The following environmental prerequisites and best practices apply to all versions:
Make sure that the storage appliances are registered within ENSSP or VSES using their static IP addresses, and not their DNS names.
When NetApp C-Mode is configured under any of the following names, the storage appliance that you register is the NetApp Data ONTAP Antivirus Connector, reachable at the local loopback address 127.0.0.1:
- Clustered Data ONTAP
- CDOT
- 8-Mode
- Cluster Mode
Using a local loopback address avoids the following:
- Excessive DNS lookup times
- DNS lookup failures because of DNS server outages
- Use of Kerberos when running in an incompletely provisioned DNS environment
Establish the following service dependencies and recovery options:
Set these services to restart on any failure count:
- ENSSP: MMSinfo handles the service start; you don't need to set a dependency. You can check the status of mfedsp from an elevated command prompt:
C:\Program Files\Common Files\McAfee\SystemCore>mmsinfo.exe -query mfedsp
SERVICE_NAME: mfedsp
SERVICE_STATUS SERVICE_RUNNING
- VSES:
- VSES service
- VSES Monitor service
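The following PowerShell script is an added example and isn't part of this article or of the product. It configures the two VSES services to restart on every failure and then reports their recovery settings and current state. The first service name is taken from the registry key shown later in this article; the second is a placeholder that you must replace with the actual VSES Monitor service name on your scanner server.

```powershell
# Added example (not from the article): set the VSES services to restart on any failure.
# Service names are assumptions: the first matches the registry key quoted in the article,
# the second is a placeholder for the VSES Monitor service.
$services = @(
    'McAfee VirusScan Enterprise for Storage',
    '<VSES-Monitor-service-name>'   # placeholder, replace with the real service name
)

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$name' not found; skipping."
        continue
    }

    # Three restart actions, 60 seconds apart; the failure counter resets after one day (86400 s).
    sc.exe failure "$name" reset= 86400 actions= restart/60000/restart/60000/restart/60000 | Out-Null

    # Also count a stop with a non-zero exit code as a failure
    # (the "Enable actions for stops with errors" check box in the Services console).
    sc.exe failureflag "$name" 1 | Out-Null

    # Show the resulting recovery configuration and the current service state.
    sc.exe qfailure "$name"
    Get-Service -Name $name | Select-Object Name, Status, StartType
}
```

Run the script from an elevated PowerShell prompt; `sc.exe failure` and `sc.exe failureflag` need administrative rights. ENSSP doesn't need this treatment because MMSinfo handles the mfedsp service start, as described above.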
There are three connection types that a storage appliance can use:
- ICAP - All storage appliances use ICAP, except those listed under the RPC and Shim connection types below
- RPC - NetApp 7-Mode, Hitachi HNAS in RPC Mode
- Shim - NetApp 8-Mode/C-Mode
NOTES:
- EMC Celerra and CAVA are shim-connected storage appliances, but they use ENS Threat Prevention rather than ENSSP, or VSE rather than VSES.
- For a list of supported storage appliances, see the articles below:
Criteria for the default Filer account to scan with ENSSP:
The default Filer account should meet the following criteria to scan a file with ENSSP:
- The user should be in the Privileged Users list to access files. For information about adding the domain/user account to the scanner pool, see the NetApp article on scanner pools.
- The provided domain/user should have interactive logon rights.
- The provided NetApp domain/user password shouldn't be greater than 40 characters.
To validate domain/user credentials from ENSSP:
- Launch the ENS console.
- Go to the Storage protection module Settings page.
- Under Connections, click Add, and enter the name of the Filer or IP address.
- Under "Default Administrator Account," enter the account details.
- Click Test Connection to validate the Filer credentials.
Determine whether to change the user account that the VSES service uses:
The installation-default user account SYSTEM (LocalSystem) that the VSES service uses might need to be changed. One of the following two scenarios applies and must be followed:
- Scenario One - Any deployment where RPC storage appliances aren't present (only ICAP storage appliances are present).
The VSES service must use the default installation-user account SYSTEM (LocalSystem). Confirm by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\McAfee VirusScan Enterprise for Storage
REG_SZ ObjectName = LocalSystem
- Scenario Two - Any deployment where RPC storage appliances are present (at least one RPC or Shim storage appliance is present).
Check A: The VSES service can't use the installation-default user account SYSTEM (LocalSystem). Confirm by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\McAfee VirusScan Enterprise for Storage
REG_SZ ObjectName NOT= LocalSystem
Check B: The user account that the VSES service uses must not be a local user account. To confirm, perform the following action:
- Open the Computer Management administrative tool.
- Go to System Tools, Local Users and Groups, Users. If an account named identically to the ObjectName determined above is in the Users folder, the service is using a local user account. The user account that the VSES service uses must instead be either an Active Directory Domain Administrator or Domain User account. To confirm, in the Active Directory Users and Computers administrative tool, search the appropriate Active Directory container objects to find the user account determined by the ObjectName above.
Check C: If the user account that the VSES service uses is a Domain User account (Domain Administrator/Domain User), it must satisfy the criteria below:
- Have read and write permissions on the filer.
- Be a member of the BUILTIN\Backup Operator group on the filer.
- Also be a member of the local Administrators group on the scanner server.
In the local and domain account, use the same ObjectName. This configuration prevents the service from using a local account.
To confirm, perform the steps below:
- Open the Computer Management administrative tool.
- Go to System Tools, Local Users and Groups, Groups, Administrators. The account determined from the ObjectName above must be in the local Administrators group.
Make sure that the Group Policy object "Allow Local System to use computer identity for NTLM" is disabled:
You might see the following error frequently in the Event Management System (EMS) log. This issue occurs if the Group Policy object "Allow Local System to use computer identity for NTLM" is enabled.
[DemoCluster: kernel: Nblade.vscanBadUserPrivAccess:error]: For Vserver "CIFS01", the attempt to connect to the privileged ONTAP_ADMIN$ share by the client "10.10.10.55" is rejected because its logged-in user "demo\av-scanner01$" is not configured in any of the Vserver active scanner pools.
To resolve the issue, disable the following Group Policy setting on the Windows Server: "Network security: Allow Local System to use computer identity for NTLM."
For more information, see the NetApp article on error vscanBadUserPrivAccess.
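The following PowerShell script is an added example and isn't part of this article or of the product. It audits the scanner server against the Scenario One / Scenario Two checks above (the ObjectName value, the local-user check, and the local Administrators membership) and against the "Allow Local System to use computer identity for NTLM" policy. It assumes that the VSES service name equals the registry key name quoted in the article, and that the policy state is reflected by the UseMachineId value under the Lsa key (1 = enabled), which is the registry value that backs that policy setting. Filer-side requirements (read/write permissions and BUILTIN\Backup Operators membership on the filer) can't be checked from the scanner server and aren't covered.

```powershell
# Added example (not from the article): audit the VSES service account and the NTLM
# computer-identity policy. Run from an elevated PowerShell prompt on the scanner server.
# Assumptions: service name = the registry key name shown in the article;
# policy state = HKLM\SYSTEM\CurrentControlSet\Control\Lsa\UseMachineId (1 = enabled).
param(
    # Set this switch when at least one RPC or Shim storage appliance is present (Scenario Two).
    [switch]$RpcAppliancesPresent
)

$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\McAfee VirusScan Enterprise for Storage'
$objectName = (Get-ItemProperty -Path $svcKey -Name ObjectName).ObjectName
$findings = @()

if (-not $RpcAppliancesPresent) {
    # Scenario One: only ICAP appliances, so the service must run as LocalSystem.
    if ($objectName -ne 'LocalSystem') {
        $findings += "Scenario One: ObjectName is '$objectName'; expected LocalSystem."
    }
}
else {
    # Scenario Two, Check A: LocalSystem isn't allowed.
    if ($objectName -eq 'LocalSystem') {
        $findings += 'Scenario Two, Check A: the service runs as LocalSystem.'
    }
    else {
        # Check B: the account must not be a local user. A ".\user" or "COMPUTERNAME\user"
        # prefix, or a matching entry in Local Users, means a local account is in use.
        $userPart = ($objectName -split '\\')[-1]
        $localPrefix = $objectName -match '^\.\\' -or $objectName -match "^$env:COMPUTERNAME\\"
        $localUser = Get-LocalUser -Name $userPart -ErrorAction SilentlyContinue
        if ($localPrefix -or $localUser) {
            $findings += "Check B: '$objectName' resolves to a local user account."
        }

        # Check C: the domain account must be a member of the local Administrators group.
        $admins = Get-LocalGroupMember -Group 'Administrators' |
            Select-Object -ExpandProperty Name
        if ($admins -notcontains $objectName) {
            $findings += "Check C: '$objectName' isn't a member of the local Administrators group."
        }
    }
}

# Policy "Network security: Allow Local System to use computer identity for NTLM".
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name UseMachineId -ErrorAction SilentlyContinue
if ($lsa -and $lsa.UseMachineId -eq 1) {
    $findings += 'Policy "Allow Local System to use computer identity for NTLM" is enabled; disable it.'
}

if ($findings.Count -eq 0) { 'All checks passed.' } else { $findings }
```

Run the script without the switch for an ICAP-only deployment, or with `-RpcAppliancesPresent` when any RPC or Shim appliance is registered. Each finding maps back to the check in this article that it fails, so the output can be used as a remediation list before the Nblade.vscanBadUserPrivAccess error shows up in the EMS log.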