Many enterprises have strict security policies in place to detect, clean (remove), or quarantine viruses. This is often performed at the individual user level with per-system antivirus (AV) solutions from third-party security vendors. Many of these same enterprises utilize large, centralized storage platforms to contain user home directories or group project repositories. Because these are the same file types that reside on end-user workstations, it is critical that viruses are not resident on the storage systems. Since end-user solutions do not work well for centralized storage depots, a different type of solution is required.
Third-party software is often used to scan the storage array itself during end-user access or based on manually scheduled policies from a central antivirus scan server. There are methods to do this using RPC or with SMB and NFS. However, there are drawbacks to these methods since they use proprietary solutions and non-centralized scanning through NAS protocols.
One common and simple alternative uses the Internet Content Adaptation Protocol (ICAP), which is ratified by the Internet Engineering Task Force (IETF) and is publicly accessible. Dell EMC PowerScale scale-out storage has incorporated ICAP in the OneFS operating system since version 5.0.4. ICAP is an off-box solution that is loosely based on HTTP. It is often used in web proxy applications to extend proxy server functionality. This protocol also works very well on NAS servers, allowing PowerScale clusters to offload virus-scanning duties to antivirus servers.
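To show what "loosely based on HTTP" means on the wire, the following added example (not Dell or OneFS code) frames a file as an ICAP RESPMOD request and interprets a scan server's reply, treating anything other than an explicit 204 as not clean. The host, the `avscan` service name and the sample replies are constructed, and `X-Infection-Found` is a vendor extension header that not every scan engine sends.

```python
from urllib.parse import quote

def build_respmod(host: str, service: str, filename: str, data: bytes) -> bytes:
    """Wrap file bytes as the HTTP response an ICAP scan service inspects."""
    req_hdr = f"GET /{quote(filename)} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode()
    res_hdr = f"HTTP/1.1 200 OK\r\nContent-Length: {len(data)}\r\n\r\n".encode()
    if data:
        # Body is chunk-encoded: hex length, payload, then a zero-length chunk.
        body = f"{len(data):x}\r\n".encode() + data + b"\r\n0\r\n\r\n"
        body_field = "res-body"
    else:
        # An empty file carries no body; ICAP marks that with null-body.
        body, body_field = b"", "null-body"
    # Encapsulated offsets count from the first byte after the ICAP headers.
    icap_hdr = (
        f"RESPMOD icap://{host}/{service} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Allow: 204\r\n"  # server may answer 204 instead of echoing the file
        f"Encapsulated: req-hdr=0, res-hdr={len(req_hdr)}, "
        f"{body_field}={len(req_hdr) + len(res_hdr)}\r\n\r\n"
    ).encode()
    return icap_hdr + req_hdr + res_hdr + body

def parse_verdict(raw: bytes):
    """Return (state, detail) from an ICAP reply; only 204 counts as clean."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    proto, code, *_ = lines[0].split(" ", 2)
    if not proto.startswith("ICAP/"):
        raise ValueError("not an ICAP status line")
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    if code == "204":
        return ("clean", None)  # no modification needed
    if code == "200":
        # The server substituted or altered the content, as on a detection.
        return ("modified", headers.get("x-infection-found"))
    return ("error", lines[0])  # fail closed on anything else

# Constructed sample replies, not captured from a real scan engine.
SAMPLE_CLEAN = b'ICAP/1.0 204 No Content\r\nISTag: "constructed"\r\n\r\n'
SAMPLE_HIT = (b'ICAP/1.0 200 OK\r\nISTag: "constructed"\r\n'
              b"X-Infection-Found: Type=0; Resolution=2; Threat=EICAR-Test;\r\n"
              b"Encapsulated: res-hdr=0, null-body=26\r\n\r\n"
              b"HTTP/1.1 403 Forbidden\r\n\r\n")

if __name__ == "__main__":
    print(build_respmod("scan.example.internal", "avscan", "a b.txt", b"hello").decode())
    print(parse_verdict(SAMPLE_CLEAN), parse_verdict(SAMPLE_HIT))
```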
There are two methods that PowerScale storage clusters can use to scan files for threats. One is the on-access method, in which a file is vectored to the ICAP antivirus scan engine when the file is requested by the end user. It is scanned and appropriate actions are taken. The other method uses policy definitions on the storage array itself. These policies can be implemented manually, on a schedule, or using both methods. In this scenario, entire directories or the entire array itself can be proactively scanned by the scan engine. Most organizations use a combination of these two methods.
This document provides best practices for planning a PowerScale scale-out storage solution with antivirus capabilities using ICAP and an off-box scan engine from Dell Technologies technology partners.