On Access Scanning & Servers: Your thoughts?

Anakha56
Forum Administrator
Posts: 22136
Joined: 14 Jun 2004, 02:00
Processor: Ryzen 1700K
Motherboard: Asus X370
Graphics card: Asus 1060 Strix
Memory: 16GB RAM
Location: Where Google says

On Access Scanning & Servers: Your thoughts?

Post by Anakha56 »

Morning,

So I thought this might be an interesting discussion topic since it is something that I am just starting to research and make changes to.

So from what I have read so far on certain servers it is either recommended to disable it outright or set exclusions for process and file paths. So for our file server (which has no Internet Access) I have disabled read & rename but left it on for write which has improved our performance on the server drastically. On our Exchange 2010 server (still no Internet access) I have disabled it outright while I get the exclusions up and running. For our SQL servers I am looking at disabling read & rename and toying with write but I am still researching best practices for a MS SQL server and A/V's.

So the question is, what have you done in your environment?

*edit*

Saw this XKCD comic which fits right in... :lol:

Image
JUSTICE, n A commodity which is a more or less adulterated condition the State sells to the citizen as a reward for his allegiance, taxes and personal service.
GreyWolf
Registered User
Posts: 4754
Joined: 06 Aug 2003, 02:00
Processor: PHENOM II 945
Motherboard: Asus M4A78
Graphics card: HIS ICEQ 4850 1GB
Memory: 4GB CORSAIR XMS II 1066
Location: , location, location!

Re: On Access Scanning & Servers: Your thoughts?

Post by GreyWolf »

Your Exchange server has no internet access?
"Every normal man must be tempted at times to spit on his hands, hoist that black flag, and begin slitting throats."
- H. L. Mencken

Re: On Access Scanning & Servers: Your thoughts?

Post by Anakha56 »

Well, it does, but not in the end-user sense. Sorry, poor wording...
hamin_aus
Forum Moderator
Posts: 18363
Joined: 28 Aug 2003, 02:00
Processor: Intel i7 3770K
Motherboard: GA-Z77X-UP4 TH
Graphics card: Galax GTX1080
Memory: 32GB G.Skill Ripjaws
Location: Where beer does flow and men chunder

Re: On Access Scanning & Servers: Your thoughts?

Post by hamin_aus »

What kind of shirty servers are you running :?:

We only exclude Exchange logs from on-access scanning. Everything else gets scanned.

Why would you exclude any of your frequently accessed files on your file server from on-access scanning? Seems counter-intuitive. Those are the files you WANT scanned the most.

For SQL you can exclude either all .MDF and .LDF files, or the location of your SQL data and log dirs, but it's not necessary IMO.

What AV software are you using? I wasn't aware you could go down to such a granular level with on-access scanning (read/write/rename :?: ) :idea:

Re: On Access Scanning & Servers: Your thoughts?

Post by Anakha56 »

:lol: The servers are good servers :lol:.

hamin, read this one for Exchange: http://technet.microsoft.com/en-us/libr ... 32342.aspx and this one for SQL: http://support.microsoft.com/kb/309422 although everything you mentioned on excluding they mention, so you could skip it :).

Sophos Enterprise allows us to select what on-access events should be scanned and not scanned. So right now the majority of servers are on the full hog but 3 are currently running with only writes selected.

Re: On Access Scanning & Servers: Your thoughts?

Post by hamin_aus »

Anakha56 wrote: :lol: The servers are good servers :lol:
Maybe in the 3rd world :P
If on-access scanning is bringing them to their knees, either the servers are sheet or the AV is...

I don't know anyone who uses Sophos and I've never used it myself, but I will say that our main file server is a VM box with 2 vCPUs and 8GB vRAM and it has over 300000 files totaling more than 9TB on it. Full access scanning with Trend enabled and it mostly sits idle... we even shadow copy most of it and also do a ton of DFS sharing out to satellite sites.

Also if I remember past posts of yours, your SQL environment has a lot more issues than intrusive AV. It's almost totally unmanaged - or have you got someone to look at that for you yet?