As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
This article is a consolidated list of common questions and answers. It's intended for users who are new to the product, but can be of use to all users.
Can RPC storage appliances, for example, NetApp ONTAP and ENSSP scanners, be in the same Active Directory (AD) domain?
Yes. This configuration is recommended for the following reasons:
Security — If the storage appliances and the ENSSP scanners and NAS reside in different AD domains, you must make sure that authentication is unhindered.
Performance — The closer the storage appliances and ENSSP scanners are, both logically (security boundaries) and physically (router hops), the better the performance. The RPC design choice involves the following protocols and their dependencies:
AD
CIFS/SMB
Named Pipes
NetBIOS over TCP/IP
RPC
This design choice confers permanent throughput benefits over competing designs such as ICAP. The storage appliances, network, Windows operating system, and the ENSSP scanner product must fulfill the prerequisites. The same prerequisites exist, regardless of the vendor; these requirements aren't specific to ENSSP.
Are read-only storage appliance volumes supported?
No. Any read-only volume on a storage appliance isn't a candidate for ENSSP scanning and must be excluded in ENSSP. Examples of such volumes are a NetApp ONTAP SnapMirror volume and a NetApp ONTAP Snapshot volume. For more information, see KB60568 - Files in a NetApp Filer snapshot folder aren't accessible.
Does ENSSP work successfully in the presence of SMB3?
Yes, but whether ENSSP works successfully depends on the filer. If the filer supports SMB3 and can successfully negotiate with the operating system used for the ENSSP scan server, ENSSP continues to function as normal.
Can I use two ENSSP scanners for monitoring one storage appliance?
Yes. Having two scanners is actually the best configuration to obtain good performance. See the NetApp best practices article.
Is the NetApp policy in ePolicy Orchestrator (ePO) related to the Network Appliance filer AV Scanner feature in the local ENSSP scanner UI?
Yes. The NetApp policy is what propagates to the Network Appliance filer AV Scanner in the local ENSSP scanner UI. Both the ICAP AV Scanner and Network Appliance filer AV Scanner are configured using two separate policies in ePO.
Do I need to enable Interactive Logon for the ENSSP account, when using RPC-based or NetApp ONTAP controllers?
The account specified in the policy item "Administrator account common to all filers" must be set up as an interactive logon account, not a service account.
This requirement exists so that the account applies successfully within the Network Appliance AV Scanner plug-in in the ENSSP console. Without Interactive Logon enabled, certain restrictions can prevent the account from applying, both during Trellix Agent policy enforcement and when manually entering the credentials in the NetApp plug-in. See KB84418 - Environmental prerequisites and best practices for the scanner.
Can I enable the scan on network drives feature for ENS Threat Prevention when these products are installed on the client systems accessing the filer that ENSSP protects?
This option is configurable within ENS Threat Prevention, but we don't support the scan on network drives feature when the network share is already protected by a separate real-time scanner such as ENSSP. For example, when ENSSP protects the storage device, enabling scan on network drives doesn't provide any added malware detection capability. Enabling this feature might introduce performance and file-locking issues, because both products try to scan the same files simultaneously when the user accesses them.
How should I configure the NetApp vscan option scan-mandatory (on/off)?
When enabled, this feature denies all file access to any file that doesn't return a virus scan result of "clean." Any service interruption with the scan servers (for example, a disconnect) can result in a denial-of-service. A denial-of-access can also happen when a result such as a scan time-out occurs. Anything that prevents scanning of the files and the scanner's ability to return a result of "clean" results in the user being denied access to the files. When turned off, file access resumes without any scanning occurring. If users need the ability to access files even when scanning isn't occurring (for any reason), this feature must remain off. The administrator must determine whether turning on this feature outweighs any potential impact on file access.
Does ENSSP share a global cache like MOVE AV?
No. The storage appliance keeps the clean file cache if there's one configured for the storage appliance. ENSSP sends a notification to the storage appliance when DATs are updated. It's up to the storage appliance to delete its cache when notified and isn't the responsibility of ENSSP.
How does ENSSP scan large files?
Only a small subset of a file is scanned; the engine determines which parts. RPC storage appliances allow ENSSP to access their file systems directly, which greatly speeds up scan request fulfillment. ICAP storage appliances must first copy the whole file to the ENSSP scanner before the engine can scan it, so scan request fulfillment times are longer than with RPC, and file size and network saturation matter more in an ICAP scenario.
Does ENSSP load its own DAT and Engine or does it use what the McShield service loads?
ENSSP uses the McShield service as its DAT and Engine server.
Does ENSSP use threads from the McShield service if there's excessive load?
The McShield service spawns scan threads to serve each ENSSP scan request that it receives. This thread count is irrespective of other scan threads related to local ENS scanning.
What is the relevance of the ENSSP scan thread configuration and how does it affect the needed scanner count?
Depending on your environment, you must plan for ENSSP to handle the expected load. You determine this load as follows:
You have y number of physical filers.
You have z number of discrete filer IP addresses that send scan requests.
For ICAP
Deploy 2 × y scanners. Configure each scanner's ICAP scan thread count to 20 × * × z threads.
For NetApp
Deploy 2 × y scanners. Configure each scanner's NetApp scan thread count to 50 × * × z threads.
IMPORTANT: The asterisk (*) in the above formulas represents the maximum number of simultaneous requests expected from each discrete filer IP address. The filer vendor must supply this number, based on how many simultaneously outstanding scan requests the filer's operating system version issues from a discrete filer IP address.
ENSSP ICAP and RPC scanners can each be configured with a maximum of 800 threads. These threads act as buffers for incoming rushes of requests. This thread count doesn't indicate how many scan threads can be handled in a manner conducive to performance.
Test in the working environment. If the sum of the 'threads used' counter in the default log ICAPStats_Activity.log and the 'threads used' counter in NetAppStats_Activity.log is consistently at or above 40 across many logging increments, the server is under stress (how much depends on the robustness of the ENSSP scanner's physical hardware). To distribute the load so that service dropouts don't occur during peak load periods, consider adding ENSSP scanners.
NOTE: If the scanner only scans ICAP or NetApp filers, only the ICAPStats_Activity.log or the NetAppStats_Activity.log, respectively, needs to be considered.
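The sizing formulas and the 'threads used' stress rule above, worked through as an added example. This is not Trellix code and does not read the real ICAPStats_Activity.log or NetAppStats_Activity.log files; it takes the per-increment 'threads used' values as already-extracted lists, and the length of the window used to judge "consistently in use over many logging increments" is an assumption, since the article gives no number. The 800-thread ceiling, the 20 and 50 multipliers, and the 40-thread stress threshold are the article's own values.

```python
"""Added example (not Trellix's code): ENSSP scanner sizing and thread-stress check."""
from dataclasses import dataclass
from typing import List, Optional, Sequence

MAX_THREADS_PER_SCANNER = 800   # configurable ceiling per ICAP or RPC scanner (from the article)
STRESS_THRESHOLD = 40           # combined 'threads used' that signals server stress (from the article)
THREADS_PER_REQUEST = {"icap": 20, "netapp": 50}   # multipliers from the ICAP and NetApp formulas


@dataclass
class SizingPlan:
    scanners: int             # number of ENSSP scanners to deploy (2 per physical filer)
    threads_per_scanner: int  # scan thread count to configure on each scanner
    capped: bool              # True when the formula exceeded the 800-thread ceiling


def plan_scanners(protocol: str, filers: int, filer_ips: int,
                  max_simultaneous_per_ip: int) -> SizingPlan:
    """Apply the article's formula: 2 * y scanners, threads = factor * (*) * z, capped at 800.

    filers                  -> y, number of physical filers
    filer_ips               -> z, discrete filer IP addresses that send scan requests
    max_simultaneous_per_ip -> the asterisk (*), supplied by the filer vendor
    """
    if filers < 1 or filer_ips < 1 or max_simultaneous_per_ip < 1:
        raise ValueError("filers, filer_ips and max_simultaneous_per_ip must be positive")
    factor = THREADS_PER_REQUEST[protocol.lower()]   # KeyError for an unknown protocol
    wanted = factor * max_simultaneous_per_ip * filer_ips
    return SizingPlan(
        scanners=2 * filers,
        threads_per_scanner=min(wanted, MAX_THREADS_PER_SCANNER),
        capped=wanted > MAX_THREADS_PER_SCANNER,
    )


def combined_threads_used(icap: Optional[Sequence[int]],
                          netapp: Optional[Sequence[int]]) -> List[int]:
    """Add the ICAPStats and NetAppStats 'threads used' counters per logging increment.

    A scanner that serves only one filer type passes None for the other log (the NOTE above).
    """
    if icap is None and netapp is None:
        raise ValueError("at least one log's counters must be supplied")
    if icap is None:
        return list(netapp)
    if netapp is None:
        return list(icap)
    if len(icap) != len(netapp):
        raise ValueError("both logs must cover the same logging increments")
    return [a + b for a, b in zip(icap, netapp)]


def is_stressed(icap: Optional[Sequence[int]], netapp: Optional[Sequence[int]],
                window: int = 6) -> bool:
    """True when the combined counter is >= 40 in every one of the last `window` increments.

    `window` (how many increments count as "consistently") is an assumption of this example.
    Fewer samples than the window is treated as "not enough history", not as stress.
    """
    totals = combined_threads_used(icap, netapp)
    if len(totals) < window:
        return False
    return all(t >= STRESS_THRESHOLD for t in totals[-window:])


if __name__ == "__main__":
    # Constructed sample environment: 3 physical filers, 4 filer IPs, vendor says
    # at most 2 outstanding scan requests per IP.
    print(plan_scanners("icap", filers=3, filer_ips=4, max_simultaneous_per_ip=2))
    print(plan_scanners("netapp", filers=1, filer_ips=10, max_simultaneous_per_ip=2))
    # Constructed 'threads used' samples for six consecutive logging increments.
    icap_samples = [10, 12, 15, 14, 13, 12]
    netapp_samples = [30, 31, 30, 29, 28, 30]
    print("stressed:", is_stressed(icap_samples, netapp_samples))
```

The NetApp case in the usage section deliberately overshoots the 800-thread ceiling (50 × 2 × 10 = 1000) so the plan reports `capped=True`; per the article that ceiling is a burst buffer, not a throughput figure, so a capped result is a cue to add scanners rather than to trust the 800 threads.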