NetApp Knowledgebase

Common EMS messages for Vscan


Applies to

  • ONTAP 9
  • Clustered Data ONTAP 8.3
  • Clustered Data ONTAP 8.2
     

Answer


In clustered Data ONTAP, the following are the common EMS messages for Vscan and their meaning:


vscan.enabled
Description: This message occurs when a Storage Virtual Machine (SVM) or cluster administrator enables Vscan on an SVM. Based on the configuration, subsequent client requests can trigger virus scanning.
Sample Message:
Vscan is enabled on Vserver 'vserver_1'.

vscan.disabled
Description: This message occurs when an SVM or cluster administrator disables Vscan on an SVM. No subsequent client requests will trigger virus scanning.
Sample Message:
Vscan is disabled on Vserver 'vserver_1'.

vscan.privShareCreate.failed
Description: This message occurs when a privileged share $ONTAP_ADMIN creation fails. Attempted connections to the system by a Vscan server will fail.
Sample Message:
Failed to create privileged share $ONTAP_ADMIN for Vserver 'vserver_1'.

Corrective Action - NONE

vscan.rdbUpdRegister.failed
Description: This message occurs when the Vscan configuration replication mechanism fails to register RDB update callback. Modification in the Vscan configuration might not be available to this node.
Sample Message:
Vscan configuration replication mechanism failed to register RDB update callback. Modification in the Vscan configuration might not be available to this node.

Corrective Action - Restart the node or contact <vendor-name-support/> for assistance.

vscan.job.failed
Description: This message occurs when the Vscan job fails. It is retried automatically. Run the 'job history show -name Vscan*' command to get more detail.
Sample Message:
Vscan job failed. It will automatically be retried.

Corrective Action - NONE

vscan.pool.autoActivated
Description: This message occurs when the Vscan scanner pool is automatically activated.
Sample Message:
Vscan scanner pool 'sp1' is automatically activated on Vserver 'vserver_1'.

Corrective Action - NONE

vscan.pool.autoDeactivated
Description: This message occurs when the Vscan scanner pool is automatically deactivated.
Sample Message:
Vscan scanner pool 'sp1' is automatically deactivated on Vserver 'vserver_1'.

Corrective Action - NONE

vscan.newVersion.allocated
Description: This message occurs when the Vscan version mechanism allocates a new version-ID corresponding to the Vscan server version.
Sample Message:
Vscan version mechanism added new version-ID for Vserver 'vserver_1' corresponding to vendor 'McAfee', version '5.62'.

Corrective Action - NONE

[Available clustered Data ONTAP 8.2.2+]

Nblade.vscanNoScannerConn
Description: This message occurs when Data ONTAP(R) has no scanner connections for servicing virus-scan-requests.
Sample Message:
Nblade.vscanNoScannerConn: vserverId="2".

     What information is captured in the EMS message:
       vserverId Identifier for the Vserver associated with this operation.

Corrective Action - Ensure that the scanner pool is properly configured and that scanner machines are active and connected to Data ONTAP.
 
Nblade.vscanNoDispatcher
Description: This message occurs when the vscan-dispatcher component cannot be created. This might be due to internal errors on the system, such as nonavailability of memory.
Sample Message:
Nblade.vscanNoDispatcher: vserverId="2".

     What information is captured in the EMS message:
       vserverId Identifier for the Vserver associated with this operation.

Corrective Action - There are no known issues yet that would cause this error. Please triage and troubleshoot accordingly.
 
Nblade.vscanConnInactive
Description: This message occurs when Data ONTAP(R) detects and forcibly closes a nonresponsive scanner connection.
Sample Message:
Nblade.vscanConnInactive: vserverId="2", scannerIp="10.72.204.244".

     What information is captured in the EMS message:
       vserverId "Identifier for the Vserver associated with this operation."
       scannerIp "IP address of the scanner connection."

Corrective Action - Ensure that the AV Connector can connect, transmit and receive messages to and from the system, and that the 'vscanConnBackPressure' event is not occurring frequently.

Note: If the event is occurring frequently, add more scanners to the primary scanner pools to ensure that there are enough scanners to handle the virus-scanning load.

Nblade.vscanNoRegdScanner
Description: This message occurs when Data ONTAP(R) receives a connection from an AV connector that does not have a scanner registered.
Sample Message:
Nblade.vscanNoRegdScanner: vserverId="2", scannerIp="10.72.204.27".

     What information is captured in the EMS message:
       vserverId "Identifier for the Vserver associated with this operation."
       scannerIp "IP address of the client running the AV connector."

Corrective Action - Ensure that the virus scanner software is installed correctly, is running, and can connect to the AV Connector on the client with the mentioned IP address.

Nblade.vscanConnBackPressure
Description: This message occurs when scanner connections are too busy to accept new scan requests.
Sample Message:
Nblade.vscanConnBackPressure: vserverId="2", scannerIp="10.72.204.27".

     What information is captured in the EMS message:
       vserverId "Identifier for the Vserver associated with this operation."
       scannerIp "IP address of the scanner connection."

Corrective Action - If this message occurs, open a case with your vScan vendor to investigate why the scanner cannot handle the virus-scanning load being generated for the mentioned Vserver.
 
Nblade.vscanBadProtoMagicNum
Description: This message occurs when an incorrectly formatted message is received from an AV Connector.
Sample Message:
Nblade.vscanBadProtoMagicNum: vserverId="2", scannerIp="10.72.204.27".

     What information is captured in the EMS message:
       vserverId "Identifier for the Vserver associated with this operation."
       scannerIp "IP address of the scanner connection."

Corrective Action - Ensure that the correct AV Connector version is running on the scanner host, and that no other user or software is attempting to connect to the '\PIPE\vscan' resource on the Vserver.
 
Nblade.vscanBadIPPrivAccess
Description: This message occurs when the IP address of a client attempting to connect to the privileged ONTAP_ADMIN$ share is not found in the list of allowed IP addresses.
Sample Message:
Nblade.vscanBadIPPrivAccess: vserverId="2", scannerIp="10.72.204.27".

     What information is captured in the EMS message:
       vserverId "Identifier for the Vserver associated with this operation."
       scannerIp "IP address of the client attempting to access the ONTAP_ADMIN$ share."

Corrective Action - Ensure that the mentioned user name and IP address exist in one of the configured vscan scanner pools by using the 'vscan scanner pool show-active' command to view the currently active scanner pool configuration.
 
Nblade.vscanBadUserPrivAccess
Description: This message occurs when the logged-in user of a client attempting to connect to the privileged ONTAP_ADMIN$ share is not found in the list of allowed users.
Sample Message:
Nblade.vscanBadUserPrivAccess: vserverId="2", userName= "fsctuser1", scannerIp="10.72.204.27".

    What information is captured in the EMS message:
       vserverId "Identifier for the Vserver associated with this operation."
       userName "User name of the client attempting to access the ONTAP_ADMIN$ share."
       scannerIp "IP address of the client attempting to access the ONTAP_ADMIN$ share."

Corrective Action - Ensure that the mentioned user name and IP address exist in one of the configured vscan scanner pools by using the 'vscan scanner pool show-active' command to view the current active scanner pool configuration.

Alternatively, if the user mentioned in the EMS messages is a machine account, such as "DOMAIN\VSCANSVR$":

  1. Ensure that the customer configures ALL AV-engine services to run with the privileged user that has already been configured in the scanner pool. 
  2. Ensure that only the required software is installed on the Vscan server, as features such as real-time protection on security software (not the vendor Vscan software) may attempt to access the privileged ONTAP_ADMIN$ share, which will be denied, and generate this type of error. For Windows Server 2016 and later, the Windows Defender service should also be disabled.

Nblade.cifsNoPrivShare
Description: This message occurs when a client attempts to connect to a nonexistent ONTAP_ADMIN$ share.
Sample Message:
Nblade.cifsNoPrivShare: vserverId="2", userName= "fsctuser1", clientIp="10.72.204.27".

    What information is captured in the EMS message:
       vserverId "Identifier for the Vserver associated with this operation."
       userName "User name of the client attempting to access the nonexistent ONTAP_ADMIN$ share."
       clientIp "IP address of the client attempting to access the nonexistent ONTAP_ADMIN$ share."

Corrective Action - Ensure that the vscan is enabled for the mentioned Vserver ID. Enabling vscan on a Vserver causes the ONTAP_ADMIN$ share to be created for the Vserver automatically.

Nblade.vscanConnInvalidUser
Description: This message occurs when the logged-in user of a client attempting to create a vscan pipe is not found in the list of allowed users.
Sample Message:
Nblade.vscanConnInvalidUser: vserverId="2", scannerIp="10.72.204.27", userName= "fsctuser1".

     What information is captured in the EMS message:
       vserverId "Identifier for the Vserver associated with this operation."
       scannerIp "IP address of the client attempting to create a vscan pipe."
       userName "User name of the client attempting to create a vscan pipe."

Corrective Action - Ensure that the mentioned user name exists in one of the active vscan scanner pools. Use the 'vscan scanner pool show-active' command to view the currently active scanner pool configuration.

[Available clustered Data ONTAP 8.3.2+]

Nblade.vscanVirusDetected
Description: This message occurs when a vscan server reports an error to the storage system. Normally this indicates that a virus has been found by the vscan server; however, other error conditions on the vscan server can result in this event. Client access to the file is denied. The vscan server might, depending on its settings and configuration, clean the file, quarantine it, or delete it.
Sample Message:
Possible virus detected. Vserver: “vserverName”, vscan server IP: “vscanServerIp”, file path: “filePath”, client IP: “clientIp”, SID: “SID”, vscan engine status: “vscanEngineStatus” , vscan engine result string: “vscanEngineResultString”.

    What information is captured in the EMS message:
       vserverName “Name of the Vserver associated with this operation.”
       vscanServerIp “IP address of the vscan server.”
       filePath “Path of the file that was found to be infected.”
       clientIp “IP address of the client.”
       SID “SID of the client.”
       vscanEngineStatus “Status code returned by the vscan server.”
       vscanEngineResultString “Result string returned by the vscan server.”

Corrective Action - Check the log of the vscan (antivirus) server reported in the syslog message to see if it was able to successfully quarantine or delete the infected file. If it was not able to do so, a system administrator might want to manually delete the file.

[Available clustered Data ONTAP 9.1P6+]

Nblade.vscanNoPolicyEnabled
Description: This message occurs when a file access is not considered for virus scanning because none of the configured On-Access policies are enabled for the Vserver.
Sample Message:
Nblade.vscanNoPolicyEnabled: For Vserver "vserverName", the file access was not considered for virus scanning because none of the configured On-Access policies are enabled.

   What information is captured in the EMS message:
       vserverName “Name of the Vserver associated with this operation.”

Corrective Action - Enable one of the configured On-Access policies for the Vserver.

Nblade.vscanConnReqOnSMB1
Description: This message occurs when a vscan server attempts to establish a vscan connection over SMB1, which is not supported.
Sample Message:
Nblade.vscanConnReqOnSMB1: For Vserver "vserverName", the vscan connection request coming from the client "vscanServerIp" is rejected because it is not supported for SMB1.

   What information is captured in the EMS message:
       vserverName “Name of the Vserver associated with this operation.”
       vscanServerIp “IP address of the vscan server.”

Corrective Action - Verify that both the vscan server and Data ONTAP(R) support and are configured for SMB2 or later.


 

Frequently Asked Questions (FAQ):
  • Are there any existing SNMP traps that capture these EMS messages?
    A: Not yet; however, BUG 927663 addresses this need: “[Offbox-AV]: Add EMS and snmp traps to capture vscan configuration changes”.
    After 8.4 and 8.3.2, it will be possible to trap infected-file EMS messages, due to the fixes in “EMS error messages are not generated when the Vscan server detects an infected file”. See BUG 906894.
     
  • How to use these EMS messages to track events from the vscanner?
    You can track the events that have transpired in the EMS logs, for example:
    Example #1: User changes the service account for their “McAfee VirusScan Enterprise for Storage” service from the privileged user to another domain user account and causes scanning to fail. Notice the events in the EMS log that reflect that change.
    filer::*> event log show -node node1 -event *vscan*

    Time                Node             Severity      Event
    ------------------- ---------------- ------------- ---------------------------
    1/12/2016 09:27:17  node1            WARNING       Nblade.vscanBadUserPrivAccess: vserverId="3", userName="DOMAIN\InvalidDomainAccount", scannerIp="10.63.119.148"
    1/12/2016 09:27:17  node1            DEBUG         ems.engine.suppressed: Event 'Nblade.vscanBadUserPrivAccess' suppressed 687 times in last 511780 seconds.
    1/12/2016 09:26:12  node1            WARNING       Nblade.vscanNoRegdScanner: vserverId="3", scannerIp="10.63.119.148"


    Example #2: Vscan is disabled and re-enabled.
     
    filer::*> event log show -node node1 -event *vscan*

    Time                Node             Severity      Event
    ------------------- ---------------- ------------- ---------------------------
    1/11/2016 10:53:53  node1            INFORMATIONAL vscan.enabled: Vscan is enabled on Vserver 'vsm1'.
    1/11/2016 10:53:46  node1            INFORMATIONAL vscan.disabled: Vscan is disabled on Vserver 'vsm1'.

     
  • What other logging is available to me for Vscanning?
    The AV Connector also has logging available; this must be enabled manually.
    (Under section Enable AVSHIM logging).
    Text example of errors seen in the AVSHIM log:
40.860: [Pipe: 10.64.80.74, cifs01cmvsimn1-ams5][r] CreateNamedPipe failed with 1. closingQ: [0]
41.532: [Pipe: 10.64.80.76, cifs01cmvsimn2-ams5][r] CreateNamedPipe failed with 1. closingQ: [0]
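
As an added example (not NetApp code), the following Python triages 'event log show -event *vscan*' output like the FAQ examples above: it collects the events that report a host or user outside the active scanner pool, keyed by source IP and user name, and adds back the occurrences hidden behind 'ems.engine.suppressed' rows. The sample rows are constructed in the page's format, with documentation-range IP addresses and a hypothetical account name.

```python
import re
from collections import Counter

# Events the page ties to a host or user that is not in the active scanner pool.
ACCESS_DENIED = {
    "Nblade.vscanBadIPPrivAccess", "Nblade.vscanBadUserPrivAccess",
    "Nblade.vscanConnInvalidUser", "Nblade.cifsNoPrivShare",
}
ROW = re.compile(r"^\s*(?P<time>\d+/\d+/\d+ \d+:\d+:\d+)\s+(?P<node>\S+)\s+"
                 r"(?P<sev>[A-Z]+)\s+(?P<event>[\w.]+): (?P<body>.*)$")
PARAM = re.compile(r'(\w+)=\s*"([^"]*)"')  # tolerates the 'userName= "x"' spacing
SUPPRESSED = re.compile(r"Event '([\w.]+)' suppressed (\d+) times")

# Constructed sample (not real log data); account name and IPs are placeholders.
SAMPLE = r"""
Time                Node             Severity      Event
------------------- ---------------- ------------- ---------------------------
1/12/2016 09:27:17  node1            WARNING       Nblade.vscanBadUserPrivAccess: vserverId="3", userName= "EXAMPLE\svc_other", scannerIp="192.0.2.10"
1/12/2016 09:27:17  node1            DEBUG         ems.engine.suppressed: Event 'Nblade.vscanBadUserPrivAccess' suppressed 687 times in last 511780 seconds.
1/12/2016 09:26:12  node1            WARNING       Nblade.vscanNoRegdScanner: vserverId="3", scannerIp="192.0.2.10"
1/12/2016 09:20:01  node1            WARNING       Nblade.vscanBadIPPrivAccess: vserverId="3", scannerIp="192.0.2.77"
"""


def parse(text):
    """Yield one dict per event row; header and separator rows are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rec = m.groupdict()
            rec["params"] = dict(PARAM.findall(rec["body"]))
            yield rec


def triage(text):
    """Return (denied, suppressed): denied counts logged rows per
    (event, ip, user); suppressed maps event name -> occurrences EMS hid."""
    denied, suppressed = Counter(), Counter()
    for rec in parse(text):
        if rec["event"] == "ems.engine.suppressed":
            s = SUPPRESSED.search(rec["body"])
            if s:
                suppressed[s.group(1)] += int(s.group(2))
        elif rec["event"] in ACCESS_DENIED:
            p = rec["params"]
            ip = p.get("scannerIp") or p.get("clientIp")
            denied[(rec["event"], ip, p.get("userName"))] += 1
    return denied, suppressed


if __name__ == "__main__":
    denied, suppressed = triage(SAMPLE)
    for (event, ip, user), n in denied.items():
        print(f"{event} ip={ip} user={user} logged={n} suppressed={suppressed[event]}")
```

A single logged row can stand for hundreds of denied attempts, so the suppressed count is the figure to compare against the scanner pool's expected hosts and privileged users.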
                                             
AV Connector Common Errors

The following are some typical error-codes and the issues that they may indicate:

Error-code '1'
(Incorrect function)
This typically indicates one of the following:
  • The Vscan feature was not enabled on the mentioned vserver
  • The mentioned scanner-host-IP is not in the list of IPs in one of the currently active scanner-pools

Error-code '2'

(The system cannot find the file specified)
This usually indicates that the user-account of the AV Connector service is not listed in the privileged users' list in one of the currently active scanner-pools for the mentioned vserver.
 

Error-code '5'

(Can't connect to host (err=5))
This usually indicates an access denied error. This can be seen in several places; check any corresponding EMS vscan messages for related errors. Verify that the privileged-user is set correctly and that the account used by the AV Connector is set up properly.
 

Error-code '31'

(GetOverlappedResult failed)
This usually indicates one of the following:

  • SMB2 is disabled on the vscan server as a client (see https://support.microsoft.com/en-us/kb/2696547; run 'sc query mrxsmb20' to check its state)
  • SMB2 has been disabled/re-enabled on the vserver or vscan server. Verify that SMB2 is enabled on the vserver and reboot the vscan server to clear the condition.

Error-code '53'

(Incorrect function)
(The network path was not found)

This usually indicates one or more of the following issues:

  • Scanner-host and mentioned vserver's data-lif are unreachable from each other
  • SMB2 is not configured for the mentioned vserver
  • SMB2 is not configured on the scanner host
  • Time Skew exists between scanner and filer (more than 5 mins apart)

Error-code '58'

(The specified server cannot perform the requested operation)
This message may indicate that a pathname greater than 2048 bytes was attempted.
AV Connector 1.0.4 should increase this limit to 4096 bytes.
Without a fix for 1098898, ONTAP will not send scan requests for pathnames greater than what is specified in the burt.

Error-code '67'

(The network name is not found)
This message may indicate that SMB2 is not configured for the mentioned vserver


Error-code '1326' - Incorrect username/password
           Username/password combination of the account running the AV Connector service is incorrect.

Error-code '1907'

(The user's password must be changed before logging on the first time)
This message may indicate the user-account (security-context) of AV Connector service is not a valid domain user, or the password for the given user-account must be refreshed. In the former case, the issue may be confirmed by changing the user-account for the AV Connector to a valid and active domain user, which exists in the list of privileged-users in one of the currently active scanner-pools.
 

Error-code '1935' - ERROR_AUTHENTICATION_FIREWALL_FAILED
           Verify whether the account used is traversing a Selective Authentication Domain Trust. If so, the service account will have to be given permission to traverse that domain trust.

Error code not defined in this KB, or not known? No problem.

They are Windows error codes.
To translate them, see: https://docs.microsoft.com/en-us/win...em-error-codes
 
