2 Replies Latest reply on Apr 6, 2017 3:58 AM by aarmstro

    VSEL filesystem granularity / whitelist (include) vs exclude folders & drives, multiple policies, VSCL

    morgan.dono9

      Hello,

       

         I'm investigating VSEL and VSCL for a possibly atypical use case. We'd download files from the internet to an NFS mount (NFS server) drive. We'd like to scan them immediately with an On-Access Scan, i.e. the on-write feature. However, once a file is scanned, it's likely to be served heavily, so we'd like to disable OAS on-read scanning. Here the issue is that we'd like on-read scanning for all folders outside the NFS mount drive per a standard policy, but on-write only on that drive/folder (and its subfolders). Also, we'd like to trigger a scan upon virus definition file update (if that's not done automatically). Another consideration is that we'd like to scan compressed files and have heard of performance issues, which may suggest decompressing downloads with a script, then calling reads on them to trigger VSEL scans, or passing them to VSCL.

       

         It appears that the easiest way to do this would be something like two ePO policies: one for the server, and a second for one folder/drive mounted to that machine. The problem may be further complicated by needing to install McAfee Agent on a couple of other servers with NFS client links to the NFS server drive.

       

        Our current idea is to use VSEL with on-read on the servers, then set up VSCL to scan the NFS drive. We'd need to use either 1) a frequently recurring cron job or 2) a hook into the Linux kernel filesystem utilities to catch filesystem change events for that hypothetical /data or /mnt/data folder and trigger VSCL scans, passing files, folders, and paths to scan (as we just want to do diff scans and scan the unscanned). This may involve maintaining a database of which files were scanned and when.

       

      Since the above VSCL workload essentially mimics the VSEL features which wrap the scanning engine, we were curious regarding any similar functionality VSEL could offer to VSCL to automate this, or general ideas.

       

      Any input or customization ideas appreciated.

        • 1. Re: VSEL filesystem granularity / whitelist (include) vs exclude folders & drives, multiple policies, VSCL
          Richard Carpenter

          Moved to Linux products forum for better response.

           

          Rich

          McAfee Volunteer Moderator - Business Products

          • 2. Re: VSEL filesystem granularity / whitelist (include) vs exclude folders & drives, multiple policies, VSCL
            aarmstro

            VSCL is essentially a command-line scanner and must be called to scan items. This is not like On-Access Scanning at all.

            So an item would be written to disk and you would have to call the scanner to act on that item with a series of parameters.

            Not sure this would be in any way efficient at all, and I would suggest this is not what it is designed for: this is a command-line on-demand scanner, and usually ODS would be run at off-peak times so as not to interfere with normal operations.

             

            The VSEL On-Access Scanner is "always on" and works based on the OS and kernel it is installed on.

            2.0.3 works with kernel fanotify on supported systems, e.g. RedHat/CentOS 7.x versions (see readme/guide for other supported versions).

            1.9.2 works with compiled kernel modules, e.g. RedHat/CentOS 6.x versions (see readme/guide for other supported versions).

             

            VSEL does not offer granularity of exclusion of a directory for read or write: either read scanning is turned off or write scanning is turned off for the whole system.

             

            The newer product, Enterprise Security for Linux 10.2.1 (10.2.0 with Patch 1), is a much more efficient product. It determines whether to use fanotify or kernel modules at install time (see the list of supported OSes in the readme/guide), and it does offer scanning where you could have read and write scanning on all system areas and exclude certain directories completely, from read scanning only, or from write scanning only.

             

            Remember though, if scanning on write, the write will be intercepted and the scan will take place; the scan efficiency will most likely depend on what is passing through, e.g. a 50 MB item will be much slower than a 20 KB item.

             

            If you are going to test anything I would suggest using ENSL 10.2 Patch 1 with the 5900 engine; of course this depends on whether the OS you intend for this purpose is supported.
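The question's fallback plan (a recurring cron job that "diff scans" a drop directory with VSCL and keeps a record of what has already been scanned) and aarmstro's description of VSCL (an item lands on disk, then you call the scanner on it with parameters) are both sketched in the added example below. It is not McAfee code and not part of the thread; it assumes a hypothetical scanner invocation `SCANNER_CMD` (VSCL's binary is `uvscan`, but the arguments you need come from the VSCL product guide, none are shown here), treats any nonzero exit status as "not known clean" without asserting what particular exit codes mean, and stores the scan state in a JSON file whose name is also an assumption. It also covers the two points the question raises that a naive cron loop misses: a change of DAT version invalidates every earlier verdict, and files modified within the last few seconds are skipped so a download still in progress is not scanned half-written.

```python
"""Diff-scan a drop directory with a command-line scanner.

Added illustration, not McAfee's code. Hypothetical pieces:
  * SCANNER_CMD: the scanner invocation; file paths are appended to it.
    Real VSCL flags must be taken from the VSCL product guide.
  * Exit status 0 is treated as "clean"; any other value is recorded as
    "flagged" and the file is not marked clean. Exact exit-code meanings
    are product-specific and not assumed here.
  * The state file is a JSON map of path -> last verdict.
"""
import hashlib
import json
import os
import subprocess
import sys
import time
from pathlib import Path

SCANNER_CMD = ["uvscan"]  # hypothetical; add the real VSCL options here


def sha256_of(path: Path) -> str:
    """Content hash kept in the state file so an operator can audit a verdict."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def load_state(state_file: Path) -> dict:
    return json.loads(state_file.read_text()) if state_file.exists() else {}


def save_state(state_file: Path, state: dict) -> None:
    # Write-then-rename so a crash mid-write never leaves a truncated state file.
    tmp = state_file.with_suffix(".tmp")
    tmp.write_text(json.dumps(state, indent=1, sort_keys=True))
    os.replace(tmp, state_file)


def needs_scan(path: Path, state: dict, dat_version: str) -> bool:
    """True for new files, changed files, or files last judged with older DATs."""
    rec = state.get(str(path))
    if rec is None:
        return True
    st = path.stat()
    if rec["size"] != st.st_size or rec["mtime_ns"] != st.st_mtime_ns:
        return True
    return rec["dat"] != dat_version  # definitions changed: old verdict is stale


def find_unscanned(root: Path, state: dict, dat_version: str,
                   settle_seconds: float = 5.0) -> list:
    now = time.time()
    todo = []
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue  # a symlink could point outside the drop directory
        if now - p.stat().st_mtime < settle_seconds:
            continue  # possibly still being written; next run will catch it
        if needs_scan(p, state, dat_version):
            todo.append(p)
    return todo


def scan_files(paths: list, scanner_cmd=SCANNER_CMD) -> dict:
    """One scanner process per file so the exit status is a per-file verdict."""
    results = {}
    for p in paths:
        proc = subprocess.run(scanner_cmd + [str(p)], capture_output=True, text=True)
        results[p] = proc.returncode
    return results


def scan_new_files(root: Path, state_file: Path, dat_version: str,
                   scanner_cmd=SCANNER_CMD, settle_seconds: float = 5.0) -> dict:
    """Scan what needs scanning, update the state file, return {path: exit code}."""
    state = load_state(state_file)
    todo = find_unscanned(Path(root), state, dat_version, settle_seconds)
    results = scan_files(todo, scanner_cmd)
    for p, rc in results.items():
        st = p.stat()
        state[str(p)] = {
            "size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "sha256": sha256_of(p), "dat": dat_version,
            "status": "clean" if rc == 0 else f"flagged(rc={rc})",
            "scanned_at": time.time(),
        }
    save_state(state_file, state)
    return {str(p): rc for p, rc in results.items()}


if __name__ == "__main__":
    # usage: scan_drop.py <drop-dir> <state.json> <dat-version>
    root, state_file, dat = sys.argv[1:4]
    for path, rc in scan_new_files(Path(root), Path(state_file), dat).items():
        print(f"{rc:3d} {path}")
```

Run it from cron with the current DAT version as the third argument (read it from the scanner's own version output, which this example does not parse); a version bump makes the next run revisit every file, which is the "rescan on definition update" behaviour the question asks about. The settle window is a heuristic, not a guarantee: if the downloader can write the file under a temporary name and rename it into place, key the scan on the rename instead.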