
Configure antivirus scans of uploaded files

Important

Due to updates to the application code in StorageZones 4.2, some customers must update the permission level the tool runs at from local administrator to system network service. Failing to update permissions will result in antivirus scans failing to start.

Requirements / Summary

  • User utilizing StorageZones Controller 4.2 or later
  • SFAntivirus must be run as a Network Service using PSExec
  • Update log file location

Run SFAntivirus as a Network Service using PSExec:

Clients updating to SZ 4.2 or later with existing scheduled tasks linking to SFAntivirus need to change the user level that the tool runs at from local administrator to system network service.

To obtain Network Service rights, use PsExec to launch PowerShell (x86) under the same user context as the StorageZones Controller, using the following command:

PsExec.exe -i -u "NT AUTHORITY\NetworkService" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell

Update Log File Location

Administrators who were logging to a directory outside of the default SZC log directory must also change the log file location by modifying the following line in log4net.config:

<file value="..\..\SC\logs\avscantool-" />

StorageZones Controller installation includes several files that support antivirus scans. The files are installed by default in C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SFAntiVirus.

After you customize the configuration file and use Windows Task Scheduler to schedule the scans, as described in the following steps, each file upload request causes StorageZones Controller to queue the file for an antivirus scan. If issues are reported for a scanned file, the Folders view includes a warning icon for the file. If a user tries to download the file, a warning message appears.

As of StorageZones Controller 4.0, the antivirus log file location can be configured. To modify the log location, edit the SFAntivirus.exe.config file at C:\inetpub\wwwroot\Citrix\StorageCenter\tools\SFAntiVirus.

The antivirus scan does not remove the file.

Use of the ICAP protocol with antivirus scanning platforms that have been coded to the RFC standard for ICAP is supported on StorageZones Controller 4.2 or later. Information on configuring an ICAP AV can be found further down in this article.

Prerequisite

  • If you will run virus scans (SFAntiVirus.exe) on the StorageZones Controller, make sure encryption is disabled on the controller: On the StorageZones console Configuration page, verify that the Enable Encryption check box is cleared.

Note:

Once you have configured antivirus on your zone, any newly uploaded items will be scanned. Antivirus configuration is not retroactive in that configuring it will not scan files/items that already exist on the zone.

To prepare the configuration for your location

  1. To run virus scans on a server other than the StorageZones Controller:

    1. Copy the folder C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SFAntiVirus to the other server.

    2. On the StorageZones Controller, open C:\inetpub\wwwroot\Citrix\StorageCenter\AppSettingsRelease.config and set QueueSDKRestricted to 0: <add key="QueueSDKRestricted" value="0" />

  2. On the server where you will run virus scans, edit SFAntiVirus.exe.config with the values for your StorageZones Controller configuration:

    1. For CommandFile: Specify the full path to the anti-virus software. That software must reside on the same server as the ShareFile antivirus folder.

    2. For CommandOptions and return codes: The command line settings provided in the configuration file are an example. Provide the appropriate settings for your anti-virus software and environment.

    3. For ScanFileTimeout: Larger files can take longer to scan. Tune this setting according to the file sizes expected in your storage. Otherwise, this could increase the risk of a large file not getting scanned.

  3. In a command line window, run the following command to set up virus scans: SFAntiVirus.exe -register SFusername SFpassword

Use ICAP for AV scans instead of command line tools

StorageZones Controller 4.2 or later supports the use of the ICAP protocol with antivirus scanning platforms that have been coded to the RFC standard for ICAP. Customers may still use the CLI method if they wish. This feature is supported for tenant zones as of SZ 5.0.1 or later.

To enable an ICAP AV scanner on your StorageZone Controller, navigate to the StorageZones Controller Configuration page.

Select the Enable Antivirus Integration checkbox and enter the address of your antivirus server in the ICAP RESPMOD URL field. This is the URL of the ICAP response modification service.

     Example URL: ICAP://SERVER/RESPMOD.

Click Test Connectivity to confirm your setting.

To create and schedule a task for virus scans

Note:

Creating scheduled tasks for virus scans is only necessary when utilizing command line tools. This is not required when utilizing ICAP.

  1. Start Windows Task Scheduler and in the Actions pane click Create Task.

  2. On the General tab:

    1. Provide a meaningful Name for the task.

    2. Under Security options, click Change User or Group, and specify a Windows user to run the task. The user must have full access permission on the storage location.

    3. Select Run whether user is logged on or not. Leave the Do not store password check box cleared.

    4. Select Run with highest privileges.

    5. From the Configure for menu, select the operating system of the server where the task will be run.

  3. To create a trigger: On the Triggers tab, click New. Then, for Begin the task, choose On a schedule and specify a schedule.

  4. To create an action: On the Actions tab, click New.

    1. For Action, choose Start a program and specify the full path to the program. For example:

    C:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SFAntiVirus\SFAntiVirus.exe

    2. For Start in, specify the location of SFAntiVirus.exe: c:\inetpub\wwwroot\Citrix\StorageCenter\Tools\SFAntiVirus

  5. On the Settings tab, for If the task is already running, then the following rule applies, choose Do not start a new instance.

AV command-line integration into Scan Service

Prerequisites:

  • Before installing or upgrading StorageZones Controller 5.2, ensure that you stop or delete the existing command-line AV if it is running as a scheduled task or a cron.
  • Install .NET 4.6.2 (or later) on a host machine.

The Scan Service in the on-premises StorageZones Controller includes support for using a command-line AV Tool, like Symantec command-line AV Scan. In addition, the Scan Service provides scans with ICAP supported antivirus products.

To enable this feature, add the following configuration key and value in AntiVirus/OnPrem/AVScanService/AVScanService/appSettings.config:

<add key="use-command-line-av" value="true" />

Command-line tool specific configuration

The upgrade or new installation of StorageZones Controller 5.2 includes a new configuration file:

 AntiVirus/OnPrem/AVScanService/AVScanService/avCommandLineSettings.json

This file handles the necessary settings for the AV command line.

The configuration keys and values are explained below, with example values included.

  • Point this setting to your command-line app.

      "command-file": "c:\\vscan\\scan.exe",

  • Check the documentation for the command-line app to see what options or switches it supports and then add them in this location.

    "command-options":  "/ALL /ANALYZE /MIME /NOMEM /NORENAME /SECURE ",

  • Include the output values that indicate a clean scan.

    "scanner-codes-for-clean-file": "0, 19",

  • Include the output values that indicate an infected file.

    "scanner-codes-for-infected-file": "12, 13",

  • Include the output values that indicate files that were not scanned.

    "scanner-codes-for-notscanned-file": "2, 6, 8, 15, 20, 21, 102"
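
The return-code lists decide how each scan result is interpreted, so a code that sits in two lists, or an empty infected list, is worth catching before the service is enabled. The following PowerShell check is an added example, not part of the product or the vendor's code; the sample JSON is constructed from the example values above, and the function names and the 'unlisted' verdict are this example's own assumptions.

```powershell
# Added example (not vendor code). Sample JSON constructed from the example values on this page.
$sampleJson = @'
{
  "command-file": "c:\\vscan\\scan.exe",
  "command-options": "/ALL /ANALYZE /MIME /NOMEM /NORENAME /SECURE ",
  "scanner-codes-for-clean-file": "0, 19",
  "scanner-codes-for-infected-file": "12, 13",
  "scanner-codes-for-notscanned-file": "2, 6, 8, 15, 20, 21, 102"
}
'@

function ConvertTo-CodeList([string]$Csv) {
    # "0, 19" -> [int[]](0, 19); a non-numeric entry throws instead of being ignored
    $items = @($Csv -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    return ,([int[]]$items)
}

function Get-AvCodeMap($Cfg) {
    # Maps each exit code to its verdict and rejects a code listed under two verdicts
    $map = @{}
    foreach ($verdict in 'clean', 'infected', 'notscanned') {
        foreach ($code in (ConvertTo-CodeList $Cfg."scanner-codes-for-$($verdict)-file")) {
            if ($map.ContainsKey($code)) {
                throw "Exit code $code is listed as both '$($map[$code])' and '$verdict'"
            }
            $map[$code] = $verdict
        }
    }
    if ($map.Values -notcontains 'infected') { throw 'No infected-file codes are configured' }
    return $map
}

function Get-ScanVerdict([hashtable]$Map, [int]$ExitCode) {
    # Helper policy (assumption): an unlisted code is reported as 'unlisted', never as clean
    if ($Map.ContainsKey($ExitCode)) { $Map[$ExitCode] } else { 'unlisted' }
}

# For the real file, replace $sampleJson with: Get-Content <path to avCommandLineSettings.json> -Raw
$cfg = $sampleJson | ConvertFrom-Json
$map = Get-AvCodeMap $cfg
foreach ($code in 0, 13, 21, 1) {
    '{0,4} -> {1}' -f $code, (Get-ScanVerdict $map $code)
}
```

Any exit code your scanner documents that comes back as 'unlisted' should be added to one of the three lists deliberately, based on the scanner's own documentation.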

Notes on enforcing max file size, excluding extensions

Before version 5.2, you could not enforce extension exclusion or maximum file size enforcement on the command-line AV. You could only do so on the ICAP Scan service. With version 5.2, the same settings that applied to the ICAP scan service regarding excluded extensions and max file size in bytes apply to the AV command-line service.

These settings were named as:

<add key="icap-exclude-extensions" value="" />

<add key="icap-max-file-size-bytes" value="0" />

A new installation of StorageZones Controller 5.2 renames these settings to the following. The renamed settings reflect the fact that they are applicable both to ICAP-based AV and to the command-line AV.

<add key="exclude-extensions" value="" />

<add key="max-file-size-bytes" value="0" />

On an upgrade, these settings are not renamed. Manual renames work, but the original setting names also continue to work for the AV command line in addition to ICAP:

<add key="icap-exclude-extensions" value="" />

<add key="icap-max-file-size-bytes" value="0" />