Antivirus Exceptions - Yes or No?

  • Hi Folks,

    I heard an interesting conversation today about whether or not Antivirus Scanning exceptions (in this case provided by McAfee) are necessary or not.

    The premise around saying "no" is that once SQL Server is up and running and the databases are online, SQL Server prevents an external program from directly accessing the datafiles directly hence preventing proactive antivirus scanning solutions from accessing the datafile.  This is done by essentially "locking" the datafile in such a way so that only the SQL Server service user can access the files.

    I come from the school whereby exceptions should be added in order to prevent performance problems resulting from constant threat scanning from an antivirus solution.

    Does anyone have anything to say on the subject and any experiences one way or the other?

    Regards,
    Kev

  • kevaburg - Wednesday, December 6, 2017 6:51 AM

    Hi Folks,

    I heard an interesting conversation today about whether or not Antivirus Scanning exceptions (in this case provided by McAfee) are necessary or not.

    The premise around saying "no" is that once SQL Server is up and running and the databases are online, SQL Server prevents an external program from directly accessing the datafiles directly hence preventing proactive antivirus scanning solutions from accessing the datafile.  This is done by essentially "locking" the datafile in such a way so that only the SQL Server service user can access the files.

    I come from the school whereby exceptions should be added in order to prevent performance problems resulting from constant threat scanning from an antivirus solution.

    Does anyone have anything to say on the subject and any experiences one way or the other?

    Regards,
    Kev

I've always been on the "yes" side, especially with BAK and TRN files, as I've had a few exceptions where the AV (also McAfee) was scanning the backup files while we were in the middle of a recovery scenario, and we couldn't recover as the file was locked.

There's also the "mass mail worm" blocker in McAfee, which is a pain when enabled for sp_send_dbmail as you never get any mail, so that's another exclusion I add to the list.

You then also have the problem that if, for some reason unbeknown to man, the auto close option has been set on the database, you can get it being scanned while SQL is trying to restart the database because a user has requested a connection to the closed DB.

Then there is the very rare occurrence where the SQL service doesn't auto-start on boot up as the system isn't ready (changed to Auto Delayed Start), so if you get that occurrence it could be an issue.

    Just my 2 cents worth...

  • Always exclude. I've used the MS recommendations if I got any push back:
    How to choose antivirus software to run on computers that are running SQL Server

Here are the McAfee recs:
    Recommended exclusions for Endpoint Security/VirusScan Enterprise on Microsoft SQL Servers

    Sue

  • kevaburg - Wednesday, December 6, 2017 6:51 AM

    Hi Folks,

    I heard an interesting conversation today about whether or not Antivirus Scanning exceptions (in this case provided by McAfee) are necessary or not.

    The premise around saying "no" is that once SQL Server is up and running and the databases are online, SQL Server prevents an external program from directly accessing the datafiles directly hence preventing proactive antivirus scanning solutions from accessing the datafile.  This is done by essentially "locking" the datafile in such a way so that only the SQL Server service user can access the files.

    I come from the school whereby exceptions should be added in order to prevent performance problems resulting from constant threat scanning from an antivirus solution.

    Does anyone have anything to say on the subject and any experiences one way or the other?

    Regards,
    Kev

You should exclude SQL Server disk locations.
The AV software works by injecting itself into the SQL Server process and so is able to scan anything SQL Server is using.

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • I always create exceptions for .bak and .ldf .mdf .ndf.   I also exclude the main SQL Server folders from being scanned.  Years ago someone deleted those exceptions and the server was running poorly.

  • Thanks for the opinions and ideas.  It is always interesting to see how many different ideas and thoughts about the subject are out there!

    I'll stick to my current plan I think..... 🙂

  • Perry Whittle - Wednesday, December 13, 2017 9:40 AM

    The AV software works by injecting itself into the sql server process and so is able to scan anything sql server is using

    This is actually how it works 😉

    -----------------------------------------------------------------------------------------------------------

    "Ya can't make an omelette without breaking just a few eggs" 😉

  • Perry Whittle - Monday, December 18, 2017 8:38 AM

    Perry Whittle - Wednesday, December 13, 2017 9:40 AM

    The AV software works by injecting itself into the sql server process and so is able to scan anything sql server is using

    This is actually how it works 😉

    I saw the word "injecting" and it brought me to another point.  Is there an anti-virus solution that can detect SQL injection?  I know Oracle has been marketing its Database Firewall for some time now and I was wondering if there is a comparable solution for SQL Server.

  • AV usually runs as a filter driver in the IO stack, not an injection in process.

    Always exclude.

I always exclude as well.  In the interest of curiosity, we did do a bit of a test on one server when we were mandated (dictated is more like it) to switch AV software.  It didn't take long to figure out that not having exceptions was a horrible idea.  I got points for "playing nice" with the domain admins in the decision-making process. 😛  That and confirmation were the only good things to come out of the experiment.

  • Ed Wagner - Tuesday, December 26, 2017 8:51 AM

I always exclude as well.  In the interest of curiosity, we did do a bit of a test on one server when we were mandated (dictated is more like it) to switch AV software.  It didn't take long to figure out that not having exceptions was a horrible idea.  I got points for "playing nice" with the domain admins in the decision-making process. 😛  That and confirmation were the only good things to come out of the experiment.

Every once in a while the systems people will re-add our DB drives to the nightly scans on our servers, predictably trash performance, then predictably take several days to admit they did it.

Always exclude. I know in my organization we have to be careful of McAfee, both with VirusScan Enterprise and Host Intrusion Prevention. We have VSE set up to exclude .mdf, .ndf, .ldf, .bak and .trn files as well as SQL binary directories. Even if SQL locks the data files, if on-access scanning is on, the binary files used (extended stored procs, CLR, etc.) will take a hit every time they are used. Also, as previously stated, the Mass Mailing Worm setting will have negative effects if you expect Database Mail to work but it has not been excluded. HIPS will also commonly block things if not configured correctly.

In my opinion not only should it be excluded, but you need to be ever-wary of it. If policies are controlled centrally through ePO, sometimes they get overwritten or seemingly lost. When that happens things start to break.

    Joie Andrew
    "Since 1982"
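The thread's recurring advice is to exclude the data, log, backup and binary locations and then keep checking that the policy still covers them. The following script is an added example (not posted by anyone in the thread and not McAfee's or Microsoft's tooling): it takes the file paths an instance reports in sys.master_files, plus its backup and binary directories, and reports any path the configured exclusions would still leave subject to on-access scanning. The paths and the exclusion policy are constructed samples; in practice you would feed in the real query output and the exported AV policy.

```python
"""Drift check: which SQL Server paths does the AV exclusion policy still scan?"""
from pathlib import PureWindowsPath

# Constructed sample rows, in the shape of
#   SELECT physical_name FROM sys.master_files
# plus the backup directory and the instance's Binn folder.
SQL_FILES = [
    r"D:\SQLData\MSSQL\DATA\master.mdf",
    r"D:\SQLData\MSSQL\DATA\mastlog.ldf",
    r"D:\SQLData\MSSQL\DATA\Sales.mdf",
    r"E:\SQLLogs\Sales_log.ldf",
    r"F:\Backups\Sales_FULL.bak",
    r"F:\Backups\Sales_LOG.trn",
    r"C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
]

# Constructed exclusion policy in the two forms the thread mentions:
# file extensions and whole directories. ".trn" is deliberately left out
# to show how a backup file slips through once a policy is overwritten.
EXCLUSIONS = {
    "extensions": {".mdf", ".ndf", ".ldf", ".bak"},
    "directories": [r"D:\SQLData", r"C:\Program Files\Microsoft SQL Server"],
}


def is_excluded(path, policy):
    """True if the path is covered by an extension or directory exclusion."""
    p = PureWindowsPath(path)
    if p.suffix.lower() in {e.lower() for e in policy["extensions"]}:
        return True
    for d in policy["directories"]:
        try:
            # PureWindowsPath compares case-insensitively, as NTFS does.
            p.relative_to(PureWindowsPath(d))
            return True
        except ValueError:
            continue
    return False


def find_scanned_paths(files, policy):
    """Return the SQL Server paths that on-access scanning would still touch."""
    return [f for f in files if not is_excluded(f, policy)]


if __name__ == "__main__":
    for f in find_scanned_paths(SQL_FILES, EXCLUSIONS):
        print("NOT EXCLUDED:", f)
```

Running it against these samples flags only the .trn backup, which is exactly the file the earlier posts describe being locked by the scanner mid-restore.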
