patternsqlMinor
Is it safe to run antivirus software on my database servers?
Viewed 0 times
serversantivirusdatabasesoftwaresaferun
Problem
Some implementations of antivirus software are known to Microsoft to cause a variety of problems for SQL Server, and Microsoft has a support article dedicated just to picking the right antivirus software for your SQL Server hosts.
From your experience, is it safe to run antivirus software on your database servers?
Given all the required antivirus exclusions and caveats to consider, is it practical?
From your experience, is it safe to run antivirus software on your database servers?
Given all the required antivirus exclusions and caveats to consider, is it practical?
Solution
For me, personally, I have not found it practical. But for 15+ years I have worked in environments that were dedicated to isolating and protecting the database servers. All of the activity that can lead to virus and malware infestation on a SQL Server machine can be prevented IMHO. Extremely limited access, no browsing from the server, no hosting of file shares, rigorous firewall protection, principle of least privilege, etc. Some of these lines get blurred a bit depending on the functionality of your server, for example filestream/filetable.
In my experience anti-virus is often a false security blanket. It is either responding as a post-mortem correction or, in some cases, doesn't have the signature yet for the new threat - either because it is not kept up to date by the system administrator or by the vendor (or both). Since rules and exceptions can change over time, if sysadmins can't keep anti-virus signatures up to date, how will they keep the rules and exceptions up to date?
Your goal should be to secure SQL Server so that you aren't concerned about anti-virus. If you're not having sex, you don't need to buy condoms. :-)
In my experience anti-virus is often a false security blanket. It is either responding as a post-mortem correction or, in some cases, doesn't have the signature yet for the new threat - either because it is not kept up to date by the system administrator or by the vendor (or both). Since rules and exceptions can change over time, if sysadmins can't keep anti-virus signatures up to date, how will they keep the rules and exceptions up to date?
Your goal should be to secure SQL Server so that you aren't concerned about anti-virus. If you're not having sex, you don't need to buy condoms. :-)
Context
StackExchange Database Administrators Q#19903, answer score: 9
Revisions (0)
No revisions yet.