
Protecting CIFS Clients From Viruses Using Sun StorageTek NAS OS

 
By Tim Thomas, April 2007  

Computer viruses are a menace to the security of personal and corporate data. The antivirus features of the Sun StorageTek 5000 NAS Appliance provide a scalable solution to protect files accessed by Common Internet File System (CIFS) clients, by efficiently scanning these files for viruses in real time. This solution is designed to be more secure and less time-consuming and I/O-intensive than traditional scheduled on-demand scans.

These antivirus features are a standard part of the Sun StorageTek 5000 NAS Appliance's Operating System and are collectively known as the NAS Anti Virus Agent (NAS AVA). This article provides a brief overview of antivirus software, how the antivirus scanning works using the NAS AVA, and the list of antivirus software supported by the latest Sun StorageTek NAS OS 4.21 release.

How Does Antivirus Software Work?

At a high level, antivirus software searches files for infections using sophisticated search techniques and a catalog of known virus definitions. The virus definitions are updated frequently, typically automatically, by the virus scanner using a subscription service.

There are two common approaches to virus scanning:

  • On-demand scan - The on-demand scan method searches all or part of a file system when requested, checking files of selected types and modification dates. This is typically performed at scheduled intervals.
  • Real-time scan - The real-time scan method scans files as they are accessed. Files can be scanned when they are opened and after they are closed.

The real-time scan method, which the NAS AVA supports, has the benefit that files are scanned with the latest virus definitions before being used. This approach is more effective at detecting viruses before they are able to compromise data and has the additional benefit of not generating the very heavy I/O loads of on-demand scans.

If required, a CIFS client can perform on-demand scans of the Sun StorageTek 5000 NAS Appliance by scanning the shares served by the appliance.

Overview of the Antivirus Scanning Process

Let's look at the real-time virus scanning process that is performed by the NAS AVA:

  1. A file becomes a candidate for scanning when it is opened or when it is closed (if the file was modified).
  2. If the NAS AVA determines that the file needs to be scanned, the NAS AVA off-loads the scanning process to servers that run the antivirus software, which are known as Scan Engines. The NAS AVA communicates with Scan Engines using the Internet Content Adaptation Protocol (ICAP). You can read about ICAP at the ICAP Forum web site.
  3. When a Scan Engine receives a file, the Scan Engine scans the file for viruses.
  4. If the file is not infected, then a good scan status is returned by the Scan Engine to the NAS AVA and we skip to step 6.
  5. If the file is infected, depending on your Scan Engine's policy, the next steps are as follows:
    • The Scan Engine removes the virus from the file, which is known as repairing, cleaning, or curing the file. Once the file is repaired, it is returned to the appliance along with its scan status. The NAS AVA replaces the original file with the repaired file.
    • The Scan Engine does not remove the virus from the file and returns a scan status to the NAS AVA telling it to delete or quarantine (deny access to) the file. Since the NAS AVA does not support file deletion, the file will always be quarantined, even when it is instructed to delete the file.
  6. The NAS AVA tags the file with a scan status, known as a scanstamp.

    The scanstamp on the file remains current as long as the virus definitions on the Scan Engines are not updated. The next time the file becomes a candidate for virus scanning, the NAS AVA checks whether the file's scanstamp is still current (not expired) and whether the file is unchanged since its last scan. If both of these conditions are met, the operation is allowed to proceed without scanning the file; if not, then the file must be scanned before allowing the operation.
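The scan-on-open decision in steps 1 through 6 can be modeled in a few lines. This is an added example, not code from the NAS OS: the class and function names, the integer version counters, and the byte-marker "signatures" are assumptions made for illustration, and the Scan Engine is a local stand-in with no ICAP traffic.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class NasFile:
    content: bytes
    version: int = 0                             # assumed change marker, bumped on every write
    scanstamp: Optional[Tuple[int, int]] = None  # (definitions version, file version) at last scan
    quarantined: bool = False

class ScanEngine:
    """Stand-in for a Scan Engine reached over ICAP; no network I/O here."""
    def __init__(self, defs_version: int, signatures: set, policy: str):
        self.defs_version = defs_version
        self.signatures = signatures             # constructed byte markers, not real virus data
        self.policy = policy                     # "repair", "delete" or "quarantine"
        self.scans = 0                           # how many files were actually scanned

    def scan(self, content: bytes):
        self.scans += 1
        hits = [s for s in self.signatures if s in content]
        if not hits:
            return "clean", content
        if self.policy == "repair":
            for s in hits:
                content = content.replace(s, b"")
            return "repaired", content
        return self.policy, content

def ava_open(f: NasFile, engine: ScanEngine) -> bool:
    """Scan-on-open decision; returns True when the client may open the file."""
    if f.quarantined:
        return False
    if f.scanstamp == (engine.defs_version, f.version):
        return True                              # stamp current and file unchanged: no scan
    status, data = engine.scan(f.content)
    if status in ("delete", "quarantine"):
        f.quarantined = True                     # the AVA never deletes; "delete" becomes quarantine
        return False
    if status == "repaired":
        f.content = data                         # repaired copy replaces the original
    f.scanstamp = (engine.defs_version, f.version)  # step 6: tag the file with a scanstamp
    return True

def write(f: NasFile, data: bytes) -> None:
    """A client modification; the old scanstamp no longer matches the file."""
    f.content, f.version = data, f.version + 1
```

Opening the same unchanged file twice leaves `engine.scans` at 1; raising `defs_version` or calling `write` forces a rescan on the next open.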

The following diagram shows the scan-on-open workflow for an infected file with the Scan Engine set to repair the file.

 
Figure 1: Scan-on-Open Workflow Using Scan Engine

Certified Antivirus Software for the Scan Engines

The following antivirus software is certified and can be used with the Sun StorageTek NAS OS 4.21 release:

  • Symantec AntiVirus Scan Engine v4.3 and v5.1 on Scan Engines running Microsoft Windows, Linux, and Solaris
  • Computer Associates eTrust Antivirus Scan Engine v7.1 on Scan Engines running Microsoft Windows
  • Trend Micro InterScan Web Security Suite (IWSS) v2.5 on Scan Engines running Microsoft Windows

Consult the documentation from the antivirus software vendors for details on which Scan Engine operating system releases are supported.

For more information about Sun storage products, go to www.sun.com/storage.
