Post reply

Antivirus Scanning...File Exclusions...Why do it?

  • February 27, 2006 at 8:43 am

    #171248

    So, there's no question that we'll be running antivirus scanning on our database servers.  This question involves File Exclusions.

    Most people have written that you should be excluding your .MDF/.LDF/.NDF files from virus scanning.  However, I'm not sure I understand why.  The antivirus software won't be able to scan the file until it can gain access to it and if the DB is running the antivirus engine won't be able to get to it...

    The only thing I've read is that there can be issues if the antivirus engine starts a scan at startup that happens to begin before the DB server has grabbed control then the DB file and that may cause the DB to fail to start.  I personally have never seen that happen, though.

    The other files I was surprised no one talks about are the .BAK and .LOG (etc.) files that are written...But again, I don't think the antivirus engine will be able to read it until the DB engine has completed writing the file and at that point why would I care if the antivirus engine scans the file?

    I'll be honest, originally I was a hardcore proponent of excluding DB files from being scanned...But, the more I think about it the less concerned I am.  We even had a recent incident where we had a DB server in production that had an antivirus engine on it without any exclusions for several weeks and never had a problem and didn't notice any performance benefit when we created the exclusions...

    We have both SQL Server and Oracle here and I work on both (though primarily SQL Server)...And, the other DBAs who work primarily on Oracle get crazy when someone brings up the idea of not having the exclusions, though I'm no longer convinced that they are warranted concerns.

    Any thoughts?  Anyone know of any recent whitepaper "Best Practices" that deal with this issue?

    Thanks!

    Mike

  • February 27, 2006 at 10:48 am

    #623500

    There is an article about it:

    http://qa.sqlservercentral.com/columnists/bkelley/sqlserversecuritydealingwithantivirusprograms.asp

  • February 27, 2006 at 11:42 am

    #623509

    Thanks Jo...I had already read that article, but appreciate you pointing it out.  I had read it a few weeks ago and just re-read it as a refresher...

    Given that we aren't re-using .bak/.trn files and we aren't using the Full Text engine, I don't see a reason to exclude any files...I don't see the .MDF/.LDF/.NDF as being an issue at startup, though I can see how it could happen.  I bet there's some way you can get the antivirus software to delay its initial scan, though.

  • February 27, 2006 at 12:36 pm

    #623525

    Okay, you know the antivirus won't be able to scan your database files. But it will try. So, do you really gain anything from seeing all the error messages that it can't scan the .mdf/.ldf (and .ndf if any) files?

    I know it can't scan those files, so why have it keep confirming that to me?

    -SQLBill

  • February 27, 2006 at 12:59 pm

    #623531

    That's a good question.

    It's more of a question of maintenance and overall protection...And, the assumption that virus/spyware/malware developers *WILL* at some point create a virus that uses a common DB file extension.

    1. Do I want to exclude the DB files in any directory?  No...
    2. Do I want to exclude the DB files in the Data directory?  No...Again, it's not hard to drop a virus file into the default data directory.  Though, if you are hardened appropriately rights should be limited.
    3. Do I want to maintain specific file exclusions for every database server that I have?  No, not really.  I have roughly 70 SQL Server instances, the number of actual databases and database files is obviously much greater than that.  And, that isn't even taking into consideration the Oracle databases.  Having to alter the antivirus exclusion whenever I move a file or create a new database is not going to be a small task, especially since the Security team here is solely responsible for those modifications.

    Anyway, that's where all this is coming from...I'm just trying to find out if there is an inherent and real risk of having an AV engine not exclude database files...

    Furthermore, I've heard rumors that some AV companies are creating scans for DBs themselves, which is probably a wise thing at some point because of all the BLOB data that is being stored in these databases...

  • February 28, 2006 at 12:54 am

    #623600

    As far as I can tell it's not the full scan that does the damage to performance - it's the realtime scan! We found a major performance problem with a server that had been set up wrong and databases weren't excluded. Everytime any change happened to the data files the anti-virus spent 30+ secs (it's max time per file) trying to scan the file and locked it completely for database access!

    Performance improved amazingly when the DB files were excluded.

    Cheers


    The Aethyr Dragon

    Cape Town
    RSA

  • February 28, 2006 at 7:02 am

    #623672

    The Aethyr Dragon:

    What database system was that?  What AV engine did you have on the server?

     

    Thanks,

    Mike

  • February 28, 2006 at 7:17 am

    #623678

    Hi,

    Had two different occurances at two different companies. Both SQL 2000 one was with McAfee and other with Symantec.

    Cheers


    The Aethyr Dragon

    Cape Town
    RSA

Viewing 8 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic. Login to reply