How to configure a NetBackup Malware scan-host on Linux using share type NFS and Avira malware scanner?
Description
The NetBackup malware scanning feature requires an additional host (a scan-host). The scan-host is separate from the NetBackup servers and does not have any NetBackup product installed. It requires a malware scanner to be installed and must be reachable from the NetBackup media server over SSH.
Note: A "how to" video tutorial has been embedded at the bottom of this article.
Prerequisites
- RHEL 8.x or higher with 8 processors, 32 GB RAM
- Should be reachable over SSH
- Internet connectivity is needed for automatic updates of Avira signature files.
- Minimum 10 GB allocated to the /tmp partition.
- /tmp should have execute permissions for non-root users
- Download the latest available version of NetBackup Malware Scanner tool (Avira). Example: NBAntiMalwareClient_2.4.zip from https://www.veritas.com/support/en_US/downloads.
- Update the HOSTS file entries with the correct hostname, FQDN and IP addresses on all hosts (Primary server, Media servers, and scan hosts). If the scan host has multiple NICs and if you wish to use a specific NIC for scan traffic, then mention that IP address in the HOSTS file.
Scan host configuration
1. Install NFS client:
$ yum install nfs-utils -y
2. Install libnsl:
$ yum install libnsl -y
3. Create non-root user account for performing a scan:
$ useradd scanuser
4. Set password of scan user (username: scanuser):
$ passwd scanuser
5. Provide mount and unmount access to scanuser:
$ vim /etc/sudoers
Add a line "scanuser ALL=(ALL) NOPASSWD: /bin/umount, /bin/mount"
Install the malware tool as scanuser:
$ su scanuser
6. Extract and run the installer from the package downloaded from https://www.veritas.com/support/en_US/downloads to /home/scanuser/:
$ unzip NBAntiMalwareClient_2.4.zip
$ cd NBAntiMalwareClient_2.4_LinuxR_x86/
$ sh setup.sh
Optional: If the malware scanner is already installed and needs to be upgraded:
$ unzip NBAntiMalwareClient_2.4.zip
$ cd NBAntiMalwareClient_2.4_LinuxR_x86/
$ sh setup.sh
>> NetBackup Malware Scanner is already installed. Do you want to update it? (y/n): default: y
Note: To replace all binaries at target location, enter option -ALL
7. Copy RSA key:
$ hostname
Copy the hostname to notepad for later use.
$ ssh-keyscan <hostname> 2>/dev/null | grep ssh-rsa | awk '{print $3}' | base64 -d | sha256sum
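Note: Copy the RSA key to notepad for later use. The value printed by this command is the SHA-256 hash, in hexadecimal, of the scan host's RSA public host key.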
8. Validate malware scanner configuration through WebUI as follows:
- The Validate configuration feature in the NetBackup WebUI is available in NetBackup v10.4 and higher. If the NetBackup version is below 10.4, create a small backup image using a policy of type Standard or MS Windows and trigger a scan using that image. If the Validate configuration or the malware scan job fails, the job will contain the details needed to troubleshoot.
9. Creating a scan host pool:
WebUI --> Detection and reporting --> Malware detection settings --> Malware scan settings (drop down) --> Malware scanner host pools
Provide a name for the scan host pool and the share type
Add a scan host to the pool (you may add multiple scan hosts for load balancing purposes)
Add credentials for the scan host (all screenshots below were taken from a non-production lab environment)
Refer to the notepad info that you saved earlier in step 7
Next, add the media server name and then Save and validate configuration of the newly added scan host.
Validate the configuration of the scan host
Choose a backup image based on the backup ID and run a scan.
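The pipeline in step 7 prints a hash even when no ssh-rsa line was returned (it hashes empty input), so the value saved to notepad can be wrong without any error. The following is an added example, not Veritas code: it computes the same hex SHA-256 value, refuses empty or undecodable input, and compares the key served over SSH with the key on disk. The function names and the default key path /etc/ssh/ssh_host_rsa_key.pub are assumptions.

```shell
#!/bin/sh
# Added example, not Veritas code. Function names are hypothetical.

# SHA-256 of zero bytes: what the one-line pipeline prints when grep
# matches no ssh-rsa line (for example, the RSA host key is disabled).
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# Read key lines on stdin and print the hex SHA-256 of the first ssh-rsa
# key blob. Accepts both layouts:
#   ssh-keyscan output: "<host> ssh-rsa <base64>"
#   *.pub file:         "ssh-rsa <base64> [comment]"
# Returns 1 instead of hashing empty or undecodable input.
rsa_fingerprint() {
    blob=$(awk '{ for (i = 1; i < NF; i++) if ($i == "ssh-rsa") { print $(i + 1); exit } }')
    [ -n "$blob" ] || { echo "no ssh-rsa host key found" >&2; return 1; }
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 ||
        { echo "key blob is not valid base64" >&2; return 1; }
    printf '%s' "$blob" | base64 -d | sha256sum | awk '{ print $1 }'
}

# Sanity-check a value already saved from the pipeline ("<hex>  -" is fine).
valid_saved_fingerprint() {
    fp=$(printf '%s\n' "$1" | awk '{ print $1 }')
    case $fp in ''|*[!0-9a-f]*) return 1 ;; esac
    [ "${#fp}" -eq 64 ] && [ "$fp" != "$EMPTY_SHA256" ]
}

# Run on the scan host: the key served over the network must match the key
# on disk. The default path is the stock OpenSSH location (assumption).
verify_host_key() {
    host=$1
    pub=${2:-/etc/ssh/ssh_host_rsa_key.pub}
    net=$(ssh-keyscan -t rsa "$host" 2>/dev/null | rsa_fingerprint) || return 1
    disk=$(rsa_fingerprint < "$pub") || return 1
    [ "$net" = "$disk" ] ||
        { echo "MISMATCH network=$net disk=$disk" >&2; return 1; }
    echo "$net"
}
```

Source the file on the scan host and run `verify_host_key <hostname>`; it prints the fingerprint only when both sources agree.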
Video tutorial:
The log excerpts, information and/or screenshot(s) above were taken from a non-production test lab environment and are used for example purposes only.