I have been asked about this 4 times in the past week: “How do I set up CAVA on the Celerra?” I actually thought there must have been a post somewhere in the bloggy universe about CAVA, but I couldn’t find anything, so I think it’s time to fix that. Also, I’m supposed to be studying for this bloody CCNA exam I failed by 3 points, but that can wait.
CAVA stands for Celerra Anti Virus Agent, which is exactly what it says: it’s Anti Virus for your little (or big) NAS box. It has actually changed its name a little; if you are looking for it on EMC Powerlink, it’s now called Celerra Event Enabler (CEE) CAVA. Don’t ask me why.
Even though there isn’t much to set up with CAVA, it’s quite an important part of your NAS solution and if implemented wrong it can affect your performance (on the NAS, not the bedroom – don’t stress). It’s useful to know how it scans your files and essential to know how to troubleshoot it and check its performance.
I’m going to break this up into three posts:
What is CAVA? (this post)
CAVA Considerations and basic setup
CAVA troubleshooting (which is really why I am doing this)
The official spiel is this:
The EMC® Celerra® AntiVirus Agent (CAVA) provides an antivirus solution to clients using an EMC Celerra Network Server using industry-standard CIFS (Common Internet File System) protocols, in a Microsoft Windows server. CAVA uses third-party antivirus software to identify and eliminate known viruses before they infect files on the storage system.
Clear as mud? Here is a pretty picture of the main parts.
So, here are the main points and I’ll expand on some of it later:
CAVA is a combination of a process that runs on the Celerra and a Windows server running an AntiVirus (AV) engine like Symantec or Trend, with a CAVA agent to handle the conversation between them.
CAVA is CIFS only.
A service account needs to be created in your AD domain (e.g. svc_cava). This user must be a local admin on the AV server, and must also have VirusChecking rights on the CAVA CIFS server.
The Windows server runs a CAVA agent that allows the Celerra and AV engine to get all close and personal and chat about the weather. The EMC CAVA service must be changed to “Run As” the service account.
A CIFS server must be created to facilitate the scans. This is the CAVA CIFS server and is in addition to your existing production CIFS servers.
Notice I used the word facilitate in the previous post. Yeah I know, awesome.
This next statement is very important: the CAVA CIFS server MUST run on the physical data mover. It cannot be in a VDM (Virtual Data Mover). This rule is only for the CAVA CIFS server; your other CIFS servers can go where you please. Except the pub, ’cause they can’t hold their liquor: one drink and they’re CIFS faced.
You need to configure the viruschecker.conf file on the data mover. This can be done by uploading a txt file, or using the EMC Celerra MMC*.
The Windows AV engine can be a VM, but it can be network intensive. You should have at least 2 for redundancy and support. CAVA will load balance VC scans across the two.
EMC best practice is that nothing else runs on these servers EXCEPT the AV engine and CAVA service.
* Celerra AntiVirus Configuration Management snap-in: A Microsoft Management Console (MMC) snap-in to the Celerra Management Console. You can use the Celerra AntiVirus Configuration Management snap-in with CAVA and a third-party AV engine. It’s also used to configure Home Directories (homedir) and user permissions. It can be installed on any Windows machine in the domain. It’s located on the Celerra Tools CD.
As of 15/Oct/2010 CAVA supports the following AV providers
So, how does CAVA scanning work?
User performs an action that meets checking condition (a write, access time etc).
Data Mover sends a check file request to CAVA service.
CAVA opens file, queries it and sends file signature to the AV server. For compressed files, the entire file is sent to the AV server.
CAVA closes the file and sends response back to data mover.
File is released to the user like a tiny butterfly fluttering gently over the interweb searching desperately for a funny cat picture.
Some common events that will trigger a virus check event:
Modifying & Closing an existing file.
Creating and saving a file.
Moving or Copying a file.
Restoring a file from backup.
Renaming a file with different extension.
Scan on Read if Access time is earlier than reference time for CIFS clients. This means that if a file has been scanned before, and a new virus definition has been downloaded, then that file will be scanned again when the file is read. How often your virus definitions are updated by your AV provider can be configured in your AV software.
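To make the scan-on-read rule concrete, here is a small Python model of the trigger decision. It is an added example, not EMC code: the class names, the event labels, the round-robin server choice and the rule that every access refreshes the access time are assumptions made for the sketch.

```python
from dataclasses import dataclass, field
from itertools import cycle

# Labels chosen for this sketch for the write-type triggers the post lists.
WRITE_EVENTS = {"modify_close", "create_save", "move_copy", "restore", "rename_ext"}

@dataclass
class File:
    name: str
    atime: float  # last access time (plain numbers stand in for timestamps)

@dataclass
class DataMover:
    av_servers: list             # Windows servers running the AV engine + CAVA
    reference_time: float = 0.0  # moved forward when new definitions arrive
    log: list = field(default_factory=list)

    def __post_init__(self):
        # Assumption: round-robin stands in for "load balance across the two".
        self._next = cycle(self.av_servers)

    def definitions_updated(self, now):
        self.reference_time = now

    def needs_scan(self, f, event):
        if event in WRITE_EVENTS:
            return True
        # Scan on read: access time earlier than the reference time.
        return event == "read" and f.atime < self.reference_time

    def handle(self, f, event, now):
        """Return the AV server asked to check the file, or None if no scan."""
        server = next(self._next) if self.needs_scan(f, event) else None
        if server:
            self.log.append((now, f.name, event, server))
        f.atime = now  # assumption: every access refreshes the access time
        return server

def demo():
    dm = DataMover(["av1", "av2"], reference_time=100)
    f = File("report.doc", atime=50)          # constructed sample file
    out = [dm.handle(f, "read", 110),         # stale atime -> scanned
           dm.handle(f, "read", 120)]         # already checked -> no scan
    dm.definitions_updated(200)               # new virus definitions
    out += [dm.handle(f, "read", 210),        # stale again -> rescanned
            dm.handle(f, "read", 220),
            dm.handle(f, "modify_close", 230)]  # writes always trigger a check
    return out

if __name__ == "__main__":
    print(demo())
```

The point to take away is the third call: a definition update makes every previously scanned file eligible for a rescan on its next read, which is why frequent definition updates show up as extra load on the AV servers.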
For a more detailed description of the steps and points here, the Using Celerra AntiVirus Agent documentation is a great document, and it has guides for installing and configuring CAVA for all the AV vendors. https://community.emc.com/docs/DOC-4664
I’m working on the next two posts now…