Seems like a waste of resources to me, but our team is currently discussing. What is generally considered the best practice here?
Is it exposed to the internet? Can the system run processes that start executables?
Typically virus scanning systems are something you want on all systems. Worms that can go from PC-to-PC over the network can still attack systems that are not normally exposed to the internet are one of the common justifications for this.
edit another important part is who as Remote Desktop access? These are poential risk points as well if they go out to the internet for anything. Granted you would hope they would know better, but it is still a potential concern
Please see Guidelines for choosing antivirus software to run on the computers that are running SQL Server for help.
Answering this in isolation is hard. You need to consider your overall security strategy of your network. And how exposed the server is. How many staff have access to it and what are their security levels? What other antivirus do u have on the network, is it external facing or just internal? Is antivirus really a performance hit on it if it is just running queries all day long anyway?
All of these are important considerations.
Anti-virus software is typically aimed at end-user PCs, or for scanning emails on servers. I can't imagine any scenario where normal anti-virus software would help on a DB server, since it usually only monitors HTTP connections and does on-access scans of files the user accesses.
For protecting your servers, you need something different, mainly a firewall and perhaps also an intrusion detection system (IDS).
You should run a virus scanner on your servers, but then go into the AV exceptions settings and exclude the folder/files that contain the database files, this way the machine is safe from infection, but it won't rescan the massive database files everything they read & written too, which is all the time.
Also I recommend a lean AV package, like NOD32 by ESET, light on ram, very fast, great multicore support, it will make the least impact on performance.
I'm in favor of having anti-virus on the SQL Server but you must be sure to exclude the mdf, ndf, and ldf files from scanning or you'll hurt your performance. A reasonable compromise if your system has limited exposure is not using the real-time virus scanner and just schedule one check a day.
Another consideration is ensuring that there's some way to notify a sys-admin that there is a virus. Servers don't always get that kind of attention.
HTH Andy
I certainly wouldn't risk no anti-virus, but it is a big performance hit. Making the assumption that no-one will ever use that machine is dangerous (because you might need to install updates etc.), I guess a good compromise would be:
- Install the Antivirus.
- Lock the machine down - e.g. no Windows File Sharing, small set of authorized users, etc.
- Turn the antivirus resident shield off.
- When you copy something onto the machine update the AV and scan the file before opening it.
This is based heavily on the assumption that the people who you allow to log into the machine are responsible. And as always, make sure you are backing up often onto disconnected media (e.g. tapes/DVDs/Internet etc.) - you never know when the next blaster is going to strike.
Frankly, I think anyone who installs AV on ANY application/DB server is flat-out irresponsible. AV is for end-user desktops and file servers. Both of these contexts cannot be tightly controlled and therefore you need prophylactics like AV, SpyWare and DEP.
On average, Windows admins are a group that believe AV on ALL servers means they are protected. This tells me that they are of a lineage that never worry about STDs because they always wear condoms! Both are incredibly and ridiculously irresponsible!
Last week, my orgnaization caused thousands of servers to die because they released an update to McAfee.
In my opinion, the average Windows administrator does not have sufficient education about how malware infects systems and what services make Windows vulnerable. They simply use lots of condoms and hope for the best. When they make a baby or get a devastating STD, they use their get-out-of-jail-free-card and blame the failed condom.
You want more? Raise your hand if you install all of Microsoft's patches without understanding whether or not it even fixes a vulnerability you have or services/software you use. I thought so! (You cannot hide!) Once again, this is an approach like using plenty of condoms and hoping for the best.
Educate yourself and understand WHY your systems are vulnerable and then determine whether or not AV is providing value. If not, you are wasting CPU cycles, wasting MONEY and lowering service levels because you DON'T TAKE YOUR JOB SERIOUSLY.
Don't be fooled by the AV companies. They WANT you to buy thousands of licenses because it's a GREAT, consistent revenue stream for them.