Trouble with ICAP AV scanning using McAfee VirusScan Enterprise for Storage

[Pedro Pagan]

Hello all,

Does anyone have experience getting on-close ICAP AV scanning to work using "McAfee VirusScan Enterprise for Storage"? We're having trouble with TCP buffer overruns on our scan servers and the Isilon handles it poorly (it produces IO errors for our end users).

We did packet captures while running a constant low-throughput test scan. Even at <1MB/s to a dedicated 2.3GhZ quad-core, 6G RAM, 10G link scan server, TCP Zerowindow errors. MTUs match and I've tried increasing the Rx buffers to no avail. The server stats show that its resources are barely being touched while scanning. This happens on both hardware and VM environments running Windows Server 2012. The Isilons used in testing were running 7.1.1.2 and 7.1.1.4.

Is there a way to get the Isilon to throttle its scans as the Rx buffer fills? Any idea on why the scan server's Rx buffer is filling in the first place?

Thanks,

PJ

[Peter Serocka]

You have probably seen this document for Isilon AVscan sizing

considerations:

https://support.emc.com/docu45800_White-Paper:-Antivirus-Solutions-With-EMC-Isilon-Scale-Out-NAS-.pdf?language=en_US

There is also an older KB article (KB88861, ICAP and AVScan performance and server considerations)

which explicitly mentions some kinde of load throttling on the Isilon side:

<avscand-worker-count><value></avscand-worker-count>

Sets the amount of threads per node that can be sent to the ICAP server.

20

to be set in the file  /etc/mcp/override/avscan.xml 

I just checked and found this file still exists in OneFS 7.2,

but better check with EMC whether the advise from

the KB article is still valid. I'd be in good hope for this.

Cheers

-- Peter

--
You received this message because you are subscribed to the Google Groups "Isilon Technical User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isilon-user-gr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Pedro Pagan]

Hey Peter,

Thanks for the links, but that's one of the earliest things I've tried. No success with it though. The way I set up my most recent test is to force a single node to send only 1MB/s of data. If the scans consistently succeed with such a small amount a data I can't image a full scale scan succeeding even with worker thread tweaks...