Guest Editorial: Do You Run Antivirus Software on Your SQL Servers?


Steve Jones
I've rarely run AV on a server, except for file servers. And then mostly to prevent the spread from workstation to workstation.

For SQL, we've prevented browsing from most of the servers, prevented people from actively doing things on them except with RPC, so AV hasn't made a lot of sense for us.

If you do it, definitely exclude folders or extensions. You don't want to necessarily do files unless your backups are all run on the same names.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Olga B
Huh, I always assumed that we did run AV on the server boxes. Went to check, and it appears that we don't. It doesn't alarm me, since the servers are dedicated and sit behind the firewall. Still, I can't get rid of a nagging thought - in the unlikely event that we do get a virus, it would be very difficult to explain to TPTB why it was unnecessary to scan the servers.
ALZDBA
We run AV on all our servers.
For db servers we exclude the db file locations as well as the location of the backup files.

We recently had an issue with one (of many) SQL2000 instance which lost connectivity (unless time had been set to > 20sec) after installing McAfee 8.5 (+6upd).
Still looking for a valid solution ...

Johan


Don't drive faster than your guardian angel can fly ...
but keeping both feet on the ground won't get you anywhere
D Gillespie
Excellent topic and some very interesting posts.

Smooooth
bradmcgehee@hotmail.com
Your answers are all over the place, which is mostly what I expected to see. In my editorial, I avoided telling you what I have traditionally done because I didn't want to bias anyone's response. I generally have gone with option "2". I don't run any antivirus locally, but scan remotely once a week during maintenance periods. In addition, I harden each of the SQL Servers as much as possible. In my close to 14 years of managing SQL Servers, I have never had a virus problem yet, even when other servers in the company were having virus issues. Of course, now that I say this, one of my servers will probably get a virus.

Brad M. McGehee
DBA
karl.spam
On our own dedicated SQL servers we don't run AV. When working with external clients who already have it present on their system we recommend excluding the data/log/backup dirs.
Ed Pearson
When I administered SQL boxes in the past, I turned off the real-time scan on the SQL-only boxes and disabled scanning for the MSSQL/Data folder during regular nightly scans.
Seemed a good trade-off for performance. Granted, the SQL boxes were behind a firewall and had no direct file access by regular (non-admin) clients.
K. Brian Kelley
Given that the last few successful virus/worm threats attacked SMB/RPC, I believe in running AV on the SQL Server, while setting the AV software not to scan the appropriate file types SQL Server cares about. For instance, Conficker attacks SMB, and therefore, if your SQL Server is on the domain and talking to DCs and other systems (even app servers) using Windows authentication, accessible to most patch management software, remote management, etc., it's going to use those protocols. If you've got a 0-day, then the AV definition may be the only thing that catches and smacks down the virus/worm.

I'd rather take the small performance hit from a properly configured AV software than take the larger risk of the server compromise because someone brought in an infected USB drive, accessed the wrong site on the Internet before it could be properly categorized (especially normally legitimate sites like .edu ones which are often compromised because (a) they aren't being watched as carefully as a commercial site and (b) because of the fact that until reclassified the site is seen as legitimate by the web filtering software most organizations use), or brought in an infected laptop that was in standby or hibernation mode.

K. Brian Kelley
@kbriankelley
David in .AU
I think it all depends.

If your server is in a position where it is accessible to the net at large, then oh yeah, AV that bad boy, run it real time, because a scheduled task isn't going to help you if you are already compromised. Do it even if you are firewalled, because if a virus uses a valid connection port through the firewall and then uses some unknown/unpatched buffer overflow exploit, well you are just as screwed.

If it is sitting on an internal IP address and is only connected to via an application server or internal management client and even then only via a firewall, then it probably doesn't make much sense.

And if you are an admin that directly downloads random executables and runs them on your production SQL (or any) server without having scanned them, well, you get what you deserve.
StarNamer
Servers I've managed have always gone with a variation of 3(b). That is, AV is installed but settings are adjusted to minimize impact, e.g. only scan on writes to the hard disk, skip certain extensions, etc.

Derek