Virus Scan recalls archived files

[wankhot]

I am testing HSM client for Windows in Windows 2003 and XP.

HSM version=5.3.2.0

TSM baclient version=5.3.2.0

Migration is set for file modification date older that 600 days, and will replace the file with shortcut (stub).

The migration job seems to ran correctly. However, when scheduled virus scan was excecuted on that particular filespace, all migrated files were recalled and restored back to the host.

The virus scan tool used is Trend Micro OfficeScan. OfficeScan offers 3 options on excluding the file from virus scan: exclude based on files name, exclude the entire folder or exclude based on file extention.

Since we will be using HSM in a large file server, the exclude list will become too large over time and I have yet to come out with an automated process to created the exclude list.

I am wondering if anyone encountered the same issue working with HSM and virus scan tool. Any suggestion or work around is appreciated.

Thanks.

 

[PJ]

I don't know Trend Micro - but is there really no way to exclude offline files? This should be one of the standards on any virus checker.



PJ

 

[chad_small]

Wow, I never thought about Virus Scans and HSM but it makes complete sense. The virus scan tries to read the file to scan it for infection which in turn kicks off the trigger for HSM to return the file. Whoa! That's bad! OK well the only thing I can think of it either exclude the files manually which will be task intensive (because the stubs look like the old file there wont be a way to easily exclude them). Or you could set it to passive mode and turn off active scanning on the specific folder(s) or drive(s). I know some have a passive mode setting where they react to file changes or writes rather then actively scan every file. Since the stubs wont be in use they would be ignored.

 

[PJ]

ANY program written for Windows and accessing files in an automated, read-only fashion should, must, has to accept that the file might be offline and there must be an option to ignore offline files. This is not only true for Virus Scans but for Search Tools as well. Just imagine you use HSM on a fileserver and a user would recall everything because he or she searches for a file containing the string "cheesecake". A Virus Scanner without such an option is simply unusable. HSM is not a new invention. Windows has HSM built in ever since W2000, so every developer should've heard about that flag by now.



Cheers, PJ



(JFS/AIX for example doesn't provide something like an offline flag. Consequently "grepping" through a HSM filesystem usually ends in a catastrophic weekend )

 

[wankhot]

Thanks for the suggestion.



Like ChadSmall said, the stub file looks like the old file and not all files in a directory are migrated, so can't do exclude using file names, extention or directory. Unfortunately both active and passive scan is part of the security policy.

I thought about the keyword search problem as well. If you know of an offline flag, please let me know. I will discuss the option with the security group.



Thanks.

 

[PJ]

The Windows built in search does, by default, recognise offline data and will not search it's content. However the user can override this setting and (afaik) there's no way (registry key or security setting in AD or whatever) to prevent this possibility. As far as virus scanning is concerned... I'd contact Trend Micro and ask for that functionality - and if they can't provide it - I'd switch to a more complete product as soon as possible.



Cheers,

PJ



P.S.: We might want to start another thread discussing the madness of stub-based HSM on fileservers in general...

 

[tmcquaig]

I use McAfee VirusScan 8.0i Enterprise. Trend Micro is not supported by even the latest version of HSM for Windows. Here is a snippet of the README_HSM.TXT. I can perform on demand scans of all of my files even if they have been migrated and are stubs. None of the files are recalled. I migrate files based on access time. The on demand scan does not even modify the access times of the files, which was a concern of mine when picking out the software. For future reference the same goes for DiskExtender from EMC.



I'd agree with PJ that you should ask for the functionality and if they cannot provide it to you in a time acceptable by you then possibly switch to a supported antivirus vendor.



Cheers!



<TABLE BORDER=0 ALIGN=CENTER WIDTH=85%><TR><TD><font class="pn-sub">Code:</font><HR></TD></TR><TR><TD><FONT class="pn-sub"><PRE>

The HSM client has been successfully tested for compatibility with

the following Anti Virus Scanner Programs:



- Symantec AntiVirus 8.0 Corporate Edition with the following parameter

settings:

Under "Scan Advanced Options" -> "Storage migration options"

select "Skip offline and sparse files"



- Symantec AntiVirus 9.0 Corporate Edition with the following parameter

settings:

Under "Scan Advanced Options" -> "Storage migration options"

select "Skip offline and sparse files"



- Symantec AntiVirus 10.0 Corporate Edition settings:

Under "Scan Advanced Options" -> "Storage migration options"

select "Skip offline files"

Under "Autoprotect Advanced Options" -> "Scan files when"

uncheck "Opened for backup...."



- Mc Afee VirusScan Enterprise 7.0

- Mc Afee VirusScan Enterprise 8.0



*******************************************************************************

Be aware, that tests of antivirus software have been done with the

1st release version of the AV-software. Updates of virus signatures and AV-scan

engines are not considered and may lead to completely different behavior.

*******************************************************************************



</PRE></FONT></TD></TR><TR><TD><HR></TD></TR></TABLE>

 

[SANMAN]

McAfee VirusScan 8.0i Enterprise latest patches setting to HSM.

Yes, I am experiencing the same problem with HSM file recalls, and I started another thread. I am using McAfee VirusScan 8.0i Enterprise. Does anyone have the setting for McAfee VirusScan 8.0i Enterprise. I understand that it has been tested with v7 and v 8, and I have had a McAfee Engineer to run a couple of analysis tools to check if McAfee is setup correctly. If you are using the latest patches of McAfee VirusScan 8.0i Enterprise I need information on where can I get the correct setting?

 

[rwhtmv]

Holy cow!!!

I posted HSM questions regarding Trend Micro, offline files, and even interaction with DoubleTake, and never got CLOSE the response you got in a few days! Wow. Anyway, to make your HSM work, you need to educate yourself a little on REPARSE POINTS. Trend Micro, along with many other A/V products use reparse points within the NTFS file system. I switched to a supported McAfee 8.7i and thought that would fix the problem, but still seeing the same issue.

Here is the issue I have found with offline files. Retrieval to the HSM gui never EVER fails. Recall (opening the file from a pc) fails SOMETIMES, and God only knows when it will decide to. I stared at enough logs to know it's very intermittent. By fail, I mean the file will not open, and it never gets recalled from HSM. So, IBM won't be much help, since the recall process never happened.

If you can find an A/V product that you can set to "do not follow reparse points" you will be much better off. As for excluding file extension types, well that seems to be defeating the purpose of HSM right? Why exclude .doc, .pdf, .xls from your file server A/V when that is probably 75% of what is on there?

I have been told to stop wasting any more time with HSM and integrations issue with offline files, a/v, file replication (DoubleTake). Shame, because it's a simple, but robust product. Let me know if you find how to make this work.

 

[n9hmg]

Here's the way I'm trying it.
I modified the "trend serverprotect" service to run as a new local admin service username "svctrend". We'll see how that goes.