Consultor Eletrônico



Kbase 20595: Considerations for Performance and Antivirus Software
Author: Progress Software Corporation - Progress
Access: Public
Published: 16/10/2008
Status: Unverified

GOAL:

How to configure your anti-virus software to avoid performance issues.

FIX:

By default, most anti-virus programs install with the option to scan all files, continuously, at medium level security. This means that all files will be scanned every time they are accessed, either by a read or a write action.

Scanning for viruses can considerably slow down any application, including Progress. Even opening a Word document on the server could take as long as 30 seconds. Depending on the security that is required and the tasks the server is handling (other than Progress), the following options can be changed:

- Scheduled vs. continuous:

If security needs are low, continuous scanning can be turned off and a full server scan scheduled every night, when activity is low. This can be done either during the backup procedure (if the third-party backup software in use allows integration with anti-virus software) or outside of the backup window (preferably before, so it is known that the backup is virus free).

- Scanning incoming, outgoing or both:

This means that a file is scanned when it is written to the server (incoming) or read from the server (outgoing) or both. Since the files should be virus free once they are written to disk, there is no chance of infection once they reside on the disk. Therefore it is essentially overkill to re-scan a file every time it is read from the disk. Progress suggests you use "incoming only".

- Scanning all files, using include or exclude list:

By default, all files are scanned, including many files that run a very low risk of ever being infected (such as temp files). Using include or exclude lists, either scan all .EXE, .DOC, .XLS, etc. files, or exclude all .TMP, .p, .r, .w, etc. files or complete directories (such as \temp or \progress).
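
The incoming-only and exclude-list options above, modeled as an added example (not Progress code and not any anti-virus product's logic), to show which file accesses are still scanned once both are applied. The drive letters, file names, the `ScanPolicy` class and its helper functions are constructed for illustration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

@dataclass(frozen=True)
class ScanPolicy:
    direction: str = "both"            # "incoming" (writes), "outgoing" (reads) or "both"
    exclude_ext: frozenset = frozenset()
    exclude_dirs: tuple = ()

# The article's suggestion; the C: locations of \temp and \progress are assumed.
TUNED = ScanPolicy("incoming", frozenset({".tmp", ".p", ".r", ".w"}),
                   (r"C:\temp", r"C:\progress"))

def _inside(path, directory):
    """True if path lies under directory; whole components, case-insensitive."""
    p = [c.lower() for c in path.parts]
    d = [c.lower() for c in PureWindowsPath(directory).parts]
    return len(p) > len(d) and p[:len(d)] == d

def should_scan(policy, filename, op):
    """Decide whether one access ('write' = incoming, 'read' = outgoing) is scanned."""
    scanned_ops = {"incoming": {"write"}, "outgoing": {"read"},
                   "both": {"read", "write"}}[policy.direction]
    path = PureWindowsPath(filename)
    if op not in scanned_ops:
        return False
    if any(_inside(path, d) for d in policy.exclude_dirs):
        return False
    # Only the final extension counts, so "update.p.exe" is still an .exe.
    return path.suffix.lower() not in policy.exclude_ext

def scanned(policy, events):
    """Return the (file, operation) events that the policy would scan."""
    return [(f, op) for f, op in events if should_scan(policy, f, op)]

# Constructed file-access events for illustration.
EVENTS = [
    (r"C:\progress\srt00123.tmp", "write"),
    (r"D:\app\order.r", "read"),
    (r"D:\app\ORDER.P", "write"),
    (r"D:\inbox\invoice.doc", "write"),
    (r"D:\inbox\invoice.doc", "read"),
    (r"D:\inbox\update.p.exe", "write"),
    (r"C:\temporary\setup.exe", "write"),   # not under C:\temp
    (r"C:\temp\setup.exe", "write"),        # skipped: directory exclusion hides it
]

if __name__ == "__main__":
    print(len(scanned(ScanPolicy(), EVENTS)), "scans with install defaults")
    for f, op in scanned(TUNED, EVENTS):
        print("still scanned:", op, f)
```

The last event shows that a directory exclusion also skips an executable written into it, so excluded directories depend entirely on the scheduled full scan.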

- Quick scan, Full scan, or Heuristic scan:

By default, most scans run a Full scan, scanning the file from beginning to end. Since viruses generally infect the beginning or the end of a file, the Quick option can be used to only scan these areas of a file. A Heuristic scan runs a full scan and additional tests to see if there are any stealth or morphing viruses hiding in a file.

- Small, medium or large definition file:

Often the virus definition file contains more than 15,000 different viruses, and comparing against this list can take some time. "In the wild", perhaps only a few hundred viruses are actually active, others having been eradicated or only discovered in test laboratories. The use of a smaller definitions list can increase performance.

Other options to keep in mind while deciding on your anti-virus strategies are:

- Auto Download and Distribution:

In order to keep the antivirus software up to date, the server can be configured to connect to the website of your anti-virus software maker and download the latest virus definition file automatically. This can be scheduled at night on a regular interval.
However, during this process, most Windows NT-based machines try to get as many CPU cycles as possible. For servers that run a 24x7 database, it is recommended that a separate machine is used for AutoDownloading.

Autodistribution automatically updates the other servers in your network with the latest definition files. On Windows NT, this often means that at the end of an update, the server automatically reboots (many times updates also include patches for the software).
Again, in a 24x7 environment or during the backup window, autodistribution is not recommended.

- Quarantine options:

Most anti-virus software has the option of putting a PC or server in quarantine when a virus is found on the machine. This means the PC cannot be accessed by other machines for a certain period of time. The default value is often set to 4 hours.

Although this option is a good way to protect against spreading a virus, imagine what happens if a database server is put into quarantine for 4 hours. The use of this option needs careful consideration.

- Action to take when virus is found:

In general, the following options are available:
- Alert someone with some kind of message (e-mail, SMS, printout, fax etc).
- Copy or move the infected file to a controlled directory.
- Try to repair the file and remove the virus.
- Delete the file.

If the infected file is part of the database, removing, curing or deleting the file can have a disastrous effect on the production environment. Since the only viruses found thus far in Progress have been phantom viruses (false alerts), the best option is to alert someone when a virus is found.