Nasuni Antivirus Protection


Overview

Clam AntiVirus (ClamAV®) is an open-source antivirus scanning engine built into Nasuni to help detect trojans, viruses, malware, and other malicious threats, and it is offered at no additional charge.

ClamAV is overseen by The Talos Security Intelligence and Research Group (Talos), a wholly owned business unit of Cisco. Talos underpins the entire Cisco security ecosystem, with researchers, data scientists, and engineers who collect information about existing and developing threats, and then deliver protection against attacks and malware.

ClamAV has the considerable resources of Cisco Talos behind it, including:

  • More than 250 full-time threat researchers.

  • More than 1100 decoy systems and other threat traps.

  • Millions of telemetry agents.

ClamAV consistently ranks in the middle of all antivirus solutions, based on which solutions detect the most threats, and which solutions detect the most serious threats.

Considerations and Impact of Using Antivirus Protection

Impact on Performance

Files must be scanned before moving to cloud storage, which can slightly delay data propagation and file synchronization.

Enabling antivirus scanning using the Antivirus Protection schedule generally has a low impact on performance because files are scanned in batches. However, since files do not proceed to cloud storage until scanned, this can delay data propagation and file synchronization until after the scheduled scan occurs.

Selecting “Check files immediately” has a higher impact on performance because each file is checked individually when it is closed, rather than as part of a batch of files, which consumes more resources. The “Check files immediately” processing is implemented as a queue. Files are still written to the Nasuni Edge Appliance and are accessible on the Nasuni Edge Appliance as they normally would be, but these files are added to a queue for scanning. Such files must be scanned before being moved to cloud storage, which can affect the performance of files propagating and synchronizing. Such scans do not have to wait until scheduled times.

Impact on Data Protection

If Antivirus Protection scanning is enabled for a volume, files must be scanned before moving to cloud storage. Unscanned files are not moved to cloud storage, remain in the cache, and are classified as “data not yet protected” until they are scanned.

Infected Files

Files marked as Infected are not moved to cloud storage, remain in the Edge Appliance cache, and are classified as “data not yet protected” by Nasuni until an administrator either Ignores or Deletes the file.

If a scanned file is infected, the authorized administrator can ignore the infection. If a file has no antivirus violations, that file is allowed to be part of a snapshot and protected in cloud storage. Suppose a file has an antivirus violation, but the authorized administrator deliberately ignores the violation. In that case, the file is also allowed to be part of a snapshot and protected in cloud storage. However, if a file has an antivirus violation, and the authorized administrator does not ignore the violation, the file is excluded from the snapshot and is not protected in cloud storage.

If the administrator chooses to Delete the file, the file is not written to cloud storage, and is removed from the Edge Appliance cache.

Tip: You can also delete infected files or ignore antivirus violations using the NMC API. This can be useful for automating tasks and for enhancing security. For more details, see Nasuni API Documentation.

Files Already Written to Cloud Storage

Only new or changed files are scanned. Therefore, a file that has already been stored and protected in cloud storage before Antivirus Protection is enabled is not scanned, unless that file is changed somehow.

Using Third-Party Antivirus and Out of Band Scans

Attempting to perform antivirus scans with third-party products is not recommended at this time. A full scan with a third-party antivirus scanner would pull all data into the Edge Appliance cache for the scan, which would impact the performance of the Nasuni system.

Global File Lock and Antivirus Protection

If an open file has Global File Lock enabled, and if that file is saved, then that file is protected in the cloud outside of the regular snapshot, even if that file is still open. However, if Antivirus Protection is enabled for that file, that open file is not immediately protected in the cloud. This is because Antivirus Protection must check that file before that file can be moved to cloud storage. In this case, after Antivirus Protection checks that file, and that file has no infections, then that file is protected in the cloud.

If a file does have antivirus infections, and those infections are marked “Ignore”, then the file experiences the usual Global File Lock processing.

For details of Global File Lock processing, see Global File Lock.

Using Nasuni’s Built-In Antivirus Protection

The ClamAV-based Antivirus Protection built into Nasuni protects against viruses and other malware in files on a volume. Antivirus Protection scans every new or modified file for the presence of viruses and other malware, before the file is protected in cloud storage. The entire file is scanned, not just the changed part. Files are scanned when included in a snapshot, but not during Nasuni Global File Lock™ processing.

Important: Global File Lock processing: If an open file has Global File Lock enabled, and if that file is saved, then that file is protected in the cloud outside of the regular snapshot, even if that file is still open. However, if Antivirus Protection is enabled for that file, then Antivirus Protection checks that file before it is protected in the cloud. For details of Global File Lock processing, see Global File Lock.

If a scanned file is found to be infected, the authorized administrator can ignore the infection. Only files with no detected malware, or infected files that the authorized administrator deliberately ignores, are allowed into cloud storage.

Tip: You can also delete infected files or ignore antivirus violations using the NMC API. This can be useful for automating tasks and for enhancing security. For more details, see Nasuni API Documentation.

Synchronization with the ClamAV virus database occurs within four hours of an update to that database. If a file is incorrectly identified as infected (a false positive), you can report the false positive on Clam AntiVirus’s Report False Positive page.

Nasuni Antivirus Protection scans files and container files (such as .zip files). Antivirus Protection does not detect malware in the following circumstances:

  • Encrypted or password-protected files or container files.

  • Files or container files larger than 25 MB.

  • Container files that contain any file larger than 25 MB.

  • Container files where the combined size of the container file itself, plus the size of all the contained files, is larger than 100 MB.
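The limits listed above can be checked ahead of time, so that files the scanner will not inspect are known and can be handled another way. The following is an added example, not Nasuni code: it handles ZIP containers only, detects encryption only on ZIP members, and assumes 1 MB means 2^20 bytes, which the page does not specify. The function names are hypothetical.

```python
import os
import zipfile

MB = 1024 * 1024           # assumption: the page does not say whether 1 MB is 10^6 or 2^20 bytes
FILE_LIMIT = 25 * MB       # documented per-file and per-member limit
COMBINED_LIMIT = 100 * MB  # documented limit for container size plus all contained files

def zip_members(source):
    """Return [(uncompressed_size, is_encrypted)] for a ZIP path or file object."""
    with zipfile.ZipFile(source) as zf:
        # Bit 0 of the general-purpose flags marks an encrypted member.
        return [(info.file_size, bool(info.flag_bits & 0x1))
                for info in zf.infolist() if not info.is_dir()]

def coverage_gaps(size, members=None):
    """List the documented reasons a file of `size` bytes would not be inspected.
    `members` is the zip_members() result for a container, or None for a plain file."""
    reasons = []
    if size > FILE_LIMIT:
        reasons.append("larger than 25 MB")
    if members:
        if any(encrypted for _, encrypted in members):
            reasons.append("encrypted member")
        if any(member_size > FILE_LIMIT for member_size, _ in members):
            reasons.append("member larger than 25 MB")
        if size + sum(member_size for member_size, _ in members) > COMBINED_LIMIT:
            reasons.append("container plus contents larger than 100 MB")
    return reasons

def audit_tree(root):
    """Map each file under `root` that hits a limit to its list of reasons."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                members = zip_members(path) if zipfile.is_zipfile(path) else None
            except zipfile.BadZipFile:
                members = None  # damaged archive: fall back to the plain size check
            reasons = coverage_gaps(os.path.getsize(path), members)
            if reasons:
                findings[path] = reasons
    return findings

if __name__ == "__main__":
    for path, reasons in sorted(audit_tree(".").items()):
        print(f"{path}: {', '.join(reasons)}")
```

Member sizes are the uncompressed sizes recorded in the archive, so a small, highly compressed container can still exceed the per-member or combined limit.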

You can enable or disable antivirus protection at the volume level.

The Antivirus Protection setting is inherited by connecting Nasuni Edge Appliances. For example, if the Boston Nasuni Edge Appliance enables Antivirus Protection for a volume, and the London Nasuni Edge Appliance connects to that volume, then Antivirus Protection is also enabled for that volume on the London Nasuni Edge Appliance. In such a case, there might be a brief time lag before the London Nasuni Edge Appliance inherits that setting.

Note: Antivirus Protection is available for SMB and NFS volumes and FTP/SFTP directories.

Note: The Antivirus Protection feature can be enabled or disabled in your customer license by Nasuni Support. By default, the Antivirus Protection feature is enabled in your customer license.

Tip: To receive notifications of violations, you must have the “Manage all aspects of the Filer (super user)” or “Manage Notifications” permissions, and the appropriate “Filer Access” permissions. To receive emails of violations, if email is enabled, you must also ensure that Violation Alerts is selected for the user’s group.

Note: Antivirus violations are displayed in the Management Console, and are also logged to the .nasuni/av_violations/ folder of the volume. In the Antivirus log file, each violation entry is of the form:

<DATE> <TIME> <TIMEZONE> New AV violation: <SIGNATURE> found: <PATH>

Example:

2023-09-08 14:32:33 GMT New AV violation: EicarSignature found: /ei.txt
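The entry form above can be parsed for reporting or for forwarding to a SIEM. The following is an added example, not Nasuni code: apart from the page's own example entry, the sample lines are constructed, the function names are hypothetical, and the signature name is assumed to contain no spaces.

```python
import re
from collections import Counter
from datetime import datetime

# <DATE> <TIME> <TIMEZONE> New AV violation: <SIGNATURE> found: <PATH>
ENTRY = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>\S+) "
    r"New AV violation: (?P<signature>\S+) found: (?P<path>.+)$"
)

# First line is the example from the page; the other three are constructed.
SAMPLE_LOG = """\
2023-09-08 14:32:33 GMT New AV violation: EicarSignature found: /ei.txt
2023-09-08 14:40:02 GMT New AV violation: EicarSignature found: /projects/q3 report found: final.txt
2023-09-09 02:15:47 GMT New AV violation: Constructed.Test.Sig-1 found: /projects/tools/setup.exe
scanner restarted
"""

def parse_violations(lines):
    """Return (entries, rejected) for an iterable of log lines."""
    entries, rejected = [], []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        m = ENTRY.match(line)
        try:
            when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        except (TypeError, ValueError):
            rejected.append(line)  # no match or impossible date: keep for review
            continue
        # The path is everything after the first " found: ", so spaces and a
        # literal " found: " inside a file name are preserved.
        entries.append({"when": when, "tz": m["tz"],
                        "signature": m["signature"], "path": m["path"]})
    return entries, rejected

def summarize(entries):
    """Count violations per signature and per top-level directory of the volume."""
    by_signature = Counter(e["signature"] for e in entries)
    by_directory = Counter(
        e["path"].split("/")[1] if e["path"].count("/") > 1 else "/" for e in entries
    )
    return by_signature, by_directory

if __name__ == "__main__":
    parsed, bad = parse_violations(SAMPLE_LOG.splitlines())
    print(summarize(parsed), bad)
```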

Tip: To access the hidden .nasuni directory on an SMB share, you must be an administrative user. Because the .nasuni directory is located in the root directory of the volume, in order to access the .nasuni directory, you must create a share to the root directory of the volume. In addition, this hidden directory must be visible on the client machine. For example, in Windows, “Show Hidden Files, folders, and drives” must be enabled, and “Hide protected operating system files” must be disabled. Alternatively, you can use the File System Browser to view the .nasuni directory and its contents. On the File System Browser page, select the volume, click the gear icon, then select “Show Hidden Files”.

Enabling and Disabling Antivirus Protection using the Nasuni Edge Appliance User Interface

Important: To configure Antivirus Protection, you must use the Nasuni Management Console (NMC). For details, see Nasuni Management Console (NMC) Guide.

Reviewing Infected Files

Important: To review infected files, you must use the Nasuni Management Console (NMC). For details, see Nasuni Management Console (NMC) Guide.

If Antivirus Protection finds any files infected with a virus or other malware, that information is displayed on the volume’s Volume properties page.

If a scanned file is infected, the authorized administrator has the option to ignore the infection. If a file has no antivirus violations, that file is allowed to be part of a snapshot and to be protected in cloud storage. If a file does have an antivirus violation, but the authorized administrator deliberately ignores the violation, that file is also allowed to be part of a snapshot and to be protected in cloud storage. However, if a file does have an antivirus violation, and the authorized administrator does not ignore the violation, that file is not allowed to be part of a snapshot and is not protected in cloud storage.

Tip: You can also delete infected files or ignore antivirus violations using the NMC API. This can be useful for automating tasks and for enhancing security. For more details, see Nasuni API Documentation.

Viewing Antivirus Protection settings using the Nasuni Management Console

To view the Antivirus Protection settings, follow these steps:

  1. On the Cyber Resilience page, click Antivirus Services. The Volume Antivirus Services page displays a list of CIFS (SMB) and NFS volumes and FTP/SFTP directories on managed Nasuni Edge Appliances.

The following information appears for each volume in the list:

  • Name: The name of the volume.

  • Protocol: The protocol of the volume: CIFS (SMB), NFS, or FTP.

  • Filer: The Nasuni Edge Appliance that contains the volume.

  • Enabled: The Antivirus Protection settings of the volume: Enabled (antivirus is operational) or Disabled (antivirus is not operational).

  • Check Immediately (volumes on which the CIFS (SMB) protocol has been enabled only): Indicates whether Antivirus Protection should check files as they are written to the Nasuni Edge Appliance, in addition to the specified Antivirus Protection schedule.

  • Schedule: If Antivirus Protection is enabled, the days of the week and the time during which to perform Antivirus Protection. If Antivirus Protection is disabled, displays “--”.

  • Frequency: If Antivirus Protection is enabled, the frequency of performing Antivirus Protection during the scheduled time. If Antivirus Protection is disabled, displays “--”.

Editing Antivirus Protection settings using the Nasuni Management Console

To edit Antivirus Protection settings, follow these steps:

  1. On the Volume Antivirus Services page, select the volumes in the list whose Antivirus Protection settings you want to edit.

  2. Click Edit Volumes. The Edit Antivirus Service dialog box appears.

  3. To copy settings from another volume, select the volume from the Copy Settings drop-down list. The settings from that volume appear in the dialog box.

  4. To enable Antivirus Protection, set the Enabled setting to On. To disable Antivirus Protection, set the Enabled setting to Off.
    If you select On, then configure Antivirus Protection by performing these steps:

    1. To select or deselect all days for Antivirus Protection scanning, click Select/Deselect All.

    2. Select the days for Antivirus Protection scanning (for example, Sunday to Saturday).

    3. For volumes on which the CIFS (SMB) protocol has been enabled only, to check files as they are written to the Nasuni Edge Appliance, in addition to the specified Antivirus Protection schedule, select the Check files immediately check box. Otherwise, clear the Check files immediately check box.

    4. To specify scanning 24 hours a day, select the 24 Hours/Day check box.
      Alternatively, select the hour for scanning to start from the Start drop-down list. Select the hour for scanning to stop from the Stop drop-down list.

    5. Select the frequency for Antivirus Protection scanning from the Frequency drop-down list. If the volume does not have Remote Access enabled, your choices are 1, 2, 4, 8, 12, or 24 hours. If the volume does have Remote Access enabled, your choices are 1, 5, 10, 25, or 30 minutes, or 1, 2, 4, 8, 12, or 24 hours.

Note: Volumes that do not have Remote Access enabled only have Frequency options of hours, not minutes. For Antivirus Protection scanning more frequent than every 1 hour, enable Remote Access for the volume.

Note: In addition to the specified scanning schedule, a scan is performed automatically with every snapshot. Changed files must be scanned for antivirus before being written to the cloud. That can occur either by a scheduled Antivirus Service scan or during the Antivirus Service scan that runs as part of a snapshot or Global File Lock processing. Files that are scanned during a scheduled scan, and that have not changed before a snapshot, do not need to be rescanned as part of the snapshot process.

  5. Click Save. The Antivirus Protection settings are changed. The volume appears in the list on the Volume Antivirus Service page.

    Alternatively, click Close to exit the dialog box without changing the Antivirus Protection settings.

Testing procedure

To test Antivirus Protection, follow these steps:

  1. Notify administrators and users that you are testing the process to recover from a simulated virus.

  2. Create a test location, either a test directory containing files, or a test volume with directories and files.

  3. Create a simulated threat within the test location. You can do this using a harmless test piece of simulated malware.

    1. Create an ordinary text file on a user’s computer. Make sure that this text file is included in a snapshot.

    2. The European Institute for Computer Anti-Virus Research (EICAR) provides harmless files that can be used for testing purposes. You can download the EICAR files from their site: ANTI MALWARE TESTFILE

    3. Replace the text file created above with the EICAR test text file. Make sure that this file is included in a snapshot. This file now simulates a file that has become infected.

  4. When alerts and notifications occur, examine them for details that confirm the presence of the test virus.

  5. Perform procedures as described in Reviewing Infected Files above.