Panzura Best Practices: ICAP

Supported ICAP Vendors

The following vendor has been certified to work with the Panzura Freedom NAS Series and is supported by the Antivirus and Malware Scanning provider:

• McAfee VirusScan Enterprise 8.8 with VirusScan Enterprise for Storage. You can configure a filer to use McAfee VirusScan Enterprise (VSE) 8.8 for antivirus and malware scanning. When you install the ICAP license on the filer, you are prompted for configuration information.

For more information, visit McAfee VirusScan Enterprise (VSE) 8.8 Support.

The following vendors are compatible and have been tested with the Panzura Freedom NAS Series:

• Symantec Protection Engine for Network Attached Storage 7.5. Compressed and container files have additional options on Symantec. For example, you can control a maximum size as well as how to treat files that can't be uncompressed.

For more information about size configuration, visit Setting Container File Limits.

For more information about how files are uncompressed, visit Malformed Container Files.

Panzura recommends excluding common container and compressed file types because of additional handling.

• Trend Micro, Server Protect 6.0. Compressed files have additional options in Trend Micro that change how the scanner handles them.

For more information, visit Compression Violations Solution.

Panzura recommends excluding common container and compressed file types because of additional handling.

General ICAP License Setup

To set up a general ICAP license:

1. Enter the IP address of the scanner into the Hostname setting of the ICAP license. 

If you have multiple scanners and want to load balance between them, enter the IP addresses in the Hostname field separated by commas.

2. If you do not want to scan on writes, enter no for Scan on Write.

By default, the ICAP license scans files when a read or write occurs.

3. After you configure the settings, select the ICAP license checkbox.

4. Activate the license at the top of the License Manager page.

This enables virus scanning immediately. If you need to change the settings later, enter new values and click Activate Selected at the top of the License Manager page. It is not necessary to deactivate the license to make configuration changes.

Security

Scan-on-read is the minimum for a secure policy. Enabling only scan-on-write will not allow a typical environment to identify and prevent the spread of an infected file: the file might be read by client PCs or other storage, where it can then infect other users or applications. This can be prevented if the client machine or other storage also has AV scanning available.

Since AV rules get updated on the servers, it is recommended that you scan on reads. Not scanning on writes will help avoid slowing down data ingest onto the file system.

Limitations for SMB and CIFS Clients

SMB and CIFS file servers have a limited number of error codes that can be sent in response to requests that can't be completed. The protocol does not support an error notification when a file is inaccessible due to an AV Scanner. When a file has been quarantined or an error occurs with deny-on-error enabled, Access Denied errors display for these files. Keep this in mind so that you can check your AV Server and the Panzura for quarantined files or errors when diagnosing these issues.

When the ICAP service or daemon sends a scan file request to the AV server, the server has less than 60 seconds before the SMB/CIFS protocol timeout. The scanning operation must complete within this time; otherwise the SMB/CIFS session will time out.
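When diagnosing the Access Denied symptoms described above, a useful first check is whether every scanner listed in the Hostname field answers ICAP at all. The following is an added example, not Panzura or vendor code: it sends an ICAP OPTIONS request (RFC 3507) to each address and reports the status and round-trip time. The service path `avscan` and the sample IP addresses are assumptions; the OPTIONS round trip shows reachability only and is not a measure of file scan time.

```python
import socket
import sys
import time

ICAP_PORT = 1344     # registered ICAP port (RFC 3507)
SERVICE = "avscan"   # assumed service path; set to your scanner's value

def parse_hosts(field):
    """Split the license's comma-separated Hostname field."""
    return [h.strip() for h in field.split(",") if h.strip()]

def build_options(host, port=ICAP_PORT, service=SERVICE):
    """Build an ICAP OPTIONS request (RFC 3507, section 4.10)."""
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\n\r\n").encode("ascii")

def parse_response(raw):
    """Return (status_code, headers) from the head of an ICAP response."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    proto, code, *_ = lines[0].split(" ", 2)
    if not proto.startswith("ICAP/"):
        raise ValueError("not an ICAP response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers

def probe(host, port=ICAP_PORT, timeout=5.0):
    """Send OPTIONS to one scanner; return (healthy, seconds, detail)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_options(host, port))
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
        code, headers = parse_response(raw)
    except (OSError, ValueError) as exc:
        # Unreachable, timed out, or not speaking ICAP: report as unhealthy.
        return False, time.monotonic() - start, str(exc)
    return code == 200, time.monotonic() - start, headers.get("methods", "")

if __name__ == "__main__":
    # Usage: python icap_probe.py "192.0.2.10, 192.0.2.11"  (constructed IPs)
    for h in parse_hosts(sys.argv[1] if len(sys.argv) > 1 else ""):
        ok, secs, detail = probe(h)
        print(f"{h}: {'OK' if ok else 'FAIL'} in {secs:.2f}s ({detail})")
```

A scanner that fails this probe while deny-on-error is enabled is a likely source of Access Denied errors on files that are not actually quarantined.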

Performance

Scan-on-write is meant to provide a performance enhancement over a pure scan-on-read in environments where there are writes followed by many reads.

This will take advantage of the background-scan preventing an inline-scan for that file. If the files are mostly read-only or are rarely accessed, scan-on-write can diminish performance. In this circumstance, resources that would be better spent performing inline-scans are taken up by background-scans that are not effective since the same file will likely require an inline-scan the next time the file is accessed. In use cases where there are more writes than reads, it is recommended to disable scan-on-write and enable scan-on-read.

File Filters

If these common file types are present in your environment, they might affect client performance during inline-scans due to the limitations for clients mentioned above. Archive files must be opened to scan the individual files in the archive. This process adds time to the scan.

On the license page of the Controller under the ICAP license, you can configure file types that should be included or excluded from scans. If any of these file types are from a trusted source and can be excluded from scanning, you can configure them to improve scan performance. Add additional files in the exclusion list according to your environment.

The following are database files:

• .ldb

• .mdb

• .pst

• .nsf

The following are archives or large files:

• .7z

• .tar

• .cab

• .tgz

• .iso

• .vhd

• .jar

• .vmdk

• .rar

• .zip