AWS Storage Blog
Securing your Amazon FSx for ONTAP Windows Share (SMB) against Viruses
Organizations want to securely store and access their data, while adhering to security best practices by deploying and enforcing various policies. This includes using antivirus programs to scan and disinfect data at rest and on-access to help align with various compliance standards.
Since the release of Amazon FSx for NetApp ONTAP, many customers are migrating or have migrated their workload data to the AWS fully-managed ONTAP filesystem. Customers can quickly provision highly available file systems with scalable performance, storage size, and efficiency, to handle a large volume of data and traffic. FSx for ONTAP provides a “VScan” feature which integrates to perform on-access, and on-demand or scheduled virus scanning of your data.
In this post, I provide a step-by-step guide to deploy and integrate an antivirus software with FSx for ONTAP.
Solution Architecture
Solution overview
The following is a summary of the components of this solution:
- Amazon FSx for NetApp ONTAP filesystem with a Storage Virtual Machine joined to an Active Directory domain. The files on the Server Message Block (SMB) share are scanned for viruses on access and on a schedule.
- An Active Directory domain environment.
- In this post, the NetApp ONTAP Antivirus Connector and the supported antivirus server are deployed on an Amazon Elastic Compute Cloud (EC2) Windows instance, preferably launched in the same subnets where FSx for ONTAP is deployed. Consider running two EC2 instances across multiple Availability Zones (AZs) for redundancy.
- NetApp ONTAP Antivirus Connector that establishes a connection with the filesystem storage virtual machine (SVM).
- We are using Trend Micro ServerProtect for Storage in this post, but you can use your preferred ONTAP-supported antivirus software for virus scanning. The steps for setting up the Vscan configuration in the FSx for ONTAP CLI are the same. However, antivirus software configuration settings will differ, so refer to the antivirus vendor's manual for details.
Prerequisites
The instructions in this post assume you have a working knowledge of FSx for ONTAP filesystems. You should also have administrator permissions, access to and login credentials for an EC2 instance, and have the login details to an Active Directory domain user in your AWS Account.
The following tasks also need to be completed:
- You are logged on to the AWS Management console.
- You are logged in as the admin user “fsxadmin” via SSH to the FSx for ONTAP filesystem. We then use the ONTAP CLI to enable Vscan on-access and on-demand scheduled scans. An on-access scan is initiated when a file is accessed, while the scheduled scan scans the files within the specified directory at the defined schedule.
- Verify that you have an existing Active Directory domain environment, or set up a new one.
- A domain user account is created, or you can use an existing account, with local administrator privileges on the EC2 Windows instance (to install the ONTAP Antivirus Connector and the antivirus software).
- Confirm that you can log in to a Windows EC2 instance via an RDP client or Fleet Manager. We install the ONTAP Antivirus Connector and antivirus software on this Windows instance.
- Another domain user account is created and designated as a service account; this account is configured on the ONTAP Antivirus Connector and is used by the connector to connect to the SVM. The same account is also configured on Trend Micro ServerProtect.
- You are familiar with the Windows Server environment and PowerShell.
- Create, or have an existing, Server Message Block (SMB)/CIFS share on the FSx for ONTAP filesystem.
Summary of the steps
- Download and install the ONTAP Antivirus Connector from the NetApp software download page. You might need to register to access the download; if so, follow the instructions in the FSx for ONTAP user guide.
- Download and install Trend Micro ServerProtect for Storage. For other supported antivirus software, check the NetApp website for Vscan-supported antivirus vendors.
- Configure and connect the ONTAP Antivirus Connector running on the Windows EC2 instance to the filesystem SVM. For a single-AZ file system, it is recommended to have at least two instances, which can be in the same Availability Zone. For a multi-AZ file system, it is recommended that the instances spread across the Availability Zones. I am using two 2xlarge instances spread across two different Availability Zones for this setup.
- Configure Vscan on the filesystem with the antivirus server set as the external server. I have included a PowerShell script to make the configuration simple to deploy. You can access the PowerShell scripts from the GitHub repository.
- Configure the Trend Micro software.
Detailed steps
Gathering Information from the File System
- We need some details from your FSx for ONTAP filesystem, so open the FSx Management Console and choose your filesystem name or create a new filesystem.
- Locate the Management endpoint – IP address and copy it to Notepad or your favorite text editor.
- Locate and store the Storage Virtual Machine name, then choose the SVM link to view the SVM management endpoint details.
- Take note of and store the SVM Management IP address, which is used to mount the file share during the testing done later in the post.
- Locate and store the Volume name. We are not using the “_root” volume. By default, the filesystem creates an additional volume called “vol1.” In this setup, I have named my data volume “datavol1.”
Deploying ONTAP Vscan software
- Log in to a Windows EC2 instance with a domain user account that has sufficient permissions to perform software installation, using RDP Client or Fleet Manager Remote desktop.
- Copy the installers for the ONTAP Antivirus Connector and Trend Micro ServerProtect to the instance, into your preferred folder.
- Extract the ONTAP AV Connector archive, open the extracted folder, right-click, and choose Run as Administrator. Accept the defaults and choose Next until it prompts you to enter your Windows service credentials. You need to enter the credentials of the domain user created earlier for the AV Connector. Choose Next and then allow the installation to complete. Once it does, select the Configure ONTAP LIFs checkbox, then choose Finish to exit the installer.
- Each filesystem has multiple Logical Interfaces (LIFs), and each LIF has an associated IP address. For example, there is the Management endpoint LIF (Management LIF) and the SVM endpoint LIF (Data LIF). You have the option of configuring a “Data LIF” or a “Management LIF”. Configuring a Data LIF means you can only scan the Vserver whose management IP you configured, whereas a Management LIF allows you to scan all Vservers configured on the filesystem. If you choose the latter, additional configuration is required; refer to the README.txt file for details. In this walkthrough, we are using the Data LIF.
- Retrieve the SVM management IP you stored earlier and paste/type that in the Data LIF field on the Antivirus Connector screen, then choose Test to confirm connectivity.
- Confirm that the connectivity check passed, then choose Update and then Save. If the connectivity test fails, check your instance and filesystem security groups and route tables to confirm that ICMP and the required ports are allowed in the filesystem and instance security group rules, and on any other firewall you might be running. In addition, refer to the FSx for ONTAP troubleshooting steps.
Deploying Trend Micro software
1. Install Trend Micro ServerProtect for Storage. Open the folder where the installer is stored, right-click, and choose Run as Administrator. Then follow the on-screen setup instructions; you can find the README here. For this deployment, we choose three components: Install server as a ServerProtect Information Server, Install server as a ServerProtect Normal Server (selecting the RPC radio button), and Install the Management Console to local machine.
2. Enter the local administrator login credentials that the Trend Micro service will “run as.” For this setup, we are using the credentials of the domain user we created earlier.
3. Create a secure password for the Trend Micro Information Server, then choose Next.
Update antivirus definitions
1. Launch the ServerProtect Management Console, then enter the Information Server password you specified earlier, during the installation wizard.
2. Choose the Updates tab on the Server Protect Management Console.
3. Now choose Download Now. Once that completes, choose Deploy Now to download and deploy the latest antivirus definition updates to the Information and Normal Servers. Disable Windows Defender once installation is complete and the antivirus signatures have been updated and deployed.
Add FSx for ONTAP filesystem Vscan to the antivirus Software
1. Right-click on the ServerProtect RPC server name and choose Device List.
2. Choose Add Device and choose ClusterMode AV Connector as Device Mode. Then enter the credentials of the domain user you used earlier when setting up the Antivirus Connector.
3. Confirm that you got a “successfully added” prompt.
4. When you check the device list, the SVM status shows as offline for now. Next, configure Vscan on the FSx for ONTAP filesystem using the PowerShell script provided below. For this walkthrough, I created a folder called “vscan-reports” in the “datavol1” directory, and my CIFS/SMB share folder is located in a subfolder called “corpshare.” I am also choosing to perform a daily scheduled scan in addition to on-access scanning. The script also uses the “default_CIFS” Vscan policy and sets the maximum file size to scan (“max-file-size”) to 10GB, which means any file larger than 10GB will not be scanned.
Configure Vscan on FSx for ONTAP File System
1. Run a script that configures the FSx for ONTAP Vscan parameters. In summary, the script creates the following configuration:
a. Creates a scanner pool, setting the domain user you created earlier as a privileged user and adding the IP address of the Windows EC2 instance to the filesystem Vscan scanner pool.
b. Applies the existing built-in on-access policy ‘default_CIFS’ to the newly created scanner pool.
c. Enables Vscan.
d. Creates a scheduled on-demand scan task that runs daily.
Download “setup-fsxn-vscan-live.ps1” from the GitHub repository here. Open it in a text editor and modify the parameters to match the filesystem configuration values you stored earlier. You can also change other parameters such as the scan schedule, maximum file size, or timeout values. Next, hold the Shift key, right-click on an empty space within the directory in File Explorer, and choose Open PowerShell window here.
Script parameter details
- FSxManagementIP — FSx for ONTAP filesystem Management IP address
- Username — Cluster Management user “fsxadmin”
- VserverName — Your file system Storage Virtual Machine Name
- PrivilegedUserName — Username of the Active Directory domain user you created earlier for Vscan
- antivirusServerHostname — Hostname or IP of the server where you install your Vscan server and antivirus software
- ScannerPoolName — Your desired name for the FSx for ONTAP Virus scanning Pool
- ScanPath — Location or path of your shared folder (SMB or NFS) on the file system
- ReportDirectory — Location where you want the file system to deliver the reports of each Virusscan
- ScheduleTiming — How often you would like the on-demand scanning to occur for example “daily”
- ScheduleScanTaskName — Your desired name to identify the scheduled on-demand scan
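The following is an added example, not the script from the post's GitHub repository: it takes the same parameters listed above, builds the ONTAP CLI commands for steps a through d, and sends them to the filesystem management endpoint in one SSH session as “fsxadmin” (the Windows OpenSSH client prompts for the password). It accepts more than one antivirus server hostname, so the same script also covers adding the second EC2 instance to the scanner pool. All IP addresses, names and the domain account below are placeholders.

```powershell
# Added example (not the blog author's setup-fsxn-vscan-live.ps1). Requires ssh.exe
# (Windows OpenSSH client). Every value here is a placeholder; replace with yours.
param(
    [string]   $FSxManagementIP          = "198.51.100.10",       # placeholder mgmt IP
    [string]   $Username                 = "fsxadmin",
    [string]   $VserverName              = "svm1",                 # placeholder SVM name
    [string]   $PrivilegedUserName       = "CORP\svc-vscan",       # placeholder AD service account
    [string[]] $AntivirusServerHostnames = @("10.0.1.25"),         # one per AV server (EC2 instance)
    [string]   $ScannerPoolName          = "fsxn-scanner-pool",
    [string]   $ScanPath                 = "/datavol1/corpshare",
    [string]   $ReportDirectory          = "/datavol1/vscan-reports",
    [string]   $ScheduleTiming           = "daily",
    [string]   $ScheduleScanTaskName     = "daily-corpshare-scan",
    [string]   $MaxFileSize              = "10GB"                  # files above this are not scanned
)

$hosts = $AntivirusServerHostnames -join ","
$cmds = @(
    # a. Scanner pool: AV server(s) plus the privileged domain user the connector runs as
    "vserver vscan scanner-pool create -vserver $VserverName -scanner-pool $ScannerPoolName -hostnames $hosts -privileged-users $PrivilegedUserName",
    "vserver vscan scanner-pool apply-policy -vserver $VserverName -scanner-pool $ScannerPoolName -scanner-policy primary",
    # b. Built-in on-access policy with the size limit the post describes (assumes
    #    default_CIFS accepts modify on FSx; otherwise create a custom policy instead)
    "vserver vscan on-access-policy modify -vserver $VserverName -policy-name default_CIFS -max-file-size $MaxFileSize",
    "vserver vscan on-access-policy enable -vserver $VserverName -policy-name default_CIFS",
    # c. Turn Vscan on for the SVM
    "vserver vscan enable -vserver $VserverName",
    # d. Scheduled on-demand scan of the share, with reports written to the filesystem
    "vserver vscan on-demand-task create -vserver $VserverName -task-name $ScheduleScanTaskName -scan-paths $ScanPath -report-directory $ReportDirectory -schedule $ScheduleTiming",
    # Verification: each AV server should be listed as connected, scan-mandatory should be set
    "vserver vscan connection-status show-all -vserver $VserverName",
    "vserver vscan on-access-policy show -vserver $VserverName -policy-name default_CIFS -instance"
)

# ONTAP accepts several CLI commands separated by ";" in a single non-interactive SSH call,
# so only one password prompt is needed. Output is returned for review.
$batch = $cmds -join "; "
Write-Host "Sending $($cmds.Count) commands to $Username@$FSxManagementIP"
& ssh "$Username@$FSxManagementIP" $batch
if ($LASTEXITCODE -ne 0) {
    Write-Warning "ssh exited with code $LASTEXITCODE; check the output above for the failing command"
}
```

Re-running with a second hostname in $AntivirusServerHostnames after the pool exists requires `vserver vscan scanner-pool modify -hostnames` instead of `create`, which is what the post's second script does.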
2. Retrieve your “fsxadmin” password. Type the name of the PowerShell script you saved earlier, then press Enter to run it. The script prompts you for your filesystem “fsxadmin” password; provide it and press Enter. You should get output similar to the following:
3. Go back to the ServerProtect Management Console > RPC Scanner Type > Device List to confirm that the SVM now shows as Online.
Configure the second EC2 instance
1. Now perform the ONTAP Antivirus Connector and Trend Micro ServerProtect installation and configuration steps on the second EC2 instance.
2. For the second EC2 instance, we use a different PowerShell script to update the FSx for ONTAP filesystem Vscan scanner-pool servers. You can download the second script here. The script specifies the IP address of the second EC2 instance; edit it to match your environment. Then run the script the same way you did for the first node.
You should get an output similar to the following:
Completion and testing
Congratulations! You have successfully configured antivirus scanning for your SMB/CIFS share. I have also provided another script that displays your existing Vscan configuration; you can download it here.
The output will be the following:
Testing on-access scanning
Consider running the following tests during a system maintenance period.
Now let’s run some tests: shut down the antivirus servers one after the other to confirm that redundancy works as expected and that clients cannot access the file share when on-access antivirus scanning is not available. Whether clients are denied access to shared files when no antivirus server is available is controlled by the “scan-mandatory” setting in the policy configuration.
For a multi-AZ filesystem, the next test is to trigger a filesystem failover by updating the throughput, then continuously monitor access to the share to make sure it stays available throughout the filesystem update. This confirms that there are no interruptions to file access from the client if an Availability Zone is impacted.
Infected files on the SMB share are detected, and actions are taken based on the antivirus software settings. Example actions include quarantine or deletion; see the sample configuration that follows. Ensure you use a configuration that meets your organization’s security policies.
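To make the two tests above measurable, here is an added monitoring script (not part of the post) that reads a probe file on the share at a fixed interval from a domain-joined client and logs every change between reachable and unreachable, along with the error text. Run it while stopping the antivirus servers one at a time, or during the throughput update, and check the log for transitions. The share path, probe file name and log location are placeholders.

```powershell
# Added example, not from the post: poll a file on the SMB share and log availability transitions.
# Reading the file (not just Test-Path) makes the SVM issue an on-access scan request, so a
# scan-mandatory policy with no reachable scanner shows up here as an access failure.
param(
    [string] $SharePath   = "\\10.0.2.50\corpshare",   # placeholder: SVM data IP + share name
    [string] $ProbeFile   = "vscan-probe.txt",         # placeholder: small clean text file
    [int]    $IntervalSec = 2,
    [int]    $DurationSec = 600,
    [string] $LogFile     = "$env:TEMP\share-availability.log"
)

$target = Join-Path $SharePath $ProbeFile
if (-not (Test-Path -LiteralPath $target)) {
    # Create the probe once; this write is itself subject to on-access scanning.
    Set-Content -LiteralPath $target -Value "probe $(Get-Date -Format o)"
}

$deadline  = (Get-Date).AddSeconds($DurationSec)
$lastState = $null
$failures  = 0

while ((Get-Date) -lt $deadline) {
    $stamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    try {
        $null  = Get-Content -LiteralPath $target -TotalCount 1 -ErrorAction Stop
        $state = "OK"
        $detail = ""
    } catch {
        $state  = "FAIL"
        $detail = $_.Exception.Message
        $failures++
    }
    # Log only when the state flips, so the log reads as a timeline of outages.
    if ($state -ne $lastState) {
        "$stamp $state $detail" | Tee-Object -FilePath $LogFile -Append
        $lastState = $state
    }
    Start-Sleep -Seconds $IntervalSec
}

"$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') done: $failures failed probes out of roughly $([int]($DurationSec / $IntervalSec))" |
    Tee-Object -FilePath $LogFile -Append
```

With scan-mandatory set, expect a FAIL entry only while both antivirus servers are down; during a multi-AZ failover the log should show no FAIL entries at all.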
Example Virus detection Action configuration:
Example infected file detection and alert:
Cleanup
There are costs associated with running EC2 instances and FSx for ONTAP filesystems, and you also need a subscription for the anti-malware software. Remember to delete unused filesystems and terminate EC2 instances if they are no longer needed.
Conclusion
In this post, we walked through the steps for setting up antivirus scanning for your FSx for ONTAP filesystem by configuring a Vscan policy and setting up Trend Micro ServerProtect for Storage as the virus scanner. To verify redundancy, we deployed two EC2 instances in two separate Availability Zones and installed and configured the ONTAP Antivirus Connector and ServerProtect software on both. We also defined both in the FSx for ONTAP filesystem Vscan scanner pool and tested that the servers’ redundancy and on-access scanning work as expected. Files on the file share are accessible as long as one of the EC2 instances is running, and access returns an error when both instances are shut down.
To learn more, check out FSx for ONTAP filesystems and EC2 instances, and view the best practices for configuring antivirus functionality in ONTAP.