ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Best Practices for implementing Symantec Protection Engine for Network Attached Storage with a NetApp Filer


Article ID: 152420


Updated On:


Protection Engine for NAS


What are some best practices for implementing Symantec Protection Engine (SPE) for Network Attached Storage (NAS) with a NetApp Filer?



  • SPE-NAS 8.0.x or later installed on Windows 2016 Server -or- SPE-NAS 8.0.1 or later installed on Windows 2019 Server
  • ONTAP 9.2 or later in cluster mode - see supported device matrix


  1. Ensure the server is a dedicated scanner. It should not have other applications and features installed except those necessary for scanning or required by your organization for security.
  2. Ensure that the Protection Engine resides on a network containing only the storage system and the Protection Engine as recommended by NetApp.
  3. Ensure the scanner meets system requirements
    • At least 40 GB free on the drive where SPE is installed.
    • At least 16 GB of RAM
    • At least 4 CPU cores
  4. If the SPE server is a guest virtual machine (VM), ensure that all resource (RAM, CPU cores, and HD space) are reserved by the hypervisor for exclusive use by the SPE guest VM.
  5. The "Symantec Protection Engine" Windows service should be configured to run with a service account.
    • The account must satisfy the following requirements:
      • Be a member of the Backup Operators group on the NetApp filers
      • Be a local administrator on the Protection Engine server
    • Use the following steps to change the service account
      1. Open the Windows Service control panel (services.msc).
      2. Right click on Symantec Protection Engine and click on Properties.
      3. On the Log On tab, enter the service account name and password.
      4. Click the OK button to save the change and close the properties dialog box.
      5. Restart the Symantec Protection Engine service.
  6. Configure SPE to register with the NetApp filer.
    • From the Centralized Console
      1. Create an asset. The asset represents either a filer if using 7-mode or the ONTAP AV Shim if using Cluster mode (C-mode)
        1. Go to Assets -> Assets
        2. Click the + button on the right-hand side.
        3. Enter a Name for the asset. Optionally give a description and version.
        4. Set Type to NAS
        5. Set Subtype to either NetApp 7G or NetApp CMode.
        6. Set Scan request IPs to either the address of the filer if in 7-mode or to if in C-mode. Then click Add
        7. Set RPC client IPs to the filer address is using 7-mode.
        8. Click Next.
        9. Select the scanner group with your scanners and then click Done.
    • Using XMLModifier
      1. Open CMD or PowerShell as Administrator
      2. Navigate to the SPE installation directory (normally C:\Program Files\Symantec\Scan Engine)
      3. Set the communication protocol to RPC with the following command:
        • .\xmlmodifier.exe -s /configuration/ProtocolSettings/Protocol/@value "RPC" configuration.xml
      4. Add localhost as an RPC client to enable communication with the OTAP connector (necessary for Cluster Mode and Mixed mode)
        • .\xmlmodifier.exe -c /configuration/ProtocolSettings/RPC/ClientList/items configuration.xml
      5. Add any filers that use 7-mode:
        • .\xmlmodifier.exe -c /configuration/ProtocolSettings/RPC/ClientList/items <ip address of 7-mode filer> configuration.xml
      • Note: The "Symantec Protection Engine" service must be restarted for any changes with xmlmodifier to take effect.
  7. Tune performance settings for SPE
    • From the Centralized Console
      • Most of these settings must be set from the commandline. Follow the instructions under Using XMLModifier. The articles in that section contain the Centralized Console instructions if the setting can be set from the Centralized Console.
    • Using XMLModifier
      1. Open CMD or PowerShell as Administrator
      2. Navigate to the SPE installation directory (normally C:\Program Files\Symantec\Scan Engine)
      3. Determine how many CPU cores the server has.
        • You can do this with the following command from within CMD/PowerShell:
          • WMIC CPU Get DeviceID,NumberOfCores
      4. Set maximum scanning threads to 3 * number of CPU cores or 24, whichever value is higher:
        • .\xmlmodifier.exe -s /configuration/Resources/System/MaxThreads/@value <calculated threads> configuration.xml
      5. Set queued request threshold to 3 * number of CPU cores or 24, whichever value is higher:
        • .\xmlmodifier.exe -s /configuration/Resources/System/LoadMaximumQueuedClients/@value <calculated value> configuration.xml
      6. Set memory settings:
      7. Set the filer performance threshold
  8. Configure NetApp filer timeouts. The default settings are optimal. NetApp recommends that they should not be changed unless NetApp support recommends changing them.
    1. Use the vscan scanner-pool show -instance command on the NetApp filer to view the timeouts:
      ::*> vscan scanner-pool show -instance
      javascript:void('Edit Link') 
                                               Vserver: svm1
                                          Scanner Pool: pool1
                                        Applied Policy: primary
                                        Current Status: on
                    Cluster on Which Policy Is Applied: node1
                             Scanner Pool Config Owner: vserver
                  List of IPs of Allowed Vscan Servers:
      List of Host Names of Allowed Vscan Servers:
                              List of Privileged Users: domain\administrator
                               Request Service Timeout: 30s
                                    Scan Queue Timeout: 20s
                                 Session Setup Timeout: 10s
                              Session Teardown Timeout: 10s
      Max Number of Consecutive Session Setup Attempts: 5
    2. Take note of Request Service Timeout. You will use this value when configuring the Protection Engine timeout.
      • Note: The **Request Service Timeout value is how long NetApp will wait for a scan verdict. For more information about this and other timeout settings, see NetApp's article regarding timeouts.
  9. Configure SPE's timeouts.
    • SPE 7.9 and older
      1. Calculate 2/3 of the NetApp Filer Request Service Timeout value. For example, if the Request Service Timeout is set to the default of 30 seconds, your value should be 20 seconds. Use the following command, replacing <timeout> with your calculated value:
        • .\xmlmodifier.exe -s //filtering/Container/MaxExtractTime/@value <timeout> filtering.xml
    • SPE 8.0
      1. Follow the instructions above for setting the timeout in SPE 7.9 and older
      2. Apply the following hotfix:
      3. Download the category3.xml from that same page and place it in the install diriectory.
      4. Open category3.xml in a text editor and set ScanTimeoutInSeconds to 2/3 of the NetApp Filer Request Service Timeout value.
      5. Restart the Symantec Protection Engine service.
    • SPE 8.0.1
      1. Follow the instructions above for setting the timeout in SPE 7.9 and older
      2. Download the category3.xml from the following page and place it in the install directory but do not apply the hotfix
      3. Open category3.xml in a text editor and change the version to 080001.
      4. Set ScanTimeoutInSeconds to 2/3 of the NetApp Filer Request Service Timeout value.
    • SPE 8.2+
      1. The old timeout setting is no longer available and has been replaced. Use the following article to set the ScanTimeoutInSeconds value to 2/3 of the NetApp Filer Request Service Timeout
  10. Ensure exclusions for file types that should not be scanned are set in the NetApp configuration. See Best practice for file type exclusions for Symantec recommended exclusions, NetApp vscan file path exclusions, and NetApp vscan file extension exclusions for details on how to implement the recommendations in the NetApp vscan configuration.
  11. Ensure a sufficient number of Symantec Protection Engine servers have been configured and added to the vscan scanner pool to handle the expected scanning load without impacting real-time availability of files. See attached file SPE_NAS_Sizing_Calculator_NetApp.xlsx for additional details on this requirement.
  12. The Protection Engine should now be ready for vscan to be set to on:
    • vscan on

For installation/configuration documentation provided by NetApp or for information regarding what versions of ONTAP that NetApp has certified to work with SPE, please see the following page:

Additional Information

About Windows versions:

  • Microsoft moved Windows Server 2012 and Windows Server 2012 R2 from main support to extended support on October 9 of 2018 - see here
  • Microsoft ended extended support (including writing vulnerability fixes) for Microsoft Windows 2008 on January 14 of 2020 - see here


About certification

NetApp Filer certifies each version of ONTAP with Symantec Protection Engine. Certification information from NetApp specifies versions of ONTAP, but not versions of OnTap AV Connector. The latest matric of certified implementations can be found here:




1600970282305__SPE_NAS_Sizing_Calculator_NetApp.xlsx get_app