December 12, 2003 at 12:58 pm
Windows 2000 Advanced Server with SP3
SQL Server 2000 Enterprise Edition with SP3
Mixed Authentication
I have 4 SQL Servers which exclusively run SQL. No users access these systems as a file server. I don't either. Our HQ office has implemented a server to distribute and install Microsoft Updates on a weekly basis. They also mandate Symantec Anti-Virus with Real-Time Scanning; however, they agreed to exclude *.mdf, *.ndf, *.ldf.
On several occasions in the last 3 weeks, the servers have 'locked-up' requiring a hard shut-down and restart. It appears that the vbtray.exe application is erroring out and then draining system resources until SQL can no longer update.
With the fact that no one uses these systems as a file server, and the Microsoft Updates are installed as Microsoft announces the Security Updates, do we need Anti-Virus software on these systems?
I am listening with an open mind to the vast experience here at sqlservercentral!
Thanks,
Michelle Morris
Michelle
December 12, 2003 at 1:17 pm
For years, I resisted installing anti-virus software on SQL Servers. And honestly, I've never had a SQL Server infected. However, I have recently changed my thinking.
I do now advocate av software, although I insist on lots and lots of testing before deploying to production. Part of the reason for the change is that I'm a very big advocate of security, and I found my stance on av inconsistent. I think in the current climate, we need to close every window of attack that we possibly can.
Besides, if you make a stance to remove the software and your server does get infected, you've basically lost your job. I don't think your situation would be as grave if you leave the software but your server crashes from it. (Hopefully it won't crash with enough testing.)
December 12, 2003 at 1:19 pm
Sounds like something is up with the AV installation.
We do use AV software on SQL Servers where I work with the same exclusions. There can be a case made for having it when you consider that there have been cases where an exploit is out and no patch is ready.
MS03-039 is an example. Currently, there is a whole lot of grief over a URL obfuscation issue that affects IE, but no patches for December (mind you, the URL obfuscation issue also affects some versions of Netscape and Mozilla/Firebird as well). So there may be cases where a vulnerability is exploited and a virus/worm is generated to attack it. In this case, the AV software may be the only line of defense (once the definitions are out).
K. Brian Kelley, GSEC
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
K. Brian Kelley
@kbriankelley
December 14, 2003 at 10:39 pm
I've had problems with Symantec in the past and have since moved to McAfee corp edition with the same exclusions. I have yet to have a crash that I can blame on McAfee in the last two years. Just anecdotal though, your mileage may vary.
Wes
December 15, 2003 at 7:59 am
What is vbtray.exe and why is it running on your SQL Server?
Given that it appears you have other applications running on your SQL Server, I would definitely run an AV program. I would also suggest inventorying the software running on production SQL Servers.
December 15, 2003 at 10:48 am
My understanding of VBTray.exe is that it is the 'real-time scanning' application of Symantec's AV product. But I can't find mention of it at their website. HQ is opening a trouble ticket with Symantec. Hopefully they can figure out what the problem is.
Thank you all for your responses. I too have been hesitant to run additional software on these servers, but I guess I need to realize there are people in the world with too much free time and I need to do all I can to protect the systems from any possible attack.
Thanks,
Michelle Morris
Michelle
December 15, 2003 at 11:37 am
You mean vptray.exe, right?
K. Brian Kelley, GSEC
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
K. Brian Kelley
@kbriankelley
December 15, 2003 at 12:31 pm
Yes, I missed that. Thanks! Michelle
Michelle
December 16, 2003 at 10:24 am
We run it, exclude the db files as well as the backup folders. No issues. McAfee here.
Steve Jones
http://www.sqlservercentral.com/columnists/sjones
The Best of SQL Server Central.com 2002 - http://www.sqlservercentral.com/bestof/
December 16, 2003 at 11:21 am
Odd that you should be having problems with vptray.exe but it's not unheard of. vptray.exe is what places the shield icon in your system tray when you log on to the server, whether at the console or via Terminal Services. It lets you know at a glance whether the Norton AntiVirus Client is running or not.
K. Brian Kelley, GSEC
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
K. Brian Kelley
@kbriankelley