EMC Isilon AV Scan – Malformed container size


Code level: Version of OneFS:

We have been using an ICAP server by EMC in order to scan files on the Isilon. Since then, it started detecting numerous threats. So many, in fact, that it locks up the GUI and the web interface has to be restarted. In addition, any special characters within the name of the file type also cause the file to be quarantined. This was due to an issue in the OS that was fixed in a later OneFS release.  After many hours of testing we encountered a similar bug in   We had to upgrade to to finally fix the issue.  *Note that is the last update before version OneFS 8*.

But before fixing the issue, we had to release everything in quarantine so we could move forward. You cannot do this via the GUI due to the massive number of quarantined items and detected threats. Just going to the web page will lock up the Isilon and put you back on the phone. Since I am running this version on multiple Isilons, I wanted to know how to always clear the AV before upgrading. Not all remote support checks to make sure that this is empty before upgrading. So I was able to find a handy EMC support article that will save all quarantined items to a file and then purge them.

Full listing of all files in quarantine:

# isi avscan report threat --all | egrep -B2 "Quarantined" | egrep -o "/ifs.*$" | tee -a /ifs/data/Isilon_Support/quarantined_files_$(date '+%Y-%m-%d').txt

This will unquarantine everything, including actual potential viruses. Please make sure you are aware of the risks before running this.

# isi avscan report threat --all | egrep -B2 "Quarantined" | egrep -o "/ifs.*$" | tee -a /ifs/data/Isilon_Support/quarantined_files_$(date '+%Y-%m-%d').txt | while IFS= read -r qFile; do if isi avscan unquarantine "${qFile}"; then echo "$(date '+%Y-%m-%dT%H:%M:%S%z') SUCCESSFUL unquarantine of ${qFile}" | tee -a /ifs/data/Isilon_Support/unquarantined_files_$(date '+%Y-%m-%d').txt; else echo "$(date '+%Y-%m-%dT%H:%M:%S%z') FAILED to unquarantine ${qFile}" | tee -a /ifs/data/Isilon_Support/quarantined_files_$(date '+%Y-%m-%d').txt; fi; done
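
An added example, not part of the original post or the EMC support article: a shell script that reconciles the listing file and the release log written by the command above, so failed and never-processed paths are visible before the upgrade. The line formats are taken from that command's echo statements; the function names, sample paths and timestamps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): reconcile the two files written
# by the unquarantine one-liner. Line formats come from its echo statements.
LC_ALL=C; export LC_ALL   # byte-order collation so sort and comm agree

# Paths captured by the listing step (lines starting with /ifs). sort -u is
# needed because both commands on the page append to the same dated file.
listed_paths() { grep '^/ifs' "$1" | sort -u; }

# "<timestamp> SUCCESSFUL unquarantine of <path>" lines in the release log.
released_paths() { sed -n 's/^[^ ]* SUCCESSFUL unquarantine of //p' "$1" | sort -u; }

# "<timestamp> FAILED to unquarantine <path>" lines. The one-liner appends
# these to the listing file, not to the release log.
failed_paths() { sed -n 's/^[^ ]* FAILED to unquarantine //p' "$1" | sort -u; }

# Listed paths with neither record, e.g. because the loop was interrupted.
# $1 = listing file, $2 = release log
unprocessed_paths() {
    seen=$(mktemp) || return 1
    { released_paths "$2"; failed_paths "$1"; } | sort -u > "$seen"
    listed_paths "$1" | comm -23 - "$seen"
    rm -f "$seen"
}

# Constructed sample data (hypothetical paths) in the formats described above.
make_sample() {  # $1 = listing file to create, $2 = release log to create
    cat > "$1" <<'EOF'
/ifs/data/share/report (final).docx
/ifs/data/share/tool.exe
/ifs/data/share/archive.zip
2016-03-01T10:15:02-0500 FAILED to unquarantine /ifs/data/share/tool.exe
EOF
    cat > "$2" <<'EOF'
2016-03-01T10:15:01-0500 SUCCESSFUL unquarantine of /ifs/data/share/report (final).docx
EOF
}

# Usage: sh reconcile.sh LISTING_FILE RELEASE_LOG
if [ "$#" -eq 2 ]; then
    echo "== released from quarantine ==";   released_paths "$2"
    echo "== failed to release ==";          failed_paths "$1"
    echo "== listed but never processed =="; unprocessed_paths "$1" "$2"
fi
```

The released list is the set of files that left quarantine without review, which is the set the warning above applies to.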
