Skip to main content
NetApp Knowledge Base

Common EMS messages for Vscan

  1. Last updated
  2. Save as PDF
Views:
9,602
Visibility:
Public
Votes:
7
Category:
ontap-9
Specialty:
nas
Last Updated:

Applies to

  • VSCAN
  • ONTAP AV Connector
  • ONTAP 9

Answer

vscan.enabled
  • Description: This message occurs when a Storage Virtual Machine (SVM) or cluster administrator enables Vscan on a SVM. Based on the configuration, subsequent client requests can trigger virus scanning.
  • Example: Vscan is enabled on Vserver 'vserver_1'.
vscan.disabled
  • Description: This message occurs when an SVM or cluster administrator disables Vscan on a SVM. No subsequent client requests will trigger virus scanning.
  • Example: Vscan is disabled on Vserver 'vserver_1'.
vscan.privShareCreate.failed
  • Description: This message occurs when a privileged share $ONTAP_ADMIN creation fails. Attempted connections to the system by a Vscan server will fail.
  • Example: Failed to create privileged share $ONTAP_ADMIN for Vserver 'vserver_1'.
  • Corrective Action: NONE
vscan.rdbUpdRegister.failed
  • Description: This message occurs when the Vscan configuration replication mechanism fails to register RDB update callback. Modification in the Vscan configuration might not be available to this node.
  • Example: Vscan configuration replication mechanism failed to register RDB update callback. Modification in the Vscan configuration might not be available to this node.
  • Corrective Action: Restart the node or contact <vendor-name-support/> for assistance.
vscan.job.failed
  • Description: This message occurs when the Vscan job fails. It is retried automatically. Run the job history show -name Vscan* command to get more detail.
  • Example: Vscan job failed. It will automatically be retried.
  • Corrective Action: NONE
vscan.pool.autoActivated
  • Description: This message occurs when the Vscan scanner pool is automatically activated.
  • Example: Vscan scanner pool 'sp1' is automatically activated on Vserver 'vserver_1'.
  • Corrective Action: NONE
vscan.pool.autoDeactivated
  • Description: This message occurs when the Vscan scanner pool is automatically deactivated.
  • Example: Vscan scanner pool 'sp1' is automatically deactivated on Vserver 'vserver_1'.
  • Corrective Action: NONE
vscan.newVersion.allocated
  • Description: This message occurs when the Vscan version mechanism allocates a new version-ID corresponding to the Vscan server version.
  • Example: Vscan version mechanism added new version-ID for Vserver 'vserver_1' corresponding to vendor 'McAfee', version '5.62'.
  • Corrective Action: NONE
Nblade.vscanNoScannerConn
  • Description: This message occurs when Data ONTAP(R) has no scanner connections for servicing virus-scan-requests.
  • Example: Nblade.vscanNoScannerConn: vserverId="2".
    • What information is captured in the EMS message: vserverId Identifier for the Vserver associated with this operation.
  • Corrective Action: Ensure that the scanner pool is properly configured and that scanner machines are active and connected to Data ONTAP.
Nblade.vscanNoDispatcher
  • Description: This message occurs when the vscan-dispatcher component cannot be created. This might be due to internal errors on the system, such as nonavailability of memory.
  • Example: Nblade.vscanNoDispatcher: vserverId="2".
    • What information is captured in the EMS message: vserverId Identifier for the Vserver associated with this operation.
  • Corrective Action: There are no known issues yet that would cause this error. Please triage and troubleshoot accordingly.
Nblade.vscanConnInactive
  • Description: This message occurs when an Data ONTAP(R) detects and forcibly closes a nonresponsive scanner connection.
  • Example: Nblade.vscanConnInactive: vserverId="2", scannerIp="10.72.204.244".
    • What information is captured in the EMS message:
      • vserverId "Identifier for the Vserver associated with this operation."
      • scannerIp "IP address of the scanner connection."
  • Corrective Action: Ensure that the AV Connector can connect, transmit and receive messages to and from the system, and that the 'vscanConnBackPressure' event is not occurring frequently.

Note: If the event is occurring frequently, add more scanners to the primary scanner pools to ensure that there are enough scanners to handle the virus-scanning load.

Nblade.vscanNoRegdScanner
  • Description: This message occurs when Data ONTAP(R) receives a connection from an AV connector that does not have a scanner registered.
  • Example: Nblade.vscanNoRegdScanner: vserverId="2", scannerIp="10.72.204.27".
    • What information is captured in the EMS message:
      • vserverId "Identifier for the Vserver associated with this operation."
      • scannerIp "IP address of the client running the AV connector."
  • Corrective Action: Ensure that the virus scanner software is installed correctly, is running, and can connect to the AV Connector on the client with the mentioned IP address.
Nblade.vscanConnBackPressur
  • Description: This message occurs when scanner connections are too busy to accept new scan requests.
  • Example: Nblade.vscanConnBackPressure: vserverId="2", scannerIp="10.72.204.27".
    • What information is captured in the EMS message:
      • vserverId "Identifier for the Vserver associated with this operation."
      • scannerIp "IP address of the scanner connection."
  • Corrective Action: If this message occurs, open a case with your vScan vendor to investigate why the scanner cannot handle the virus-scanning load being generated for the mentioned Vserver.
Nblade.vscanBadProtoMagicNum
  • Description: This message occurs when an incorrectly formatted message is received from an AV Connector.
  • Example: Nblade.vscanBadProtoMagicNum: vserverId="2", scannerIp="10.72.204.27".
    • What information is captured in the EMS message:
      • vserverId "Identifier for the Vserver associated with this operation."
      •  scannerIp "IP address of the scanner connection."
  • Corrective Action: Ensure that the correct AV Connector version is running on the scanner host, and that no other user or software is attempting to connect to the '\PIPEvscan' resource on the Vserver.
Nblade.vscanBadIPPrivAccess
  • Description: This message occurs when the IP address of a client attempting to connect to the privileged ONTAP_ADMIN$ share is not found in the list of allowed IP addresses.
  • Example: Nblade.vscanBadIPPrivAccess: vserverId="2", scannerIp="10.72.204.27".
    • What information is captured in the EMS message:
      • vserverId "Identifier for the Vserver associated with this operation."
      • scannerIp "IP address of the client attemping to access the ONTAP_ADMIN$ share."
  • Corrective Action: Ensure that the mentioned user name and IP address exist in one of the configured vscan scanner pools by using the 'vscan scanner pool show-active' command to view the currently active scanner pool configuration.
Nblade.vscanBadUserPrivAccess
  • Description: This message occurs when the logged-in user of a client attempting to connect to the privileged ONTAP_ADMIN$ share is not found in the list of allowed users.
  • Example: Nblade.vscanBadUserPrivAccess: vserverId="2", userName= "fsctuser1", scannerIp="10.72.204.27".
    • What information is captured in the EMS message:
      • vserverId "Identifier for the Vserver associated with this operation."
      • userName "User name of the client attemping to access the ONTAP_ADMIN$ share."
      • scannerIp "IP address of the client attemping to access the ONTAP_ADMIN$ share."
  • Corrective Action: Ensure that the mentioned user name and IP address exist in one of the configured vscan scanner pools by using the 'vscan scanner pool show-active' command to view the current active scanner pool configuration.

Alternatively, if the user mentioned in the EMS messages is a machine account, such as "DOMAIN\VSCANSVR$":

  1. Ensure that the customer configures ALL AV-engine services to run with the privileged user that has already been configured in the scanner pool. 
  2. Ensure that only the required software is installed on the Vscan server, as features such as real-time protection on security software (not the vendor Vscan software) may attempt to access the privileged ONTAP_ADMIN$ share, which will be denied, and generate this type of error. For Windows Server 2016 and later, the Windows Defender service should also be disabled.
Nblade.cifsNoPrivShare
  • Description: This message occurs when a client attempts to connect to a nonexistent ONTAP_ADMIN$ share.
  • Example: Nblade.cifsNoPrivShare: vserverId="2", userName= "fsctuser1", clientIp="10.72.204.27".
    • What information is captured in the EMS message:
      • vserverId "Identifier for the Vserver associated with this operation."
      • userName "User name of the client attemping to access the nonexistent ONTAP_ADMIN$ share."
      • clientIp "IP address of the client attemping to access the nonexistent ONTAP_ADMIN$ share."
  • Corrective Action: Ensure that the vscan is enabled for the mentioned Vserver ID. Enabling vscan on a Vserver causes the ONTAP_ADMIN$ share to be created for the Vserver automatically.
Nblade.vscanConnInvalidUser
  • Description: This message occurs when the logged-in user of a client attempting to create a vscan pipe is not found in the list of allowed users.
  • Example: Nblade.vscanConnInvalidUser: vserverId="2", scannerIp="10.72.204.27, userName= "fsctuser1".
    • What information is captured in the EMS message:
      • vserverId "Identifier for the Vserver associated with this operation.
      • scannerIp "IP address of the client attemping to create a vscan pipe."
      • userName "User name of the client attemping to create a vscan pipe."
  • Corrective Action: Ensure that the mentioned user name exists in one of the active vscan scanner pools. Use the 'vscan scanner pool show-active' command to view the currently active scanner pool configuration.
Nblade.vscanVirusDetected
  • Description: This message occurs when a vscan server reports an error to the storage system. Normally this indicates that a virus has been found by the vscan server; however, other error conditions on the vscan server can result in this event. Client access to the file is denied. The vscan server might, depending on its settings and configuration, clean the file, quarantine it, or delete it.
  • Example: Possible virus detected. Vserver: “vserverName”, vscan server IP: “vscanServerIp”, file path: “filePath”, client IP: “clientIp”, SID: “SID”, vscan engine status: “vscanEngineStatus” , vscan engine result string: “vscanEngineResultString”.
    • What information is captured in the EMS message:
      • vserverName “Name of the Vserver associated with this operation.”
      • vscanServerIp " IP address of the vscan server. "
      • filePath “Path of the file that was found to be infected.”
      • clientIp “IP address of the client.”
      • SID “SID of the client.”
      • vscanEngineStatus “Status code returned by the vscan server.”
      • vscanEngineResultString “result string returned by the vscan server.”
  • Corrective Action: Check the log of the vscan (antivirus) server reported in the syslog message to see if it was able to successfully quarantine or delete the infected file. If it was not able to do so, a system administrator might want to manually delete the file.
Nblade.vscanNoPolicyEnabled
  • Description: This message occurs when a file access is not considered for virus scanning because none of the configured On-Access policies are enabled for the Vserver.
  • Example: Nblade.vscanNoPolicyEnabled: For Vserver "vserverName",the file access was not considered for virus scanning because none of the configured On-Access policies are enabled.
    • What information is captured in the EMS message:
      • vserverName “Name of the Vserver associated with this operation.”
  • Corrective Action: Enable one of the configured On-Access policies for the Vserver.
Nblade.vscanConnReqOnSMB1
  • Description: This message occurs during a vscan server attempts to establish a vscan connection over SMB1, which is not supported.
  • Example: Nblade.vscanConnReqOnSMB1: For Vserver "vserverName", the vscan connection request coming from the client "vscanServerIp" is rejected because it is not supported for SMB1.
    • What information is captured in the EMS message:
      • vserverName “Name of the Vserver associated with this operation.”
      • vscanServerIp " IP address of the vscan server."
  • Corrective Action: Verify that both the vscan server and Data ONTAP(R) support and are configured for SMB2 or later.

Availabile in ONTAP 9.7+
Nblade.vscanWorkQueueOverloaded
  • Description: This message occurs when there are too many events being generated by the Vscan subsystem in ONTAP(R) software, which might be the result of a misconfigured Vscan server.
  • Example: Nblade.vscanWorkQueueOverloaded:notice]: Too many events [50000] present in Vscan work queue.
  • Corrective Action: Check the Vscan server configurations to make sure that there are no connectivity or configuration issues between the storage system and Vscan server. Use the "vserver vscan connection-status show-all" command to see the connection states of all configured Vscan servers.

Additional Information

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.