March 4, 2012

Debugging EMC Celerra CAVA scanning in the logs

While exploring a CAVA issue with an EMC support guy, I had the opportunity to learn more about this often under-documented but important security feature of Celerra.

CAVA-related actions are all recorded in the server logs. By default, only file writes are logged because it is assumed that only write operations can introduce a virus into the NAS storage.

It is possible to have file reads logged as well by turning on debugging for CAVA scanning. This is disabled by default (as EMC recommends) because of three impacts on the Celerra system:
  1. The system resources (or overhead) for CAVA scanning operations will increase because every single CAVA scan operation will be logged.
  2. Files can only be accessed after the CAVA scan entries are logged.
  3. The server log size will also increase a lot as a result. This may cause other important log entries to get overwritten or missed by storage administrators.




When debugging is disabled for CAVA scans, only warnings and errors are recorded when CAVA scans file writes.

Below is an example of what the server logs look like with debugging turned on:


2007-06-19 14:04:15: VC: 4:[vdm_1] UNC='\\NLU11002\CHECK$\root_vdm_1\fs01\test_virenscan\eicar12.exe'
2007-06-19 14:04:15: VC: 4:[vdm_1] ------> waiting to be checked
2007-06-19 14:04:15: VC: 4: (av004) UNC='\root_vdm_1\fs01\test_virenscan\eicar12.exe'
2007-06-19 14:04:15: VC: 4: ------> Sent to checker <ip address>
2007-06-19 14:04:15: VC: 4: (av004) UNC='\root_vdm_1\fs01\test_virenscan\eicar12.exe'
2007-06-19 14:04:15: VC: 4: ------> Checker <ip address> answers SUCCESS
2007-06-19 14:04:15: VC: 4: ------> File status=OK
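
To follow individual files through a large debug log, the entries above can be grouped per file. The script below is an added example, not part of the original post and not an EMC tool. It assumes the line layout shown above, that the `\\server\CHECK$` prefix can be stripped to match later entries for the same file, and that a file without a `File status=OK` line deserves a second look. The last two sample lines are constructed.

```python
import re

# First eight lines are the debug output shown in the post (checker address is
# a placeholder there too); the last two lines are constructed for the example.
SAMPLE = r"""
2007-06-19 14:04:15: VC: 4:[vdm_1] UNC='\\NLU11002\CHECK$\root_vdm_1\fs01\test_virenscan\eicar12.exe'
2007-06-19 14:04:15: VC: 4:[vdm_1] ------> waiting to be checked
2007-06-19 14:04:15: VC: 4: (av004) UNC='\root_vdm_1\fs01\test_virenscan\eicar12.exe'
2007-06-19 14:04:15: VC: 4: ------> Sent to checker <ip address>
2007-06-19 14:04:15: VC: 4: (av004) UNC='\root_vdm_1\fs01\test_virenscan\eicar12.exe'
2007-06-19 14:04:15: VC: 4: ------> Checker <ip address> answers SUCCESS
2007-06-19 14:04:15: VC: 4: ------> File status=OK
2007-06-19 14:04:16: VC: 4:[vdm_1] UNC='\\NLU11002\CHECK$\root_vdm_1\fs01\test_virenscan\sample.doc'
2007-06-19 14:04:16: VC: 4:[vdm_1] ------> waiting to be checked
"""

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): VC: \d+:\s*(?P<body>.*)$")
UNC = re.compile(r"UNC='(?P<path>[^']*)'")
SHARE_PREFIX = re.compile(r"^\\\\[^\\]+\\CHECK\$")  # \\server\CHECK$ (assumed from the sample)

def parse_scans(text):
    """Group '------>' events under the most recent UNC line, keyed by file path."""
    scans, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a VC (virus checker) entry
        body = m.group("body")
        u = UNC.search(body)
        if u:
            current = SHARE_PREFIX.sub("", u.group("path"))
            scans.setdefault(current, {"first_seen": m.group("ts"), "events": [], "status": None})
            continue
        if current is None or "------>" not in body:
            continue
        event = body.split("------>", 1)[1].strip()
        scans[current]["events"].append(event)
        if event.startswith("File status="):
            scans[current]["status"] = event.split("=", 1)[1]
    return scans

def needs_attention(scans):
    """Paths whose scan never reached 'File status=OK' (hypothetical triage rule)."""
    return [path for path, rec in scans.items() if rec["status"] != "OK"]
```
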



