Most antivirus vendors provide a mechanism to update their virus definition file at least once a day to eliminate the potential threats of a new virus. Through a scheduled job or a manual update, the updated virus definition files are pushed to all the ICAP servers. At the same time, the ICAP service tag (ISTag) is updated at the ICAP server level.
PowerScale maintains a timer job to synchronize the ISTags from ICAP servers every hour, which can result in a maximum wait of one hour for ISTags to be updated on the PowerScale cluster. Use the following command to view all the ISTags from PowerScale:
The following example has only one node of McAfee VirusScan Enterprise for Storage deployed and integrated with PowerScale. In this case, its ISTag is 6000.8403.9327.0.
tme-sandbox-3# sysctl efs.bam.av.current_istags
efs.bam.av.current_istags:
num istags: 2
If a file has been scanned by isi_avscan_d, the ISTag will be applied to its metadata. Use the following command to check the ISTag of a file:
isi antivirus status -v <file path>
The following is an example where the ISTag for the file /ifs/audit/test/0.0.1 is 6000.8403.9327.0.
tme-sandbox-3# isi antivirus status -v /ifs/audit/test/0.0.1
File: /ifs/audit/test/0.0.1
Last Scan: 2019-07-24T07:15:59
Last Istag: 6000.8403.9327.0
Scan Status: Current
The file has been scanned by the ICAP server with ISTag 6000.8403.9327.0. OneFS will not request a second scan of an unmodified file if the ISTag on the file matches any ISTag in the output of sysctl efs.bam.av.current_istags. This also means that even an unmodified file can be scanned again after the virus definition file is updated.
Dell Technologies recommends setting an update interval for the virus definition file on ICAP servers that aligns with your scan policy, to avoid unnecessary scans that could impact overall performance.
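The rescan rule described above can be modeled in a few lines. This is an added example, not OneFS or Dell code: it parses the `isi antivirus status -v` output shown on this page and applies the ISTag comparison. The function names, the `modified_since_scan` flag, and the second ISTag value are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample: the `isi antivirus status -v` output quoted on this page.
SAMPLE_STATUS = """\
File: /ifs/audit/test/0.0.1
Last Scan: 2019-07-24T07:15:59
Last Istag: 6000.8403.9327.0
Scan Status: Current
"""

@dataclass
class AvStatus:
    path: str
    last_scan: str
    last_istag: str
    scan_status: str

def parse_status(text):
    """Parse 'Key: value' lines; split on the first colon only, because
    the Last Scan timestamp itself contains colons."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return AvStatus(
        path=fields.get("file", ""),
        last_scan=fields.get("last scan", ""),
        last_istag=fields.get("last istag", ""),
        scan_status=fields.get("scan status", ""),
    )

def needs_scan(status, current_istags, modified_since_scan=False):
    """Model of the rule in the text: skip the scan only when the file is
    unmodified and its ISTag matches one the cluster holds as current."""
    if modified_since_scan or not status.last_istag:
        return True
    return status.last_istag not in current_istags

def rescan_candidates(status_outputs, current_istags):
    """Return paths of unmodified files whose ISTag is no longer current."""
    parsed = (parse_status(t) for t in status_outputs)
    return [s.path for s in parsed if needs_scan(s, current_istags)]

if __name__ == "__main__":
    before = {"6000.8403.9327.0"}  # ISTag from the page
    after = {"6000.8404.9328.0"}   # constructed value standing in for a new definition file
    print(rescan_candidates([SAMPLE_STATUS], before))
    print(rescan_candidates([SAMPLE_STATUS], after))
```

Running the same comparison over a sample of file statuses before and after a definition update gives a rough count of how many unmodified files each update makes eligible for rescanning.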