EMC CEE 6.4 Using The Common Event Enabler For Windows - Dell


EMC CEE
Version 6.4

Using the Common Event Enabler for Windows
P/N 300-000-085 REV. 04

Copyright 2011-2014 EMC Corporation. All rights reserved. Published in USA.

Published June, 2014

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC², EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners.

For the most up-to-date regulatory document for your product line, go to EMC Online Support (https://support.emc.com).

EMC Corporation
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.EMC.com

CONTENTS

Preface

Chapter 1  Introduction
    System requirements
    Restrictions
    User interface choices
    Related information

Chapter 2  Concepts
    AntiVirus partners
    CAVA and Data Mover/NAS server
    CAVA features
    Load balancing and fault tolerance
    Scan-on-first-read
    Updating virus definition files
    Scan on write
    CAVA sizing tool
    CAVA Calculator
    Virus-checking continuation
    Scanning after definition file update (manual process)
    Virus-checking client
    The cepp.conf file
    Assign rights
    Support for third-party applications

Chapter 3  Installing Third-Party Application Antivirus Engines
    Computer Associates eTrust
    F-Secure AntiVirus
    Kaspersky Anti-Virus
    McAfee VirusScan
    Microsoft Forefront Endpoint Protection 2010
    Microsoft System Center 2012 Endpoint Protection
    Sophos Anti-Virus
    Symantec Endpoint Protection
    Set Symantec Endpoint Protection options
    Set Windows Service Control Manager options
    Symantec Protection Engine
    Setting exclusions
    Setting container handling policies
    Modifying LimitChoiceStop settings
    Trend Micro ServerProtect
    Install Trend Micro ServerProtect

Chapter 4  Installing the Common Event Enabler
    Install CEE
    Complete the CEE installation for Windows Server
    Uninstall CEE

Chapter 5  Configuring the Domain User Account
    Domain user account overview
    Determine the interface name on the Data Mover
    Create a domain user account
    Create with Active Directory on a Windows Server
    Create from User Manager for Domains
    Create a local group on each Data Mover
    Assign the EMC virus-checking right to the group
    Assign local administrative rights to the AV user

Chapter 6  Configuring viruschecker.conf
    Create and edit viruschecker.conf
    Define AV machine IP addresses in viruschecker.conf
    Send viruschecker.conf to the Data Mover
    (Optional) Define VC scanning criteria
    viruschecker.conf parameters

Chapter 7  Configuring the Event Publishing Agent
    Create the cepp.conf file

Chapter 8  Managing the VC Client
    Start the VC client
    Stop the VC client
    Update the viruschecker.conf file
    Verify the installation

Chapter 9  Managing CAVA
    (Optional) Install VNX File CIFS Management snap-in
    Display virus-checking information
    Audit virus-checking information
    Start, stop, and restart CAVA
    Perform a full file system scan
    Verify the status of a file system scan
    Stop a file system scan
    Enable scan-on-first-read
    Update virus definition files
    Turn off the AV engine
    Turn on the AV engine
    Manage CAVA thread usage
    Adjust the maxVCThreads parameter
    View the application log file from a Windows Server
    Enable automatic virus detection notification
    Customize virus-checking notification
    Customize notification messages

Chapter 10  Managing the Registry and AV Drivers
    EMC CAVA configuration Registry entries
    EMC AV driver Registry entry
    Manage the EMC AV driver

Chapter 11  Managing the Event Publishing Agent
    Edit the cepp.conf file
    Assign rights in Windows Server
    Start the CEPA facility
    Verify the CEPA status
    Stop the CEPA facility
    Display the CEPA facility properties
    Display the CEPA facility statistics
    Display detailed information for a CEPA pool

Chapter 12  Managing VCAPS
    Set up access

Chapter 13  Managing CEE for RabbitMQ
    Set up CEE for RabbitMQ

Chapter 14  Monitoring and Sizing the Antivirus Agent
    Install the CAVA Calculator
    Start the CAVA Calculator
    Uninstall the CAVA Calculator
    Configure the sizing tool
    Enable the sizing tool
    Create the cavamon.dat file
    Start the sizing tool
    Size the antivirus agent
    (Optional) Gather AV statistics with cavamon.vbs

Chapter 15  Third-Party Consumer Applications
    Overview
    Set up consumer application access

Chapter 16  Troubleshooting
    EMC E-Lab Interoperability Navigator
    VNX user customized documentation
    Error messages
    Known problems
    EMC Training and Professional Services

Index

Preface

As part of an effort to improve and enhance the performance and capabilities of its product lines, EMC periodically releases revisions of its hardware and software. Therefore, some functions described in this document may not be supported by all versions of the software or hardware currently in use. For the most up-to-date information on product features, refer to your product release notes.

If a product does not function properly or does not function as described in this document, please contact your EMC representative.

Special notice conventions used in this document

EMC uses the following conventions for special notices:

DANGER
Indicates a hazardous situation which, if not avoided, will result in death or serious injury.

WARNING
Indicates a hazardous situation which, if not avoided, could result in death or serious injury.

CAUTION
Indicates a hazardous situation which, if not avoided, could result in minor or moderate injury.

NOTICE
Addresses practices not related to personal injury.

Note
Presents information that is important, but not hazard-related.

Where to get help

EMC support, product, and licensing information can be obtained as follows:

• Product information—For documentation, release notes, software updates, or for information about EMC products, licensing, and service, go to EMC Online Support (registration required) at http://Support.EMC.com.
• Troubleshooting—Go to EMC Online Support at http://Support.EMC.com. After logging in, locate the applicable Support by Product page.
• Technical support—For technical support and service requests, go to EMC Customer Service on EMC Online Support at http://Support.EMC.com. After logging in, locate the applicable Support by Product page, and choose either Live Chat or Create a service request. To open a service request through EMC Online Support, you must have a valid support agreement. Contact your EMC sales representative for details about obtaining a valid support agreement or with questions about your account.

Note
Do not request a specific support representative unless one has already been assigned to your particular system problem.

Your comments

Your suggestions will help us continue to improve the accuracy, organization, and overall quality of the user publications.

Please send your opinion of this document to: techpubcomments@EMC.com

CHAPTER 1
Introduction

The EMC Common Event Enabler (CEE) framework is used to provide a working environment for the following facilities:

• Common AntiVirus Agent (CAVA), also referred to as an antivirus agent
• Common Event Publishing Agent (CEPA), which includes sub-facilities for auditing, content/quota management (CQM), and Common Asynchronous Publishing Service (VCAPS)

CAVA provides an antivirus solution for EMC systems (for example, the EMC VNX series). It uses industry-standard Common Internet File System (CIFS) protocols in a Microsoft Windows Server. CAVA uses third-party antivirus software to identify and eliminate known viruses before they infect files on the system (for example, the EMC VNX series). This document is intended for VNX CAVA customers. VNXe customers should refer to the VNXe documentation on EMC Online Support for specific CAVA information.

CEPA is a mechanism whereby applications can register to receive event notification and context from sources such as VNX. The event publishing agent delivers to the application both event notification and associated context in one message. Context may consist of file metadata or directory metadata needed to decide business policy.

The CEPA sub-facilities include:

• Auditing—A mechanism for delivering post-events to registered consumer applications in a synchronous manner. Events are delivered individually in real-time.
• CQM—A mechanism for delivering pre-events to registered consumer applications in a synchronous manner. Events are delivered individually in real-time, allowing the consumer application to exercise business policy on the event.
• VCAPS—A mechanism for delivering post-events in asynchronous mode. The delivery cadence is based on a time period or a number of events.
• MessageExchange—A mechanism for delivering post-events in asynchronous mode, when needed, without consumer use of the CEPA API. Events are published from CEPA to the RabbitMQ CEE Events exchange. A consumer application creates a queue for itself in the exchange from which it can retrieve events.

Note
If both CQM events and Auditing events are present, CEPA delivers events to the CQM application first, and then delivers events to the Auditing application.

While the CEE framework includes the CAVA and CEPA facilities and their associated sub-facilities, they can run independently of each other or run together.

This document is intended for use by customers who want to use consumer applications (such as for quotas or content type) to manage content stored on file systems.

Topics included are:

• System requirements
• Restrictions
• User interface choices
• Related information

System requirements

Table 1, System requirements, describes the EMC software, hardware, network, and storage configurations.

Table 1 System requirements

Software
    Microsoft Windows Server or any Windows operating system compatible with the vendor’s consumer application software.
    Two kits are available:
    - EMC CEE Pack Win32 xxxx for installation on Windows 32-bit operating systems
    - EMC CEE Pack x64 xxxx for installation on Windows 64-bit operating systems
    where xxxx is the software version number.
    You cannot install both a 32-bit and a 64-bit version of the software on the same machine.
    Note: Running CEE in the Windows on Windows (WOW) environment on a 64-bit platform is not supported.
    Search the EMC E-Lab Interoperability Navigator for consumer applications supported when using CEE, CAVA, and CEPA.

Hardware
    No specific hardware requirements.

Network
    The Windows network must contain a domain controller with Active Directory and DNS enabled.
    VNX and VNXe must be configured with the CIFS protocol. You cannot use a Virtual Data Mover (VDM) for the CIFS protocol. Configuring and Managing CIFS on VNX provides more information on configuring the CIFS protocol on a VNX. Using a VNXe System with CIFS File Systems provides more information on configuring the CIFS protocol on a VNXe.

Storage
    No specific storage requirements.

For the latest system requirements of CAVA, consult the website or documentation of the particular third-party AntiVirus (AV) engine manufacturer. The AV engine version can be different depending on the operating system.

For minimum system requirements of AV engines, contact the appropriate third-party vendor. The 64-bit CAVA agent cannot work with a 32-bit AV engine. If you are using a 32-bit AV engine, then you must use the 32-bit CAVA. Similarly, if you are using a 64-bit AV engine, then you must use the 64-bit CAVA.

Windows does not allow a 32-bit driver to be loaded on a 64-bit Windows operating system. When using CAVA with a 32-bit driver-based AV engine, you must load the AV engine and CAVA/CEE on a 32-bit Windows operating system.

System Requirements for Windows 8 and Windows Server 2012

Windows 8 and Windows Server 2012 install and enable by default the .NET Framework 4.5. However, the CEE Framework, "cava.exe", is a .NET Framework 3.5 service. You must enable .NET Framework 3.5. The Microsoft website contains instructions on enabling the .NET Framework 3.5 on Windows 8 and Windows 2012 at:

hh506443.aspx

Restrictions

The following are known limitations at the time of publication.

AV engines

Currently, no known limitations exist for the number of AV engines configured in the viruschecker.conf file. All AV engines are surveyed every 60 seconds (by default) to determine which AV engines are online and available. This implies that configuration with many AV engines can cause some delays due to network latency.

CAVA pool

Each VNX Data Mover or VNXe NAS server should have a CAVA pool consisting of a minimum of two CAVA servers. This is specified in the Data Mover’s or NAS server's viruschecker.conf file. Configuring viruschecker.conf provides more information.

CEPA pools

For post-events, you can define up to three CEPA pools in the cepp.conf file. For pre-events, you can define only one CEPA pool in the cepp.conf file.

Databases

You should not set up realtime scanning of databases. Accessing a database usually triggers a high number of scans, which in turn can cause a large amount of lag when accessing data.

To ensure that the database files are virus free, use the AV engine to schedule regular scans when the database is not in use.

File-level retention

EMC strongly recommends that the AV administrator updates the virus definition files on all resident AV engines in the CAVA pools, and periodically runs a full file system scan of the file system to detect infected file-level retention (FLR) files. Using VNX File-Level Retention provides detailed information about FLR files.

To run a full file scan from the Control Station, use the server_viruschk -fsscan command. When an infected FLR file is discovered, the resident AV engine records the presence of the infection and its location in the log file of the resident scan engine. Although an administrator cannot fix or remove the infected file, the file's read access can be restricted to make the file unavailable. The infected file can only be deleted after its retention date has passed.

The scan-on-first-read functionality of CAVA does not detect a virus in an FLR file.

Non-CIFS protocols

The EMC antivirus solution is only for the clients running the CIFS protocol. If NFS or FTP protocols are used to move or modify files, the files are not scanned for viruses.

Restricted Group GPO

CAVA requires the antivirus domain account (AV user account) to be in the local administrators group of the CIFS server. If the CIFS server has Restricted Group GPO enforced and the AV user account is removed from the local administrators group, after the next CAVA restart the status will change from ONLINE to AV NOT FOUND. To ensure that the CAVA status remains ONLINE, you must either include the corresponding AV user account in the Restricted Group, or remove the Restricted Group.

Windows Server 2008

If you are using Windows Server 2008, you must manually compile the cava.mof file while using the EMC cavamon sizing tool.

Configuration file

You must manually create the cepp.conf file before using the CEPA. Create the cepp.conf file provides details.

FTP protocol

CEPA is only for the clients that run either the CIFS or NFS protocol. If the FTP protocol is used to move or modify files, no events are processed or published for the files.

CAVA and CEPA servers

Each VNX Data Mover should have:

• A CAVA pool consisting of a minimum of two CAVA servers specified in the Data Mover’s viruschecker.conf file, or
• A CEPA pool consisting of a minimum of two CEPA servers specified in the Data Mover’s cepp.conf file

Each VNXe NAS server should have a CAVA pool consisting of a minimum of two CAVA servers specified in the NAS server’s viruschecker.conf file.

User interface choices

The system offers flexibility in managing networked storage based on the support environment and interface preferences. This guide describes how to configure CAVA and CEPA on a VNX by using the command line interface (CLI).

You can also perform some of these tasks by using the following management applications:

• Microsoft Management Console (MMC) snap-ins
• Active Directory Users and Computers (ADUC) extensions

Installing Management Applications on VNX for File includes instructions on launching EMC Unisphere software, and on installing the MMC snap-ins and the ADUC extensions.

For a VNX, this document also describes how to manually create a configuration file, assign the EMC Event Notification Bypass privilege to suppress third-party application events, and issue commands by using the CLI. The EMC VNX Command Line Interface Reference for File provides full descriptions of the commands.

Related information

Specific information related to the features and functionality described in this guide is included in:

• Parameters Guide for VNX for File
• Managing a Multiprotocol Environment on VNX
• Configuring and Managing CIFS on VNX
• EMC VNX Command Line Interface Reference for File
• VNX for File man pages
• Microsoft website for Windows Management Instrumentation (WMI) information
• Computer Associates eTrust Threat Management Agent documentation
• F-Secure AntiVirus documentation
• Kaspersky Anti-Virus for Windows Servers Enterprise Edition documentation
• McAfee VirusScan documentation
• Microsoft Forefront Endpoint Protection 2010 documentation
• Microsoft System Center 2012 Endpoint Protection documentation
• Sophos Anti-Virus documentation
• Symantec Endpoint Protection documentation
• Trend Micro ServerProtect for EMC documentation

EMC VNX documentation on EMC Online Support

The complete set of EMC VNX series customer publications is available on EMC Online Support. To search for technical documentation, go to http://Support.EMC.com. After logging in to the website, click Support by Product and type VNX series in the Find a Product text box. Then search for the specific feature required.

Use of the term Windows Server

The term Windows Server is used in the document to depict both Windows Server 2003 and Windows Server 2008 operating systems.
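The host-side rules from the System requirements section (kit bitness must match the operating system, CEE is not supported under WOW, and .NET Framework 3.5 must be enabled on Windows 8 and Windows Server 2012) can be checked before CEE is installed. The following PowerShell is an added example, not part of the EMC documentation; the function name Test-CeeHostPrereq and its -Kit parameter are hypothetical, and it assumes PowerShell 3.0 or later run on the intended CEE host.

```powershell
# Added example (not EMC code): pre-installation checks for a CEE/CAVA host.
# Test-CeeHostPrereq and its -Kit parameter are hypothetical names.
function Test-CeeHostPrereq {
    param(
        # The CEE kit you intend to install on this machine.
        [Parameter(Mandatory = $true)]
        [ValidateSet('Win32', 'x64')]
        [string] $Kit
    )

    $findings = @()

    # 1. The kit must match the operating system. A Win32 kit on 64-bit
    #    Windows would run under Windows on Windows (WOW), which the
    #    system requirements list as unsupported.
    $osIs64 = [Environment]::Is64BitOperatingSystem
    if ($Kit -eq 'x64' -and -not $osIs64) {
        $findings += 'x64 kit selected, but the operating system is 32-bit.'
    }
    if ($Kit -eq 'Win32' -and $osIs64) {
        $findings += 'Win32 kit selected on 64-bit Windows; running CEE under WOW is not supported.'
    }

    # 2. cava.exe is a .NET Framework 3.5 service. Windows 8 and Windows
    #    Server 2012 enable only 4.5 by default. The Install value under
    #    this key is 1 when 3.5 is present.
    $key   = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'
    $net35 = Get-ItemProperty -Path $key -Name Install -ErrorAction SilentlyContinue
    if (-not $net35 -or $net35.Install -ne 1) {
        # ProductType: 1 = workstation, 2 = domain controller, 3 = server.
        $os = Get-CimInstance -ClassName Win32_OperatingSystem
        if ($os.ProductType -eq 1) {
            $fix = 'Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All'
        } else {
            # May also need -Source <media>\sources\sxs when the feature
            # payload is not present on disk.
            $fix = 'Install-WindowsFeature -Name NET-Framework-Core'
        }
        $findings += ".NET Framework 3.5 is not enabled. Enable it with: $fix"
    }

    # One result object: Ready is true only when no finding was recorded.
    [pscustomobject]@{
        Kit      = $Kit
        Ready    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Example call for a host that will receive the 64-bit kit:
Test-CeeHostPrereq -Kit x64 | Format-List
```

The check covers only the CEE host. The AV engine has its own bitness, which must match the CAVA kit as described in the System requirements section.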

CHAPTER 2
Concepts

VNX and VNXe are resistant to the invasion of viruses because of their architecture. Each VNX Data Mover or VNXe NAS server runs data access in realtime software, which is an embedded operating system. Resistance to viruses occurs because third parties are unable to run programs containing viruses on a Data Mover or NAS server.

Note
The AV engine machine is used to verify that the files do not reside in a VDM. It must be located in a physical Data Mover or NAS server.

Although the Data Mover or NAS server is resistant to viruses, Windows clients also require virus protection. Virus protection on the client reduces the chance that the client will store an infected file on the server, and protects the client if it opens an infected file. VNX/VNXe antivirus solution uses a combination of VNX Data Mover or VNXe NAS server, CAVA agent, and a third-party antivirus engine. The CAVA software and a third-party AV engine must be installed on a Windows machine in the domain.

VNX and VNXe are responsible for:

• Creating event notifications (event and its associated context)
• Sending the event package into the CEPA pool

The CEPA pool is responsible for:

• Maintaining a topology and state mapping of all consumer applications
• Delivering event type and associated event metadata through the CEPA API

Topics included are:

• AntiVirus partners
• CAVA and Data Mover/NAS server
• CAVA features
• Virus-checking client
• The cepp.conf file
• Assign rights
• Support for third-party applications

AntiVirus partners

EMC has partnered with and supports the following AV engines:

• Computer Associates eTrust Threat Management Agent
• F-Secure AntiVirus
• Kaspersky Anti-Virus for Windows Servers Enterprise Edition
• McAfee VirusScan
• Microsoft Forefront Endpoint Protection 2010
• Microsoft System Center 2012 Endpoint Protection
• Sophos Anti-Virus
• Symantec Endpoint Protection
• Symantec Protection Engine
• Trend Micro ServerProtect for EMC

This list was correct at the time of publication. The EMC E-Lab Interoperability Navigator and the VNX Operating Environment for File Release Notes provide the latest list of supported AV engines and versions.

Installing Third-Party Application Antivirus Engines contains further information about supported third-party antivirus software.

CAVA and Data Mover/NAS server

On VNX, you can configure a CIFS server on a physical Data Mover or on a VDM. On VNXe, you can configure a CIFS server on a NAS server. Typically, the CIFS servers are configured on a VDM (one or more VDM on a physical Data Mover) or NAS server. However, for CAVA to work, you need to have a CIFS server configured on the physical Data Mover or NAS server against which the virus checking will be done and the user rights or permissions need to be assigned against this CIFS server. This is the global CIFS server or the default CIFS server on the physical Data Mover or NAS server.

Note
All file systems or shares
