Guest Editorial: Do You Run Antivirus Software on Your SQL Servers?

  • Comments posted to this topic are about the item Guest Editorial: Do You Run Antivirus Software on Your SQL Servers?

    Brad M. McGehee
    DBA

  • Yes, we run AV software on our SQL boxes. I was dead set against this for the longest time but most of the AV software folks have become intelligent about this now and allow you to eliminate scan on certain items and you can configure it so that you really don't impact your database server too much. There is always a hit which can't be avoided but we have had success doing this.

    Seriously, can anyone risk being hit with a virus on the SQL Server box? Not I.....

    David

    @SQLTentmaker

“He is no fool who gives what he cannot keep to gain that which he cannot lose” - Jim Elliot

Where I used to work, we ran AV software on SQL Server boxes as well. We were able to set up scanning exclusions for specific groups of servers, but by default had the default set of exclusions, rather than the SQL set (or the IIS set). This meant we had to let the server team know the server purpose before it got put to use.

    Occasionally got hit by AV updates that wanted servers rebooted(!), and then gave them the default set of exclusions...

  • In general I am against AV on a server, because the vast majority of the time it is useless. However, the very occasional time it is useful (eg. prevent a trojan jumping from server to server through your whole network) probably means that an AV engine is worthwhile.

    Personally, I'd much rather the applications running on the server were configured to be secure; but that is often asking too much. If the server sits behind a firewall, and the only ports exposed are to penetration-tested applications, then an AV is pointless (and liable to cause more problems than it solves; a forced reboot is just one of them).

    However, in the last few places I have worked, a "contract" is in place with the AV provider which stipulates the AV engine must be installed on every single server. No exceptions. So an AV engine on the SQL Server servers has become an inevitable pain that I have to live with.

    The AV engines I have experience of, generally don't even need MDF, LDF, etc files to be excluded. They sit quietly in the background, and as long as the hardware is up to it, don't cause me many problems.

    So I guess I fall into category 1.

    Andy

  • As I'm not in the corporate world at the moment, I can only speak to what I saw back when I was, and it was AV on every server, no exceptions. That company was working exclusively with Symantec's products. As I had been there for more than 20 years, my own server and my Vista machine with SQL Server on it, along with at least 2 other XP client machines, are all running Symantec EndPoint Protection, and wow, what a difference in resource usage. Back with SAV 10.1, the client SAV would take as much as 75 MEG, ALL the time, and since it wasn't looking at spyware, I had to add WebRoot SpySweeper, for another 25 meg. Now with EPP, my Vista machine uses well less than 20 meg, and my wife's XP machine is SO much faster, she can't believe it. FYI...

    Steve

    (aka smunson)

    :):):)

Steve (aka sgmunson) 🙂 🙂 🙂
    Rent Servers for Income (picks and shovels strategy)

My opinion is that while AV software is a must on a file server, it is useless on a "well-configured" SQL Server, since the treatment goes to be worse than the illness.

    By "well-configured" I mean:

    1. it's used only as SQL Server (no file-sharing, no IIS, etc.);

    2. the SQL Services are run under least privileged accounts;

    3. it's locked down by Security Configuration Wizard (to disable all unneeded services, and leave opened only needed IP ports);

4. it's patched with critical security updates just as they are released.

    With such a configuration there's no way for a virus to come into a system, which makes AV software useless. Alright, there're 2 "but-s":

    1. there might come up a virus which exploits unknown vulnerability;

2. not every company can afford such role-targeted servers.

As for the first, while there's such a probability, Microsoft has been doing well on this front for the past months, and as a rule, they release patches before the vulnerability is used by virus-makers; for the worst case one could use imaging backup software to quickly restore the system - anyway it would be less expensive than an AV software in terms of purchase, deployment, maintenance, support, server workloads - all mean money. As for the second "but"... well, the way out is consolidation and virtualisation of file-, print-, web-, infra- servers to free up a well-built box(es) dedicated to SQL Server only.

P.S. A couple of years ago, I went to a seminar of a famous AV company and talked to its analysts about using their AV software on various servers. They said, while an AV software is really a must on a file-server, it's absolutely unneeded on a domain controller and on a database server, =if= 1. these servers are strictly dedicated to their roles; 2. they are promptly patched. Since then, I followed their advice, and the time just confirmed it.

We have it installed and set to bypass the usual extensions and haven't had any issues. Hopefully there won't be an exploit that uses .MDF extensions to sneak by AV, it's probably a matter of time.

Along a similar subject, I'd be curious to hear what others' policies are on server monitoring for SQL boxen; we have standardized on IBM Director and I have banned it on SQL servers due to many problems I've seen with resource consumption, unplanned reboots, etc. It's a little invasive to say the least. Do any others use Director for monitoring SQL hardware? Any stories to share?

  • We set up the normal exclusions - some by file extension, some by directory exclusion. And then do a full scan over the weekend maintenance window.

    Seems like a common compromise.

    Running default settings was a noticeable hit. Lots of I/O and CPU was being consumed, especially during nightly ETL and Cube Builds.

    Greg E

We have a list of files explicitly skipped. Not just file extensions. Plus a complete scan during our maintenance window on Sundays. Plus the server sits behind firewalls, closed ports, and a rather surly attack Beagle. 😛

    Honor Super Omnia-
    Jason Miller

  • So far we are on the '3(b)' option (Other DBAs leave the AV software on their SQL Servers, but change the default settings so that the scans exclude .mdf, .ldf, .ndf, .bak, .trn, full-text catalog files, and any folders that include Analysis Services data).

    My remaining decision is to do a full weekly after hours scan of the entire server and SAN drives or not. Or do we just weekly scan for the file types that are excluded in real time? Will SQL Server 2005 Enterprise have trouble with an after hours scan that it would not have had with real time? We are using McAfee.

    Michael

  • I've rarely run AV on a server, except for file servers. And then mostly to prevent the spread from workstation to workstation.

    For SQL, we've prevented browsing from most of the servers, prevented people from actively doing things on them except with RPC, so AV hasn't made a lot of sense for us.

    If you do it, definitely exclude folders or extensions. You don't want to necessarily do files unless your backups are all run on the same names.
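One way to build the folder-based exclusion list discussed above (added example, my own T-SQL, not code from any poster): ask the instance where its data, log and disk backup files actually live, rather than guessing by extension. It assumes a SQL Server 2005 or later instance and read access to msdb; Analysis Services and full-text folders are not in this catalog and must be added by hand.

```sql
-- Added example: derive AV folder exclusions from the instance's own catalog.
-- Lists the distinct directories holding database files (.mdf/.ndf/.ldf)
-- and disk-based backup files (.bak/.trn) recorded in backup history.
SET NOCOUNT ON;

WITH paths AS (
    -- every data and log file the instance knows about
    SELECT physical_name AS p
    FROM sys.master_files
    UNION
    -- every backup file written to disk (device_type 2 = disk;
    -- tape and virtual devices are skipped)
    SELECT physical_device_name
    FROM msdb.dbo.backupmediafamily
    WHERE device_type = 2
)
SELECT DISTINCT
    -- keep everything up to and including the last backslash
    LEFT(p, LEN(p) - CHARINDEX('\', REVERSE(p)) + 1) AS exclude_folder
FROM paths
WHERE CHARINDEX('\', p) > 0
ORDER BY exclude_folder;
```

Re-run it after adding databases or changing backup destinations, since an exclusion list that lags the catalog leaves the new files scanned in real time.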

Huh, I always assumed that we did run AV on the server boxes. Went to check, and it appears that we don't. It doesn't alarm me, since the servers are dedicated and sit behind the firewall. Still, I can't get rid of a nagging thought - in the unlikely event that we do get a virus, it would be very difficult to explain to TPTB why it was unnecessary to scan the servers. 😀

  • We run AV on all our servers.

For db servers we exclude the db file locations as well as the location of the backup files.

    We recently had an issue with one (of many) SQL2000 instance which lost connectivity (unless time had been set to > 20sec) after installing McAfee 8.5 (+6upd)

    Still looking for a valid solution .....

    Johan

    Learn to play, play to learn !

    Dont drive faster than your guardian angel can fly ...
    but keeping both feet on the ground wont get you anywhere :w00t:

- How to post Performance Problems
- How to post data/code to get the best help

    - How to prevent a sore throat after hours of presenting ppt

press F1 for solution, press shift+F1 for urgent solution 😀

    Need a bit of Powershell? How about this

    Who am I ? Sometimes this is me but most of the time this is me

  • Excellent topic and some very interesting posts.

Your answers are all over the place, which is mostly what I expected to see. In my editorial, I avoided telling you what I have traditionally done because I didn't want to bias anyone's response. I generally have gone with option "2". I don't run any antivirus locally, but scan remotely once a week during maintenance periods. In addition, I harden each of the SQL Servers as much as possible. In my close to 14 years of managing SQL Servers, I have never had a virus problem yet, even when other servers in the company were having virus issues. Of course, now that I say this, one of my servers will probably get a virus.

    Brad M. McGehee
    DBA
