EMC Isilon AV Scan – Malformed container size

Code level: Version 7.2.1.1 of OneFS:

We have been using an ICAP server by EMC to scan files on the Isilon. Since then, it has been detecting numerous threats, so many in fact that it locks up the GUI and the web interface has to be restarted. In addition, any special characters within the name of the file type also cause the file to be quarantined. This was due to an issue in the OS that was fixed in a later OneFS release. After many hours of testing, we encountered a similar bug in 7.2.1.3. We had to upgrade to 7.2.1.4 to finally fix the issue. *Note that 7.2.1.4 is the last update before OneFS version 8.*

But before fixing the issue, we had to release all of the quarantine so we could move forward. You cannot do this via the GUI because of the massive amount of quarantined items and detected threats. Just going to the web page will lock up the Isilon and put you back on the phone. Since I am running this version on multiple Isilons, I wanted to know how to always clear the AV before upgrading. Remote support does not always check that this is empty before upgrading. I was able to find a handy EMC support article that will save all quarantined items to a file and then purge them.

Full listing of all files in quarantine:

# isi avscan report threat --all | egrep -B2 "Quarantined" | egrep -o "/ifs.*$" | tee -a /ifs/data/Isilon_Support/quarantined_files_$(date '+%Y-%m-%d').txt

This will unquarantine everything, including actual potential viruses. Please make sure you are aware of the risks before running this.

# isi avscan report threat --all | egrep -B2 "Quarantined" | egrep -o "/ifs.*$" | tee -a /ifs/data/Isilon_Support/quarantined_files_$(date '+%Y-%m-%d').txt | while IFS= read -r qFile; do if isi avscan unquarantine "${qFile}"; then echo "$(date '+%Y-%m-%dT%H:%M:%S%z') SUCCESSFUL unquarantine of ${qFile}" | tee -a /ifs/data/Isilon_Support/unquarantined_files_$(date '+%Y-%m-%d').txt; else echo "$(date '+%Y-%m-%dT%H:%M:%S%z') FAILED to unquarantine ${qFile}" | tee -a /ifs/data/Isilon_Support/quarantined_files_$(date '+%Y-%m-%d').txt; fi; done
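
A check to run after the bulk command above, added here as an example and not taken from the EMC article or the original post: it reconciles the listing file with the success log so that paths that failed or were never processed stand out before the upgrade. The function names and the sample lines are constructed; the line formats are the ones the commands above write.

```sh
#!/bin/sh
# Added example: reconcile the two files written by the bulk unquarantine run.
# Line formats are those produced by the commands on this page:
#   listing file: "/ifs/..." path lines, plus "<timestamp> FAILED to unquarantine <path>"
#   success log:  "<timestamp> SUCCESSFUL unquarantine of <path>"
LC_ALL=C; export LC_ALL   # sort and comm must agree on ordering

# Paths recorded as quarantined (only the lines that start with /ifs).
listed_paths() { grep '^/ifs' "$1" | sort -u; }

# Paths the run logged as released; the timestamp contains no spaces.
released_paths() { sed -n 's/^[^ ]* SUCCESSFUL unquarantine of //p' "$1" | sort -u; }

# Paths the run logged as failed.
failed_paths() { sed -n 's/^[^ ]* FAILED to unquarantine //p' "$1" | sort -u; }

# Listed paths with no SUCCESSFUL entry: failed, or never processed at all.
unreleased_paths() {
    tmp=$(mktemp -d) || return 1
    listed_paths "$1" > "$tmp/listed"
    released_paths "$2" > "$tmp/released"
    comm -23 "$tmp/listed" "$tmp/released"
    rm -rf "$tmp"
}

# Constructed sample data (not real cluster output), then the reconciliation.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/quarantined.txt" <<'EOF'
/ifs/data/share/report (final).docx
/ifs/data/share/setup.exe
/ifs/data/home/user1/notes#1.txt
2016-05-01T10:00:02-0500 FAILED to unquarantine /ifs/data/share/setup.exe
EOF
    cat > "$d/unquarantined.txt" <<'EOF'
2016-05-01T10:00:01-0500 SUCCESSFUL unquarantine of /ifs/data/share/report (final).docx
EOF
    echo "unreleased:"; unreleased_paths "$d/quarantined.txt" "$d/unquarantined.txt"
    echo "failed:";     failed_paths "$d/quarantined.txt"
    rm -rf "$d"
}

demo
```

On the cluster, pass the day's quarantined_files and unquarantined_files from /ifs/data/Isilon_Support to unreleased_paths; any path it prints has no SUCCESSFUL entry in the log.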

 
