Antivirus Scanning...File Exclusions...Why do it?

  • So, there's no question that we'll be running antivirus scanning on our database servers.  This question involves File Exclusions.

    Most people have written that you should be excluding your .MDF/.LDF/.NDF files from virus scanning.  However, I'm not sure I understand why.  The antivirus software won't be able to scan the file until it can gain access to it and if the DB is running the antivirus engine won't be able to get to it...

    The only thing I've read is that there can be issues if the antivirus engine starts a scan at startup that happens to begin before the DB server has grabbed control of the DB file, and that may cause the DB to fail to start.  I personally have never seen that happen, though.

    The other files I was surprised no one talks about are the .BAK and .LOG (etc.) files that are written...But again, I don't think the antivirus engine will be able to read it until the DB engine has completed writing the file and at that point why would I care if the antivirus engine scans the file?

    I'll be honest, originally I was a hardcore proponent of excluding DB files from being scanned...But, the more I think about it the less concerned I am.  We even had a recent incident where we had a DB server in production that had an antivirus engine on it without any exclusions for several weeks and never had a problem and didn't notice any performance benefit when we created the exclusions...

    We have both SQL Server and Oracle here and I work on both (though primarily SQL Server)...And, the other DBAs who work primarily on Oracle get crazy when someone brings up the idea of not having the exclusions, though I'm no longer convinced that they are warranted concerns.

    Any thoughts?  Anyone know of any recent whitepaper "Best Practices" that deal with this issue?

    Thanks!

    Mike

  • Thanks Jo...I had already read that article, but appreciate you pointing it out.  I had read it a few weeks ago and just re-read it as a refresher...

    Given that we aren't re-using .bak/.trn files and we aren't using the Full Text engine, I don't see a reason to exclude any files...I don't see the .MDF/.LDF/.NDF as being an issue at startup, though I can see how it could happen.  I bet there's some way you can get the antivirus software to delay its initial scan, though.

  • Okay, you know the antivirus won't be able to scan your database files. But it will try. So, do you really gain anything from seeing all the error messages that it can't scan the .mdf/.ldf (and .ndf if any) files?

    I know it can't scan those files, so why have it keep confirming that to me?

    -SQLBill

  • That's a good question.

    It's more of a question of maintenance and overall protection...And, the assumption that virus/spyware/malware developers *WILL* at some point create a virus that uses a common DB file extension.

    1. Do I want to exclude the DB files in any directory?  No...
    2. Do I want to exclude the DB files in the Data directory?  No...Again, it's not hard to drop a virus file into the default data directory.  Though, if you are hardened appropriately, rights should be limited.
    3. Do I want to maintain specific file exclusions for every database server that I have?  No, not really.  I have roughly 70 SQL Server instances, the number of actual databases and database files is obviously much greater than that.  And, that isn't even taking into consideration the Oracle databases.  Having to alter the antivirus exclusion whenever I move a file or create a new database is not going to be a small task, especially since the Security team here is solely responsible for those modifications.

    Anyway, that's where all this is coming from...I'm just trying to find out if there is an inherent and real risk of having an AV engine not exclude database files...

    Furthermore, I've heard rumors that some AV companies are creating scans for DBs themselves, which is probably a wise thing at some point because of all the BLOB data that is being stored in these databases...
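One way to keep the per-server maintenance burden from point 3 manageable is to derive the exclusion list from the instance itself instead of tracking it by hand. The script below is an added example and is not code from this thread or from any vendor; it assumes the SqlServer PowerShell module (`Invoke-Sqlcmd`), Windows Defender (`Get-MpPreference`/`Add-MpPreference`), Windows Authentication on each instance, and the placeholder instance names shown. It excludes only the directories that actually hold data/log files, so the scanner still inspects every other path, and it reports what it adds so the change can be reviewed.

```powershell
# Added example, not from the original thread.
# Build Defender path exclusions from sys.master_files on each instance so the
# exclusion list follows the database files rather than being edited by hand.
# Assumptions: SqlServer module (Invoke-Sqlcmd), Windows Defender cmdlets,
# Windows Authentication. Instance names are placeholders.
$instances = @('SQLPROD01', 'SQLPROD02\INST2')

# Strip the file name from physical_name to get the containing directory.
# Only local drive paths (X:\...) are considered; UNC paths are left alone.
$query = @"
SELECT DISTINCT
    LEFT(physical_name, LEN(physical_name) - CHARINDEX('\', REVERSE(physical_name))) AS directory
FROM sys.master_files
WHERE physical_name LIKE '_:\%';
"@

$directories = foreach ($inst in $instances) {
    try {
        Invoke-Sqlcmd -ServerInstance $inst -Query $query -ErrorAction Stop |
            Select-Object -ExpandProperty directory
    } catch {
        # An unreachable instance is reported, not silently skipped.
        Write-Warning "Could not query ${inst}: $_"
    }
}

$directories = $directories | Sort-Object -Unique
if (-not $directories) {
    Write-Warning 'No database directories found; nothing excluded.'
    return
}

# Compare against the current exclusion set so the script is safe to re-run.
$current = (Get-MpPreference).ExclusionPath
foreach ($dir in $directories) {
    if ($current -contains $dir) {
        "already excluded: $dir"
        continue
    }
    Add-MpPreference -ExclusionPath $dir
    "excluded: $dir"
}
```

Because the exclusions are directories rather than extensions, a file with a .mdf extension dropped anywhere else on the server is still scanned, which is the concern raised in points 1 and 2 above; the trade-off that remains is the data directory itself, which is why file-system rights on that directory matter. Re-running the script after a database is created or moved picks up the new location without anyone editing the antivirus configuration by hand.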

  • As far as I can tell it's not the full scan that does the damage to performance - it's the real-time scan! We found a major performance problem with a server that had been set up wrong and databases weren't excluded. Every time any change happened to the data files the anti-virus spent 30+ secs (its max time per file) trying to scan the file and locked it completely for database access!

    Performance improved amazingly when the DB files were excluded.

    Cheers


    The Aethyr Dragon

    Cape Town
    RSA

  • The Aethyr Dragon:

    What database system was that?  What AV engine did you have on the server?


    Thanks,

    Mike

  • Hi,

    Had two different occurrences at two different companies. Both SQL 2000; one was with McAfee and the other with Symantec.

    Cheers


    The Aethyr Dragon

    Cape Town
    RSA
