Configure antivirus scans of uploaded files

Important:

Because of changes to the application code in StorageZones 4.2, some customers must change the account that the tool runs under from a local administrator to the Network Service account. If the permissions are not updated, antivirus scans fail to start.

Requirements / Summary

  • Applies to StorageZones Controller 4.2 or later
  • SFAntivirus must be run as Network Service using PsExec
  • Update the log file location

Run SFAntivirus as a Network Service using PSExec:

Customers upgrading to SZ 4.2 or later who have existing scheduled tasks that run SFAntivirus must change the account that the tool runs under from a local administrator to the Network Service account.

To run the tool with Network Service rights, use PsExec to launch PowerShell (x86) under the same user context as the storage zones controller, using the following command:

PsExec.exe -i -u "NT AUTHORITY\NetworkService" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell

Update log file location

Administrators who were logging to a directory outside the default SZC log directory must also update the log file location by editing the following entry in log4net.config:

<file value="..\..\SC\logs\avscantool-" />

Storage zones controller installation includes several files that support antivirus scans. The files are installed by default in C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SFAntiVirus.

After you customize the configuration file and use Windows Task Scheduler to schedule the scans, as described in the following steps, each file upload request causes storage zones controller to queue the file for an antivirus scan. If issues are reported for a scanned file, the Folders view includes a warning icon for the file. If a user tries to download the file, a warning message appears.

As of StorageZones Controller 4.0, the antivirus log file location can be configured. To modify the log location, edit the SFAntivirus.exe.config file at C:\inetpub\wwwroot\Citrix\StorageCenter\tools\SFAntiVirus.

The antivirus scan does not remove the file.

Use of the ICAP protocol with antivirus scanning platforms that have been coded to the RFC standard for ICAP is supported on StorageZones Controller 4.2 or later. Information on configuring an ICAP AV can be found further down in this article.

Prerequisite

  • If you will run virus scans (SFAntiVirus.exe) on the storage zones controller, make sure encryption is disabled on the controller: On the storage zones console configuration page, verify that the Enable Encryption check box is cleared.

Note:

After configuring antivirus on your zone, any newly uploaded items are scanned. Antivirus configuration is not retroactive. Configuring it does not scan files and items that already exist on the zone.

To prepare the configuration for your location

  1. To run virus scans on a server other than the storage zones controller:

    1. Copy the folder C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SFAntiVirus to the other server.

    2. On the storage zones controller, open C:\inetpub\wwwroot\Citrix\StorageCenter\AppSettingsRelease.config and set QueueSDKRestricted to 0: <add key="QueueSDKRestricted" value="0" />

  2. On the server where you run virus scans, edit SFAntiVirus.exe.config with the values for your storage zones controller configuration:

    1. For CommandFile: Specify the full path to the antivirus software. That software must reside on the same server as the ShareFile antivirus folder.

    2. For CommandOptions and return codes: The command line settings provided in the configuration file are an example. Provide the appropriate settings for your antivirus software and environment.

    3. For ScanFileTimeout: Larger files take longer to scan. Tune this setting to the file sizes you expect in your storage; a timeout that is too short increases the risk that a large file is not scanned.

  3. In a command line window, run the following command to set up virus scans: SFAntiVirus.exe -register SFusername SFpassword

Use ICAP for AV scans instead of command line tools

StorageZones Controller 4.2 or later supports the use of the ICAP protocol with antivirus scanning platforms that have been coded to the RFC standard for ICAP. Customers may still use the CLI method if they want. This feature is supported for tenant zones as of SZ 5.0.1 or later.

To enable an ICAP AV scanner on your storage zone controller, navigate to the storage zones controller configuration page.

Select the Enable Antivirus Integration check box and enter the address of your antivirus server in the ICAP RESPMOD URL field. This is the URL of the ICAP response modification service: ICAP://SERVER/RESPMOD.

Click Test Connectivity to confirm your setting.

To create and schedule a task for virus scans

Note:

Creating scheduled tasks for virus scans is only necessary when utilizing command line tools. This is not required when utilizing ICAP.

  1. Start Windows Task Scheduler, and in the Actions pane click Create Task.

  2. On the General tab:

    1. Provide a meaningful name for the task.

    2. Under Security options, click Change User or Group, and specify a Windows user to run the task. The user must have full access permission on the storage location.

    3. Select Run whether user is logged on or not. Leave the Do not store password check box cleared.

    4. Select Run with highest privileges.

    5. From the Configure for menu, select the operating system of the server where the task will be run.

  3. To create a trigger: On the Triggers tab, click New. Then, for Begin the task, choose On a schedule and specify a schedule.

  4. To create an action: On the Actions tab, click New.

    1. For Action, choose Start a program and specify the full path to the program. For example:

      C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SFAntiVirus\SFAntiVirus.exe

    2. For Start in, specify the location of SFAntiVirus.exe: C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SFAntiVirus

  5. On the Settings tab, for If the task is already running, then the following rule applies, choose Do not start a new instance.
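The same task, created with the ScheduledTasks PowerShell module instead of the Task Scheduler UI. This is an added example and not part of the Citrix documentation; the task name, the daily 02:00 trigger and the service account name DOMAIN\svc_sfav are assumptions.

```powershell
# Added example: registers the SFAntiVirus task described in the steps above.
# Assumed values: task name, daily 02:00 trigger, and the account DOMAIN\svc_sfav.
$toolDir = 'C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SFAntiVirus'
$exePath = Join-Path $toolDir 'SFAntiVirus.exe'
$runAs   = 'DOMAIN\svc_sfav'   # placeholder: must have full access to the storage location
if (-not (Test-Path -LiteralPath $exePath)) { throw "SFAntiVirus.exe not found at $exePath" }

# Action: "Start a program", with "Start in" set to the SFAntiVirus folder
$action = New-ScheduledTaskAction -Execute $exePath -WorkingDirectory $toolDir

# Trigger: "On a schedule" (assumed: daily at 02:00)
$trigger = New-ScheduledTaskTrigger -Daily -At 2am

# Settings: "Do not start a new instance" if the task is already running.
# Compatibility Win8 corresponds to "Configure for" Windows Server 2012 or later.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew -Compatibility Win8

# -User/-Password registers the task to run whether the user is logged on or not
# (the password is stored); -RunLevel Highest is "Run with highest privileges".
$cred = Get-Credential -UserName $runAs -Message 'Password for the scan task account'
Register-ScheduledTask -TaskName 'ShareFile SFAntiVirus scan' -Action $action -Trigger $trigger `
    -Settings $settings -User $runAs -Password $cred.GetNetworkCredential().Password `
    -RunLevel Highest | Out-Null

# Verify the registration and the effective security options
Get-ScheduledTask -TaskName 'ShareFile SFAntiVirus scan' |
    Select-Object TaskName, State,
        @{ n = 'RunLevel';  e = { $_.Principal.RunLevel } },
        @{ n = 'LogonType'; e = { $_.Principal.LogonType } }
```

Run it in an elevated PowerShell session on the server that will perform the scans; the final Get-ScheduledTask line should report RunLevel Highest and LogonType Password.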

AV command-line integration into Scan Service

Prerequisites

  • Before installing or upgrading to storage zones controller 5.2, stop or delete the existing command-line AV if it is running as a scheduled task or a cron job.
  • Install .NET 4.6.2 (or later) on the host machine.

The Scan Service in the on-premises storage zones controller supports a command-line AV tool, such as the Symantec command-line AV scan. The Scan Service also supports scans with ICAP-compatible antivirus products.

To enable this feature, add the following configuration key and value to AntiVirus/OnPrem/AVScanService/AVScanService/appSettings.config:

<add key="use-command-line-av" value="true" />

Command-line tool specific configuration

The upgrade or new installation of storage zones controller 5.2 includes a new configuration file:

AntiVirus/OnPrem/AVScanService/AVScanService/avCommandLineSettings.json

This file handles the necessary settings for the AV command line.

The configuration key values are explained below with example values included.

  • Set this to point to your command-line app.

    "command-file": "c:\\vscan\\scan.exe"

  • Check the documentation for the command-line app to see what options or switches it supports and then add them in this location.

    "command-options": "/ALL /ANALYZE /MIME /NOMEM /NORENAME /SECURE ",

  • Include the output values that indicate a clean scan.

    "scanner-codes-for-clean-file": "0, 19",

  • Include the output values that indicate an infected file.

    "scanner-codes-for-infected-file": "12, 13",

  • Include the output values that indicate a file that was not scanned.

    "scanner-codes-for-notscanned-file": "2, 6, 8, 15, 20, 21, 102"
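The keys above assembled into a complete avCommandLineSettings.json, with a check that no return code is listed in more than one category before the file is written. This is an added example and not code from the Citrix product; the install root, the scanner path and the return codes are assumptions taken from the example values above, and the verdict function is the example's own mapping, not the Scan Service's logic.

```powershell
# Added example: composes avCommandLineSettings.json from the keys listed above and
# checks the return-code lists before writing. Paths and scanner codes are assumptions.
$szcRoot      = 'C:\inetpub\wwwroot\Citrix\StorageCenter'   # assumed install root
$settingsPath = Join-Path $szcRoot 'AntiVirus\OnPrem\AVScanService\AVScanService\avCommandLineSettings.json'

$settings = [ordered]@{
    'command-file'                      = 'c:\vscan\scan.exe'
    'command-options'                   = '/ALL /ANALYZE /MIME /NOMEM /NORENAME /SECURE '
    'scanner-codes-for-clean-file'      = '0, 19'
    'scanner-codes-for-infected-file'   = '12, 13'
    'scanner-codes-for-notscanned-file' = '2, 6, 8, 15, 20, 21, 102'
}

function ConvertTo-CodeSet([string]$list) {
    # "0, 19" -> 0, 19; a non-numeric entry throws, which is the desired failure
    @($list -split ',' | Where-Object { $_.Trim() -ne '' } | ForEach-Object { [int]$_.Trim() })
}
$clean      = ConvertTo-CodeSet $settings['scanner-codes-for-clean-file']
$infected   = ConvertTo-CodeSet $settings['scanner-codes-for-infected-file']
$notScanned = ConvertTo-CodeSet $settings['scanner-codes-for-notscanned-file']

# A code that appears in two lists makes the verdict ambiguous: refuse to write the file.
$dupes = @($clean + $infected + $notScanned) | Group-Object | Where-Object Count -gt 1
if ($dupes) { throw "Return code(s) listed in more than one category: $($dupes.Name -join ', ')" }
if ($clean.Count -eq 0 -or $infected.Count -eq 0) { throw 'Clean and infected code lists must not be empty' }
if (-not (Test-Path -LiteralPath $settings['command-file'])) {
    Write-Warning "command-file $($settings['command-file']) does not exist on this host"
}

# ConvertTo-Json escapes the backslashes in command-file as \\, as the file expects.
$settings | ConvertTo-Json | Set-Content -LiteralPath $settingsPath -Encoding UTF8

# Example mapping of a scanner exit code to a verdict with this configuration (the
# example's own logic, not the Scan Service's): any unlisted code is reported as unknown.
function Get-ScanVerdict([int]$exitCode) {
    if ($clean -contains $exitCode)      { return 'clean' }
    if ($infected -contains $exitCode)   { return 'infected' }
    if ($notScanned -contains $exitCode) { return 'notscanned' }
    return 'unknown'
}
```

Running your scanner against a known-clean file and the EICAR test file and passing each exit code to Get-ScanVerdict is a quick way to confirm the lists match the scanner's documented codes before the Scan Service relies on them.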

Notes on enforcing maximum file size and excluding extensions

Before version 5.2, extension exclusion and maximum file size could not be enforced for the command-line AV; they applied only to the ICAP Scan service. With version 5.2, the same settings for excluded extensions and maximum file size in bytes that applied to the ICAP scan service also apply to the AV command-line service.

These settings were previously named:

<add key="icap-exclude-extensions" value="" />

<add key="icap-max-file-size-bytes" value="0" />

A new installation of storage zones controller 5.2 renames these settings to the following. The renamed settings reflect the fact that they are applicable both to ICAP-based AV and to the command-line AV.

<add key="exclude-extensions" value="" />

<add key="max-file-size-bytes" value="0" />

On an upgrade, these settings are not renamed. Renaming them manually works, but the existing icap-prefixed settings also apply to the AV command line in addition to ICAP:

<add key="icap-exclude-extensions" value="" />

<add key="icap-max-file-size-bytes" value="0" />