IBM Support

Support Policy for Anti-Virus and ClearCase

Preventive Service Planning


Abstract

What is the support policy for Anti-Virus Scanners installed on IBM Rational ClearCase clients and servers and are there any transcripts of known configurations for Virus scanners that are compatible with VOB and View servers?

Content

Overview

ClearCase does not officially certify any specific anti-virus applications. The Rational ClearCase product team tests ClearCase releases together with concurrently available versions of some major anti-virus vendors to ensure there are no major issues with the anti-virus product and ClearCase.

The information in this technote is a compilation of support knowledge related to the configuration of Anti-Virus applications to successfully work along side Rational ClearCase.

This is a consolidation of documents that have been written to detail the lessons-learned to assist you in avoiding known problems when Anti-Virus applications are configured on a ClearCase host. This means that ClearCase can coexist with an anti-virus program running, however, there are some considerations to plan for.

Note: Problems occurring in an environment with anti-virus and ClearCase may be caused by either product or an interaction between the two products. Rational Client Support can assist in determining what the specific anti-virus ClearCase problem is, however, you may need to work with your anti-virus vendor to determine how to resolve the issues.

Topics Covered in this technote

 

The general issues to consider when configuring Virus scanners on a ClearCase server are:

When and How to Scan

When and How NOT to Scan

What to Scan

What NOT to Scan

Other products that can cause ClearCase issues

When and How to Scan:

  • When possible scan manually or on a scheduled basis during down time (non-work time). This limits the performance impact virus scanning can impose during normal operations especially ClearCase use as this impact could be significant depending on client speed, network bandwidth, server performance, and the number of clients accessing VOBs and views on any given host.
  • We have seen instances where aggressive real-time/on-access scanning interfering with the ClearCase process and causing the following errors:

vobrpc_server(6868): Error: vobrpc_server.exe(6868): Error: Error from VOB database: "\myvob".
vobrpc_server(6868): Error: vobrpc_server.exe(6868): Error: db_VISTA error -914 (errno == "Invalid argument")

vobrpc_server(6868): Error: vobrpc_server.exe(6868): Error: Error from VOB database: "\myvob".
vobrpc_server(6868): Error: vobrpc_server.exe(6868): Error: db_VISTA error -901 (errno == "Invalid argument")

db_server(9096): Error: db_server.exe(9096): Error: db_VISTA error -901 (errno == "Invalid argument")


db_server(9096): Error: db_server.exe(9096): Error: DBMS error in \\myhost\ct\myshare\myvob\db.

db_server(9096): Error: db_server.exe(9096): Error: db_VISTA error -914 (errno == "Invalid argument")
db_server(9096): Error: db_server.exe(9096): Error: DBMS error in \\myhost\ct\myshare\myvob\db.

This can impact performance and in some instances access to the vob itself.
  • ClearCase should be shut down on the host being scanned. This avoids any possibility of the scanner affecting or being affected by ClearCase.
 

When and How NOT to Scan:

  • "Realtime" or "on-access" scans should be avoided. Depending on how aggressive the virus scanner is, "on-access" scanning can disable ClearCase cleartext and source container creation. The final step in the on-access operation is typically to rename temporary containers and ClearCase creates many of these containers as part of its process. Also, on-access scans may lock a file to perform some operations resulting in the inability of ClearCase to rename the file. This may result in errors from vob_server regarding "operation 'rename_container' failed." or "operation 'make container permanent' failed."
     
  • Virus scanner should not be configured to attempt cleaning or deletion of infected files. These options can lead to corrupted or missing source containers and/or derived objects which in turn can lead to a dramatic increase in recovery time as the corrupted/missing containers have to be rebuilt.
 

Back to top

 

What to Scan:

  • Scan the VOB source pools. Be aware that binary files that have been added to source control may be compressed and inaccessible to the virus scanner unless the scanner can scan inside of zip files.
     
  • Scan VOB cleartext pools. Be aware that the file names in this directory bear little relation to their real names, so a scan by extension (.txt, .exe etc...) will not properly scan.
     
  • Scan VOB DO pools. This may protect against file infectors that may find a freshly built executable during a build and make a few minor changes. If that file is then winked in through another build, a virus-infected file would be publicly available. This would at least provide notification.
     
  • Scan View storage directories. This would catch new files added to a directory by a virus and view private files modified by a virus.
 

Back to top

What NOT to Scan:

  • Do not scan the MVFS "dynamic view" drive ("M:" by default on Microsoft® Windows®). Scans on this drive will scan all the dynamic views started on this system and all VOBs mounted on this system. The cleartext lookup/creation phase of a file open in MVFS can lead to serious performance degradation as the scan attempts to open all files in the view.
  • Do not scan the MVFS "automatic view" drive ("R:" by default on Microsoft® Windows®). Scans on this drive will scan all the user's automatic views started on this system and all VOBs mounted in each view. The cleartext lookup/creation phase of a file open in MVFS can lead to serious performance degradation as the scan attempts to open all files in the view.
  • Avoid scanning mapped drives to the MVFS on Windows. Scanning drives mapped to views is generally considered redundant as long as the view storage directories are being scanned. Similar performance problems related to scanning the MVFS drive itself can manifest itself during mapped drives scans as well.
  • Avoid scanning /view mount point on UNIX® or Linux®, as this is a mirror of the root directory for the file system.
  • Avoid scanning /rview mount point on UNIX® or Linux®
  • Avoid scanning ClearCase Remote Client (CCRC) local view copy area storage directories and CCRC install directory. For optimal performance, consider disabling real-time scanning or avoid scanning the ClearCase Remote Client (CCRC) local view copy area storage directories and avoid scanning the directory into which CCRC is installed.
 

Back to top

Other Products that can interfere with ClearCase operations:

There is a new class of security software emerging that can cause failed-access conflicts with ClearCase, but strictly speaking is not "Anti-Virus"


Examples:
Symantec: Data Loss Prevention (DLP)
https://www.symantec.com/products/information-protection/dlp/data-loss-prevention

Intelligent Wave Inc: CWAT (CWAT is a Digital Assets Extrusion Security Management Solution that stands for“Cyber-crime Warning Alert Termination.” )
http://www.iwi.co.jp/en/product/detail/cwat.html

If you have these installed and are experiencing ClearCase issues, see if the problem persists if they are disabled or uninstalled.

Back to top

[{"Product":{"code":"SSSH27","label":"Rational ClearCase"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Application Conflicts","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"9.0;8.0.1;8.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
09 November 2023

UID

swg21149511

Page Feedback