McAfee VirusScan running on NetApp – How does it work?

Awhile ago I wrote a post on On-board antivirus for NetApp filers. I thought this was an interesting play for user profiles and your ThinApp repository The solution is a integrated approach to partnering with McAfee and you must be running at least Data ONTAP 8.1.

I was curious on how it actually worked and even more curious to see the impact of it running.

How and When a NetApp storage system determines to scan a File

1. Technically, the NetApp storage system will scan on:



Close (if the file was modified)

2. The NetApp storage system will scan a file based on the file extensions set by the NetApp storage system’s administrator.

3. The NetApp storage system scans a file when the file is opened.

4. The NetApp storage system scans when a file is renamed to a file name that has one of the designated file extensions.

5. The NetApp storage system scans a file when a file is closed after being modified. The NetApp storage system does not scan a file after each write, but only when a modified file is closed.

6. Newly created files are not scanned on create, but only after data has been written to them and closed.

7. The NetApp storage system does not scan a file when the file is accessed from the vscan server itself.

8. If multiple applications access the same file simultaneously, they will all share the same scan results on the first application’s virus scan. For example, if application-1 requests to open a file and triggers a scan for viruses, the scan is launched. If application-2 tries to open the same file, the storage system will not launch a second scan, but instead queues up application-2 to wait for the already-active scan to complete. When the scan completes, both requests then continue being processed by the NetApp storage system.

The below is taken from


The VSE On-board solution consists of hooks in the data path to delay file operations and generate scan requests, and a user-mode application that mediates scan and management requests with a third-party
scanning engine. The main components of this architecture are:

AV filter. When a file is accessed by using the network protocols, the AV filter first decides whether or not the file needs to be scanned. This predecision is based on information like file extension, the share through which the request is coming, the protocol used, and so on. This information is passed to the AV on-access client.

AV on-access client. A module used by NetApp WAFL® (Write Anywhere File Layout) to manage virus scanning. Based on the predecision passed by the AV filter and the AV attributes of the inode, 5 McAfee VirusScan Enterprise On-board for Data ONTAP Operating in Cluster-Mode Deployment Guide the AV on-access client decides whether or not to scan the file. To scan a file, the AV client sends a request to the AV server.

AV server. Located in the user space, the AV server contains the third-party scan engine. Upon request of the AV on-access and on-demand clients, the AV server scans the file. A maximum of one AV server can be present per node.

AV on demand. Parses directories upon an administrator’s request and scans the files by sending a request to the AV server.

AV manager. Used to configure and monitor the antivirus feature and to manage the AV subsystems. On-access scanning is based on the AV policy defined for the volume. The AV policy can be assigned either to a v-server or to a volume. A volume inherits the AV policy from the v-server if there is no explicit policy assigned to it.

When I get my small filer, I hope I can do some testing and see the impact with the integrated AV on and off. I don’t see this as a replacement for running AV on your desktop but I would use it to form a complete solution.

Note: After seeing this tweet from Ron Oglesby, Is Antivirus Software a Waste of Money?, maybe this is a complete waste of time:-)


  1. […] : McAfee VirusScan running on NetApp – How does it work? gapi.plusone.go(); […]

Speak Your Mind