CES and Anti-Virus Software

Coveo Enterprise Search (CES) is very unlikely to be infected by, or to contribute to the spread of, computer viruses or other malicious programs. Scanning Coveo index files for viruses is possible, but most likely unnecessary.

When the threat mitigation policy of your organization requires that you scan the CES index files for viruses, CES and anti-virus software operations must be carefully coordinated to prevent the significant CES issues described below.

CES/Virus Considerations

The documents that Coveo connectors download from indexed repositories to the Coveo Master server are saved to .tmp files while they are being indexed. These .tmp files are compressed disk buffers stored in the index temporary folder (typically D:\CES7\Temp), but can also be partly in RAM. Once indexed, the downloaded documents are deleted from the temporary files and/or memory. In the index, the content of downloaded documents is deconstructed to retain only the terms they contain and their positions. The cached HTML, or the Quick View built for non-HTML documents, is stored in a compressed format.

If a downloaded document were infected, the virus signature could not be detected unless the file was decompressed. The downloaded documents are not executed, so a virus could not be activated.

With its two-phase commit system for the index, CES constantly creates and deletes temporary and transaction files. An external process such as an anti-virus can block these operations by keeping a lock on scanned files. CES retries operations on locked files a number of times to prevent or minimize interference, but issues can still occur in some cases.

Index files are binary files in a proprietary format, a bit like database files. They are usually large. They are constantly modified while indexing. Modifications can occur anywhere in the file, not just at the end. Anti-virus software will often need to fully rescan these modified files and can interfere with CES processes.

There is a very small probability that a compressed CES file can randomly generate a pattern that matches a virus signature. In such a case, a virus detection would be a false positive.

CES keeps a fair amount of information in various memory caches. An anti-virus memory scan process can run on a Coveo server as long as it does not lock, modify, or delete memory content used by CES.

Possible Interferences

The following table presents the possible types of interference that a virus scan process can have on CES.

Anti-virus software operation | Possible impact on CES | Resolution
Scan index files | Reduced performance | None
Block access for CES to index files | Crash; mirror desynchronization | Restart CES; synchronize mirror
Modify, delete, or quarantine an index file | Index corruption | Rebuild the entire index

Recommendations

In light of the above considerations and possible interferences, our recommendations are:

  1. When possible, exclude the [Index_Path] folder (typically D:\CES7) from your virus scan processes.

  2. Otherwise, consider the following two alternatives: 

    Important: If you choose to scan Coveo files for viruses, your anti-virus process must never automatically modify, delete, move, or quarantine a Coveo index file. If a Coveo index file is detected as being infected, before performing any of these operations on the file, you must contact Coveo Support to ensure it will not cause CES to crash or, much worse, corrupt the index.

Scanning Coveo Files While the Index Is in Read-Only Mode

You can scan most (not all) Coveo index files for viruses when the index is in read-only mode.

  1. For each Coveo server, respect the following guidelines to configure your virus scan jobs:

    • Never scan the following Coveo index subfolders for viruses, even when the Coveo index is in read-only mode (CES can still modify their content and the scan process can cause interference):

    • Consider setting up a virus scan job that exclusively scans the following Coveo index subfolder while the index is in read-only mode:

      This virus scan job will be shorter, its duration more predictable, and therefore easier to coordinate with index mode changes.

    • Exclude the Coveo index files from all other virus scan jobs.

  2. Manually or automatically with a schedule, put the Coveo index in read-only mode (see Toggling the Index Between the Read-Write and Read-Only Modes).

    Note: Consider using a CES system schedule to automate the index mode toggling (see Modifying System Schedules).

  3. Validate that the Coveo index completed the pending operations and switched to the read-only mode (see Administration Tool - Details Menu).

  4. Manually or automatically with a schedule, start the Coveo server virus scan job.

    Note: When the Coveo index mode change is scheduled, evaluate the typical time needed by your Coveo index to switch to the read-only mode, and delay the start of the virus scan job accordingly.

  5. Validate that the anti-virus scan is completed and inspect the scan results.

    Important: If your anti-virus detects Coveo index files that must be modified, moved, or deleted, before performing any of these operations, contact Coveo Support to verify the impact of such interference with CES and get the required recovery steps.

  6. Manually or automatically with a schedule, put the Coveo index back in read-write mode (see Toggling the Index Between the Read-Write and Read-Only Modes).

    Note: When the Coveo index mode change is scheduled, evaluate the typical time needed to perform the scan, and delay the toggle of the Coveo index back to its read-write mode accordingly.

Scanning Coveo Files While the CES Service Is Stopped

When your Coveo deployment includes load-balanced mirrors, you can turn off the CES service on one mirror to be able to scan all of its Coveo index files while the other mirrors continue to provide search results.

  1. Remove the Coveo server that you want to scan for viruses from the load-balanced cluster.

  2. On that Coveo server, stop the CES service (see Stopping the CES Service).

  3. Perform the virus scan on the Coveo index files.

  4. Validate that the anti-virus scan completed and inspect the scan results.

    Important: If your anti-virus detects Coveo index files that must be modified, moved, or deleted, before performing any of these operations, contact Coveo Support to verify the impact of such interference with CES and get the required recovery steps.

  5. Restart the CES service (see Starting the CES Service).

  6. Put the Coveo server back in the load-balanced cluster.
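
Steps 2 to 5 above as a PowerShell script, added here as an example; it is not part of the Coveo documentation. It assumes Microsoft Defender is the anti-virus product. The CES service name and the log folder are parameters because this page does not give them, and steps 1 and 6 (load balancer) remain manual.

```powershell
# Added example: scan one mirror's index files while the CES service is stopped.
# Assumptions: Microsoft Defender is the anti-virus product; the CES Windows
# service name is not given on this page, so it must be passed in.
param(
    [Parameter(Mandatory)] [string] $ServiceName,   # CES service name (check services.msc)
    [string] $IndexPath = 'D:\CES7',                # typical [Index_Path] from this page
    [string] $LogDir    = 'C:\Temp\ces-av-scan'     # hypothetical log location
)

$ErrorActionPreference = 'Stop'
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir ("scan-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))

# Step 2: stop CES and confirm it is really stopped before scanning index files.
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(10))

try {
    # Step 3: custom scan (-ScanType 3) limited to the index folder.
    # -DisableRemediation reports detections without cleaning, deleting or
    # quarantining anything, and ignores configured file exclusions, so the
    # folder is scanned even if it is excluded from routine scan jobs.
    # Detections from such a scan go to the console only, hence the log file.
    & $mpCmdRun -Scan -ScanType 3 -File $IndexPath -DisableRemediation |
        Tee-Object -FilePath $log
    $scanExit = $LASTEXITCODE

    # Step 4: flag the result for a human; never act on index files from here.
    if ($scanExit -ne 0) {
        Write-Warning ("Scan exit code $scanExit (detections or scan error). " +
            "Review $log and contact Coveo Support before modifying, moving " +
            "or deleting any index file.")
    } else {
        Write-Output "Scan completed with no detections. Log: $log"
    }
}
finally {
    # Step 5: restart CES even if the scan failed; no index file was changed.
    Start-Service -Name $ServiceName
    (Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromMinutes(10))
}
```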
