Antivirus Exceptions - Yes or No?


kevaburg
Hi Folks,

I heard an interesting conversation today about whether or not Antivirus Scanning exceptions (in this case provided by McAfee) are necessary or not.

The premise around saying "no" is that once SQL Server is up and running and the databases are online, SQL Server prevents an external program from directly accessing the datafiles directly hence preventing proactive antivirus scanning solutions from accessing the datafile. This is done by essentially "locking" the datafile in such a way so that only the SQL Server service user can access the files.

I come from the school whereby exceptions should be added in order to prevent performance problems resulting from constant threat scanning from an antivirus solution.

Does anyone have anything to say on the subject and any experiences one way or the other?

Regards,
Kev

anthony.green
kevaburg - Wednesday, December 6, 2017 6:51 AM
Hi Folks,

I heard an interesting conversation today about whether or not Antivirus Scanning exceptions (in this case provided by McAfee) are necessary or not.

The premise around saying "no" is that once SQL Server is up and running and the databases are online, SQL Server prevents an external program from directly accessing the datafiles directly hence preventing proactive antivirus scanning solutions from accessing the datafile. This is done by essentially "locking" the datafile in such a way so that only the SQL Server service user can access the files.

I come from the school whereby exceptions should be added in order to prevent performance problems resulting from constant threat scanning from an antivirus solution.

Does anyone have anything to say on the subject and any experiences one way or the other?

Regards,
Kev


I've always been on the "yes" side, especially with BAK and TRN files as had a few exceptions where the AV (also McAfee) was scanning the backup files while we were in the middle of a recovery scenario, and we couldn't recover as the file was locked.

There's also the "mass mail worm" blocker as well in McAfee which is a pain when enabled for sp_send_dbmail as you never get any mail, so that's another exclusion I add to the list.

You then also have the problem if, for some reason unbeknown to man, the auto close option has been set on the database you can get it being scanned while SQL is trying to re-start the database as a user has requested a connection to the closed DB.

Then there are the very rare occurrences where the SQL service doesn't auto start on boot up as the system isn't ready, (changed to Auto Delayed Start), so if you get that occurrence it could be an issue.

Just my 2 cents worth...



How to post data/code for the best help - Jeff Moden
Need a string splitter, try this - Jeff Moden
How to post performance problems - Gail Shaw
Managing Transaction Logs - Gail Shaw
Troubleshooting SQL Server: A Guide for the Accidental DBA - Jonathan Kehayias and Ted Krueger


Sue_H
Always exclude. I've used the MS recommendations if I got any push back:
How to choose antivirus software to run on computers that are running SQL Server

Here are the McAfee recs:
Recommended exclusions for Endpoint Security/VirusScan Enterprise on Microsoft SQL Servers

Sue



Perry Whittle
You should exclude sql server disk locations.
The AV software works by injecting itself into the sql server process and so is able to scan anything sql server is using

-----------------------------------------------------------------------------------------------------------

"Ya can't make an omelette without breaking just a few eggs" ;-)

Summer90
I always create exceptions for .bak and .ldf .mdf .ndf. I also exclude the main SQL Server folders from being scanned. Years ago someone deleted those exceptions and the server was running poorly.
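
An added example, not part of any poster's message and not vendor tooling: a product-agnostic Python check of whether a set of AV exclusions actually covers the file types named in this thread (.mdf, .ndf, .ldf, .bak, .trn). The matching rules, the sample paths and the `TOO_BROAD` policy list are assumptions constructed for illustration; each AV product interprets exclusion entries in its own way.

```python
import fnmatch
import ntpath

# File types the posters in this thread say they exclude.
REQUIRED_EXTENSIONS = (".mdf", ".ndf", ".ldf", ".bak", ".trn")
# Assumed local policy: entries that exclude far more than SQL Server needs.
TOO_BROAD = {"*", "*.*", "*.exe", "*.dll", "c:\\", "c:\\*", "c:\\windows\\*"}

# Constructed sample data (hypothetical exclusion export and file inventory).
SAMPLE_EXCLUSIONS = ["*.mdf", "*.ndf", "*.LDF", "D:\\SQLBackup\\", "*.exe"]
SAMPLE_FILES = [
    "D:\\SQLData\\Sales.mdf",
    "D:\\SQLData\\Sales_2.ndf",
    "E:\\SQLLogs\\Sales_log.ldf",
    "D:\\SQLBackup\\Sales_full.bak",
    "F:\\Staging\\Sales_20171206.trn",
]


def _norm(path):
    """Windows paths are case-insensitive: normalise separators and case."""
    return ntpath.normpath(path.strip()).lower()


def is_excluded(path, exclusions):
    """True if any entry covers the path (wildcard, exact file, or folder)."""
    p = _norm(path)
    for entry in exclusions:
        e = _norm(entry)
        if "*" in e or "?" in e:
            # Wildcard entry: try the full path and the bare file name.
            if fnmatch.fnmatchcase(p, e) or fnmatch.fnmatchcase(ntpath.basename(p), e):
                return True
        elif p == e or p.startswith(e.rstrip("\\") + "\\"):
            # Plain entry: exact file, or a folder covering everything below it.
            return True
    return False


def audit(files, exclusions):
    """Report coverage gaps and entries that are wider than necessary."""
    return {
        "still_scanned": [f for f in files if not is_excluded(f, exclusions)],
        "too_broad": [e for e in exclusions if _norm(e) in TOO_BROAD],
        # Extensions covered only in some folders (or not at all).
        "uncovered_extensions": [x for x in REQUIRED_EXTENSIONS
                                 if not is_excluded("x:\\probe\\file" + x, exclusions)],
    }
```

On the constructed sample, the staged .trn file is still scanned because backups are excluded by folder rather than by extension, and `*.exe` is reported as wider than SQL Server needs.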

kevaburg
Thanks for the opinions and ideas. It is always interesting to see how many different ideas and thoughts about the subject are out there!

I'll stick to my current plan I think..... :-)

Perry Whittle
Perry Whittle - Wednesday, December 13, 2017 9:40 AM

The AV software works by injecting itself into the sql server process and so is able to scan anything sql server is using

This is actually how it works ;-)


-----------------------------------------------------------------------------------------------------------

"Ya can't make an omelette without breaking just a few eggs" ;-)

kevaburg
Perry Whittle - Monday, December 18, 2017 8:38 AM
Perry Whittle - Wednesday, December 13, 2017 9:40 AM

The AV software works by injecting itself into the sql server process and so is able to scan anything sql server is using

This is actually how it works ;-)


I saw the word "injecting" and it brought me to another point. Is there an anti-virus solution that can detect SQL injection? I know Oracle has been marketing its Database Firewall for some time now and I was wondering if there is a comparable solution for SQL Server.

Steve Jones
AV usually runs as a filter driver in the IO stack, not an injection in process.

Always exclude.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com

Ed Wagner
I always exclude as well. In the interest of curiosity, we did do a bit of a test on one server when we were mandated (dictated is more like it) to switch AV software. It didn't take long to figure out that not having exceptions was a horrible idea. I got points for "playing nice" with the domain admins in the decision-making process. :-P That and confirmation were the only good things to come out of the experiment.


Tally Tables - Performance Personified
String Splitting with True Performance
Best practices on how to ask questions