Using CTE with PowerTech Antivirus
When Powertech Antivirus is configured to use on-access scanning, CipherTrust Transparent Encryption Data Transformation may find files within the Data Transformation GuardPoint that are busy. These files are not processed by Data Transformation and are left unencrypted.
This problem only occurs if Powertech is configured to use on-access scanning.
This problem does not occur when using on-demand scanning.
Issue
When Powertech uses on-access scanning, it opens a file and keeps it open. Before the Data Transformation program encrypts a file, it checks to see if the file is in use by another process. If the file is in use, Data Transformation does not encrypt the file but instead appends the file's path to the dataxform_status_error-<guardpoint> file located in /var/log/vormetric/.
This prevents any retry of Data Transformation from succeeding.
Resolving PowerTech/Data Transformation "in-use" Errors
For the following scenario, Powertech is configured with on-access scanning and both Powertech and the Thales CTE agent have been installed at default locations. The example assumes the Data Transformation GuardPoint is /test-dataxform.
Running Data Transformation with Powertech Antivirus code deactivated
-
Type the following to prevent the Powertech package from starting on system boot.
/opt/sgav/avsvcctl disable
-
Reboot the system.
-
After the system restarts, verify that Powertech is not running, type:
/opt/sgav/avsvcctl status
Response
The following output indicates Powertech is not running:
Subsystem Group PID Status
avsvc powertech inoperative
Device driver is not loaded
-
Perform a Data Transformation conversion on the Data Transformation GuardPoints.
Example
dataxform --rekey --gp /test-dataxform
-
Enable Powertech to start after system boot, type:
/opt/sgav/avsvcctl enable
-
Start Powertech, type:
/opt/sgav/avsvcctl start
Response
There is a delay before Powertech is completely loaded and active. The Powertech status may be found by the following command.
-
Verify the status, type:
/opt/sgav/avsvcctl status
Response
The Powertech avsvc subsystem should be `active' and the device driver loaded:
Subsystem Group PID Status
avsvc powertech 5964286 active
Device driver is loaded
The avsvc subsystem is configured to run at boot
Recovering from Data Transformation/Powertech Antivirus code errors
A Data Transformation rekey performed while Powertech is active can result in failed file conversion due to "busy" faults. The following section describes how to recover from this type of error.
There are many reasons that a data transformation may fail. This topic only considers the failure due to the interaction of Powertech with CTE. For other error recovery procedures, refer to the Data Transformation guide.
The following section illustrates the process using an example data transformation and describes the steps needed to recover. The Data Transformation GuardPoint is /test-dataxform.
-
Run Data Transformation.
dataxform --rekey --gp /test-dataxform
Response
Checking if /test-dataxform is a guardpoint with a rekey policy applied
/test-dataxform is a guardpoint with a rekey policy applied
About to perform the requested data transform operation
– Be sure to back up your data
– Please do not attempt to terminate the application
Do you wish to continue (y/n)?y
Scan found 19 files (14 MB) in 1 directories for guardpoint /test-dataxform
File /test-dataxform/xab is busy
File /test-dataxform/xaa is busy
Transformed 17 files (13 MB) of 19 files (14 MB) for guardpoint /test-dataxform
Data transform got errors on some files
File /test-dataxform/xab is busy
File /test-dataxform/xaa is busy
Number of files in error due to file being busy: 2
The data transform operation took 0 hours, 0 minutes and 3 seconds
The data transform program ran from Thu Feb 16 10:58:12 2023 until Thu Feb 16 10:58:15 2023
Data transform for guardpoint /test-dataxform finished but 2 files were not processed due to errors
-
Inspect the error file (dataxform_status_error-_test-dataxform) for /test-dataxform.
The file is located in /var/log/vormetric. The file contains the error messages generated by Data Transformation.
Example
Skipped, file is busy : /test-dataxform/xab
Skipped, file is busy : /test-dataxform/xaa
Other Data Transformation errors may be present besides those caused by the Powertech antivirus code.
-
Create a "todo" file. Using Data Transformation, extract the names of the files that need to be retried for conversion.
dataxform --recovery --file_list my-output --gp /test-dataxform
This generates two files in the local directory:
my-output_done
my-output_todo
The my-output_todo file contains the list of files to retry applying Data Transformation:
/test-dataxform/xaa
/test-dataxform/xab
The my-output_todo file may need to be edited to remove entries not caused by the "Skipped, file is busy" error.
-
Turn off Powertech on boot, type:
/opt/sgav/avsvcctl disable
-
Reboot the system.
-
Verify the status.
/opt/sgav/avsvcctl status
Response
Subsystem Group PID Status avsvc powertech inoperative Device driver is not loaded
-
Re-issue Data Transformation to transform files listed in the my-output_todo file.
dataxform --rekey_list --gp /test-dataxform --file_list ./my-output_todo
Response
Checking if /test-dataxform is a GuardPoint with a rekey policy applied
/test-dataxform is a GuardPoint with a rekey policy applied
Previous status information does not relate to a --rekey_file operation.
Number of files previously in error due to file being busy: 2
About to perform the requested data transform operation
– Be sure to back up your data
– Please do not attempt to terminate the application
Do you wish to continue (y/n)?y
Starting data transform of /test-dataxform for files listed in ./my-output_todo
The data transform operation took 0 hours, 0 minutes and 2 seconds
The data transform program ran from Thu Feb 16 12:33:47 2023 until Thu Feb 16 12:33:49 2023
-
Re-enable Powertech on boot.
/opt/sgav/avsvcctl enable
-
Start Powertech.
/opt/sgav/avsvcctl start
There is a delay before Powertech is completely loaded and active. The Powertech status may be found by the following command:
/opt/sgav/avsvcctl status
The Powertech avsvc subsystem should be `active' and the device driver loaded:
Response
Subsystem Group PID Status
avsvc powertech 5964286 active
Device driver is loaded
The avsvc subsystem is configured to run at boot
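The recovery step that edits my-output_todo by hand, so that it keeps only the entries caused by the "Skipped, file is busy" error, can be scripted. The following is an added example, not part of the original documentation or the product. It assumes the error file holds one message per line in the form shown above and that the todo file lists one path per line. The function names filter_todo and demo and the non-busy sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: keep only the todo entries whose recorded error was
# "Skipped, file is busy", so unrelated failures are not blindly retried.
# Assumptions: one message per line in the error file, one path per line
# in the todo file.

# filter_todo ERROR_FILE TODO_FILE
# Prints, in todo-file order, each path that the error file reports as busy.
filter_todo() {
    awk -v p='Skipped, file is busy : ' '
        # First file: remember the path from every "busy" message.
        NR == FNR {
            if (index($0, p) == 1) busy[substr($0, length(p) + 1)] = 1
            next
        }
        # Second file: print the entry only if it was reported busy.
        $0 in busy
    ' "$1" "$2"
}

# demo: run filter_todo on constructed sample data mirroring the page example.
demo() {
    d=$(mktemp -d) || return 1
    # Constructed error file; the last line is an invented non-busy error.
    printf '%s\n' \
        'Skipped, file is busy : /test-dataxform/xab' \
        'Skipped, file is busy : /test-dataxform/xaa' \
        'CONSTRUCTED other error : /test-dataxform/xac' > "$d/err"
    # Constructed todo list as produced by the --recovery step.
    printf '%s\n' /test-dataxform/xaa /test-dataxform/xab \
        /test-dataxform/xac > "$d/todo"
    filter_todo "$d/err" "$d/todo"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

Redirect the output of filter_todo to a new file and review it before passing it to dataxform with --file_list.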