
Servers - disabling on-access scanning

Interested on other people's thoughts on disabling on-access scanning for servers.



  • Hi,

    Do you have any particular server roles in mind?  AD/DNS/File server/SQL?

    Certain roles will be impacted more by AV scanning than others.  If you think about the level of file I/O on a machine based on its role, and how many files and what types of files make up the set of frequently accessed files, you can start to make informed decisions on configuration/exclusions.

    I would start with exclusions before disabling on-access as long as it was practical and then maybe consider the scanning options after that, i.e. on-read/on-write and then various types of scanning such as suspicious files/suspicious behaviour.


    One way of determining the possible exclusions that might help "lighten the load" on the machine would be to run Process Monitor (if not considered too dangerous on a live server) during normal operation for maybe a couple of minutes, filtered just by file operations.  Then go to "Tools" - "File Summary" and sort by opens and closes.  This will give you an idea of the files being opened and closed regularly.
    Likewise "Resource Monitor", which comes with Vista+ and is accessible from Task Manager, can also be used to establish such information. The "Disk" tab there will show you what's going on.

    Hope that offers something.

    Regards,

    Jak 

  • Rather than disabling scanning, you may find it better to either:

    a) add lots of exclusions depending on server role (see MS TechNet site for recommended exclusions)

    or

    b) change to scan on write rather than scan on read

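The file-summary step Jak describes, together with the role-based exclusion list suggested in the reply above, as an added worked example (this is not code from the original thread, from Sophos, or from Microsoft): a Python script that reads a Process Monitor CSV export (the column set of a standard "Save as CSV" export), reproduces the opens/closes/reads/writes counts of the File Summary dialog, rolls hot paths up into directory and extension exclusion candidates, refuses to propose anything executable (an exclusion on a DLL or script folder blinds the scanner exactly where malware wants to live), and reports the read/write split that tells you whether switching to scan-on-write only would actually lighten the load. The capture embedded in the script is constructed sample data, not a real trace; the process names, paths and the `min_opens` threshold are assumptions for the illustration.

```python
"""Turn a Process Monitor CSV export into AV exclusion candidates.

Usage: export a file-system-only capture from Process Monitor
(File > Save..., CSV) and point SAMPLE_CSV / load_events at it.
"""
import csv
import io
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Hot or not, these must never go into an on-access exclusion:
# excluding them means code loads are no longer inspected.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".ps1", ".bat", ".cmd",
                   ".vbs", ".js", ".scr", ".com"}


def _make_sample_csv():
    """Constructed stand-in for a ProcMon export (NOT real capture data).

    Same header as a real export; process names, paths and counts are
    assumptions chosen to look like a small SQL/AD/IIS box.
    """
    spec = [  # (process, path, operation, repeat)
        ("sqlservr.exe", r"C:\SQLData\Sales.mdf", "CreateFile", 30),
        ("sqlservr.exe", r"C:\SQLData\Sales.mdf", "ReadFile", 900),
        ("sqlservr.exe", r"C:\SQLData\Sales.mdf", "WriteFile", 120),
        ("sqlservr.exe", r"C:\SQLData\Sales.mdf", "CloseFile", 30),
        ("sqlservr.exe", r"C:\SQLLogs\Sales_log.ldf", "CreateFile", 25),
        ("sqlservr.exe", r"C:\SQLLogs\Sales_log.ldf", "WriteFile", 700),
        ("sqlservr.exe", r"C:\SQLLogs\Sales_log.ldf", "CloseFile", 25),
        ("lsass.exe", r"C:\Windows\NTDS\ntds.dit", "CreateFile", 12),
        ("lsass.exe", r"C:\Windows\NTDS\ntds.dit", "ReadFile", 300),
        ("lsass.exe", r"C:\Windows\NTDS\ntds.dit", "CloseFile", 12),
        ("w3wp.exe", r"C:\inetpub\wwwroot\bin\App.dll", "CreateFile", 40),
        ("w3wp.exe", r"C:\inetpub\wwwroot\bin\App.dll", "ReadFile", 80),
        ("w3wp.exe", r"C:\inetpub\wwwroot\bin\App.dll", "CloseFile", 40),
        ("explorer.exe", r"C:\Users\admin\Desktop\notes.txt", "CreateFile", 1),
        ("explorer.exe", r"C:\Users\admin\Desktop\notes.txt", "CloseFile", 1),
    ]
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["Time of Day", "Process Name", "PID", "Operation",
                "Path", "Result", "Detail"])
    t = 0
    for proc, path, op, n in spec:
        for _ in range(n):
            t += 1
            w.writerow([f"10:00:{t % 60:02d}.{t:07d}", proc, 1234, op,
                        path, "SUCCESS", ""])
    return out.getvalue()


SAMPLE_CSV = _make_sample_csv()


def file_summary(csv_text):
    """Per-path counts like ProcMon's Tools > File Summary.

    ProcMon reports an open as CreateFile, so that is what we count as an open.
    """
    summary = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        bucket = {"CreateFile": "opens", "CloseFile": "closes",
                  "ReadFile": "reads", "WriteFile": "writes"}.get(row["Operation"])
        if bucket:
            summary[row["Path"]][bucket] += 1
    return summary


def exclusion_candidates(summary, min_opens=10):
    """Roll hot files up to directory and extension exclusion candidates.

    Returns (dirs, exts, refused): open counts per parent directory and per
    extension, plus the hot paths that were refused because they are executable.
    """
    dirs, exts, refused = Counter(), Counter(), []
    for path, c in summary.items():
        if c["opens"] < min_opens:
            continue
        p = PureWindowsPath(path)
        if p.suffix.lower() in EXECUTABLE_EXTS:
            refused.append(path)  # hot, but an exclusion here hides code loads
            continue
        dirs[str(p.parent)] += c["opens"]
        exts[p.suffix.lower()] += c["opens"]
    return dirs, exts, refused


def read_write_split(summary):
    """Fraction of I/O that is reads vs writes.

    If reads dominate, scan-on-write only removes most of the cost;
    if writes dominate (log-heavy roles) it buys little.
    """
    reads = sum(c["reads"] for c in summary.values())
    writes = sum(c["writes"] for c in summary.values())
    total = reads + writes
    return (reads / total if total else 0.0), (writes / total if total else 0.0)


if __name__ == "__main__":
    s = file_summary(SAMPLE_CSV)
    dirs, exts, refused = exclusion_candidates(s)
    print("Directory candidates:", dirs.most_common())
    print("Extension candidates:", exts.most_common())
    print("Refused (executable):", refused)
    print("read/write split: %.2f / %.2f" % read_write_split(s))
```

Treat the output as a shortlist to check against the vendor's published per-role exclusions, not as something to paste straight into the policy: a directory that is hot because a database lives there is a reasonable exclusion, a directory that is hot because a web application keeps reloading its own DLLs is not, which is why the script refuses executable extensions outright.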
    We disable on-access scanning on our Windows SBS 2008 & Server 2003 with SQL 2005.  This was a recommended setup from our IT provider that I inherited and decided to keep. We do have PureMessage running on there, so I suppose we are doing at least some on-access scanning on the SBS server.

    Instead we do a full scan every week during off-peak hours, prevent server access to all but a few employees, regular patch and update, enable Internet Explorer enhanced security configuration, physical lock of the tower doors to prevent device connection.

    We've had Sophos break on the application server due to a forced reboot, which meant it was out of action for 8 months and couldn't be uninstalled due to file corruption. Finally fixed it, and the scheduled scan has come back negative. Consequently I'm still none too worried about not having on-access on either server.

    Of course I am no expert so don't take me as such!
