Code level: Version 7.2.1.1 of OneFS:
We have been using an ICAP server by EMC to scan files on the Isilon. Since then, it has been detecting numerous threats, so many in fact that it locks up the GUI and the web interface has to be restarted. In addition, any special characters in the name of the file type also cause the file to be quarantined. This was due to an issue in the OS that was fixed in a later OneFS release. After many hours of testing we encountered a similar bug in 7.2.1.3. We had to upgrade to 7.2.1.4 to finally fix the issue. *Note that 7.2.1.4 is the last update before version OneFS 8*.

But before fixing the issue, we had to release everything from quarantine so we could move forward. You cannot do this via the GUI because of the massive number of quarantined files and detected threats. Just going to the web page will lock up the Isilon and put you back on the phone. Since I am running this version on multiple Isilons, I wanted to know how to always clear the AV before upgrading. Not all remote support checks to make sure that this is empty before upgrading. So I was able to find a handy EMC support article that shows how to save all quarantined items to a file and then purge them.
Full listing of all files in quarantine:
# isi avscan report threat --all | egrep -B2 "Quarantined" | egrep -o "/ifs.*$" | tee -a /ifs/data/Isilon_Support/quarantined_files_$(date '+%Y-%m-%d').txt
The next command will unquarantine everything, including actual potential viruses. Please make sure you are aware of the risks before running it.
# isi avscan report threat --all | egrep -B2 "Quarantined" | egrep -o "/ifs.*$" | tee -a /ifs/data/Isilon_Support/quarantined_files_$(date '+%Y-%m-%d').txt | while IFS= read -r qFile; do if isi avscan unquarantine "${qFile}"; then echo "$(date '+%Y-%m-%dT%H:%M:%S%z') SUCCESSFUL unquarantine of ${qFile}" | tee -a /ifs/data/Isilon_Support/unquarantined_files_$(date '+%Y-%m-%d').txt; else echo "$(date '+%Y-%m-%dT%H:%M:%S%z') FAILED to unquarantine ${qFile}" | tee -a /ifs/data/Isilon_Support/quarantined_files_$(date '+%Y-%m-%d').txt; fi; done
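Because the loop above releases real detections along with the false positives, the saved list can be triaged first. The following is an added example, not part of the EMC support article or the original post: it splits the saved list into names containing special characters (candidates for the filename bug) and plain names that deserve a proper review before release. The function name, the output file names, and the definition of "special character" are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: triage a saved quarantine list before releasing anything.
# Assumption: "special character" = any byte outside A-Z a-z 0-9 space . _ / -
# (the post does not say which characters trigger the bug).

triage_quarantine_list() {
    list_file=$1   # e.g. /ifs/data/Isilon_Support/quarantined_files_YYYY-MM-DD.txt
    out_dir=$2     # directory for the two result files (hypothetical names)

    [ -r "$list_file" ] || { echo "cannot read $list_file" >&2; return 1; }
    mkdir -p "$out_dir" || return 1

    plain="$out_dir/plain_names.txt"       # ordinary names: review before release
    special="$out_dir/special_names.txt"   # likely hits of the filename bug
    : > "$plain"
    : > "$special"

    # tee -a appends, so re-running on the same day duplicates entries: dedupe.
    LC_ALL=C sort -u "$list_file" | while IFS= read -r path; do
        case $path in
            /ifs/*) ;;          # keep only path entries
            *) continue ;;      # skip the timestamped "FAILED ..." log lines
        esac
        if printf '%s\n' "$path" | LC_ALL=C grep -q '[^A-Za-z0-9 ._/-]'; then
            printf '%s\n' "$path" >> "$special"
        else
            printf '%s\n' "$path" >> "$plain"
        fi
    done

    # Summary line, e.g. "plain=12 special=3401"
    echo "plain=$(wc -l < "$plain" | tr -d ' ') special=$(wc -l < "$special" | tr -d ' ')"
}
```

Anything that lands in the plain list was not quarantined because of its name under this assumption, so those are the entries to check individually before running the unquarantine loop.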