
In case you don’t know, NetApp Data ONTAP has supported array-based antivirus (AV) scanning for several years. In ONTAP 8.1 running in cluster-mode, we’ve kicked this up a notch by running the AV engine directly on the array rather than on a connected appliance.

To bring our customers up to speed on the advantages of running the AV engine in the array, we asked Jim Waggoner, CISSP, Director of Product Management at McAfee to write this guest blog. Happy 2012, everybody!

=====================================================================================================================================================================================


By Jim Waggoner, McAfee

I was at a customer site yesterday where I was asked to offer personal insight into why they were getting repeating occurrences of the same infections on systems. Whenever I get this question, I have a standard set of questions that I ask in turn to cover the best practices that customers have adopted to help reduce outbreaks. The questions started like this.

Question 1: Do you have endpoint protection installed on every system?

Customer Response: Yes

Question 2: Are you scanning all files rather than a subset of files?

Customer Response: Yes

Question 3: Are you updating your antivirus signature files (DATs) on a daily basis?

Customer Response: Yes

Question 4: Are you running weekly scheduled scans on every system?

Customer Response: Yes

Question 5: Are you scanning your network file shares?

Customer Response: Uh…no.

That is where I stopped the line of questioning.

I did probe so that I could understand the reasons why they were not scanning network file shares, especially since one of the primary vectors of propagation in the enterprise is these central data repositories. For them it came down to concerns about performance and the impact that running network scans have on file copies and client-server operations. At one point in time, they had a negative experience with a competitor’s antivirus product when they had enabled the scan feature within the policy to scan all files copied to and from the network. At some point in time they received a flood of calls into the helpdesk complaining about the performance degradation when files were being copied to or from the file share. They remembered the download time increasing from, say, 30 seconds to 5 minutes. Once they changed the policy back to disable network scanning the calls stopped, so they stayed with the less secure policy after they migrated to our solution.

That was the point where I responded to them about still needing to scan the file shares to stop malware propagation, but not doing it from the endpoint. Instead, install the security on the storage controller so that 1) all files copied to the file shares will be scanned and 2) you don’t have to worry as much about systems in your environment where endpoint protection is not or cannot be installed. There was a bit of resistance at first, but by the end of the meeting I had convinced them to try it. Once they do this, I know we will be able to put a stop to the outbreaks. And if we don’t, I just continue with the questions. The next question is, “Do you let your users have administrator access?”

Regards,

Jim Waggoner

Director, Product Management

McAfee - Core Anti-Malware Solutions
