  1. #1
    Join Date
    Dec 2007
    Posts
    28

    Unanswered: Running Anti-Virus on a windows Oracle server

    Hi,
    I've got 2 oracle 10g servers running windows 2003. They have been running for a while and so all that's good.
    A flash oracle consultant from one of my software suppliers has flown in and told me to get rid of the anti-virus on the 2 oracle servers. He says that anti-virus should NEVER be run on an Oracle server.
    This is giving me sleepless nights.
    I come from a windows background and i have never put a windows server onto any network without antivirus (unless it was a testing server that i could afford to lose).

    Does anyone else out there run oracle on windows with an AV? I have been doing this for 5 years now and it has been fine. And, until i was told, i didn't realise that my instance was in imminent danger of crashing - i still find it hard to believe, but perhaps i have been lucky? (and i'm certainly not an oracle expert so it really would be luck!)

    My compromise is to add a lot of exclusions for the on-access scanning. I was thinking to add *.dbf, *.log and *.ctl file extensions.
    I wonder if this would be a sensible compromise? And if there are some other oracle file types that should definitely be left out of a virus scan.

  2. #2
    Join Date
    Jun 2004
    Location
    Liverpool, NY USA
    Posts
    2,509
    Your instance isn't going to crash, the problem is that the AV steals a lot of cycles from the processor. If the ONLY thing on the server is the database and you never use it for any other application, how could it get infected.
    Bill
    You do not need a parachute to skydive. You only need a parachute to skydive twice.

  3. #3
    Join Date
    Jan 2003
    Location
    Massachusetts
    Posts
    5,800
    Provided Answers: 11
    Quote Originally Posted by beilstwh
    ...how could it get infected.
    I believe this qualifies for "Famous Last Words". There are a number of viruses for Windows that can be transmitted just through the network, and need no help from email attachments. The Sasser worm comes to mind.

    What you can (and should) do is exclude the oracle data directories from any on access scan. The datafiles are not executable, so this should not be a large problem.

  4. #4
    Join Date
    Dec 2007
    Posts
    28
    Hmmm... i think i should have emphasized the context more.
    Bear in mind I am talking about Windows servers that have internet access (both for their own updates and so that they may be connected to from outside as remote access is a high priority). I think this changes the situation drastically.
    And with those 2 things in mind, and knowing what i know about windows, i think i can never turn on one of these servers without an anti-virus and expect it to still be working by the end of the day.
    And yet the default database advice remains constant: 'don't run AV, it will have an adverse effect on the database and anyway the server won't get infected'.
    ??
    It doesn't make sense from where i'm coming from.
    I look after SMB's running oracle on windows and the questions that come up (once you get it going!) are always security and remote access. This standard approach of 'run your database in an isolated island' and then you won't have any of these issues just doesn't work on small windows networks.
    I wonder when Oracle on Windows will be large enough to deserve its own forum?

  5. #5
    Join Date
    Jan 2003
    Location
    Massachusetts
    Posts
    5,800
    Provided Answers: 11
    Instead of relying on FUD (Fear, Uncertainty, and Doubt), you can set up perfmon to trace how much of the system the anti-virus software is taking up. Most AV packages are barely noticeable for most of the day, and can have full scans scheduled for off-peak times.

  6. #6
    Join Date
    Dec 2007
    Posts
    28
    That's a good idea, i don't know how to do that yet but thanks for the tip.
    And yes, of course, the full scans run at off-peak times and they are a concern, but mostly i am concerned with the on-access scanner.
    Also it's more the adverse effects beyond performance issues that i'm trying to find out about, i.e. if instances can really be brought down by an AV (which our visiting consultants assure me they can).
    I read an account of an oracle instance (think it was the Burleson site) which had an on-access scanner installed which was locking files while oracle was trying to use them and i can see how this could be potentially disastrous. But this is the worst thing i've found. Also metalink have come up with a response this afternoon:
    "An anti-virus software consumes OS resources heavily. Installing anti-virus software along with Oracle database may impact the database performance. However, there are no other restrictions to install anti-virus software along with Oracle database on Windows Server."

    I would prefer a fuller answer - what exactly does 'no other restrictions' mean? Does this mean the same thing as 'your instance definitely will not fail'?... Well this is what i am taking it to mean and therefore that pretty much tallies with the first half of Bill's answer. i.e. AV's slow oracle down but won't break them.
    So anyway thanks everyone, the anti-virus is definitely staying on my oracle servers no matter what any consultants say.

  7. #7
    Join Date
    Jun 2003
    Location
    Toronto, Canada
    Posts
    5,516
    Provided Answers: 1
    I guess there is a chance that AV could find something in one of the database files that it would mistake for a virus signature and subsequently attempt to remove the "virus", thus damaging the file. I'd say that, as long as you exclude database files from both on-access and regular AV scans, you should be fine.
    ---
    "It does not work" is not a valid problem statement.

  8. #8
    Join Date
    Mar 2010
    Location
    Vienna, Austria
    Posts
    149
    In my opinion, there are basically 2 answers for this question:

    1.) the answer that applies for "strategical" systems (systems that seriously impact your customer's existence when they fail)

    There the rule is easy: No DB server (regardless if Windows, Linux, Solaris, OpenVMS etc. etc.) should ever come closer to the internet than its DMZ!



    2.) The pragmatic way :

    Whether your customer (or employer) wants to hear it or not: security costs a lot of money. So it is (or should be) a management decision based on a risk - cost analysis:

    If you put your DB - server on the internet it is - let's face it - hackable (if the DBA and the sysadmin are good you'll need CRAYs to do it, but it's hackable).

    So the real question is: what is more expensive/valuable:

    - your data stored in this particular database is stolen/corrupted
    or
    - multiplying the hardware resources to keep up with the overhead of a virus scanner

    This is not even meant cynically.
    If it's just a dynamic web page with basically nothing but PR stuff on it, who cares, if a potential customer - who is supposed to read this stuff anyway - "steals" it, or you have to reinstall the system statistically every 6 months because you have a virus on it ...
    "There is always an easy solution to every problem - neat, plausible, and wrong."
    -- H.L. Mencken

  9. #9
    Join Date
    Aug 2003
    Location
    Where the Surf Meets the Turf @Del Mar, CA
    Posts
    7,776
    Provided Answers: 1
    below is my current configuration
    Internet<->Corporate FireWall<->WebServer<->DMZ Firewall<->Application Server<->FireWall#1<->Internal NetWork<->FireWall#2<->DB Server

    While DB server is secure, it is a royal PITA to service DB from home.
    A manual ssh login occurs to pass through each of the 4 FireWalls.
    FireWall#1 & FireWall#2 come from different vendors.
    You can lead some folks to knowledge, but you can not make them think.
    The average person thinks he's above average!
    For most folks, they don't know, what they don't know.
    Good judgement comes from experience. Experience comes from bad judgement.

  10. #10
    Join Date
    Aug 2009
    Posts
    262
    anacedent. The caliphs of oracle have spoken

    Here in my small call center / software house, we practiced windows2003 servers without antivirus for quite a while. But now we run windows based servers with an antivirus software.

    Is it true that Linux OS does not catch viruses? ... at least oracle considers Linux as its first born child and the rest of the OSes as native americans.

  11. #11
    Join Date
    Jun 2004
    Location
    Liverpool, NY USA
    Posts
    2,509
    When I said nothing else would use it, I assumed that oracle is running on Linux. Personally except for a canned package from a vendor, we have never run oracle on windows.
    Bill
    You do not need a parachute to skydive. You only need a parachute to skydive twice.

  12. #12
    Join Date
    Jan 2003
    Location
    Massachusetts
    Posts
    5,800
    Provided Answers: 11
    There might be one or two viruses that target Linux, but they would be very rare. This is more a function of market share than actual vulnerability. When Linux gets up to around 30 - 40% of the PC market, spam-bot wranglers will look to subvert Linux as well.

  13. #13
    Join Date
    Jun 2004
    Posts
    796
    Provided Answers: 1
    Quote Originally Posted by n_i View Post
    I guess there is a chance that AV could find something in one of the database files that it would mistake for a virus signature and subsequently attempt to remove the "virus", thus damaging the file. I'd say that, as long as you exclude database files from both on-access and regular AV scans, you should be fine.
    This is what we do at my place of work. The AV software doesn't interfere with performance but it has on occasion in the past mistaken a Db file as being infected and tried to clean it, rendering it broken.
    90% of users' problems can be resolved by punching them - the other 10% by switching off their PCs.

  14. #14
    Join Date
    Aug 2003
    Location
    West
    Posts
    101
    We run antivirus on all of our windoze servers. For oracle we have this guideline from the antivirus software .....

    Oracle Required Exclusions
    Data files: Data files generally have a .dbf extension ....\oracle\oradata\*.dbf
    Redo files: Redo files have a .log extension ....\oracle\Inventory\logs\*.log
    Control files: Control files have a .ctl extension ....\oracle\oradata\*.ctl
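
The exclusion approaches discussed in this thread (extension-wide, path-scoped, and whole data directory) can be compared before they are applied. The following is an added example, not code from any poster or antivirus vendor: every path and policy in it is constructed, and it assumes the scanner's `*` wildcard also spans backslashes, which should be checked against the actual product.

```python
import ntpath
from fnmatch import fnmatchcase

# Constructed inventory: (path, role). Any role other than "other" marks an
# Oracle file that the thread says the scanner should leave alone.
INVENTORY = [
    (r"D:\oracle\oradata\ORCL\SYSTEM01.DBF", "datafile"),
    (r"D:\oracle\oradata\ORCL\REDO01.LOG", "redo"),
    (r"D:\oracle\oradata\ORCL\CONTROL01.CTL", "control"),
    (r"E:\oradata2\ORCL\USERS02.DBF", "datafile"),    # second volume
    (r"C:\Inetpub\logs\upload.log", "other"),         # not a database file
    (r"D:\oracle\oradata\ORCL\helper.exe", "other"),  # executable in data dir
]

# Constructed exclusion policies to compare.
EXTENSION_WIDE = ["*.dbf", "*.log", "*.ctl"]
PATH_SCOPED = [r"D:\oracle\oradata\*.dbf", r"D:\oracle\oradata\*.log",
               r"D:\oracle\oradata\*.ctl"]
DIRECTORY_WIDE = [r"D:\oracle\oradata\*"]

EXECUTABLE_EXTS = {".exe", ".dll", ".bat", ".cmd", ".vbs", ".sys"}


def is_excluded(path, patterns):
    """Case-insensitive glob match; assumes '*' also spans backslashes."""
    p = path.lower()
    return any(fnmatchcase(p, pat.lower()) for pat in patterns)


def audit(inventory, patterns):
    """List database files still scanned and non-database files hidden."""
    report = {"db_still_scanned": [], "hidden_non_db": [],
              "hidden_executables": []}
    for path, role in inventory:
        excluded = is_excluded(path, patterns)
        if role != "other" and not excluded:
            report["db_still_scanned"].append(path)
        elif role == "other" and excluded:
            report["hidden_non_db"].append(path)
            if ntpath.splitext(path)[1].lower() in EXECUTABLE_EXTS:
                report["hidden_executables"].append(path)
    return report


if __name__ == "__main__":
    for name, policy in [("extension-wide", EXTENSION_WIDE),
                         ("path-scoped", PATH_SCOPED),
                         ("directory-wide", DIRECTORY_WIDE)]:
        print(name, audit(INVENTORY, policy))
```

An entry under `db_still_scanned` is a file the scanner could still lock or try to clean; an entry under `hidden_non_db` is something the scanner no longer sees.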
