Morning,
So I thought this might be an interesting discussion topic since it is something that I am just starting to research and make changes to.
So from what I have read so far on certain servers it is either recommended to disable it outright or set exclusions for process and file paths. So for our file server (which has no Internet Access) I have disabled read & rename but left it on for write which has improved our performance on the server drastically. On our Exchange 2010 server (still no Internet access) I have disabled it outright while I get the exclusions up and running. For our SQL servers I am looking at disabling read & rename and toying with write but I am still researching best practices for a MS SQL server and A/V's.
So the question is, what have you done in your environment?
*edit*
Saw this XKCD comic which fits right in...
On Access Scanning & Servers: Your thoughts?
JUSTICE, n A commodity which is a more or less adulterated condition the State sells to the citizen as a reward for his allegiance, taxes and personal service.
Re: On Access Scanning & Servers: Your thoughts?
Your Exchange server has no internet access?
"Every normal man must be tempted at times to spit on his hands, hoist that black flag, and begin slitting throats."
- H. L. Mencken
Re: On Access Scanning & Servers: Your thoughts?
Well, it does, but not in the end user sense. Sorry, poor wording...
- hamin_aus
Re: On Access Scanning & Servers: Your thoughts?
What kind of shirty servers are you running?
We only exclude Exchange logs from on-access scanning. Everything else gets scanned.
Why would you exclude any of your frequently accessed files on your file server from on-access scanning? Seems counter-intuitive. Those are the files you WANT scanned the most.
For SQL you can exclude either all .MDF and .LDF files, or the location of your SQL data and log dirs, but it's not necessary IMO.
What AV software are you using? I wasn't aware you could go down to such a granular level with on-access scanning (read/write/rename).
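Added example, not part of any post in this thread: a small Python check of what each SQL exclusion style mentioned above (by extension, or by data/log directory) leaves unscanned, alongside a rule scoped to both. The `Rule` model, the directory names and the file listing are constructed assumptions, not Sophos or Trend settings.

```python
from pathlib import PureWindowsPath
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    """Hypothetical exclusion rule: every field that is set must match."""
    directory: Optional[str]         # excluded folder (and subfolders), or None
    extensions: Optional[frozenset]  # excluded extensions (lowercase), or None

def rule_matches(rule, path):
    p = PureWindowsPath(path)
    if rule.directory is not None:
        base = PureWindowsPath(rule.directory)
        if base not in p.parents:    # PureWindowsPath compares case-insensitively
            return False
    if rule.extensions is not None and p.suffix.lower() not in rule.extensions:
        return False
    return True

def unscanned(paths, policy):
    """Return the paths that at least one exclusion rule removes from scanning."""
    return [p for p in paths if any(rule_matches(r, p) for r in policy)]

# Constructed directory names; substitute the instance's real data and log dirs.
BY_EXTENSION = [Rule(None, frozenset({".mdf", ".ldf"}))]
BY_DIRECTORY = [Rule(r"D:\SQLData", None), Rule(r"E:\SQLLogs", None)]
SCOPED = [Rule(r"D:\SQLData", frozenset({".mdf"})),
          Rule(r"E:\SQLLogs", frozenset({".ldf"}))]

# Constructed file listing for illustration.
SAMPLE = [
    r"D:\SQLData\sales.mdf",
    r"E:\SQLLogs\sales_log.ldf",
    r"F:\Shares\Public\invoice.MDF",   # database extension outside the SQL dirs
    r"D:\SQLData\tools\helper.exe",    # non-database file inside an excluded dir
    r"F:\Shares\Public\report.docx",
]

if __name__ == "__main__":
    for name, policy in [("extension", BY_EXTENSION),
                         ("directory", BY_DIRECTORY),
                         ("scoped", SCOPED)]:
        print(name, unscanned(SAMPLE, policy))
```

Running the same check over a real file listing shows how many files each exclusion style takes out of on-access scanning before the policy is changed.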
Re: On Access Scanning & Servers: Your thoughts?
The servers are good servers.
hamin, read this one for Exchange: http://technet.microsoft.com/en-us/libr ... 32342.aspx and this one for SQL: http://support.microsoft.com/kb/309422 although everything you mentioned on excluding they mention, so you could skip it.
Sophos Enterprise allows us to select what on-access events should be scanned and not scanned. So right now the majority of servers are on the full hog but 3 are currently running with only writes selected.
- hamin_aus
Re: On Access Scanning & Servers: Your thoughts?
Anakha56 wrote: The servers are good servers
Maybe in the 3rd world
If on-access scanning is bringing them to their knees, either the servers are sheet or the AV is...
I don't know anyone who uses Sophos and I've never used it myself, but I will say that our main file server is a VM box with 2 vCPUs and 8GB vRAM and it has over 300000 files totaling more than 9TB on it. Full access scanning with Trend enabled and it mostly sits idle... we even shadow copy most of it and also do a ton of DFS sharing out to satellite sites.
Also if I remember past posts of yours, your SQL environment has a lot more issues than intrusive AV. It's almost totally unmanaged - or have you got someone to look at that for you yet?