Re: Experience with Virus Scan software of database servers

  • From: Paul Drake <bdbafh@xxxxxxxxx>
  • To: rlsmith@xxxxxxx
  • Date: Thu, 18 Aug 2005 16:28:03 -0400

On 8/18/05, Smith, Ron L. <rlsmith@xxxxxxx> wrote:
> Has anyone had any experience with Virus Scan software on database servers? 
> We found that after a recent update the virus scan was dominating the server
> and slowing everything down. 
> Ron  

Yes. I've had experience with them. I'm assuming that you're referring
to running Oracle db server on MS win32 OSes.

In the current security environment (SarbOx, HIPAA) I don't think that
a simple "turn them off" response is sufficient. If the admin shares
(e.g. d$) are still open in a domain environment, they are vulnerable
to malware (worm) should the domain controllers be compromised (e.g.

I believe that it real-time anti-virus scans should be left enabled
for the server's OS volume, perhaps even for under the ORACLE_BASE. It
should also be left enabled for partitions that have shares.

If one was to configure the filesystem ownership and permissions such
that only a service account had write access to it and the accounts
localsystem, local administrators had no access ... then I could see
having such directories and their children excluded from the virus
protection software and real-time scan - and be able to back up my
claims under scrutiny of an outside auditor.

I did present on this topic with a presentation name of "Nimda Ate My
Database!" years ago at OOUG for MS Windows 2000 and Oracle 8i. It
mentioned the use of security templates like those that are provided
by CIS. The filesystem ownership and permissions in MS Windows 2003
server and in the Oracle 10g installation were good enough that this
practice was obsoleted by me for the oracle binaries ... but I still
prefer to lock down the files under <vol>\oracle\oradata\%ORACLE_SID%\
so that network backups can't lock them. That reduces those early
morning calls where a controlfile was locked and the instance crashed
due to a misconfigured network backup. Those calls do tend to make a
sleeping BDBAFH a little more cranky than usual.


Other related posts: