Antivirus on large SQL Server instances

  • All, I'm having an issue where my current antivirus vendor is having issues when scanning my larger sql server machines. These are servers with large amounts of memory 256 GB with >115 GB in use. It appears that when the scan begins to scan the memory, prior to scanning the files, it chokes when it sees all of that memory in use. This causes significant resource contention including timeouts when connecting to SQL Server. We've already contacted the vendor for an enhancement request, but it seems they are unlikely to act on it quickly.

    Is anyone else out there running machines with large amounts of memory with large amounts in use and running antivirus? If so, what are you running and how is it performing for you? I'm about to deploy machines with even more memory and I'm concerned this issue will continue, and I'm looking for other alternatives. Local policies state I need to have AV installed and scanning daily (so uninstalling isn't an option), I'm just looking for one that will work with my current systems.

    Thanks,

    -Luke.

    To help us help you read this. For better help with performance problems please read this.

  • Hi,

    In our environment we have excluded mdf, ldf, ndf files from antivirus scanning.



    Praveen D'sa
    MCITP - Database Administrator 2008
    http://sqlerrors.wordpress.com

  • Yes, we do that as well. It is a failing of the product. Not the way it is configured. I'm looking for what AV products other people are using on SQL Servers with large amounts of memory.

    Thanks.

    Luke.

  • I don't have an answer right now but I have a friend that works with servers that have a half TByte and more. I know he's running some form of AV on them. I'll try to remember to ask him tomorrow.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • Thanks Jeff! We're looking at upgrading to systems in that neighborhood and want to get this resolved prior to putting them into production.

    Luke.

  • We use A/V on our servers and a lot of our production SQL Servers have anything from 256GB to 1TB of memory. As well as setting the file exclusions as stated above, we also configured the A/V not to scan the sqlserver.exe service/process or any spawned child processes, and that seems to work fine.

  • I believe the SQLSERVER.exe process is excluded as well. I'm uncertain if we have the option to exclude all spawned processes, but I'll check.

    Can you tell me which AV you are using? If you would rather not post it publicly please send me a private message.

    Thanks,

    -Luke.

  • McAfee Enterprise runs fine on our servers.

    512 GB of RAM

    We use the exclusions mentioned above and do not have contention with the memory scan.

    Steve

  • Luke L (12/1/2013)


    Thanks Jeff! We're looking at upgrading to systems in that neighborhood and want to get this resolved prior to putting them into production.

    Luke.

    Wow! I talked with that DBA (he has literally dozens of multi-terabyte databases on his servers and, as I said before, a half Tbyte of memory or more on those servers) and he doesn't run any form of anti-virus on them. I didn't have the time to talk with him at any great length about it but he said that he's not concerned because he's taken care of that problem in some other fashion.

    --Jeff Moden



  • Jeff thanks for checking into it. I'm curious how he handles that problem in other ways.

    Thanks also to Steve for his response as well.

    -Luke.

  • For PCI DSS purposes we had to run A/V on SQL Servers, but with it configured in such a way with the exclusions on them, it never caused any performance issues.

  • Luke L (12/2/2013)


    Jeff thanks for checking into it. I'm curious how he handles that problem in other ways.

    Me too! I'm hoping that he doesn't somehow think that he's simply made his server secure enough to not need it. My feeling is that even if it's a stand alone machine that's not attached to any network (when's the last time you saw an SQL Server in THAT configuration?), you at least need to check any CDs or DVDs that you may use on the server for upgrades, etc.

    --Jeff Moden



  • Jeff Moden (12/2/2013)


    Wow! I talked with that DBA ... and he doesn't run any form of anti-virus on them. I didn't have the time to talk with him at any great length about it but he said that he's not concerned because he's taken care of that problem in some other fashion.

    He's crazy?

    FYI, I feel like a piker, but I do know that Sophos works fine on a quarter-terabyte of RAM and with realtime scanning with the usual mdf, ndf, ldf, bak, trn, etc. etc. exclusions for data files, log files, and backup files.

    I would NOT ever exclude an executable, including sqlserver.exe - what if sqlserver.exe gets infected? What if someone does

    copy StealingYourData.exe sqlserver.exe

    sqlserver.exe is also so small it shouldn't matter - it can be scanned whenever.
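
One way to check for the risk raised in the last post when a process exclusion is in place, as an added example that is not part of the thread: confirm that every binary running or registered under the excluded image name is the signed SQL Server engine. Assumptions: the engine image name is sqlservr.exe (the default for SQL Server installs), the expected signer string is a placeholder to adjust to local policy, and the script runs elevated.

```powershell
# Added example: verify the binary behind an AV process exclusion.
# Assumption: the SQL Server engine image name is sqlservr.exe.

function Test-ExcludedBinary {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: signer substring to require; adjust to local policy.
        [string]$ExpectedSigner = 'O=Microsoft Corporation'
    )
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Signer  = $signer
        SHA256  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Trusted = ($sig.Status -eq 'Valid') -and ($signer -like "*$ExpectedSigner*")
    }
}

# Binary paths registered for SQL Server engine services (default and named instances).
$servicePaths = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'sqlservr\.exe' } |
    ForEach-Object {
        # PathName is usually "C:\...\sqlservr.exe" -sINSTANCE; strip quotes and arguments.
        if ($_.PathName -match '^"([^"]+)"') { $Matches[1] }
        else { ($_.PathName -split '\s+-')[0] }
    }

# Paths of processes actually running under the excluded image name.
$processPaths = Get-CimInstance Win32_Process -Filter "Name = 'sqlservr.exe'" |
    Select-Object -ExpandProperty ExecutablePath

# Check signature and hash of every distinct path found.
$results = @($servicePaths) + @($processPaths) |
    Where-Object { $_ } | Sort-Object -Unique |
    ForEach-Object { Test-ExcludedBinary -Path $_ }

$results | Format-Table -AutoSize Path, Status, Trusted, SHA256

# A running sqlservr.exe that is not a registered service binary, or any
# binary that fails the signature check, should be investigated.
$rogue = $processPaths | Where-Object { $_ -and ($_ -notin $servicePaths) }
if ($rogue -or ($results | Where-Object { -not $_.Trusted })) {
    Write-Warning 'Excluded process name is backed by an unexpected or untrusted binary.'
}
```

Recording the SHA256 values after each patch cycle gives a baseline to compare against on later runs.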
