Information is needed regarding best practices for implementing Symantec Protection Engine for NAS with EMC Celerra Anti-Virus Agent 3.6.x.
NOTE: Before beginning, verify that each machine where you plan to install Protection Engine for NAS 7.x meets the System Requirements. In addition, Symantec always recommends installation in a test environment to identify performance issues before deployment to production systems..
NOTE: Previously, Symantec provided a 32-bit version of the API library only. Starting with build 7.0.1 of Protection Engine for NAS, Symantec provides a 64-bit version of the API library as well. The 64-bit API library provides support for the use of the 64-bit version of the EMC Event Enabler with Protection Engine. Windows does not allow a 64-bit process, like the 64-bit version of EMC Event Enabler, to load a 32-bit dll. If a 64-bit version of EMC Event Enabler is used, please check with EMC support to confirm that it includes the 64-bit Symantec API library.
To identify the current location of the temporary scanning directory of Protection Engine
The folder which Protection Engine uses as a temporary folder for scanning appears in the field labeled 'Temporary directory for scanning:'
To perform initial configuration of Symantec Protection Engine 7.x for NAS
EMC support site
Symantec is not responsible for content available on web sites maintained by other organizations or individuals.
About Container Handling limits
Most antivirus scanning products contain policies to limit the resources spent on scanning a single file. This prevents denial of service attacks with specially crafted malformed container files.
About 'Time to extract file meets or exceeds'
The timer for the 'Time to extract' setting begins when the actual scan of the file begins. This measure does not include time spent transmitting the scan request to Protection Engine, nor does it contain time spent in moving the file to the Protection Engine from the EMC Celerra server or other device. Within the EMC or CAVA settings, the scan timeout setting includes:
1. time spent sending the scan request to Protection Engine,
2. time spent copying the file to the Protection Engine,
3. time spent performing the actual scan of the file once it is local to Protection Engine,
4. and time spent copying a repaired file back to the EMC Celerra server or other device.
To accommodate the difference in what these timeout values actually measure, the timeout value within EMC or CAVA should be three times the value of the 'Time to extract file...' setting within the Protection Engine interface.
About 'Maximum extract depth'
This policy setting helps prevent 'zip of death' style denial of service attacks. A 'zip of death' denial of service attack is a .zip archive with directory pointers which form a circular structure, which may result in an attempt to extract the file forever. As you lower this number, you lower the maximum number of levels scanned within a container file, resulting in a more rapid, but possibly less thorough scan. As you raise this number, you also raise the maximum number of levels Protection Engine examines within a container, resulting in a slower, but more thorough scan. For initial testing, 5 to 10 levels will establish basic function. The maximum value for this setting is 1024. Tune this setting to meet the usage patterns of your environment.
Behavior of block actions specified within Protection Engine 7.x
CAVA sends a FILEMOD command, a policy of 'ScanRepairDelete', and a UNC path and filename to Protection Engine. The Protection Engine adheres to the policy provided by the CAVA connector, which overrides the policy in the Protection Engine web console on the Configuration> Protocol screen. The FILEMOD command of the ICAP protocol directs Protection Engine to scan the file and directly modify it in its current location. Returning a block access response is not possible for Protection Engine in these circumstances. Protection Engine will therefore directly delete the file and report the results of the scan to CAVA. For this reason, Symantec recommends that all Block actions be disabled in the web console for each Protection Engine server supporting a CAVA 3.6 connector.
About compatibility with Symantec Endpoint Protection:
The Email Tools component of Symantec Endpoint Protection is not recommended for Windows Server operating systems. For more, see: