EMC Common Antivirus Agent (CAVA) – Virus Scanners Offline

Hey folks,

@virtualtacit (http://blog.virtualtacit.com) and I ran into an interesting issue recently where the EMC CAVA antivirus servers were in an “OFFLINE” state and virus scanning services were down. EMC’s Common Anti-Virus Agent is software that runs on a Windows operating system and leverages the system’s antivirus client to scan CIFS shares that are located on a VNX File or Celerra. After configuring a few basic options on the VNX File/Celerra, the datamover will coordinate with the “EMC CAVA” service on the virus scanning server to scan the files on the underlying file systems.


Now, in our case, we reviewed the configuration and everything seemed correct. The datamover could reach the virus scanning servers by DNS name and IP, but the service was still offline. The status of the virus scanning server(s) can be seen by running “server_viruschk server_2”.


After trying to recreate the problem in a lab, I noticed a difference in the protocol being used. Notice the use of “ONC-RPC version 3” in the above screenshot? In my lab, you can see we are using “MS-RPC over SMB”.


A quick search on ‘support.emc.com’ indicated that if “MS-RPC over SMB” isn’t available, CAVA will fall back to “ONC-RPC”. ONC-RPC is not supported for 64-bit CAVA implementations; therefore, the server would never come online.

So why isn’t “MS-RPC over SMB” working? In order for the datamover to negotiate “MS-RPC over SMB”, it must be able to resolve the server’s hostname from the specified IP address. In other words, a DNS pointer (PTR) record must exist for each of the virus scanning servers. We reviewed the DNS entries for each of the virus scanning servers and sure enough, the PTR records were missing. After the team added the correct entries, the correct protocol was discovered and the virus checking servers came online.
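
The PTR requirement above can be checked for every virus scanning server before touching the datamover. The script below is an added example, not part of the original post: it takes the scanner IPs as command-line arguments and goes one step beyond the post by also confirming that the PTR name resolves back to the same IP. Run it from a host that uses the same DNS servers as the datamover (an assumption; the system resolver may also consult a local hosts file).

```python
import socket
import sys


def check_ptr(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Classify one scanner IP as OK, MISSING_PTR, NO_FORWARD or MISMATCH.

    `reverse` and `forward` default to the system resolver and can be
    replaced with stubs for offline testing.
    """
    try:
        name = reverse(ip)[0]  # PTR lookup: IP -> hostname
    except (socket.herror, socket.gaierror) as exc:
        # No PTR record: the condition the post identifies as the root cause.
        return "MISSING_PTR", str(exc)
    try:
        addrs = forward(name)[2]  # A lookup: hostname -> list of IPs
    except socket.gaierror:
        return "NO_FORWARD", name
    if ip not in addrs:
        # PTR exists but points at a name that belongs to another address.
        return "MISMATCH", f"{name} resolves to {', '.join(addrs)}"
    return "OK", name


def audit(ips, **resolvers):
    """Check every scanner IP and return {ip: (status, detail)}."""
    return {ip: check_ptr(ip, **resolvers) for ip in ips}


if __name__ == "__main__":
    # Usage: python check_ptr.py <scanner-ip> [<scanner-ip> ...]
    results = audit(sys.argv[1:])
    for ip, (status, detail) in results.items():
        print(f"{ip:<15} {status:<12} {detail}")
    # Non-zero exit if any scanner lacks a consistent PTR record.
    sys.exit(0 if all(s == "OK" for s, _ in results.values()) else 1)
```

Any result other than OK means the reverse zone needs attention before the scanners can be expected to come online.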


