Guest Editorial: Do You Run Antivirus Software on Your SQL Servers?
Posted Monday, February 9, 2009 1:52 PM
I've rarely run AV on a server, except for file servers. And then mostly to prevent the spread from workstation to workstation.

For SQL, we've prevented browsing from most of the servers, prevented people from actively doing things on them except with RPC, so AV hasn't made a lot of sense for us.

If you do it, definitely exclude folders or extensions. You don't want to necessarily do files unless your backups are all run on the same names.

Follow me on Twitter: @way0utwest
Post #653210
Posted Monday, February 9, 2009 2:12 PM
Huh, I always assumed that we did run AV on the server boxes. Went to check, and it appears that we don't. It doesn't alarm me, since the servers are dedicated and sit behind the firewall. Still, I can't get rid of a nagging thought - in the unlikely event that we do get a virus, it would be very difficult to explain to TPTB why it was unnecessary to scan the servers. :D
Post #653221
Posted Monday, February 9, 2009 2:23 PM
We run AV on all our servers.
For db servers we exclude the db file locations as well as the location of the backup files.

We recently had an issue with one (of many) SQL2000 instances which lost connectivity (unless time had been set to > 20sec) after installing McAfee 8.5 (+6upd).
Still looking for a valid solution...


Johan

Don't drive faster than your guardian angel can fly ...
but keeping both feet on the ground won't get you anywhere
Post #653235
Posted Monday, February 9, 2009 2:58 PM
Excellent topic and some very interesting posts.

Post #653268
Posted Monday, February 9, 2009 3:31 PM
Your answers are all over the place, which is mostly what I expected to see. In my editorial, I avoided telling you what I have traditionally done because I didn't want to bias anyone's response. I generally have gone with option "2". I don't run any antivirus locally, but scan remotely once a week during maintenance periods. In addition, I harden each of the SQL Servers as much as possible. In my close to 14 years of managing SQL Servers, I have never had a virus problem yet, even when other servers in the company were having virus issues. Of course, now that I say this, one of my servers will probably get a virus.

Brad M. McGehee
DBA
Post #653285
Posted Monday, February 9, 2009 3:52 PM
On our own dedicated SQL servers we don't run AV. When working with external clients who already have it present on their system, we recommend excluding the data/log/backup dirs.
Post #653295
Posted Monday, February 9, 2009 4:26 PM
When I administered SQL boxes in the past, I turned off the real-time scan on the SQL-only boxes and disabled scanning for the MSSQL/Data folder during regular nightly scans.
Seemed a good trade-off for performance. Granted, the SQL boxes were behind a firewall and had no direct file access by regular (non-admin) clients.
Post #653313
Posted Monday, February 9, 2009 4:36 PM
Given that the last few successful virus/worm threats attacked SMB/RPC, I believe in running AV on the SQL Server, while setting the AV software not to scan the appropriate file types SQL Server cares about. For instance, Conficker attacks SMB, and therefore, if your SQL Server is on the domain and talking to DCs and other systems (even app servers) using Windows authentication, accessible to most patch management software, remote management, etc., it's going to use those protocols. If you've got a 0-day, then the AV definition may be the only thing that catches and smacks down the virus/worm.

I'd rather take the small performance hit from properly configured AV software than take the larger risk of the server compromise because someone brought in an infected USB drive, accessed the wrong site on the Internet before it could be properly categorized (especially normally legitimate sites like .edu ones, which are often compromised because (a) they aren't being watched as carefully as a commercial site and (b) until reclassified the site is seen as legitimate by the web filtering software most organizations use), or brought in an infected laptop that was in standby or hibernation mode.



K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
Post #653317
Posted Monday, February 9, 2009 10:28 PM
I think it all depends.

If your server is in a position where it is accessible to the net at large, then oh yeah, AV that bad boy, run it real time, because a scheduled task isn't going to help you if you are already compromised. Do it even if you are firewalled, because if a virus uses a valid connection port through the firewall and then uses some unknown/unpatched buffer overflow exploit, well, you are just as screwed.

If it is sitting on an internal IP address and is only connected to via an application server or internal management client, and even then only via a firewall, then it probably doesn't make much sense.

And if you are an admin that directly downloads random executables and runs them on your production SQL (or any) server without having scanned them, well, you get what you deserve.
Post #653409
Posted Tuesday, February 10, 2009 3:41 AM
Servers I've managed have always gone with a variation of 3(b). That is, AV is installed but settings are adjusted to minimize impact, e.g. only scan on writes to the hard disk, skip certain extensions, etc.

Derek
Post #653535
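Several posters above describe the same compromise: keep AV (real-time scanning included) on the box, but exclude the data, log and backup locations and the SQL file extensions. The script below is an added example, not code from any poster in this thread; it assumes Windows Defender on a current Windows Server (the Add-MpPreference / Get-MpPreference cmdlets) and reads the per-instance paths from the SQL Server registry keys rather than guessing a drive letter, so the exclusions stay as narrow as the posters recommend.

```powershell
# Added example (not from the thread). Assumes Windows Defender and an elevated
# shell; other AV products (e.g. the McAfee build mentioned above) need their
# own configuration interface but the same path/extension list.
param([switch]$DryRun)

# Extensions SQL Server writes continuously: data, secondary data, log,
# full/differential backup, log backup. On-access scanning of these is what
# causes the performance hit and the odd timeout/connectivity problems.
$sqlExtensions = @('mdf', 'ndf', 'ldf', 'bak', 'trn')
$root  = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$paths = [System.Collections.Generic.List[string]]::new()
$procs = [System.Collections.Generic.List[string]]::new()

# "Instance Names\SQL" maps each instance name to its instance ID
# (e.g. MSSQLSERVER -> MSSQL15.MSSQLSERVER); the per-instance keys hold the paths.
$instances = Get-ItemProperty -Path "$root\Instance Names\SQL" -ErrorAction Stop
foreach ($prop in $instances.PSObject.Properties) {
    if ($prop.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ...
    $id     = $prop.Value
    $engine = Get-ItemProperty "$root\$id\MSSQLServer" -ErrorAction SilentlyContinue
    $setup  = Get-ItemProperty "$root\$id\Setup"       -ErrorAction SilentlyContinue
    # DefaultData/DefaultLog exist only if the defaults were changed; otherwise
    # the files live under <SQLDataRoot>\DATA. BackupDirectory is always set.
    foreach ($p in @($engine.DefaultData, $engine.DefaultLog, $engine.BackupDirectory)) {
        if ($p) { $paths.Add($p) }
    }
    if ($setup.SQLDataRoot) { $paths.Add((Join-Path $setup.SQLDataRoot 'DATA')) }
    if ($setup.SQLBinRoot)  { $procs.Add((Join-Path $setup.SQLBinRoot 'sqlservr.exe')) }
}

# Only exclude what actually exists: a stale exclusion for a directory that is
# later reused for something else is a hole, not an optimisation.
$paths = @($paths | Where-Object { Test-Path $_ } | Sort-Object -Unique)
$procs = @($procs | Where-Object { Test-Path $_ } | Sort-Object -Unique)

if ($DryRun) {
    "Paths:      $($paths -join '; ')"
    "Extensions: $($sqlExtensions -join ', ')"
    "Processes:  $($procs -join '; ')"
    return
}

Add-MpPreference -ExclusionPath $paths -ExclusionExtension $sqlExtensions
if ($procs.Count -gt 0) { Add-MpPreference -ExclusionProcess $procs }

# Verify what is actually in effect: a silently failed exclusion is worse than
# none, and any path beyond this list is scope creep somebody should explain.
$pref = Get-MpPreference
$pref.ExclusionPath | Where-Object { $_ -notin $paths } |
    ForEach-Object { Write-Warning "Unexpected path exclusion present: $_" }
```

Run with -DryRun first to see exactly which directories would be excluded before touching the AV configuration; the process exclusion for sqlservr.exe is broader than the path exclusions (it covers anything that process touches), so drop that line if the path and extension exclusions alone already remove the performance problem.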