[OpenAFS] OpenAFS/Windows antivirus compatibility question

Jeffrey Altman jaltman@secure-endpoints.com
Fri, 23 Nov 2012 01:12:55 -0500


This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig7F78D2E3849532DB93BFF321
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

There are no standard rules for how an anti-virus filter driver should=20
be
implemented.  Nor is there any documentation from the anti-virus vendors
regarding the assumptions that they make regarding the behavior of a=20
file
system.  As a result any given version of an AV product on any given=20
Windows
operating system revision (including hot fixes) with any file system is=20
a random
role of the dice.

AV products are not free.   Organizations pay significant sums of money=20
on
them.  There are two recommendations I will make to any organization=20
that
intends to deploy an AFS infrastructure:

1. Make it a condition of any purchase that the AV vendor test their
    products against OpenAFS on all platforms for which the product
    is being licensed.

2. Purchase a support contract for OpenAFS to ensure that any=20
interoperability
    issues with the AV product (or any other application) will be=20
promptly
    resolved.

The only AV product that has not had a production issue with OpenAFS on
Windows in the last 18 months is Microsoft Security Essentials.  There=20
is a reason
for that.  Microsoft tests against OpenAFS and they have accepted our=20
design
recommendations.

Jeffrey Altman


On Thursday, November 22, 2012 4:51:42 PM, Ian Crowther wrote:
> Hi,
>
> I have heard that compatibility between OpenAFS and Windows Antivirus
> products isn't assured. I'm trying to compile a list of the best option=
s.
>
> Has anybody got any suggestions for the list (below)? OS versions and
> Client versions would be nice to know too.
>
> Has anybody anecdotal evidence about AV to be avoided?
>
> Thanks,
>
> Ian
>
>    - Kaspersky
>       * 1.7.1400 release notes mention working around AV triggered
> deadlock
>    - ESET
>       *
> https://lists.openafs.org/pipermail/openafs-info/2009-August/031819.htm=
l
> had NOD32 working with (old) AFS client 1.5.60
>    - Symantec
>       *
> http://www.dartmouth.edu/comp/soft-comp/datastorage/afs/afs-windows.htm=
l
> states that recent versions work ("2010/04 and later")
>    - McAfee
>       *
> http://www.uni-tuebingen.de/en/faculties/faculty-of-science/departments=
/zentren/zentrum-fuer-bioinformatik-tuebingen/support/laptops/laptop-setu=
p/windows-laptops.html
> seem to be using McAfee VirusScan Enterprise and recommending OpenAFS
> 1.6.x under Windows XP/2003.
>    - Norton_AntiVirus
>       *
> http://help.unc.edu/help/what-do-i-need-for-my-non-cci-laptop-computer/=
 instructs
> their users to use the distributed OpenAFS (1.7.6) and Symantec
> Endpoint (11.0.6 MP1) under Vista.
>    - Trend Micro AntiVirus
>       * 1.7.0900 release notes mention working around AV triggered
> deadlock
>    - Sophos
>       * 1.7.1400 release notes mention working around AV triggered
> deadlock
>


--------------enig7F78D2E3849532DB93BFF321
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iQEcBAEBAgAGBQJQrxPsAAoJENxm1CNJffh4WbcIAKAmyvlkHn6QJJR2DMvCHfSN
WtLdjw+c6xc3iw5fN6VAYZI9+y0M5FZ+7lm5eNn7nxss3IHZFH1b4UP0fi+vBQbC
ChOhMw+wk2svld12+IJvNvORfeB3x31eIrFg8owLX8QQy1p4g5hwlRcxko3LXVwr
G5mM6x+tgLO5Xf+kz50YclnynJ1dH2utO2kVs2CZ1PaWjoCXyKAk9wRIvGahcbBt
uJmiTx+xbI0SooQ9gCQ5JTwNoE3R2AacR/hF7+IcUjLXbb20/St25T13YN3p+wqG
2l2alBvd3K+gadQQ33lyy62D4Rvd1tnkbULJq+3M7MxBFlwM2f8nau3XgTkGCS4=
=+ccn
-----END PGP SIGNATURE-----

--------------enig7F78D2E3849532DB93BFF321--