I hate running antivirus on SQL Servers. I agree antivirus is a necessary evil on most systems, but I don't like running standard antivirus on Exchange, SQL Server, or Active Directory domain controllers. My SharePoint admin friends have made good arguments to avoid it there, too. But a lot of corporate policies say you have to have it. Fine, if that's the case, here are the exclusions I would ensure are enforced:
- Any .mdf files
- Any .ndf files
- Any .ldf files
- Any .bak files (if you use this as a backup extension)
- Any .trn files (if you use this as a backup extension)
- Any .sqb (SQL Backup) or other third party extensions for backup files
- Any .ckp files (used to be able to restart a restore if a failure occurs)
- Any directories tied to FILESTREAM
- Any directories tied to full text
- Any .log files
Any others folks can think of?
As to my preferences, I would rather an external scan be conducted against the drives of the SQL Server, which is possible in most enterprise antivirus products. This keeps the AV load off the SQL Server and keeps AV from filtering at both the disk and network interfaces.