Information is needed regarding best practices for implementing Symantec Protection Engine (SPE) for NAS with EMC Celerra Anti-Virus Agent (CAVA) 3.6.x

NOTE: Before beginning, verify that each machine where you plan to install Protection Engine for NAS 8.2.2 meets the System Requirements. In addition, BROADCOM always recommends installation in a test environment to identify performance issues before deployment to production systems..

NOTE: The 64-bit API library provides support for the use of the 64-bit version of the EMC Event Enabler with Protection Engine.  Windows does not allow a 64-bit process, like the 64-bit version of EMC Event Enabler, to load a 32-bit dll.  If a 64-bit version of EMC Event Enabler is used, please check with EMC support to confirm that it includes the 64-bit Symantec API library.  

1. For High Availability, install and license the latest build of Protection Engine 8.2.x for NAS on at least two computers which meet the system requirements.
2. Assign virus checking rights.
3. On each server that Protection Engine is installed on be sure to perform the following functions:
   
   - From Symantec Endpoint Protection client or Symantec Endpoint Security agent, remove all components except Core Files and Threat Defense for Active Directory.
   - Exclude the Protection Engine TEMP scanning directory from all local file system utilities such as antivirus, backups, etc.
   - Install and configure the Celerra Anti-Virus Agent (CAVA) on the Protection Engine servers
   - Test the Protection Engine and CAVA functionality by accessing files
   - Perform any fine tuning of Protection Engine and CAVA as needed

To identify the current location of the temporary scanning directory of Protection Engine

1. In the bash or cmd prompt, use the cd command to navigate to the install folder of Protection Engine. By default, this path is:
   Windows: C:\Program Files\Symantec\Scan Engine
   Linux: /opt/SYMCScan/bin
   
   
2. To query the location, type:
   Windows: xmlmodifier.exe -q //configuration/Resources/System/TempDir/@value configuration.xml
   Linux: ./xmlmodifier -q //configuration/Resources/System/TempDir/@value configuration.xml
   
   

To perform initial configuration of Symantec Protection Engine 8.2.2 for NAS

1. At the command line, navigate to the installation location of Protection Engine.
2. To set protocol, type:
   Windows: xmlmodifier.exe -s //configuration/ProtocolSettings/Protocol/@value "ICAP" configuration.xml
   Linux: ./xmlmodifier -s //configuration/ProtocolSettings/Protocol/@value "ICAP" configuration.xml
   
   
3. To set ICAP port, type:
   Windows: xmlmodifier.exe -s //configuration/ProtocolSettings/ICAP/Port/@value 1344 configuration.xml
   Linux: ./xmlmodifier -s //configuration/ProtocolSettings/ICAP/Port/@value 1344 configuration.xml
   
   
4. Click Policies > Filtering > Container Handling
5. In the 'Time to Extract file meets or exceeds' field, type: 30
6. To set 'Maximum extract depth', type:
   Windows: xmlmodifier.exe -s //filtering/Container/MaxExtractDepth/@value 5 filtering.xml
   Linux: ./xmlmodifier -s //filtering/Container/MaxExtractDepth/@value 5 filtering.xml
   
   
7. Click Allow access to the file and generate a log entry
8. Uncheck 'Deny partial containers'
9. Uncheck 'Block malformed containers'
10. Uncheck 'Delete encrypted containers'
11. Click Policies> Files
12. Uncheck 'Block files with the following names (one per line):'
13. Uncheck 'Block files with the following sizes (one per line):'
14. At the command line, type the following command:
    Windows: xmlmodifier.exe -s //policies/ThreatPolicies/Actions/HonorReadOnly/@value false policy.xml
    Linux: ./xmlmodifier -s //policies/ThreatPolicies/Actions/HonorReadOnly/@value false policy.xml
    
    
15. Restart the Symantec Scan/Protection Engine service to make the changes effective.

Legacy version?

• For v7.x, see: Best Practices for initial installation and testing of Symantec Protection Engine 7.x with EMC CAVA

EMC Unity?

As of this writing, EMC has not certified EMC Unity for use with SPE for NAS. Support has heard anecdotal reports that this works for at least one customer in the field, without known issues unique to EMC Unity over any other EMC CAVA environment.