Guidelines for using antivirus software on an OES FTP server

  • 7017758
  • 21-Jun-2016
  • 16-Mar-2017

Environment

Novell Open Enterprise Server 2015 (OES 2015) Linux
Novell Open Enterprise Server 11 (OES 11) Linux
Novell Open Enterprise Server 2 (OES 2) Linux

Situation

Novell Technical Services has seen a pattern of odd failures (across multiple customers) in situations where anti-virus software was running on an OES system that was acting as a Novell FTP Server.  This means the Novell FTP pattern is active, or in other words, the "novell-oes-pure-ftpd" package is in use.
 
Typically, the failures seen involve the "remote_server" feature of Novell FTP, which allows an FTP session at the OES FTP Server to access NCP volumes from other Novell servers.  To accomplish this, Novell FTP makes calls to the Novell Client for Linux, which mounts remote NCP file systems locally as "novfs" file systems.  It does all this relatively transparently, so the FTP Client is not fully aware of all the work being done.

Resolution

Novell cannot fully support issues caused by anti-virus software, because of the intrusive nature of methods used by such software.  It seems to be especially problematic for anti-virus software to interact with novfs file systems, used for the "remote_server" feature of Novell FTP.  However, these issues can often be eliminated without abandoning use of the anti-virus software completely.  Here are some tips:
 
(Note:  The following could apply to any anti-virus functions, whether they be isolated scheduled scans, live monitoring of file system activity, etc.)
 
1.  If an OES FTP server is having problems performing tasks on a remote NCP volume, while anti-virus software is active at the OES FTP Server machine, it may be best to first do a broad test to determine whether the anti-virus software is contributing.  If possible, fully disable the anti-virus software and test to evaluate the effect.
 
2.  After confirming that the anti-virus software is contributing to the problem, or (alternatively) in cases where policy prohibits the anti-virus software from being disabled, the next step would be to configure the anti-virus software to exclude (ignore) certain areas of the file system.  This way, conflicts may be avoided.
 
The recommended exclusion to start with is:
/var/opt/novell (and the full subdir tree under that)
 
Not every path under that location is used by FTP, however.  So if excluding /var/opt/novell is successful, the approach could be made more granular.  Instead of excluding the entire /var/opt/novell subdir tree, exclusions could be made for two deeper locations:
 
/var/opt/novell/nclmnt/  (and the full subtree under that)
This is where remote NCP volumes, used by OES FTP, are mounted.  For FTP/NCP purposes, this is probably the most important area to exclude from the effects of anti-virus software.
 
/var/opt/novell/pure-ftpd (and the full subtree under that)
This is where novell-oes-pure-ftpd stores some tracking information about remote server usage.  In most cases, this path does not actually need to be excluded, but if problems persist, this should be tested and evaluated.
 
It may be safe for the various remote OES servers (where those NCP volumes reside natively) to run anti-virus to watch activity on their own NCP volumes.  The primary goal here is that an OES FTP server which is remotely accessing other servers' NCP volumes should not be attempting to scan those volumes through the local novfs file system mount.  Scan the NCP volumes at their native locations instead.
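
As a quick check of step 2, the following added example (not part of the original article and not Novell code) lists novfs mount points that fall outside a given set of exclusion paths.  It assumes remote NCP mounts appear with file system type "novfs" in /proc/mounts; the sample table and the names under_path, unexcluded_novfs and sample_mounts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Novell code. Assumes remote NCP mounts show file system
# type "novfs" in /proc/mounts, as the article describes.

# under_path DIR PATH: succeeds when PATH is DIR itself or lies below it.
under_path() {
    dir=${1%/}
    case "$2" in
        "$dir"|"$dir"/*) return 0 ;;
    esac
    return 1
}

# unexcluded_novfs EXCLUDE...: reads a /proc/mounts-format table on stdin and
# prints every novfs mount point not covered by one of the EXCLUDE paths.
# Returns 1 when at least one such mount point was printed.
unexcluded_novfs() {
    missing=0
    while read -r _dev mnt fstype _rest; do
        [ "$fstype" = "novfs" ] || continue
        mnt=$(printf '%b' "$mnt")   # /proc/mounts writes a space as \040
        covered=0
        for ex in "$@"; do
            if under_path "$ex" "$mnt"; then covered=1; break; fi
        done
        if [ "$covered" -eq 0 ]; then
            printf '%s\n' "$mnt"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample table (not taken from a real server).
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext3 rw 0 0
novfs /var/opt/novell/nclmnt/ftpuser/SRV1_VOL1 novfs rw 0 0
novfs /var/opt/novell/nclmnt/ftpuser/SRV2\040DATA novfs rw 0 0
novfs /var/opt/novell-test/mnt novfs rw 0 0
EOF
}

# Demo: the article's granular exclusions applied to the sample table.
sample_mounts | unexcluded_novfs /var/opt/novell/nclmnt/ /var/opt/novell/pure-ftpd ||
    echo "the novfs mounts listed above are not excluded from scanning"
```

On a live server, feed it the real table, for example: unexcluded_novfs /var/opt/novell/nclmnt < /proc/mounts.  A clean result only confirms that the configured paths cover the mounts; it does not show whether the anti-virus product honors them.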

Additional Information

In some cases, it has been found that fully disabling anti-virus software solved an issue, but excluding the pertinent paths did not.  This would typically mean that the anti-virus software does not fully exclude paths even when they are configured to be excluded.
 
For example, McAfee recently enhanced some of their scanning methods to make use of "fanotify" APIs on Linux.  Their exclusion settings prevent some scanning activities from occurring, but some fanotify calls were still being made in those excluded areas.
 
McAfee VirusScan Enterprise for Linux (VSEL) 1.9.x is reported to not have this issue (and to not use fanotify).
VSEL 2.0.3 is reported to use fanotify and has this issue.
Endpoint Security for Linux (ENSL) 10.2.1 is believed to have the issue as well.
 
New versions or updates of these products are expected to be released by April 2017, which should fully exclude novfs areas from scanning activity.