Preventive Service Planning
What is the support policy for Anti-Virus Scanners installed on IBM Rational ClearCase clients and servers and are there any transcripts of known configurations for Virus scanners that are compatible with VOB and View servers?
ClearCase is not certified at this time to run with any specific Anti-Virus applications. The Rational ClearCase product team is currently testing with some major anti-virus vendors to ensure there are no major issues with the anti-virus product and ClearCase.
The information in this technote is a compilation of support knowledge related to the configuration of Anti-Virus applications to successfully work alongside Rational ClearCase.
This is a consolidation of documents written to capture lessons learned and to help you avoid known problems when Anti-Virus applications are configured on a ClearCase host. ClearCase can coexist with a running anti-virus program; however, there are some considerations to plan for.
Note: If problems caused by anti-virus configuration issues occur in your ClearCase environment, resolution of those issues is beyond the scope of Rational Client Support. Rational Client Support can assist in determining what the specific anti-virus ClearCase problem is; however, you should work with your anti-virus vendor to determine how to resolve the issues.
Topics Covered in this technote
The general issues to consider when configuring Virus scanners on a ClearCase server are:
When and How to Scan:
- When possible, scan manually or on a scheduled basis during down time (non-work time). This limits the performance impact that virus scanning can impose during normal operations, especially on ClearCase use. The impact could be significant depending on client speed, network bandwidth, server performance, and the number of clients accessing VOBs and views on any given host.
- ClearCase should be shut down on the host being scanned. This avoids any possibility of the scanner affecting or being affected by ClearCase.
When and How NOT to Scan:
- "Realtime" or "on-access" scans should be avoided. Depending on how aggressive the virus scanner is, "on-access" scanning can disable ClearCase cleartext and source container creation. The final step in the on-access operation is typically to rename temporary containers and ClearCase creates many of these containers as part of its process. Also, on-access scans may lock a file to perform some operations resulting in the inability of ClearCase to rename the file. This may result in errors from vob_server regarding "operation 'rename_container' failed."
- The virus scanner should not be configured to attempt cleaning or deletion of infected files. These options can lead to corrupted or missing source containers and/or derived objects, which in turn can lead to a dramatic increase in recovery time because the corrupted or missing containers have to be rebuilt.
What to Scan:
- Scan the VOB source pools. Be aware that binary files that have been added to source control may be compressed and inaccessible to the virus scanner unless the scanner can scan inside of zip files.
- Scan VOB cleartext pools. Be aware that the file names in this directory bear little relation to their real names, so a scan by extension (.txt, .exe, etc.) will not properly scan.
- Scan VOB DO pools. This may protect against file infectors that may find a freshly built executable during a build and make a few minor changes. If that file is then winked in through another build, a virus-infected file would be publicly available. This would at least provide notification.
- Scan View storage directories. This would catch new files added to a directory by a virus and view private files modified by a virus.
What NOT to Scan:
- Do not scan the MVFS "dynamic view" drive ("M:" by default on Microsoft® Windows®). Scans on this drive will scan all the dynamic views started on this system and all VOBs mounted on this system. The cleartext lookup/creation phase of a file open in MVFS can lead to serious performance degradation as the scan attempts to open all files in the view.
- Do not scan the MVFS "automatic view" drive ("R:" by default on Microsoft® Windows®). Scans on this drive will scan all the user's automatic views started on this system and all VOBs mounted in each view. The cleartext lookup/creation phase of a file open in MVFS can lead to serious performance degradation as the scan attempts to open all files in the view.
- Avoid scanning mapped drives to the MVFS on Windows. Scanning drives mapped to views is generally considered redundant as long as the view storage directories are being scanned. Performance problems similar to those seen when scanning the MVFS drive itself can also appear during scans of mapped drives.
- Avoid scanning /view mount point on UNIX® or Linux®, as this is a mirror of the root directory for the file system.
- Avoid scanning /rview mount point on UNIX® or Linux®.
- Avoid scanning ClearCase Remote Client (CCRC) local view copy area storage directories and the CCRC install directory. For optimal performance, consider disabling real-time scanning of, or avoid scanning altogether, the CCRC local view copy area storage directories and the directory into which CCRC is installed.
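The scan guidance above can be checked mechanically against a scanner's configured jobs. The following is an added example, not IBM or ClearCase code: the ScanJob record, the function names and all sample paths are assumptions made for illustration, and the MVFS defaults (M:, R:, /view, /rview) are the ones named in this technote.

```python
import posixpath
from dataclasses import dataclass
from pathlib import PureWindowsPath
# Defaults named in the technote; a site may have remapped them.
MVFS_DRIVES = {"M:": "dynamic view", "R:": "automatic view"}
MVFS_MOUNTS = ("/view", "/rview")

@dataclass
class ScanJob:
    """Hypothetical, scanner-neutral description of one configured scan."""
    target: str      # path the scanner is pointed at
    on_access: bool  # True = realtime/on-access, False = manual/scheduled
    action: str      # "report", "clean" or "delete"

def mvfs_reason(target, mapped_drives=()):
    """Return why target lies inside the MVFS, or None if it does not."""
    if len(target) >= 2 and target[1] == ":":  # Windows drive path
        drive = PureWindowsPath(target).drive.upper()
        if drive in MVFS_DRIVES:
            return f"{drive} is the MVFS {MVFS_DRIVES[drive]} drive"
        if drive in {d.upper() for d in mapped_drives}:
            return f"{drive} is a drive mapped to the MVFS"
        return None
    # Compare whole path components so /viewstore is not mistaken for /view.
    parts = posixpath.normpath(target).split("/")
    for mount in MVFS_MOUNTS:
        if parts[:2] == ["", mount[1:]]:
            return f"{mount} is an MVFS mount point"
    return None

def audit(jobs, mapped_drives=()):
    """Return (target, finding) pairs for jobs that go against the guidance."""
    findings = []
    for job in jobs:
        reason = mvfs_reason(job.target, mapped_drives)
        if reason:
            findings.append((job.target, "do not scan: " + reason))
            continue
        if job.on_access:
            findings.append((job.target, "on-access scan can block container renames"))
        if job.action in ("clean", "delete"):
            findings.append((job.target, job.action + " can corrupt or remove containers"))
    return findings

# Constructed sample configuration; every path here is made up.
SAMPLE_JOBS = [
    ScanJob("M:\\", False, "report"), ScanJob("/view/alice_view/vobs/src", False, "report"),
    ScanJob("/viewstore/alice.vws", False, "report"), ScanJob("/vobstore/src.vbs", True, "clean"),
]
```

Drive letters that a site has mapped to views are not discoverable from the path alone, so they are passed in through mapped_drives.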