NetApp Knowledge Base

Common EMS messages for Vscan

Category:
ontap-9
Specialty:
cifs

Applies to

  • ONTAP 9
  • Clustered Data ONTAP 8.3
  • Clustered Data ONTAP 8.2

Answer


The following are common EMS messages regarding Vscan and their associated meanings:
vscan.enabled
  • Description: This message occurs when a Storage Virtual Machine (SVM) or cluster administrator enables Vscan on an SVM. Based on the configuration, subsequent client requests can trigger virus scanning.
  • Sample Message: Vscan is enabled on Vserver 'vserver_1'.
vscan.disabled
  • Description: This message occurs when an SVM or cluster administrator disables Vscan on an SVM. No subsequent client requests will trigger virus scanning.
  • Sample Message: Vscan is disabled on Vserver 'vserver_1'.
vscan.privShareCreate.failed
  • Description: This message occurs when a privileged share $ONTAP_ADMIN creation fails. Attempted connections to the system by a Vscan server will fail.
  • Sample Message: Failed to create privileged share $ONTAP_ADMIN for Vserver 'vserver_1'.
  • Corrective Action: NONE
vscan.rdbUpdRegister.failed
  • Description: This message occurs when the Vscan configuration replication mechanism fails to register RDB update callback. Modification in the Vscan configuration might not be available to this node.
  • Sample Message: Vscan configuration replication mechanism failed to register RDB update callback. Modification in the Vscan configuration might not be available to this node.
  • Corrective Action: Restart the node or contact technical support for assistance.
vscan.job.failed
  • Description: This message occurs when the Vscan job fails. It is retried automatically. Run the 'job history show -name Vscan*' command to get more detail.
  • Sample Message: Vscan job failed. It will automatically be retried.
  • Corrective Action: NONE
vscan.pool.autoActivated
  • Description: This message occurs when the Vscan scanner pool is automatically activated.
  • Sample Message: Vscan scanner pool 'sp1' is automatically activated on Vserver 'vserver_1'.
  • Corrective Action: NONE
vscan.pool.autoDeactivated
  • Description: This message occurs when the Vscan scanner pool is automatically deactivated.
  • Sample Message: Vscan scanner pool 'sp1' is automatically deactivated on Vserver 'vserver_1'.
  • Corrective Action: NONE
vscan.newVersion.allocated
  • Description: This message occurs when the Vscan version mechanism allocates a new version-ID corresponding to the Vscan server version.
  • Sample Message: Vscan version mechanism added new version-ID for Vserver 'vserver_1' corresponding to vendor 'McAfee', version '5.62'.
  • Corrective Action: NONE
Available starting in clustered Data ONTAP 8.2.2+
Nblade.vscanNoScannerConn
  • Description: This message occurs when Data ONTAP(R) has no scanner connections for servicing virus-scan-requests.
  • Sample Message: Nblade.vscanNoScannerConn: vserverId="2".
    • What information is captured in the EMS message: vserverId Identifier for the Vserver associated with this operation.
  • Corrective Action: Ensure that the scanner pool is properly configured and that scanner machines are active and connected to Data ONTAP.
Nblade.vscanNoDispatcher
  • Description: This message occurs when the vscan-dispatcher component cannot be created. This might be due to internal errors on the system, such as nonavailability of memory.
  • Sample Message: Nblade.vscanNoDispatcher: vserverId="2".
    • What information is captured in the EMS message: vserverId Identifier for the Vserver associated with this operation.
  • Corrective Action: There are no known issues yet that would cause this error. Please triage and troubleshoot accordingly.
Nblade.vscanConnInactive
  • Description: This message occurs when Data ONTAP(R) detects and forcibly closes a nonresponsive scanner connection.
  • Sample Message: Nblade.vscanConnInactive: vserverId="2", scannerIp="10.72.204.244".
    • What information is captured in the EMS message:
      • vserverId "Identifier for the Vserver associated with this operation."
      • scannerIp "IP address of the scanner connection."
  • Corrective Action: Ensure that the AV Connector can connect, transmit and receive messages to and from the system, and that the 'vscanConnBackPressure' event is not occurring frequently.

Note: If the event is occurring frequently, add more scanners to the primary scanner pools to ensure that there are enough scanners to handle the virus-scanning load.

Nblade.vscanNoRegdScanner
  • Description: This message occurs when Data ONTAP(R) receives a connection from an AV connector that does not have a scanner registered.
  • Sample Message: Nblade.vscanNoRegdScanner: vserverId="2", scannerIp="10.72.204.27".
    • What information is captured in the EMS message:
      • vserverId "Identifier for the Vserver associated with this operation."
      • scannerIp "IP address of the client running the AV connector."
  • Corrective Action: Ensure that the virus scanner software is installed correctly, is running, and can connect to the AV Connector on the client with the mentioned IP address.
Nblade.vscanConnBackPressure
  • Description: This message occurs when scanner connections are too busy to accept new scan requests.
  • Sample Message: Nblade.vscanConnBackPressure: vserverId="2", scannerIp="10.72.204.27".
    • What information is captured in the EMS message:
      • vserverId "Identifier for the Vserver associated with this operation."
      • scannerIp "IP address of the scanner connection."
  • Corrective Action: If this message occurs, open a case with your vScan vendor to investigate why the scanner cannot handle the virus-scanning load being generated for the mentioned Vserver.
Nblade.vscanBadProtoMagicNum
  • Description: This message occurs when an incorrectly formatted message is received from an AV Connector.
  • Sample Message: Nblade.vscanBadProtoMagicNum: vserverId="2", scannerIp="10.72.204.27".
    • What information is captured in the EMS message:
      • vserverId "Identifier for the Vserver associated with this operation."
      • scannerIp "IP address of the scanner connection."
  • Corrective Action: Ensure that the correct AV Connector version is running on the scanner host, and that no other user or software is attempting to connect to the '\PIPE\vscan' resource on the Vserver.
Nblade.vscanBadIPPrivAccess
  • Description: This message occurs when the IP address of a client attempting to connect to the privileged ONTAP_ADMIN$ share is not found in the list of allowed IP addresses.
  • Sample Message: Nblade.vscanBadIPPrivAccess: vserverId="2", scannerIp="10.72.204.27".
    • What information is captured in the EMS message:
      • vserverId "Identifier for the Vserver associated with this operation."
      • scannerIp "IP address of the client attempting to access the ONTAP_ADMIN$ share."
  • Corrective Action: Ensure that the mentioned user name and IP address exist in one of the configured vscan scanner pools by using the 'vscan scanner pool show-active' command to view the currently active scanner pool configuration.
Nblade.vscanBadUserPrivAccess
  • Description: This message occurs when the logged-in user of a client attempting to connect to the privileged ONTAP_ADMIN$ share is not found in the list of allowed users.
  • Sample Message: Nblade.vscanBadUserPrivAccess: vserverId="2", userName= "fsctuser1", scannerIp="10.72.204.27".
    • What information is captured in the EMS message:
      • vserverId "Identifier for the Vserver associated with this operation."
      • userName "User name of the client attempting to access the ONTAP_ADMIN$ share."
      • scannerIp "IP address of the client attempting to access the ONTAP_ADMIN$ share."
  • Corrective Action: Ensure that the mentioned user name and IP address exist in one of the configured vscan scanner pools by using the 'vscan scanner pool show-active' command to view the current active scanner pool configuration.

Alternatively, if the user mentioned in the EMS messages is a machine account, such as "DOMAIN\VSCANSVR$":

  1. Ensure that the customer configures ALL AV-engine services to run with the privileged user that has already been configured in the scanner pool. 
  2. Ensure that only the required software is installed on the Vscan server, as features such as real-time protection on security software (not the vendor Vscan software) may attempt to access the privileged ONTAP_ADMIN$ share, which will be denied, and generate this type of error. For Windows Server 2016 and later, the Windows Defender service should also be disabled.
Nblade.cifsNoPrivShare
  • Description: This message occurs when a client attempts to connect to a nonexistent ONTAP_ADMIN$ share.
  • Sample Message: Nblade.cifsNoPrivShare: vserverId="2", userName= "fsctuser1", clientIp="10.72.204.27".
    • What information is captured in the EMS message:
      • vserverId "Identifier for the Vserver associated with this operation."
      • userName "User name of the client attempting to access the nonexistent ONTAP_ADMIN$ share."
      • clientIp "IP address of the client attempting to access the nonexistent ONTAP_ADMIN$ share."
  • Corrective Action: Ensure that the vscan is enabled for the mentioned Vserver ID. Enabling vscan on a Vserver causes the ONTAP_ADMIN$ share to be created for the Vserver automatically.
Nblade.vscanConnInvalidUser
  • Description: This message occurs when the logged-in user of a client attempting to create a vscan pipe is not found in the list of allowed users.
  • Sample Message: Nblade.vscanConnInvalidUser: vserverId="2", scannerIp="10.72.204.27", userName= "fsctuser1".
    • What information is captured in the EMS message:
      • vserverId "Identifier for the Vserver associated with this operation."
      • scannerIp "IP address of the client attempting to create a vscan pipe."
      • userName "User name of the client attempting to create a vscan pipe."
  • Corrective Action: Ensure that the mentioned user name exists in one of the active vscan scanner pools. Use the 'vscan scanner pool show-active' command to view the currently active scanner pool configuration.
Available starting in clustered Data ONTAP 8.3.2+
Nblade.vscanVirusDetected
  • Description: This message occurs when a vscan server reports an error to the storage system. Normally this indicates that a virus has been found by the vscan server; however, other error conditions on the vscan server can result in this event. Client access to the file is denied. The vscan server might, depending on its settings and configuration, clean the file, quarantine it, or delete it.
  • Sample Message: Possible virus detected. Vserver: “vserverName”, vscan server IP: “vscanServerIp”, file path: “filePath”, client IP: “clientIp”, SID: “SID”, vscan engine status: “vscanEngineStatus” , vscan engine result string: “vscanEngineResultString”.
    • What information is captured in the EMS message:
      • vserverName “Name of the Vserver associated with this operation.”
      • vscanServerIp “IP address of the vscan server.”
      • filePath “Path of the file that was found to be infected.”
      • clientIp “IP address of the client.”
      • SID “SID of the client.”
      • vscanEngineStatus “Status code returned by the vscan server.”
      • vscanEngineResultString “result string returned by the vscan server.”
  • Corrective Action: Check the log of the vscan (antivirus) server reported in the syslog message to see if it was able to successfully quarantine or delete the infected file. If it was not able to do so, a system administrator might want to manually delete the file.
Available starting in ONTAP 9.1P6+
Nblade.vscanNoPolicyEnabled
  • Description: This message occurs when a file access is not considered for virus scanning because none of the configured On-Access policies are enabled for the Vserver.
  • Sample Message: Nblade.vscanNoPolicyEnabled: For Vserver "vserverName",the file access was not considered for virus scanning because none of the configured On-Access policies are enabled.
    • What information is captured in the EMS message:
      • vserverName “Name of the Vserver associated with this operation.”
  • Corrective Action: Enable one of the configured On-Access policies for the Vserver.
Nblade.vscanConnReqOnSMB1
  • Description: This message occurs when a vscan server attempts to establish a vscan connection over SMB1, which is not supported.
  • Sample Message: Nblade.vscanConnReqOnSMB1: For Vserver "vserverName", the vscan connection request coming from the client "vscanServerIp" is rejected because it is not supported for SMB1.
    • What information is captured in the EMS message:
      • vserverName “Name of the Vserver associated with this operation.”
      • vscanServerIp “IP address of the vscan server.”
  • Corrective Action: Verify that both the vscan server and Data ONTAP(R) support and are configured for SMB2 or later.
Frequently Asked Questions (FAQ):
Are there any existing SNMP traps that capture these EMS messages?

A: Not yet; however, BUG 927663, “[Offbox-AV]: Add EMS and snmp traps to capture vscan configuration changes”, addresses this need.
After 8.4 and 8.3.2, we will have the ability to trap infected-file EMS messages because of the fixes in “EMS error messages are not generated when the Vscan server detects an infected file”. See BUG 906894.

How to use these EMS messages to track events from the vscanner?

You can track the events that have transpired in the EMS logs, for example:
Example #1: User changes the service account for their “McAfee VirusScan Enterprise for Storage” service from the privileged user to another domain user account and causes scanning to fail. Notice the events in the EMS log that reflect that change.

filer::*> event log show -node node1 -event *vscan*
Time                Node             Severity      Event
------------------- -------------- ------------- ---------------------------
1/12/2016 09:27:17  node1          WARNING       Nblade.vscanBadUserPrivAccess: vserverId="3", userName="DOMAIN\InvalidDomainAccount", scannerIp="10.63.119.148"
1/12/2016 09:27:17  node1          DEBUG         ems.engine.suppressed: Event 'Nblade.vscanBadUserPrivAccess' suppressed 687 times in last 511780 seconds.
1/12/2016 09:26:12  node1          WARNING       Nblade.vscanNoRegdScanner: vserverId="3", scannerIp="10.63.119.148"

Example #2: Vscan is disabled and re-enabled. 

filer::*> event log show -node node1 -event *vscan*
Time                Node             Severity      Event
------------------- ---------------- ------------- ---------------------------
1/11/2016 10:53:53  node1 INFORMATIONAL vscan.enabled: Vscan is enabled on Vserver 'vsm1'.
1/11/2016 10:53:46  node1 INFORMATIONAL vscan.disabled: Vscan is disabled on Vserver 'vsm1'.
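
The following script is an added example, not NetApp code. It triages saved 'event log show' output for the access-related Vscan events described above, grouping them by source and adding the count carried by any ems.engine.suppressed line. The sample lines, account name and addresses are constructed, and the column layout is assumed to match the examples on this page.

```python
import re
from collections import defaultdict

# Events from this page that record a refused or unexpected connection.
ACCESS_EVENTS = {
    "Nblade.vscanBadIPPrivAccess", "Nblade.vscanBadUserPrivAccess",
    "Nblade.vscanConnInvalidUser", "Nblade.vscanBadProtoMagicNum",
    "Nblade.cifsNoPrivShare",
}
LINE_RE = re.compile(r"^(?P<time>\d+/\d+/\d+ \d+:\d+:\d+)\s+(?P<node>\S+)\s+"
                     r"(?P<sev>[A-Z]+)\s+(?P<event>[\w.]+):\s*(?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')  # tolerates: userName= "x"
SUPPRESSED_RE = re.compile(r"Event '([\w.]+)' suppressed (\d+) times")

# Constructed sample input (documentation addresses, made-up account name).
SAMPLE = r"""
1/12/2016 09:27:17  node1  WARNING  Nblade.vscanBadUserPrivAccess: vserverId="3", userName="EXAMPLE\svc-other", scannerIp="192.0.2.10"
1/12/2016 09:27:17  node1  DEBUG    ems.engine.suppressed: Event 'Nblade.vscanBadUserPrivAccess' suppressed 687 times in last 511780 seconds.
1/12/2016 09:26:12  node1  WARNING  Nblade.vscanNoRegdScanner: vserverId="3", scannerIp="192.0.2.10"
1/12/2016 09:20:01  node1  WARNING  Nblade.vscanBadIPPrivAccess: vserverId="3", scannerIp="192.0.2.77"
1/11/2016 10:53:53  node1  INFORMATIONAL vscan.enabled: Vscan is enabled on Vserver 'vsm1'.
"""

def parse_line(line):
    """Split one event-log row into its columns plus a dict of key="value" fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, separator, blank or wrapped line
    rec = m.groupdict()
    rec["fields"] = dict(FIELD_RE.findall(rec["body"]))
    return rec

def summarize(lines):
    """Count access events per (event, source IP, user).

    EMS reports suppression per event name, not per source, so the
    'suppressed' figure is attached to every row of that event.
    """
    seen, suppressed = defaultdict(int), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "ems.engine.suppressed":
            m = SUPPRESSED_RE.search(rec["body"])
            if m:
                suppressed[m.group(1)] += int(m.group(2))
        elif rec["event"] in ACCESS_EVENTS:
            f = rec["fields"]
            ip = f.get("scannerIp") or f.get("clientIp", "?")
            seen[(rec["event"], ip, f.get("userName", "-"))] += 1
    return [{"event": e, "ip": ip, "user": u, "seen": n,
             "suppressed": suppressed.get(e, 0)}
            for (e, ip, u), n in sorted(seen.items())]

if __name__ == "__main__":
    for row in summarize(SAMPLE.splitlines()):
        print(row)
```

A single visible warning with a large suppressed count means the same source has been refused repeatedly, which is what the service-account change in Example #1 looks like.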

What other logging is available to me for Vscanning?

The AV Connector also has logging available; this must be enabled manually.
(Under section Enable AVSHIM logging).

Text example of errors seen in the avshim log:
40.860: [Pipe: 10.64.80.74, cifs01cmvsimn1-ams5][r] CreateNamedPipe failed with 1. closingQ: [0]
41.532: [Pipe: 10.64.80.76, cifs01cmvsimn2-ams5][r] CreateNamedPipe failed with 1. closingQ: [0]

AV Connector Common Errors

The following are some typical error-codes and the issue that they may indicate:

Error-code '1'
  • (Incorrect function)
  • This typically indicates one of the following:
    • The Vscan feature was not enabled on the mentioned vserver
    • The mentioned scanner-host-IP is not in the list of IPs in one of the currently active scanner-pools
Error-code '2'
  • (The system cannot find the file specified)
  • This usually indicates that the user-account of the AV Connector service is not listed in the privileged users' list in one of the currently active scanner-pools for the mentioned vserver
Error-code '5'
  • (Can't connect to host (err=5))
  • This usually indicates an access denied error. This can be seen in several places; check any corresponding EMS vscan messages for related errors. Verify that the privileged-user is set correctly and that the account used by AV Connector is set up properly.
Error-code '31'
  • (GetOverlappedResult failed)

This usually indicates that

  • SMB2 is disabled on vscan server as a client (RE: https://support.microsoft.com/en-us/kb/2696547 run 'sc query mrxsmb20' to check for state)
  • SMB2 has been disabled/re-enabled on the vserver or vscan server. Verify that SMB2 is enabled on vserver and reboot vscan server to clear condition.

Read for more details:

Error-code '53'
  • (Incorrect function)
  • (The network path was not found)

This usually indicates one or more of the following issues:

  • Scanner-host and mentioned vserver's data-lif are unreachable from each other
  • SMB2 is not configured for the mentioned vserver
  • SMB2 is not configured on the scanner host
  • Time Skew exists between scanner and filer (more than 5 mins apart)
  • Verify if any firewalls are blocking ports 445 or 139
Error-code '58'
  • (The specified server cannot perform the requested operation)
    • This message may indicate that a pathname greater than 2048 bytes was attempted
    • AV Connector 1.0.4 should increase this limit to 4096 bytes.
    • Without a fix for 1098898, ONTAP will not send scan requests for path names greater than what is specified in the BURT.
Error-code '64'
  • (The specified network name is no longer available)
  • This message may indicate that the AV Connector is unable to complete a registration with the vserver data lif
    • Check if firewalls or network ACLs are preventing communication on port 445
    • Verify if proper SPNs are in place for vserver cifs server account
Error-code '67'
  • (The network name is not found)
  • This message may indicate that SMB2 is not configured for the mentioned vserver
Error-code '1265'
  • ERROR_DOWNGRADE_DETECTED
  • Check to see if DNS resolution on vscan servers is working correctly.
  • Verify vscan server can locate and resolve service records for domain controllers.
Error-code '1326'
  • Incorrect username/password
  • Username/password combination of the account running the AV Connector service is incorrect.
Error-code '1907'
  • (The user's password must be changed before logging on the first time)
  • This message may indicate the user-account (security-context) of AV Connector service is not a valid domain user, or the password for the given user-account must be refreshed. In the former case, the issue may be confirmed by changing the user-account for the AV Connector to a valid and active domain user, which exists in the list of privileged-users in one of the currently active scanner-pools.
Error-code '1935'
  • ERROR_AUTHENTICATION_FIREWALL_FAILED
  • Verify if the account used is traversing a Selective Authentication Domain Trust. If so, the service account will have to be provided permission to traverse that domain trust.
Error codes are not defined in this KB? Or not known? No problem.
