Co-Existence of Anti-Virus and SQL Server

  • I haven't looked into this, but what is the stand on installing Anti-Virus software on SQL Servers? We are running 6.5, 7.0 and 2000 SQL Servers.

  • It is considered best to have the server set up in a situation where viruses cannot occur. In other words do not run other services and items that can be affected directly on the server and do not install apps that have not been scanned by the latest and greatest pattern file (even then avoid this whenever possible anyway). It is also suggested that if you cannot meet the requirements to prevent possible infection then you must have an antivirus solution in place for safety and that you have a backup solution in place (remember when you open yourself to attack you open yourself to loss). However, do not run realtime scans, but rather do scheduled scans. The reason is real time scans are based on changes and open/closing of files; since SQL does a lot of this it can actually hurt the performance of the server. If you do scheduled scans you can limit impact by picking a low utilization time. Also, they now are offering the ability to add exceptions and pick and choose files/drives to scan (you do not want them to scan any file that is in use by SQL if possible). In addition, do not allow the virus software to try and quarantine any file but to log (and if possible send) an alert for later investigation. With all this you can safely run AV with SQL and not impact yourself badly.

    "Don't roll your eyes at me. I will tape them in place." (Teacher on Boston Public)

  • Thanks for your feedback.

    I am on your side regarding setting up your SQL servers to even not be a target for a Virus Attack. Since coming into this situation we haven't set up any of our SQL Servers since 6.5 with open shares to be accessible by anyone who could infect our server.

    On the scanning software configuration angle, I'm pretty sure we can configure the on-demand scanning to not scan any of the database or log files. Since these are continuously written to, this would really hamper performance. But, in a situation where we have some open shared folders for application interaction, there is a chance to find infected files. Been There Done That.

    In the meantime I'm scanning the shares with a scheduled scanning task to move the files and notify the admin for investigation.

  • I had a very bad experience with a customer who used Command AV on a 2K Server Box. Box would reboot (kernel trap) every time you attempted a terminal server session (took forever to figure out root cause). Otherwise box worked fine.

    Personally, I do not like running AVs on servers as it usually impacts performance. I prefer to put the AV on the perimeter and on all user workstations. If you keep the network share permissions tight (no write access to the SQL server box), keep unpatched versions of IIS off, apply latest service packs and security rollups, and have a good perimeter defense (firewall) you should be OK.

    Keeping a SQL Server box as a standalone server (no domain membership) and behind a firewall on its own VLAN will also reduce the probability of infection.

  • Agree with Jordan. I don't like running this on servers for a variety of reasons. Set a strong administrative policy that people should not be running browsers, etc. on servers, including email.

    Steve Jones

    steve@dkranch.net

  • Everyone seems to have the same feeling but 1 thing I don't agree with is not having anything in place. Remember you do have executables and things do happen so you should have something to check with periodically (if not realtime). Also the comment

    quote:


    I do not like running AVs on servers as it usually impacts performance


    I checked today does not have a big impact as long as you are not scanning MDB, NDB, and LDB files being accessed by SQL (these should be somewhere where a good AV app can bypass scanning them). Now I double checked on the realtime stuff with Symantec in place on a production server (yeah I know the shudders I just got, but it has been there for a while and I completely forgot about it running). It has the exceptions on the files but scans all exe, dlls, vbs and such that are accessed realtime (realtime to a vendor means check at open or execute and at close in most cases); the CPU and memory utilization never topped 2% more than without it and that was at load of the server. I am trying to get some baselines from another server that has not got it running (live test server folks, don't freak out). Then I will add it and do baselines again to see if I impact processing on the server; this is one of our least hardware level machines and should show issues quite nicely. Also in regards to email I have not heard anything happening as SPL_Mail reads the actual text and ignores any formatting or code so it should not pose a door for anything.

    "Don't roll your eyes at me. I will tape them in place." (Teacher on Boston Public)

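An added example, not part of the original thread: a Python sketch of the exclusion check the posts above describe, listing which SQL Server database files an AV exclusion policy would still leave open to scanning and flagging a quarantine action. The sample paths are constructed, and the policy key names and the `log_and_alert` value are hypothetical, not any vendor's real settings.

```python
from pathlib import PureWindowsPath

# Constructed sample: database file paths as a DBA might list them from the
# server's catalog. Not taken from the thread.
DB_FILES = [
    r"D:\MSSQL\Data\master.mdf",
    r"D:\MSSQL\Data\sales_data.MDF",
    r"E:\SQLLogs\sales_log.ldf",
    r"F:\Archive\sales_2001.ndf",
    r"G:\MSSQL\Data\tempdb.mdf",
]

# Hypothetical AV policy: folders skipped entirely, extensions skipped
# everywhere, and the action taken on detection.
POLICY = {
    "excluded_dirs": [r"d:\mssql\data", r"E:\SQLLogs"],
    "excluded_exts": [".ldf"],
    "on_detect": "quarantine",
}

def is_excluded(path, policy):
    """True if the scanner would skip this file under the policy."""
    p = PureWindowsPath(path)
    if p.suffix.lower() in {e.lower() for e in policy["excluded_exts"]}:
        return True
    # PureWindowsPath compares case-insensitively, as Windows paths do,
    # and p.parents covers files in subfolders of an excluded folder.
    return any(PureWindowsPath(d) in p.parents for d in policy["excluded_dirs"])

def audit(db_files, policy):
    """Return (database files still scanned, policy warnings)."""
    scanned = [f for f in db_files if not is_excluded(f, policy)]
    warnings = []
    if policy.get("on_detect") != "log_and_alert":
        warnings.append("on_detect is %r; log and alert instead of moving files"
                        % policy.get("on_detect"))
    return scanned, warnings

if __name__ == "__main__":
    still_scanned, notes = audit(DB_FILES, POLICY)
    for f in still_scanned:
        print("NOT EXCLUDED:", f)
    for n in notes:
        print("WARNING:", n)
```
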
  • Most people only send mail, they do not receive it. If you do this, there is no virus infection. If you read mail, I believe Antares is correct, but I have not tested.

    I would configure your profile for TEXT only messages, turn off the preview pane, and if you need to read these messages manually, do it from another machine.

    Steve Jones

    steve@dkranch.net
