When you use Smart Scan and InterScan Web Security Virtual Appliance (IWSVA) fails to connect to the Smart Scan server three consecutive times, IWSVA automatically switches to Conventional Scan.
You want to know how to stop IWSVA from automatically changing the scan method from Smart Scan to Conventional Scan.
Smart Scan contacts the Global Smart Protection Server or the Local Smart Protection Server via HTTP when it needs to scan unknown threats. IWSVA checks whether it can access the server every five minutes.
If the check fails three consecutive times, IWSVA automatically changes the scan method to Conventional Scan. To return to Smart Scan, you must set it again manually in Administration > IWSVA Configuration > Scan Method.
IWSVA uses the Global Smart Protection Server by default, which might cause frequent switches to Conventional Scan when IWSVA runs on an unstable network.
The following methods help prevent the switch.
Implement Local Smart Protection Server
Implement a Local Smart Protection Server (another Trend Micro product) along with IWSVA and select "Smart Scan with Local SPS" in Administration > IWSVA Configuration > Scan Method.
This should prevent the switch because Smart Scan's HTTP access then stays within the local network.
You can also set a secondary Local Smart Protection Server using the "Enable Local SPS HA" option in Administration > IWSVA Configuration > Scan Method.
Disable the automatic failover to Conventional Scan
IWSVA 6.5 Service Pack 2 (SP2) Patch 1 provides a feature that disables the automatic failover to Conventional Scan.
After applying SP2 Patch 1, do the following to disable the automatic failover:
- Log on to IWSVA as root via SSH (for example, with an SSH client such as PuTTY).
- Create a backup of /etc/iscan/intscan.ini:
  # cp /etc/iscan/intscan.ini /etc/iscan/intscan.ini.bak
- Use vi to edit the file /etc/iscan/intscan.ini:
  # vi /etc/iscan/intscan.ini
- Add the following line in the [Scan-configuration] section:
- Save the file and quit.
- Run the following commands to reload the FTP/HTTP scan service:
  # /etc/iscan/S99ISproxy stop
  # /etc/iscan/S99ISproxy start
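The backup and edit steps above can be scripted so that the change is repeatable and never duplicated. The following is an added example, not part of the original article and not Trend Micro code; add_ini_line is a hypothetical helper and SETTING_PLACEHOLDER=value is a placeholder for the actual line, which must be taken from the vendor's instructions.

```shell
#!/bin/sh
# Added example, not vendor code. SETTING_PLACEHOLDER=value stands in for the
# real line, which must be taken from the vendor's instructions.

# add_ini_line FILE SECTION LINE
# Returns 0 if LINE was added or is already in SECTION, 1 on any failure.
add_ini_line() {
    file=$1; section=$2; line=$3
    [ -f "$file" ] || return 1
    grep -qxF -e "[$section]" "$file" || return 1   # the section must exist
    # If the line is already inside the target section, change nothing.
    if INI_SEC="[$section]" INI_LINE="$line" awk '
        /^\[/ { in_s = ($0 == ENVIRON["INI_SEC"]) }
        in_s && $0 == ENVIRON["INI_LINE"] { found = 1 }
        END { exit !found }' "$file"; then
        return 0
    fi
    cp -p "$file" "$file.bak" || return 1           # backup, as in the manual steps
    tmp=$(mktemp "$file.XXXXXX") || return 1
    INI_SEC="[$section]" INI_LINE="$line" awk '
        { print }
        $0 == ENVIRON["INI_SEC"] && !done { print ENVIRON["INI_LINE"]; done = 1 }
        ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Demo on a constructed file in a scratch directory (not the live config).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '[http]' 'a=1' '[Scan-configuration]' 'b=2' '[ftp]' 'c=3' \
        > "$dir/intscan.ini"
    add_ini_line "$dir/intscan.ini" Scan-configuration 'SETTING_PLACEHOLDER=value' &&
        cat "$dir/intscan.ini"
    rm -rf "$dir"
}
demo
```

On the appliance, the file argument would be /etc/iscan/intscan.ini, followed by the S99ISproxy stop and start commands from the steps above.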
The following is what happens when the Smart Scan server cannot be reached:
- Websites take a long time to display, until the connection to the Smart Scan server times out.
- As the malicious content information is not included in the CRC cache generated by the Smart Scan query, the security level is temporarily decreased until the Smart Scan server comes back online.
- However, pattern file matching and CRC cache still work and cover malicious content detection.