February 27, 2006 at 8:43 am
So, there's no question that we'll be running antivirus scanning on our database servers. This question involves File Exclusions.
Most people have written that you should be excluding your .MDF/.LDF/.NDF files from virus scanning. However, I'm not sure I understand why. The antivirus software won't be able to scan the file until it can gain access to it and if the DB is running the antivirus engine won't be able to get to it...
The only thing I've read is that there can be issues if the antivirus engine starts a scan at startup that happens to begin before the DB server has grabbed control of the DB file, and that may cause the DB to fail to start. I personally have never seen that happen, though.
The other files I was surprised no one talks about are the .BAK and .LOG (etc.) files that are written...But again, I don't think the antivirus engine will be able to read it until the DB engine has completed writing the file and at that point why would I care if the antivirus engine scans the file?
I'll be honest, originally I was a hardcore proponent of excluding DB files from being scanned...But, the more I think about it the less concerned I am. We even had a recent incident where we had a DB server in production that had an antivirus engine on it without any exclusions for several weeks and never had a problem and didn't notice any performance benefit when we created the exclusions...
We have both SQL Server and Oracle here and I work on both (though primarily SQL Server)...And, the other DBAs who work primarily on Oracle get crazy when someone brings up the idea of not having the exclusions, though I'm no longer convinced that they are warranted concerns.
Any thoughts? Anyone know of any recent whitepaper "Best Practices" that deal with this issue?
Thanks!
Mike
February 27, 2006 at 10:48 am
There is an article about it:
http://www.sqlservercentral.com/columnists/bkelley/sqlserversecuritydealingwithantivirusprograms.asp
February 27, 2006 at 11:42 am
Thanks Jo...I had already read that article, but appreciate you pointing it out. I had read it a few weeks ago and just re-read it as a refresher...
Given that we aren't re-using .bak/.trn files and we aren't using the Full Text engine, I don't see a reason to exclude any files...I don't see the .MDF/.LDF/.NDF as being an issue at startup, though I can see how it could happen. I bet there's some way you can get the antivirus software to delay its initial scan, though.
February 27, 2006 at 12:36 pm
Okay, you know the antivirus won't be able to scan your database files. But it will try. So, do you really gain anything from seeing all the error messages that it can't scan the .mdf/.ldf (and .ndf if any) files?
I know it can't scan those files, so why have it keep confirming that to me?
-SQLBill
February 27, 2006 at 12:59 pm
That's a good question.
It's more of a question of maintenance and overall protection...And, the assumption that virus/spyware/malware developers *WILL* at some point create a virus that uses a common DB file extension.
Anyway, that's where all this is coming from...I'm just trying to find out if there is an inherent and real risk of having an AV engine not exclude database files...
Furthermore, I've heard rumors that some AV companies are creating scans for DBs themselves, which is probably a wise thing at some point because of all the BLOB data that is being stored in these databases...
February 28, 2006 at 12:54 am
As far as I can tell it's not the full scan that does the damage to performance - it's the realtime scan! We found a major performance problem with a server that had been set up wrong and databases weren't excluded. Every time any change happened to the data files the anti-virus spent 30+ secs (its max time per file) trying to scan the file and locked it completely for database access!
Performance improved amazingly when the DB files were excluded.
Cheers
The Aethyr Dragon
Cape Town
RSA
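One way to verify that the data, log and backup files the posts above argue over are actually covered by the real-time scan exclusions, as an added example that is not from this thread. It assumes Microsoft Defender Antivirus (Get-MpPreference) for the live check; the file and exclusion lists in the script are constructed samples, and in practice the file list would come from sys.master_files plus the backup folder.

```powershell
# Added example (not from the thread): audit whether SQL Server data, log and
# backup files fall under the antivirus real-time scan exclusions.
# Assumption: Microsoft Defender Antivirus for the live check at the bottom.

function Test-DbFileExcluded {
    param(
        [string[]]$Files,               # full paths of database-related files
        [string[]]$ExclusionPaths,      # folder/file exclusions configured in the AV
        [string[]]$ExclusionExtensions  # extension exclusions configured in the AV
    )
    foreach ($f in $Files) {
        $ext   = [System.IO.Path]::GetExtension($f).TrimStart('.')
        $byExt = ($ext -ne '') -and ($ExclusionExtensions -contains $ext)
        $byPath = $false
        foreach ($p in $ExclusionPaths) {
            # a folder exclusion covers everything beneath it; a file exclusion is exact
            if (($f -like ($p.TrimEnd('\') + '\*')) -or ($f -ieq $p)) { $byPath = $true }
        }
        [pscustomobject]@{
            File      = $f
            Excluded  = ($byExt -or $byPath)
            CoveredBy = if ($byExt) { "extension .$ext" } elseif ($byPath) { 'path' } else { 'NOT EXCLUDED' }
        }
    }
}

# Constructed sample: data/log files on D:, backups on E:, plus the ERRORLOG on C:
$dbFiles = @(
    'D:\SQLData\Sales.mdf', 'D:\SQLLogs\Sales_log.ldf', 'D:\SQLData\Sales_2.ndf',
    'E:\Backups\Sales_full.bak', 'E:\Backups\Sales_tlog.trn',
    'C:\Program Files\Microsoft SQL Server\MSSQL\LOG\ERRORLOG'
)

# Constructed sample of a typical exclusion set: extension-based for data/log
# files, folder-based for backups. The ERRORLOG is deliberately left uncovered
# so the report shows what an incomplete exclusion list looks like.
$exclPaths = @('E:\Backups')
$exclExts  = @('mdf', 'ldf', 'ndf')

Test-DbFileExcluded -Files $dbFiles -ExclusionPaths $exclPaths -ExclusionExtensions $exclExts |
    Format-Table -AutoSize

# Live check against the local Defender configuration (run elevated):
# $pref = Get-MpPreference
# Test-DbFileExcluded -Files $dbFiles -ExclusionPaths $pref.ExclusionPath `
#     -ExclusionExtensions $pref.ExclusionExtension | Format-Table -AutoSize
```

Rows marked NOT EXCLUDED are the files the real-time scanner will still open on every write, which is the behaviour the post above describes.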
February 28, 2006 at 7:02 am
The Aethyr Dragon:
What database system was that? What AV engine did you have on the server?
Thanks,
Mike
February 28, 2006 at 7:17 am
Hi,
Had two different occurrences at two different companies. Both SQL 2000; one was with McAfee and the other with Symantec.
Cheers
The Aethyr Dragon
Cape Town
RSA