antivirus softwarevirus scanning This chapter provides information about using antivirus software, and covers the following topics:About Virus Scanning About the Vscan Service Using the Vscan Service virus scanningfiles Data is protected from viruses by a scanning service, vscan, that uses various scan engines. A scan engine is a third-party application, residing on an external host, that examines a file for known viruses. A file is a candidate for virus scanning if the file system supports the vscan service, the service has been enabled, and the type of file has not been exempted. The virus scan is then performed on a file during open and close operations if the file has not been scanned with the current virus definitions previously or if the file has been modified since it was last scanned.The vscan service can be configured to use multiple scan engines. It is recommended that the vscan service use a minimum of two scan engines. The requests for virus scans are distributed among all available scan engines. Table 4–1 shows the scan engines that are supported when configured with their most recent patch. virus scanningengines Antivirus Software ICAP Support Symantec Antivirus Scan Engine 4.3 Is supported Symantec Antivirus Scan Engine 5.1 Is supported Computer Associates eTrust AntiVirus 7.1Computer Associates Integrated Threat Management 8.1 Is not supportedRequires installation of the Sun StorageTek 5000 NAS ICAP Server for Computer Associates Antivirus Scan Engine. Get the package from the Sun Download Center:. Trend Micro Interscan Web Security Suite (IWSS) 2.5 Is supported McAfee Secure Internet Gateway 4.5 Is supported virus scanningdescribed The benefit of the real-time scan method is that a file is scanned with the latest virus definitions before it is used. By using this approach, viruses can be detected before they compromise data.The following describes the virus scanning process:When a user opens a file from the client, the vscan service determines whether the file needs to be scanned, based on whether the file has been scanned with the current virus definitions previously and if the file has been modified since it was last scanned.If the file needs to be scanned, the file is transferred to the scan engine. If a connection to a scan engine fails, the file is sent to another scan engine. If no scan engine is available, the virus scan fails and access to the file might be denied. If the file does not need to be scanned, the client is permitted to access the file. The scan engine scans the file using the current virus definitions.If a virus is detected, the file is marked as quarantined. A quarantined file cannot be read, executed, or renamed but it can be deleted. The system log records the name of the quarantined file and the name of the virus and, if auditing has been enabled, an audit record with the same information is created. If the file is not infected, the file is tagged with a scan stamp and the client is permitted to access the file. virus scanningconfiguring Scanning files for viruses is available when the following requirements are met:At least one scan engine is installed and configured. The files reside on a file system that supports virus scanning. Virus scanning is enabled on the file system. The vscan service is enabled. The vscan service is configured to scan files of the specified file type. The following table points to the tasks you perform to set up the vscan service.Task Description For Instructions Install a scan engine. Install and configure one or more of the supported third-party products listed in Table 4–1. See the product documentation. Enable the file system to allow virus scans. Use the file system command to enable virus scans if necessary. For example, scans are disabled by default in the ZFS file system. How to Enable Virus Scanning on a File System Enable the vscan service. Use the svcadm1M command to start the scan service. How to Enable the Vscan Service Add a scan engine to the vscan service Use the vscanadm1M command with its add-engine subcommand to include the scan engine in the vscan service. How to Add a Scan Engine Configure the vscan service. Use the vscanadm1M command to view and change vscan properties. How to View Vscan PropertiesHow to Change Vscan Properties Configure the vscan service for specific file types. Use the vscanadm1M command to set the file type. How to Exclude Files From Virus Scans file systemsscanning for viruses Use the file system command to allow virus scans of files. For example, to include a ZFS file system in a virus scan, use the zfs1M command. &rolestepz;Enable virus scanning on a ZFS file system, for example, pool/volumes/vol1.# zfs set vscan=on path/pool/volumes/vol1 file systemsenabling virus scanning &rolestepv;Use the svcadm1M command to enable virus scanning.# svcadm enable vscan file systemsadding a virus scan engine &rolestepv;To add a scan engine to the vscan service with default properties, type:#vscanadm add-engine engine_IDSee the manpage for the vscanadm1M command for a description of the command. View the properties of the vscan service, of all scan engines, or of a specific scan engine.To view the properties of a particular scan engine, type:# vscanadm get-engine engineID To view the properties of all scan engines, type:# vscanadm get-engine To view one of the properties of the vscan service, type:# vscanadm get -p propertywhere property is one of the parameters described in the manpage for the vscanadm1M command.For example, if you want to see the maximum size of a file that can be scanned, type:# vscanadm get max-size You can change the properties of a particular scan engine and the general properties of the vscan service. Many scan engines limit the size of the files they scan, so the vscan service's max-size property must be set to a value less than or equal to the scan engine's maximum allowed size. You then define whether files that are larger than the maximum size, and therefore not scanned, are accessible. &rolestepv;View the current properties by using the vscanadm show command. Set the maximum size for virus scans to, for example, 128 megabytes.# vscanadm set -p max-size=128M Specify that access is denied to any file that is not scanned due to its size.# vscanadm set -p max-size-action=denySee the manpage for the vscanadm1M command for a description of the command. file systemsexcluding files from virus scans When you enable antivirus protection, you can specify that all files of specific types are excluded from the virus scan. Because the vscan service affects the performance of the system, you can conserve system resources by targeting specific file types for virus scans. &rolestepv;View the list of all file types included in the virus scan.# vscanadm get -p types Specify the types of files to be scanned for virus:Exclude a specific file type, for example the JPEG type, from the virus scan.# vscanadm set -p types=-jpg,+* Include a specific file type, for example executable files, in the virus scan.# vscanadm set -p types=+exe,-* See the manpage for the vscanadm1M command for a description of the command.