload specialized tasks such as virus scanning.

N series antivirus scanning


Without integrated antivirus functionality, customers can quickly recover from virus incidents by using the built-in Snapshot technology inherent in the Write Anywhere File Layout (WAFL) file system. If there is a virus incident, users can recover files from their read-only ~snapshot folders in minutes. Viruses cannot infect files in Snapshot copies because Snapshot copies and data are read only. Because Snapshot activities are commonly scheduled in weekly, daily, and hourly intervals, backups are automatic, and the drag-and-drop recovery is immediate and simple. To detect and stop viruses before they reach the file system, antivirus functionality is integrated into Data ONTAP, the N series microkernel. N series with integrated antivirus software provides additional protection against viruses with files that are accessed from Windows and CIFS/Server Message Block protocol clients. Integrated antivirus software is available from Symantec, McAfee, TrendMicro, and Computer Associates. The virus scanning activity is not apparent to users and occurs before the file is committed to disk (write requests) or delivered to the requesting user or application (read requests). Antivirus scanning servers register with the N series using RPCs and either a Microsoft Windows NT Local Area Network (LAN) Manager (NTLM) connection or a Kerberos-authenticated CIFS connection, depending on the Windows domain, Active Directory, and so on. Multiple antivirus scanning servers can be configured to register with the same N series storage system or with multiple N series storage systems for redundancy and performance. When multiple antivirus servers are deployed, the N series storage systems automatically distribute the scanning activity with a round robin load-balancing scheme. The N series initiates scans by sending a scan command to the scanning servers and waiting for a reply for files that are created, changed, and opened for read access. These files must also meet the following criteria:


- The file extension is included in the list of to-be-scanned file types.
- The file has not already been marked as previously scanned, and no changes have occurred to the file.

The diagram in Figure 1 illustrates the basic steps that occur during the scanning process.

[Figure 1 diagram; labels: client desktop, appliance (N series storage), AntiVirus server. File access is blocked until virus scan is completed.]

Steps shown in the figure:
1. User requests food.doc from storage
2. Verifies that food.doc has not been scanned and checks for the extension list
3. Notifies the AV server of the file to be scanned
4. Finds a virus and repairs, deletes, or quarantines the file
5. AV server apprises appliance of result
6. Appliance prepares answer
7. Reply to client

Intelligent approach:
- Caches the previous scanned status
- Only a portion of file is sent for virus scan
- Ability to send user notification when virus is found
- Scalable architecture: many N series storage systems can share a pool of AV scanners

Bottom line:
- Secure, authenticated, private CIFS connection
- Scalable and efficient on-access AV scanning
- Choice of AV products

Figure 1 N series integrated virus scanning

When a user tries to open, create, or change a file that matches the scanning criteria, such as an .exe file, N series notifies a registered antivirus server and provides the path of the file to scan. The antivirus server opens a connection to the file and checks the file for a known virus signature or virus-like behavior. The scanning engine then notifies the N series storage system of the results. If no virus is found, the client can open the requested file. If a virus is found, the antivirus software either quarantines the file or removes the virus. See "When a virus is found" for a description of quarantine and virus removal. After the files are safely scanned, the N series storage system keeps track of recently scanned files in memory. This improves performance by minimizing redundant scanning activity. The scanning process takes a few milliseconds for most files. It might take several seconds for more complex files such as .zip or .cab files that can contain many other files. Until the file has been successfully scanned or the virus has been removed from it, the user or application is not permitted to open or rename the file. The antivirus software can also be configured to quarantine files and not allow access until an administrator examines the data and makes a decision.

When a virus is found


The action that is taken on an infected file is not determined by the N series storage system. The settings that affect how a virus is handled are determined by the administrator and stored as part of the antivirus software configuration. If it is determined that a file is infected, the virus software typically takes one of two actions. It either quarantines the file or it disinfects the file by removing the virus code and writing a new file. Table 1 summarizes the differences.


Table 1 Scanning configuration

Scanning configuration | Action
Quarantine the file | The antivirus scanner quarantines the file in its present location or moves it to a special location, and the N series denies the client access. The administrator must take action.
Disinfect the file | The antivirus software removes the virus and notifies the N series when the file is clean. The N series then allows the client to open the requested file.

Note: If the administrator configures the virus software to quarantine a suspected file, the user sees an access denied message and will be unable to open or create the requested file. The administrator must then take action to restore a previous version of the file or disinfect the file with antivirus software.

Updating virus definitions


Antivirus definitions are databases that contain information that is used to identify viruses.
Antivirus scanning engines are designed to identify specific viruses using these definitions and by recognizing characterized behavior. Antivirus software vendors release a new virus definition (database) for their software products when they find new viruses. These vendor-specific database definitions are used by antivirus software to identify known viruses or virus-like behavior. When information about a specific virus is included in a virus definition, it is said to be a known virus. When a new virus definition becomes available, the definition update might occur automatically through the Internet or it might be installed by an administrator. In either case, when a new definition is applied, the virus software notifies the N series that a new definition exists. The list of previously scanned files is then flushed, and all subsequent file accesses are scanned with the new virus definition. These actions ensure that new viruses are properly identified and removed by the virus software.

Defining scanning criteria


The N series can be configured to exclude certain files based on their extensions so that those files are not scanned. For example, it might not be necessary to scan graphics files such as .jpg or .bmp files because they do not contain executable code. The N series scanning servers do not scan any files that are on the exclude list. Antivirus software vendors suggest scanning all executable files or files that contain executable code. There are many types of executable files. For example, binary executable files have the .exe and .com extensions. There are also executable scripts such as .vbs (for Visual Basic) and .bat (for batch) files. Dynamic loadable modules are files with the .dll extension that contain executable code used by the Microsoft Windows family of operating systems and applications. And, some applications store executable commands in the form of macros within their files or documents. By default, the file types listed in Table 2 are scanned for maximum protection. However, administrators can easily customize the default scanning criteria if they want to include or exclude specific types of files.


Table 2 Default file types for scanning

??_ ARJ LZH POT GZ? WPD DOT BIN MD? VS?
MPT CSC JS? CAB MPP BAT RTF HT? OV? CL
OFT VBS DL? PIF ASP DRV POT EXE EML MD?
IM? WPD RAR GMS MPP PPL? WXD CDR WBK COM
MSO DOC SHS INI HLP XL? OLE MSG SCR DL?
SYS IM?I XL? OCX SMM XML SWF VS? VXD

Use the N series console or the console window of the Web-based FilerView graphic user interface (GUI) to modify the list of extensions.

Examples
Use the following example commands to add or remove extensions from the list of files to scan on the include list. Example 1 shows how to add extensions on the include list.
Example 1 Add extensions

    N series> vscan extensions include add txt

Example 2 shows how to remove extensions on the include list.


Example 2 Remove extensions

    N series> vscan extensions include remove jpg, gif

The following example commands can be used to exclude extensions from the list of files to scan on the exclude list. Example 3 shows how to add extensions to the exclude list.
Example 3 Adding extensions to the exclude list

    N series> vscan extensions exclude add doc

Example 4 shows how to remove extensions on the exclude list.


Example 4 Removing extensions from the exclude list

    N series> vscan extensions exclude remove jpg, gif

Performance considerations
Virus scanning occurs between the client's request for the file and the response from the N series storage system. This process results in latency of less than one millisecond (ms) to many seconds and largely depends on the type of file. However, the amount of input/output (I/O) between the N series storage system and antivirus server is much smaller in proportion to the data served between the N series and N series clients. This is because the scanning algorithms often only need to examine a small portion of a file to determine if it is infected, because viruses attach themselves to easily identified locations within different file types.

A number of integral features are designed to maximize performance:
- The on-access architecture eliminates the need to perform time consuming, resource intensive scans of entire volumes.
- The N series storage system maintains a list of already scanned files to reduce or eliminate redundant scans.
- The scanning algorithms vary by file type and often scan only a small portion of many files.

Using the integrated N series and antivirus solutions, the performance difference in most cases is measured in milliseconds. Therefore, the entire scanning process might not be perceivable by most users. During periods of heavy use, the difference might be more noticeable (in seconds), particularly if users are opening large .cab or .zip files that contain many other files that might have to be extracted and scanned. Moreover, it takes time to completely remove a virus from an infected file.

Performance varies according to the file types and the speed of the antivirus server, N series storage system, and network. A difference in throughput of up to 10% and a 15% increase in response time on unscanned files are not unusual when virus scanning is enabled on a busy N series storage system. For example, 10 ms response times increase to almost 12 ms.

Network connectivity
Network connectivity between the N series storage system and the antivirus server must consist of at least a 100 Megabyte Ethernet connection. However, Gigabit Ethernet (1000 MB) networking is preferable. Connecting through an Ethernet switch, a crossover, or a direct connection are all options. Directly connected or private connections between the N series storage system and each antivirus server provide a clean network. If you are connecting through an Ethernet switch, use a dedicated switch or configure a virtual LAN (VLAN) to separate traffic traveling through the switch.

Important: The network between the N series storage system and the antivirus scanning server must be clean and free of other traffic. Contention on the N series antivirus server segment can hinder scanning activity and adversely affect the N series response to clients.

Figure 2 and Figure 3 illustrate the different methods that can be used to provide connectivity between an N series storage system and its antivirus servers.


[Figure 2 diagram; label: AV Servers]
- A dedicated network switch or direct network connections can be used.
- If the direct-connect method is used, a network interface card (NIC) is required for every connection between the AV servers and the N series.

Figure 2 Connectivity methods

Figure 3 shows the multi-network configuration.

[Figure 3 diagram; label: AV Servers]
- Direct network connections (no switch) become complicated when using multiple N series and multiple AV servers together.
- A dedicated switch guarantees better security and optimal performance.
- Every filer and AV server require a minimum of two NICs.

Figure 3 Multinetwork configuration


Note: Each direct connection between an N series storage system and associated antivirus server or servers requires a dedicated Network Interface Card (NIC) in each computer, for each connection. Moreover, the filer and antivirus servers need connectivity to the corporate network for administration purposes and virus definition updates.

N series and antivirus server authentication


The connection between the N series and its antivirus scanning servers is a trusted connection. Several mechanisms are in place to prevent unauthorized access to the scanning server:
- Scanning servers are subject to authentication and must be members of the backup operators group on the N series storage system.
- Scanning servers register by RPC with the N series storage system.
- The antivirus server provides file system, console, and login security.

In addition, locating the antivirus servers in a secure data center that is adjacent to the N series storage system provides optimal protection. Administrators should secure all network equipment and servers from unauthorized physical access.

Usage profiles
The N series model and capacity are not as important as the way the data is used. The number of scans that occur is a direct result of how many different files are opened or changed in a unit of time. Generally, a larger capacity N series system that is supporting more users will result in higher scanning activity, but the total scans per hour does not necessarily scale with the number of users. There is no direct correlation with the N series capacity and the scanning load. The number of scans per hour is a result of how users access and manipulate data, because only users that access files trigger virus scans.

Antivirus server hardware


Table 3 shows the minimum system requirements for each antivirus server.
Table 3 System requirements

Antivirus server | Requirement
CPU speed | 2.6 GHz or greater
RAM | 1 GB
Hard disk size | 9 GB
Network interface card | 100/1000 MB Ethernet

Many inexpensive tower case or 1U rack-mounted computers are available that are qualified to run Windows NT or Windows 2000 and antivirus software. You can learn more about these computers at:
http://www.ibm.com/support/us/


You can find more information about the specific system requirements for the antivirus software at the vendor Web sites. The limiting performance factor with antivirus scanners is the processing frequency. The quantity of virus scan requests that the antivirus scanners can process greatly depends on their processor speed. Antivirus scanners with the highest processing speed are advisable.

Multiple antivirus servers and multiple N series storage system units


Although it is not necessary, at least two antivirus servers for redundancy and higher availability are recommended. During normal operation, the N series storage system automatically balances the load between multiple antivirus servers.

Antivirus server failures


If one or more scanning servers (Windows computers that run the antivirus software) fail or are unavailable, the N series storage system times out the connection to the unresponsive scanning servers and continues to use the remaining scanning servers. The default time out period is 12 seconds. If no scanning servers are available, the administrator can configure the N series in one of two ways:
- Resume file access without virus scanning
- Deny all file access

In all cases, the antivirus servers automatically contact and register themselves with their associated N series storage system when they are back online. When this occurs, the N series resumes normal operation with virus scanning enabled.

N series Internet content antivirus scanning


N series storage systems can deliver accelerated content management, content manipulation, streaming, proxy, and traffic monitoring functionality in a single system. They can provide industry leading support for best-of-breed applications that extend functionality and increase scalability by offloading specialized processes to other computers. N series storage systems use ICAP (the industry standard) to communicate with ICAP-enabled antivirus servers. The antivirus servers scan and disinfect incoming content before caching (storing) the content and delivering it to users. Client browser applications can be configured to use an N series storage system as a proxy, or the N series storage system can be deployed so that it is not apparent to the user.

Application servers
Many collaborative mail and database applications, such as the Microsoft Exchange Server, use a different type of antivirus product. These antivirus products run on the application or database server and scan the contents of e-mail attachments, for example, that are being written to the mail database or mail files. The N series on-access solution is designed to scan files accessed by Windows clients. Consult with the specific database, antivirus vendors, or both for e-mail and database-specific solutions.


Network File System clients


Data accessed by UNIX and Network File System (NFS) clients is not supported at the time of this publication and does not trigger a virus scan of a requested file. The risk of virus attacks is low for UNIX and NFS data because few viruses target platforms other than Windows.

Antivirus vendors
The N series storage system can use antivirus software from Symantec, Trend Micro, McAfee, and Computer Associates to deliver integrated antivirus solutions. Contact Symantec, Trend Micro, McAfee, and Computer Associates for specific product information. Verifying the licensing plan and the associated costs of integrating antivirus software with the N series storage system can help you select the most cost-effective option. Table 4 shows the N series antivirus partners and their Web sites.
Table 4 N series antivirus partners

Antivirus partner | Web site
Symantec | http://www.symantec.com
Trend Micro | http://www.antivirus.com
McAfee | http://www.mcafeesecurity.com/us/products/mcafee/antivirus/desktop/category.htm
Computer Associates | http://www3.ca.com//Solutions/Product.asp?ID=156

Best practices for antivirus scanning


These best practices for antivirus scanning have worked well with heavy loads and with clustered pair configurations. N series storage systems that have been set up based on these best practices have demonstrated resiliency to failures. In addition, larger enterprise customers have used these best practices in their environments and have achieved good results:
- Avoid large antivirus scanning farms in which all N series storage systems are served by all antivirus scanner servers. Instead, choose a pod design, as described in "Antivirus Scanning Pod". This avoids performance spikes, which can be caused if all N series storage systems choose the same antivirus scanner server at the same time. In this scenario, one antivirus scanner server can become overwhelmed by many N series user requests. The performance spike occurs before the file is committed to disk (write requests) or delivered to the requesting user or application (read requests).
- Dedicate an antivirus scanner server to antivirus scanning only. Do not use this antivirus scanner server for any other jobs such as backup.
- Connect to the antivirus scanner server using the N series Internet Protocol address (not the N series NetBIOS name) to control which N series storage system interface is used.
- For an environment with multiple N series storage systems and multiple scanners, make all AV scanners that are connected with a similar high-performing network connection primary to all the N series storage systems. This improves performance by load sharing. Figure 4 shows this arrangement.

[Figure 4 diagram; labels: N series A, N series B, N series C, N series D]

Figure 4 Antivirus Scanning Pod

If you have two different data centers in two different locations (local and remote), make all the local AV scanners primary to all local N series storage systems and secondary to all remote N series storage systems, and vice versa. Also, depending on the amount of vscan requests, some N series storage systems may require additional dedicated scanners that are not shared with other N series storage systems as secondary scanners.

Antivirus Scanning Pod


Figure 5 shows how you can use the N series storage systems console or the Web-based FilerView GUI console window to modify the list of extensions.


[Figure 5 diagram; labels: N series storage (four systems)]

Figure 5 Scanning Pod for two datacenters in different locations

The following relationships are established for each N series storage system and its primary and secondary antivirus scanner servers; this is what is referred to as a Scanning Pod:
- N series A
  Primary antivirus scanner: AV1, AV2
  Secondary antivirus scanners: AV3, AV4
- N series B
  Primary antivirus scanner: AV1, AV2
  Secondary antivirus scanners: AV3, AV4
- N series C
  Primary antivirus scanner: AV3, AV4
  Secondary antivirus scanners: AV1, AV2
- N series D (dedicated primary antivirus scanner because of the load)
  Primary antivirus scanners: AV3, AV4, and AV5
  Secondary antivirus scanners: AV1, AV2

Benefits of a Scanning Pod


Using a Scanning Pod offers these benefits:
- The redundancy of the antivirus scanner servers is increased. If the primary AV scanner server goes down, the other remaining primary scanners can handle the AV load. If both primary AV scanner servers go down, the N series storage system is scanned with the remaining secondary scanners.
- A ratio of one N series storage system to one antivirus scanner, which minimizes any chance of data outages caused by an antivirus scanner overload, is assured. Sometimes having one AV scanner server for two N series storage systems is sufficient with the exception of heavy loads during peak hours, which could overload the AV scanner server. But depending on the file structure and access pattern, even as many as three servers per N series storage system can be necessary.
- Your antivirus scanner server hardware investment is maximized. This avoids underutilization of AV scanner hardware. The "Scanning Pod" model allows for the efficient utilization of hardware while providing redundancy.
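The scanner selection described above and under "Antivirus server failures", as an added Python model (not IBM or Data ONTAP code): round robin over registered primary scanners, fallback to secondaries, and the administrator's allow-or-deny choice when no scanner is left. The class and function names, the deny default and the audit rules are assumptions of this example; the pod membership is the N series A-D listing above.

```python
"""Added example: model of Scanning Pod scanner selection and failure policy."""
from dataclasses import dataclass, field


@dataclass
class PodFiler:
    name: str
    primary: list                   # scanners used during normal operation
    secondary: list                 # scanners used only when no primary is registered
    allow_unscanned: bool = False   # choice when NO scanner is left (deny is this model's default)
    _next: int = field(default=0, repr=False)

    def pick_scanner(self, registered):
        """Round robin over registered primaries, else over registered secondaries."""
        for tier, pool in (("primary", self.primary), ("secondary", self.secondary)):
            live = [s for s in pool if s in registered]
            if live:
                scanner = live[self._next % len(live)]
                self._next += 1
                return scanner, tier
        return None, None

    def handle_access(self, registered):
        """Outcome of one file access that matches the scanning criteria."""
        scanner, tier = self.pick_scanner(registered)
        if scanner:
            return f"scan:{scanner}:{tier}"
        # No scanner registered: the administrator's configured choice applies.
        return "allow-unscanned" if self.allow_unscanned else "deny"


def audit(pod):
    """Return findings for a pod definition (rules are this example's assumptions)."""
    findings = []
    for f in pod:
        if len(f.primary) < 2:
            findings.append(f"{f.name}: fewer than two primary scanners")
        if not f.secondary:
            findings.append(f"{f.name}: no secondary scanners")
        both = sorted(set(f.primary) & set(f.secondary))
        if both:
            findings.append(f"{f.name}: {', '.join(both)} listed as primary and secondary")
        if f.allow_unscanned:
            findings.append(f"{f.name}: files are served unscanned when no scanner is registered")
    return findings


def outcomes(pod, registered):
    """What each filer does with one matching file access, given the registered scanners."""
    return {f.name: f.handle_access(registered) for f in pod}


def page_pod():
    """The four-filer pod listed above (N series A-D, AV1-AV5)."""
    return [
        PodFiler("N series A", ["AV1", "AV2"], ["AV3", "AV4"]),
        PodFiler("N series B", ["AV1", "AV2"], ["AV3", "AV4"]),
        PodFiler("N series C", ["AV3", "AV4"], ["AV1", "AV2"]),
        PodFiler("N series D", ["AV3", "AV4", "AV5"], ["AV1", "AV2"]),
    ]


if __name__ == "__main__":
    print(audit(page_pod()))
    # Constructed failure scenario: AV1 and AV2 are down.
    print(outcomes(page_pod(), {"AV3", "AV4", "AV5"}))
    # Constructed failure scenario: every scanner is down.
    print(outcomes(page_pod(), set()))
```

With `allow_unscanned=True` the last scenario returns "allow-unscanned" for every filer, which is the configuration the audit flags because files are then served without a verdict.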

Scanning Pod requirements and recommendations


The requirements for using a Scanning Pod are:
- The antivirus scanner servers must use Gigabit Ethernet. The connectivity speed of the antivirus scanner directly impacts N series performance.
- The N series storage system must have a secondary Gigabit NIC that is dedicated to an antivirus network.
- Because antivirus servers require gigabit access to all the N series storage systems in the Scanning Pod, you must not use back-to-back network configurations. Instead, build an antivirus network for all N series storage systems and antivirus scanner servers in a switched environment.
- You must avoid building a Scanning Pod that is too large. This reduces the risk from failures that cascade to other units of a Scanning Pod.

Increasing backup job performance


It is possible for an N series administrator to specifically disable virus scanning of a particular share. Antivirus scanning by nature affects the speed of backups on every open file that is created by the backup application.

Note: This does not apply to Network Data Management Protocol (NDMP) backups, only network mapped backups.

For example, backups might be too slow if files are scanned during the backup over the network. To alleviate this, the administrator can create a normal share, called data, to which clients and applications have direct access and antivirus scans normally take place. The administrator can create a second share, called databackup, that points to the same physical location, which has virus scanning disabled on the share (this is configurable on a per share basis). After the administrator sets share permissions that only allow the backup user group to access the databackup share, normal users are forced to use the protected data share. Meanwhile, the backup user group can use the faster databackup share.

How and when an N series determines to scan a file


Technically, the N series storage system scans files that are opened, renamed, and closed (if the file was modified) in the following order:

1. Technically, the NetApp storage system will scan on:
   - Open
   - Rename
   - Close (if the file was modified)
2. The N series storage system scans a file based on the file extensions set by the N series administrator.
3. The N series storage system scans a file when the file is opened.
4. The N series storage system scans a file when it is renamed to a file name that has one of the designated file extensions.
5. The N series storage system scans a file when it is closed after being modified. The N series does not scan a file after each write, but only when a modified file is closed.
6. Newly created files are not scanned upon creation, but only after data has been written to them and the file is closed.
7. The N series storage system does not scan a file when the file is accessed from the vscan server itself.
8. If multiple applications access the same file simultaneously, they all share the same scan results as the virus scan of the first application. For example, if application 1 requests to open a file and triggers a scan for viruses, the scan is launched. If application 2 tries to open the same file, the N series storage system does not launch a second scan, but instead queues application 2 to wait for the scan that is already active to complete. When the scan completes, both requests continue to be processed by the N series storage system.
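The scan decision rules listed above, together with the include and exclude lists and the scanned-file cache from the earlier sections, modeled as an added Python example (not IBM or Data ONTAP code). It assumes that "?" in an extension pattern stands for exactly one character, that the cache is keyed by path, and that a rename drops the cached status of the old name; the class, event names, extension lists and paths are constructed for illustration, and rule 8 (concurrent requests sharing one scan) is not modeled.

```python
"""Added example: a model of the on-access scan decision, not Data ONTAP code."""
from dataclasses import dataclass, field


def ext_matches(pattern, ext):
    """Case-insensitive compare; '?' stands for exactly one character (assumption)."""
    pattern, ext = pattern.upper(), ext.upper()
    return len(pattern) == len(ext) and all(
        p in ("?", c) for p, c in zip(pattern, ext))


def extension_of(path):
    """Text after the last dot of the file name, '' if there is none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1] if "." in name else ""


@dataclass
class Filer:
    include: list                                     # extensions to scan
    exclude: list = field(default_factory=list)       # extensions never scanned
    vscan_servers: set = field(default_factory=set)   # registered AV server names
    scanned: set = field(default_factory=set)         # paths clean under current definitions

    def in_scope(self, path):
        ext = extension_of(path)
        if any(ext_matches(p, ext) for p in self.exclude):
            return False                              # the exclude list wins
        return any(ext_matches(p, ext) for p in self.include)

    def needs_scan(self, event, path, client, modified=False, new_path=None):
        """Return True when this request must wait for an AV server verdict."""
        if client in self.vscan_servers:
            return False                              # rule 7: the scanner's own access
        if event in ("create", "write"):
            return False                              # rules 5 and 6: wait for the close
        if event == "close":
            if not modified:
                return False
            self.scanned.discard(path)                # content changed: cached status is stale
        elif event == "rename":
            self.scanned.discard(path)                # assumption: status does not follow the file
            path = new_path
        elif event != "open":
            raise ValueError(f"unknown event {event!r}")
        return self.in_scope(path) and path not in self.scanned

    def record_clean(self, path):
        self.scanned.add(path)

    def definitions_updated(self):
        self.scanned.clear()                          # new definitions: rescan on next access


def replay(filer, events):
    """Run events in order; every requested scan is assumed to come back clean."""
    decisions = []
    for ev in events:
        scan = filer.needs_scan(**ev)
        if scan:
            filer.record_clean(ev.get("new_path") or ev["path"])
        decisions.append(scan)
    return decisions


def demo_filer():
    """Constructed configuration: JP? is included but JPG is excluded."""
    return Filer(include=["EXE", "DO?", "VBS", "??_", "JP?"],
                 exclude=["JPG"], vscan_servers={"av1"})


# Constructed client session (paths and client names are made up).
SAMPLE_EVENTS = [
    dict(event="open", path="/vol/data/food.doc", client="pc7"),    # first open
    dict(event="open", path="/vol/data/food.doc", client="pc9"),    # cached result
    dict(event="write", path="/vol/data/food.doc", client="pc7"),   # no scan per write
    dict(event="close", path="/vol/data/food.doc", client="pc7", modified=True),
    dict(event="open", path="/vol/data/photo.jpg", client="pc7"),   # excluded
    dict(event="rename", path="/vol/data/notes.txt", client="pc7",
         new_path="/vol/data/notes.vbs"),                           # renamed into scope
    dict(event="open", path="/vol/data/setup.exe", client="av1"),   # scanner itself
]

if __name__ == "__main__":
    for ev, scan in zip(SAMPLE_EVENTS, replay(demo_filer(), SAMPLE_EVENTS)):
        print(f"{ev['event']:<7}{ev['path']:<22}{'SCAN' if scan else 'no scan'}")
```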

Summary
The integrated antivirus solutions for IBM System Storage N series enable enterprises to protect their valuable data from computer viruses. The open, scalable, and high-performance architecture allows customers to choose the premier antivirus vendor that best suits their environment. Companies can deploy N series solutions throughout their enterprises with best-of-breed antivirus solutions that protect data without affecting the user experience.


Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive Armonk, NY 10504-1785 U.S.A. The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. 
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrates programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. 
You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces. Send us your comments in one of the following ways: Use the online Contact us review redbook form found at: ibm.com/redbooks Send your comments in an email to: redbook@us.ibm.com Mail your comments to:


IBM Corporation, International Technical Support Organization Dept. HYTD Mail Station P099 650 Harry Road Poughkeepsie, NY 12601-5400 U.S.A.

Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:
Redbooks (logo) IBM Redbooks System Storage

The following terms are trademarks of other companies: Microsoft, Visual Basic, Windows NT, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Other company, product, or service names may be trademarks or service marks of others.
