TREND MICROTM ServerProtectTM for EMC Celerra TM Filers Getting Start Guide
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes and the latest version of the Getting Started Guide, which are available from Trend Micro's Web site at: www.trendmicro.com/download/default.asp NOTE: A license to the Trend Micro software includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. Thereafter, you must renew Maintenance on an annual basis by paying Trend Micro s then-current Maintenance fees to have the right to continue receiving product updates, pattern updates and basic technical support To order renewal Maintenance, you may download and complete the Trend Micro Maintenance Agreement at the following site: www.trendmicro.com/en/purchase/license/overview.htm Microsoft, Windows, Windows Server 2003, Windows NT, and Windows 2000 are trademarks of Microsoft Incorporated. Intel, and Pentium are trademarks of Intel Corporation. Celerra is a tradermark of EMC.Copyright 1994-2003 EMC Corporation. All rights reserved. InterScan, VirusWall, MacroTrap, TrendLabs, ScriptTrap, Trend Micro, ServerProtect, and the Trend Micro t-ball logo are trademarks of Trend Micro Incorporated and are registered in certain jurisdictions.
Copyright 1998-2003, Trend Micro Incorporated. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated. Document Part No. SPEM51694/31205 Release Date: December 2003 Protected by U.S. Patent No. 5,951,698 The Getting Started Guide for Trend Micro ServerProtect for EMC Celerra intends to introduce the main features of the software and installation instructions for your production environment. You should read it before installing or using the software. Detailed information about how to use specific features within the software is available in the online help file and online Knowledge Base at the Trend Micro Web site. At Trend Micro, we are always seeking to improve our documentation. If you have questions, comments, or suggestions about this or any Trend Micro documents, please contact us at docs@trendmicro.com. Your feedback is always welcome. Please evaluate this documentation on the following site: www.trendmicro.com/download/documentation/rating.asp.
Contents Contents Chapter 1: Chapter 2: ServerProtect for EMC Celerra Filers Introducing ServerProtect for EMC Celerra... 1-2 Benefits of ServerProtect for EMC Celerra... 1-2 System Requirements... 1-4 Installing ServerProtect for EMC Celerra... 1-6 Before Installing ServerProtect for EMC Celerra... 1-6 Install ServerProtect for EMC Celerra... 1-7 Specific Functions for EMC Celerra... 1-7 Adding AV Servers... 1-8 Overview of ServerProtect ServerProtect for EMC Celerra Architecture Overview. 2-1 Organizational Overview... 2-4 Original ServerProtect Architecture Review... 2-5 Enabling Trend Micro ActiveUpdate... 2-6 i
Trend Micro ServerProtect for EMC Celerra Filers Getting Started Guide ii
Chapter 1 ServerProtect for EMC Celerra Filers Welcome to Trend Micro ServerProtect for EMC Celerra. This document is intended to be an accurate and comprehensive guide that lets you quickly become familiar with functions of the product necessary to get started. For detailed ServerProtect information, refer to the online help. This chapter provides enough information to check that your system has the necessary hardware and software required to install ServerProtect for EMC Celerra. It also describes the tasks you need to perform before installing ServerProtect. This chapter contains the following sections: Introducing ServerProtect for EMC Celerra System Requirements Installing ServerProtect for EMC Celerra Specific Functions for EMC Celerra Note: This document often refers to the EMC Celerra AntiVirus Agent Technical Note and the ServerProtect for Windows and NetWare Getting Started Guide. It is important to become familiar and to have those two documents handy when reading this Getting Started Guide. 1-1
Trend Micro ServerProtect for EMC Celerra Filers Getting Started Guide Introducing ServerProtect for EMC Celerra ServerProtect for EMC Celerra (SP EMC) is an enhanced version of ServerProtect developed to provide an antivirus solution for the EMC Celerra File Server system. Scalable and reliable, SP EMC protects the Celerra File Server system against viruses, Trojans, and other malicious code. Managed through an intuitive, portable Windows-based console, SP EMC provides centralized virus scanning, pattern updates, event reporting, antivirus configuration, and more. You must install ServerProtect on Windows Server 2003/2000/NT Servers that already contain the Celerra AntiVirus Agent (CAVA). The actual scanning of data occurs on these AV Servers (antivirus servers). Multiple AV Servers can scan a single Celerra File Server to share the loading, increase performance, and create a fault-tolerant antivirus system; if an AV Server stops functioning, other AV Servers continue to scan and protect the Celerra File Server. Benefits of ServerProtect for EMC Celerra ServerProtect for EMC Celerra offers the following benefits: Scalability and High-Performance To increase scalability and performance levels, connect multiple ServerProtect AV Servers to a single Celerra File Server at any time. An increased number of AV Servers improves scan performance. If ServerProtect detects any communication disconnection, it notifies the Celerra File Server to reconnect. Comprehensive Log Reports From a single console, ServerProtect s comprehensive log reports enable administrators to track and manage antivirus events including: virus infection, pattern or program updates, virus alerts, running tasks, scan activity, and modifications. This simplifies virus management and product configuration tasks for administrators. Centralized Management With ServerProtect's Information Server, simply manage multiple AV Servers from a single, portable management console. Organize multiple AV Servers into a logical domain for easy management. In fact, we recommend you group all AV Servers for a Celerra File Server into one domain. 1-2
Introducing ServerProtect for EMC Celerra The ServerProtect Management Console lets administrators configure servers in the same domain simultaneously, and generate integrated virus incident reports from all AV Servers. This consolidates status information if there are multiple Celerra File Servers and multiple AV Servers for each Celerra. Scan engine and Virus Pattern Update Configure the Information Server to automatically download virus pattern file and scan engine updates from Trend Micro's ActiveUpdate server and then distribute them to designated ServerProtect AV Servers. The Information Server uses an incremental update mechanism to distribute new virus pattern files, whereby only the latest virus signatures added since the last update need to be downloaded. This highly efficient approach saves download time and preserves network bandwidth. Virus Scanning to Ensure Data Integrity The latest Trend Micro award-winning scan engine uses both rule-based and pattern recognition technology to detect and remove both known and unknown viruses, including all viruses "In-the-Wild". The scan engine now also includes ScriptTrap technology. Using ScriptTrap technology, ServerProtect not only guards against harmful known script-based viruses ( I Love You and Anna Kournikova ), but also protects from new, unknown script-based threats. Without any user intervention, ScriptTrap scans for scripting viruses based on "what they do" rather than how they are written using the following processes: lexical analysis- the division of the script's source code into components, called tokens, based on punctuation and other keys. semantic parsing- attempts to determine the meaning of each component. The engine also recursively scans inside files compressed with the following compression algorithms: PKZIP, PKZIP_SFX, LHA, LHA_SFX, ARJ, ARJ_SFX, CABANET, TAR, GUN ZIP, RAR, PKLITE, LZEXE, DIET, MSCOMPRESS, UNIX, PACKED, UNIX COMPACKED, UNIX LZW, UUENCODE, BINHEX, BASE64, and others. Configurable Actions for Infected Files The Management Console provides the interface for users to configure what action an AV Server takes on an infected file. Choices include: 1-3
Trend Micro ServerProtect for EMC Celerra Filers Getting Started Guide Quarantine the infected file Clean with a backup for cleanable viruses Clean without a backup Delete the infected file Notification of Program Events ServerProtect notifies administrators of potentially serious situations in their system. An alert is issued in response to the following conditions: virus infections and an out-of-date virus pattern, or any problems with pattern/engine file distributions. Alerts can be sent via a message box, pager, printer, Internet email, SNMP trap, or written to the Windows Server 2003/2000/NT event log. Comprehensive Built-in Support ServerProtect provides online help that recommends solutions to virus-related problems and Trend Micro's online virus encyclopedia provides detailed descriptions of thousands of viruses. System Requirements ServerProtect for EMC Celerra requires the following: Normal Server 200MHz Intel Pentium processor or faster (or equivalent) Operating System: Microsoft Windows Server 2003. Minimum 128MB RAM. Microsoft Windows 2000 Professional/Server with SP1. Minimum 128MB RAM. Microsoft Windows NT Server/Workstation 4.0 with SP6 or above. Minimum 64MB RAM. 70MB of free disk space The following network protocols and services must be installed: TCP/IP, Microsoft Network, and RPC services must be running on Windows Server 2003/2000 or NT Server/Workstation. 1-4
System Requirements Information Server 450MHz Intel Pentium III processor or faster (or equivalent) Operating System: Microsoft Windows Server 2003 Microsoft Windows 2000 Professional/Server Microsoft Windows NT Server/Workstation 4.0 with SP6 256MB RAM and above is recommended 70MB free disk space 90MB free disk space (if installing with Control Manager agent) The following network protocols and services must be installed: TCP/IP, Microsoft Network, NetBIOS Compatible Transport Protocol, and RPC services. Management Console Operating System: Windows Server 2003 Windows XP Home/Professional Windows 2000 Professional/Server with SP1 Windows NT 4.0 Server/Workstation with SP6 Windows Me/98/95 A monitor with 800 x 600 or higher resolution The following network protocols and services must be installed: TCP/IP, Microsoft Network, and RPC Services. EMC Celerra File Server Celerra NAS 2.2.39.1 or above Celerra Antivirus Agent (CAVA) 1.8.9 or above. CAVA must be installed on the same machine that you installed the ServerProtect Normal Server. Celerra Antivirus Agent (CAVA) 2.2.4 or above must be installed if using Windows Server 2003. Note: For optimal scanning performance, we recommend the connection between the EMC Celerra File Server and the AV Servers to have at least 1 Gbps bandwidth. 1-5
Trend Micro ServerProtect for EMC Celerra Filers Getting Started Guide Installing ServerProtect for EMC Celerra Installing ServerProtect for EMC Celerra constitutes your acceptance of the terms and conditions of the license agreement that accompanies all Trend Micro software. Please review the license agreement carefully before installing the software. This section includes the following: Before Installing ServerProtect for EMC Celerra Install ServerProtect for EMC Celerra Before Installing ServerProtect for EMC Celerra To ensure ServerProtect for EMC Celerra functions correctly, it is important you perform the following pre-installation tasks in sequence before installing ServerProtect for EMC Celerra: Configure the AV User Account and Antivirus Group on the Windows Server 2003/2000/NT Domain Controller Install CAVA on each Windows Server 2003/2000/NT Server Configure the AV User Account and Antivirus Group on the Windows Server 2003/2000/NT Domain Controller You need to configure the AV user account and antivirus group on each Windows Server 2003/2000/NT domain controller. For complete instructions, refer to the EMC Celerra AntiVirus Agent Technical Note. Relevant procedures listed in the EMC Technical Note include: Creating the AV User Creating an Antivirus local group Assigning the AV User security and identification privileges for the VC Client Providing access to the Celerra NetBIOS name used to configure CIFS on the Data Mover Install CAVA on each Windows Server 2003/2000/NT Server You must install the EMC Celerra AntiVirus Agent (CAVA) on each AV Server before installing ServerProtect for EMC Celerra and before you start the VC Client on a Data Mover. 1-6
Specific Functions for EMC Celerra Refer to the EMC Celerra AntiVirus Agent Technical Note for detailed instructions on installing CAVA on a Windows Server 2003/2000/NT Server. The installation package contains both CAVA and the AV Driver. Install ServerProtect for EMC Celerra Make sure that CAVA is already installed on each of the ServerProtect target Windows Server 2003/2000/NT Servers. You must install ServerProtect for EMC Celerra on each Windows Server 2003/2000/NT Server that is part of the EMC Celerra antivirus system. WARNING! If CAVA is not installed on the ServerProtect target Windows Server 2003/2000/NT Server, you will not be able to install ServerProtect for EMC Celerra. The installation procedure for SP EMC is the same as the procedure for the regular version of ServerProtect (refer to Installing ServerProtect in the ServerProtect for Windows and NetWare Getting Started Guide). Specific Functions for EMC Celerra An AV Server receives a scan request when a user tries to access a file on the Celerra File Server. The AV Server then scans the file using the ServerProtect Real-time Scan function. To protect both the Celerra File Server system and the AV Server, the default setting for the ServerProtect Real-time Scan function is Incoming & outgoing. Trend Micro strongly recommends not changing this setting. For more information about Real-time Scans, refer to Real-time Scanning in the ServerProtect for Windows and NetWare Getting Started Guide. If the file is infected, the AV Server performs any of the following actions, depending on what you have previously configured: Bypass- Skips over the file without taking any corrective action in a Real-time Scan (see below Warning). Delete: Deletes the infected file. Rename: Changes the name of the infected file by modifying the file extension to ".VIR". Move: Moves the infected file to a designated folder. 1-7
Trend Micro ServerProtect for EMC Celerra Filers Getting Started Guide Clean: Attempts to clean the virus code from the file. For more information about these actions and how to configure them, refer to the ServerProtect for Windows and NetWare Getting Started Guide. WARNING! Although all virus actions function correctly, use only the Clean, Delete, and Move actions. Do not use the Bypass action. If a file is infected and the virus action is set to Bypass, the file will remain infected after entering the Celerra File Servet system. Adding AV Servers ServerProtect for EMC Celerra provides a fully scalable enterprise antivirus solution for organizations using Celerra File Servers. If the Celerra File Server has to handle a large volume traffic, adding and registering multiple AV Servers evenly distributes the workload among registered AV Servers. Files to be scanned are sent to AV Servers in "round-robin" fashion. For example, if you have three AV Servers and the Celerra File Server has four incoming files, the first AV Server scans the first file, the second AV Server scans the second file, the third AV Server scans the third file, and the first AV Server scans the fourth file. An additional file, is scanned by the second AV Server, the next file by the third AV Server, and the next file again by the first AV Server and so on. This even distribution of the workload reduces the loading of AV Servers and improves scan performance. To add an AV Server, you must first install CAVA and make sure it is connected to the Celerra File Server (refer to the EMC Celerra AntiVirus Agent Technical Note for instructions). The procedure for adding additional Normal Servers is identical to the procedure for adding Normal Servers in the regular version of ServerProtect (refer to Adding a Normal Server in the ServerProtect for Windows and NetWare Getting Started Guide). Note: You can only register an AV Server to a single Celerra File Server. However, you can register multiple AV Servers to a single Celerra File Server. 1-8
Overview of ServerProtect Chapter 2 Besides an overview of how ServerProtect for EMC Celerra protects the Celerra File Server, this chapter also includes a review of the regular version of ServerProtect. This review describes in detail the ServerProtect three-tier architecture components: Normal Server, Information Server, and the Management Console. There is also a section about using the ActiveUpdate Server to ensure ServerProtect is using the latest antivirus technology. This chapter contains the following sections: ServerProtect for EMC Celerra Architecture Overview Original ServerProtect Architecture Review Enabling Trend Micro ActiveUpdate ServerProtect for EMC Celerra Architecture Overview The main components of the Celerra antivirus system include: Data Mover (includes the VC Client)- located on the Celerra File Server AV Server (includes ServerProtect for EMC Celerra and CAVA)- located on a machine separate from the Celerra File Server Scanning is done on a separate AV Server rather than on the Celerra File Server. This ensures virus scanning will not impact the Celerra File Server's processing power. Connecting multiple AV Servers with the Celerra File Server evenly distributes the scanning workload. Scan requests and files are sent to AV Servers in a "round-robin" method. This evenly distributes the workload and improves scan performance. 2-1
Trend Micro ServerProtect for EMC Celerra Filers Getting Started Guide Remote Procedure Call (RPC) connections maintain constant communication between the Celerra File Server and the AV Server(s) for round-the-clock assurance that only virus-free files are saved to the EMC data storage system. The following is a description of the ServerProtect and Celerra antivirus system workflow: 1. A user or application running a Windows client accesses the file from Celerra using the Common Internet File System (CIFS) protocol. 2. When a client attempts to rename, modify, close, or save a file to the Celerra system, the Celerra File Server triggers a request. 3. The Virus Checking (VC) Client on the Celerra File Server will request a virus check by sending the Universal Naming Convention (UNC) path name to the CAVA of the AV Server. 4. The request is sent to AV Servers in a round-robin fashion. 5. On the AV Server, CAVA requests ServerProtect to scan the file for viruses using the Real-time Scan function. 6. Simplified scan results: NON-INFECTED: file not infected, or disinfected (file can be opened) INFECTED: infected and not cleanable (file will be access denied) Protecting the EMC Celerra File Server is the main focus of SP EMC. In SP EMC, virus scanning is made in "on-access" mode, and takes place on a separate machine ("AV Server") that is running Windows NT 4.0, Windows 2000, or Windows Server 2003. The AV Server protects the Celerra File Server. This differs from the regular version of ServerProtect whose focus is to protect the Normal Server. 2-2
ServerProtect for EMC Celerra Architecture Overview FIGURE 2-1. ServerProtect for EMC Celerra product architecture. When a client attempts to modify, close or save a file to the Celerra Server, the VC Client on the Celerra Server will request a virus check by sending the Universal Naming Convention (UNC) path name to the CAVA on an AV Server. CAVA then requests ServerProtect to scan the file using Real-time Scan mode. If the file is infected, ServerProtect performs a designated virus action. If CAVA reports the file has been successfully cleaned, the Celerra File Server lets clients access the file or saves it to its attached data storage system. 2-3
Trend Micro ServerProtect for EMC Celerra Filers Getting Started Guide Organizational Overview ServerProtect for EMC Celerra communicates with the Celerra File Server via Remote Procedure Call (RPC). RPC AV Server RPC RPC AV Server RPC ServerProtect Information Server Internet RPC Trend Micro ActiveUpdate Server RPC AV Server FIGURE 2-2. ServerProtect for EMC Celerra organizational flow The ServerProtect performs the following functions: Works with CAVA to become an AV Server (AntiVirus Server) for a Celerra File Server Notifies the VC Client (on the Celerra File Server) that CAVA and ServerProtect are installed and the Real-time Scan service is running Monitors for requests from the VC Client to scan files Lets CAVA return scan results to the VC Client Informs the VC Client of any pattern file or scan engine updates Communicates with the VC Client to check the connection between the AV Server and the Celerra File Server Works with the VC Client to provide load balancing among multiple AV Servers via round-robin method 2-4
Original ServerProtect Architecture Review Original ServerProtect Architecture Review As previously mentioned, ServerProtect for EMC Celerra is an enhanced version of the original ServerProtect. To understand the ServerProtect for EMC Celerra enhancements, it is useful to review the architecture of the original ServerProtect. The original ServerProtect protects networks through a three-tier architecture: the Management Console, the Information Server, and the Normal Server. You use the Management Console to configure the Information Server (IS), which lets you control the Normal Servers in the IS s domain. The three layers are independent from each other, and can be installed on the same machine, on separate machines, or in a combination (for example, you can install the Management Console on one machine, and you can install the Information Server and the Normal Server on a different machine). Management Console- this portable console gives you centralized control of multiple network servers and domains. The console lets you simultaneously configure servers in the same IS domain and generate integrated virus incident reports for all servers. The ServerProtect domain browser tree shows the ServerProtect servers and the status of each server. Status information includes: the version of the virus pattern, scan engine, and program file, type and version of operating system, direction of real-time scanning, etc. The Console can be installed on any Win32 machine. For more Management Console information, refer to Using the Management Console in the ServerProtect for Windows and NetWare Getting Started Guide. Information Server- a communications hub for coordinating antivirus defense activities within its domains. An Information Server (IS) provides you with a single point of contact for assigned Normal Servers. This saves time and hassle because the Information Server makes it unnecessary to directly configure each individual Normal Server. What are Domains? ServerProtect domains are virtual groupings of Normal Servers that simplify the identification and management of Normal Servers. You can create, rename, or delete domains. Refer to Managing ServerProtect Domains in the ServerProtect for Windows and NetWare Getting Started Guide. If there are a large number of Normal Servers in a domain, you can add more Information Servers and divide the number of Normal Servers among them. For example, if a domain has 100 Normal Servers assigned to one IS, you can share the workload among the two IS by adding another IS and assigning each IS to 50 Normal Servers. The IS also collects log files. 2-5
Trend Micro ServerProtect for EMC Celerra Filers Getting Started Guide Note: In addition to managing only AV Servers, the SP EMC Information Server can also manage regular version ServerProtect Normal Servers. Normal Server- the first line of defense in the ServerProtect architecture and where all the scanning takes place. The Normal Servers are the machines in the organization which typically act as file servers, data servers, etc. Normal Servers can scan both manually and in real time. Key differences between the ServerProtect versions are listed in the following table: Protection Focus: Normal Server Role: ServerProtect for EMC Celerra EMC Celerra File Server Together with CAVA becomes an EMC Celerra File Server "AV Server" and scans files when clients attempt to access files stored on the EMC Celerra File Server ServerProtect Normal Servers (the machines in the organization which act as file servers, data servers, etc.) First line of defense in the Server- Protect architecture. These servers perform the actual antivirus functions of the system Table 2-1. ServerProtect Version Comparison Enabling Trend Micro ActiveUpdate A virus scanner must have the latest updates to be effective. You can configure ServerProtect to automatically download the newest virus patterns and scan engine updates. To minimize download times and preserve network bandwidth, distribution to the designated servers is done via an incremental update mechanism. This ensures ServerProtect downloads only the latest virus signatures that have been added since the last version. For detailed information about Trend Micro update server, refer to Configuring Updates in the ServerProtect for Windows and NetWare Getting Started Guide. 2-6