ONTAP 9.15.1 commands

vserver vscan on-access-policy create

Create an On-Access policy

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The vserver vscan on-access-policy create command creates an On-Access policy.

Parameters

-vserver <vserver name> - Vserver

This parameter specifies the name of the Vserver on which you want to create an On-Access policy.

-policy-name <Policy name> - Policy

This parameter specifies the name of the On-Access policy that you want to create. An On-Access policy name can be up to 256 characters long and is a string that can only contain any combination of ASCII-range alphanumeric characters (a-z, A-Z, 0-9), "_", "-" and ".".

-protocol <CIFS> - File-Access Protocol

This parameter specifies the protocol name for which the On-Access policy will be created. Currently only CIFS is supported.

[-filters {scan-ro-volume|scan-execute-access}] - Filters

This parameter specifies a list of filters which can be used to define the scope of the On-Access policy more precisely. The list can include one or more of the following:

  • scan-ro-volume - Enable scans for read-only volume.

  • scan-execute-access - Scan only files opened with execute-access (CIFS only).

[-scan-mandatory {on|off}] - Mandatory Scan

This parameter specifies whether access to a file is allowed or denied when no external virus-scanning servers are available for virus scanning. The default value for this parameter is "on", which denies file access if an external virus-scanning server is not available. This parameter has no impact when an external virus-scanning server is available for file scanning, because access to the file is then allowed or denied based on the response from the virus-scanning server.

[-max-file-size {<integer>[KB|MB|GB|TB|PB]}] - Max File Size Allowed for Scanning

This parameter specifies the maximum size of the file which will be considered for virus scanning. By default, it is 2GB.

[-paths-to-exclude <File path>,…] - File Paths Not to Scan

This parameter specifies a list of paths, separated by commas, to exclude from virus scanning. This path is given from the root of the Vserver and can be up to 255 characters long. By default, no paths are excluded. CIFS protocol based On-Access policies must use "\" as the path separator. The path can be in one of the following forms:

  • \dir1\dir2\name - This would match "\dir1\dir2\name" as well as "\dir1\dir2\name...".

  • \dir1\dir2\name\ - This would only match "\dir1\dir2\name...".

If you are using the CLI, you must delimit all paths with double quotation marks ("). For instance, to add the paths "\vol\a b\" and "\vol\a,b\" to the -paths-to-exclude in the CLI, type "\vol\a b\","\vol\a,b\" at the command prompt. To add a "?" to the expression, press ESC followed by the "?".

[-file-ext-to-exclude <File extension>,…] - File Extensions Not to Scan

This parameter specifies a list of file extensions, separated by commas, to exclude from virus scanning. By default, no file extensions are excluded. Each file extension can be up to 16 characters long. The -file-ext-to-exclude supports wildcard patterns containing "*" and "?". Pattern matching is defined as:

  • * - Matches any string, including the empty string. For example, mp* would match mp, mp3, mp4, mpeg etc.

  • ? - Matches any single character. For example, mp? would match mp3, mp4 but not mp and mpeg.

If you are using the CLI, you must delimit all patterns with double quotation marks ("). For instance, to enter the pattern mp* in the CLI, type "mp*" at the command prompt. To add a "?" to the expression, press ESC followed by the "?".

[-file-ext-to-include <File extension>,…] - File Extensions to Scan

This parameter specifies a list of file extensions, separated by commas, to include for virus scanning. By default, it is *, which means all the file extensions are considered for virus scanning except those which match one of the patterns provided in -file-ext-to-exclude list. Each file extension can be up to 16 characters long. The -file-ext-to-include supports wildcard patterns containing "*" and "?". Pattern matching is defined as:

  • * - Matches any string, including the empty string. For example, mp* would match mp, mp3, mp4, mpeg etc.

  • ? - Matches any single character. For example, mp? would match mp3, mp4 but not mp and mpeg.

If you are using the CLI, you must delimit all patterns with double quotation marks ("). For instance, to enter the pattern mp* in the CLI, type "mp*" at the command prompt. To add a "?" to the expression, press ESC followed by the "?".

If you specify both -file-ext-to-include and -file-ext-to-exclude lists, then only those file extensions are considered for virus scanning which match one of the patterns provided in -file-ext-to-include list but do not match any of the patterns provided in -file-ext-to-exclude list.

[-scan-files-with-no-ext {true|false}] - Scan Files with No Extension

This parameter specifies if the files without any extension are considered for virus scanning or not. By default, it is true.

Examples

The following example creates an On-Access policy.

cluster1::> vserver vscan on-access-policy create -vserver vs1 -policy-name test
                -protocol CIFS -scan-mandatory on -filters scan-ro-volume -max-file-size 3GB
                -file-ext-to-exclude "mp3","txt" -file-ext-to-include "mp*","tx*"
                -paths-to-exclude "\vol\a b\","\vol\a,b\"

cluster1::> vserver vscan on-access-policy show -instance -vserver vs1 -policy-name test
                           Vserver: vs1
                            Policy: test
                     Policy Status: off
               Policy Config Owner: vserver
              File-Access Protocol: CIFS
                           Filters: scan-ro-volume
                    Mandatory Scan: on
Max File Size Allowed for Scanning: 3GB
            File Paths Not to Scan: \vol\a b\, \vol\a,b\
       File Extensions Not to Scan: mp3, txt
           File Extensions to Scan: mp*, tx*
      Scan Files with No Extension: true
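
To audit which files a policy actually sends for scanning, the following added example (not part of the ONTAP documentation and not NetApp code) evaluates the documented -file-ext-to-include, -file-ext-to-exclude, -scan-files-with-no-ext and -max-file-size rules against the policy "test" shown above. It assumes the extension is the text after the last ".", that matching is case-insensitive, and that size units are binary; -paths-to-exclude and -filters are not modelled, and all function names and sample files are constructed for illustration.

```python
import re

UNITS = {"": 1, "KB": 2**10, "MB": 2**20, "GB": 2**30, "TB": 2**40, "PB": 2**50}

def parse_size(text):
    """Parse a -max-file-size value such as "3GB" (binary units are an assumption)."""
    m = re.fullmatch(r"(\d+)(KB|MB|GB|TB|PB)?", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * UNITS[(m.group(2) or "").upper()]

def ext_regex(pattern):
    """Translate a pattern using only '*' and '?' into a regex; all else is literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile(body, re.IGNORECASE)  # case-insensitivity is an assumption

def matches_any(ext, patterns):
    return any(ext_regex(p).fullmatch(ext) is not None for p in patterns)

def scan_decision(path, size_bytes, policy):
    """Return (scanned, reason) for one file under the extension and size rules."""
    if size_bytes > parse_size(policy["max_file_size"]):
        return False, "exceeds -max-file-size"
    name = path.rsplit("\\", 1)[-1]
    _, dot, ext = name.rpartition(".")  # extension = text after last "." (assumption)
    if not dot or not ext:
        if policy["scan_files_with_no_ext"]:
            return True, "no extension, -scan-files-with-no-ext true"
        return False, "no extension, -scan-files-with-no-ext false"
    if not matches_any(ext, policy["include"]):
        return False, "not in -file-ext-to-include"
    if matches_any(ext, policy["exclude"]):
        return False, "matches -file-ext-to-exclude"
    return True, "included and not excluded"

# Policy "test" from the example above; file names and sizes are constructed.
POLICY = {"max_file_size": "3GB", "include": ["mp*", "tx*"],
          "exclude": ["mp3", "txt"], "scan_files_with_no_ext": True}
SAMPLES = [(r"\vol\share\clip.mp4", 10 * 2**20), (r"\vol\share\song.mp3", 5 * 2**20),
           (r"\vol\share\setup.exe", 2**20), (r"\vol\share\README", 4096),
           (r"\vol\share\big.mpeg", 4 * 2**30)]

if __name__ == "__main__":
    for path, size in SAMPLES:
        print(path, scan_decision(path, size, POLICY))
```

Under the example policy, setup.exe is never scanned because "exe" matches neither include pattern; an explicit -file-ext-to-include list narrows coverage to exactly the listed patterns.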