SAP on Windows and Anti Virus Scan

Security for SAP on Windows is a focus in any Windows datacenter. There are many solutions available to secure Windows as well as SAP at the various layers – from using firewalls with secure port configurations and IPsec for network communication to implementing solutions like Network Access Protection. One topic which I have now discussed several times is when and how to use antivirus scanning on backend application servers.

To say it upfront: even when SAP servers in a datacenter are typically not connected directly to the public internet and every other security measure has been optimized, virus scanning on these servers is still recommended. However, because online scans put additional load on I/O, they can also cause contention problems when they run against critical parts of the application or the Windows OS. It is therefore necessary to exclude some files and directories from AV scans in order to maintain the best performance of an SAP installation. Fortunately, there is quite a bit of reference material available on what to consider for exclusions. The information below is not specific to a particular AV product but applies to all kinds of AV solutions.

Windows Server 2003 and Windows Server 2008 AV exclusions

%windir%\SoftwareDistribution\Datastore\Datastore.edb
%windir%\SoftwareDistribution\Datastore\Logs\Edb*.log
%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
%windir%\SoftwareDistribution\Datastore\Logs\tmp.edb
%windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs
%windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs
%windir%\security\*.edb
%windir%\security\*.sdb
%windir%\security\*.log
%windir%\security\*.chk
%windir%\softwaredistribution\*.cab
%windir%\system32\ccm\cache\*.cab
%windir%\SoftwareDistribution\Datastore\Logs\Res1.log
%windir%\SoftwareDistribution\Datastore\Logs\Res2.log
%windir%\security\database\*.sdb

%allusersprofile%\NTUser.pol
%Systemroot%\system32\GroupPolicy\**\registry.pol

File Exclusions:

Wsusscan.cab and Wsusscn2.cab

Windows Server Failover Cluster Services:
%windir%\Cluster
Q:\ (quorum)

DNS:
%windir%\system32\dns (all subfolders and files)

WINS:
%windir%\system32\wins (all subfolders and files)

Print Servers:
%systemroot%\System32\Spool (all subfolders and files)

Microsoft SQL Server 2000/2005/2008 AV exclusions

SQL Server data files:
.mdf
.ldf
.ndf

SQL Server backup files:

.bak
.trn

SAP AV exclusions

\usr\sap\

\SAPDB\

\SAPDATA1\

\SAP_DB\

NODE0000\*.???????????????

NODE0001\*.???????????????

SAPSprint.exe

lsagent.exe

*.container??????

*.dmp

*.errlog

*.flg

*.INI

*.JAR

*.log

*.lrg

*.node??????

Hyper-V AV exclusions

If the Windows server is used as a Hyper-V server and hosts virtual machines, some additional virus scan exclusions are required. The following files and directories should be excluded from real-time scanning in order to avoid problems:

· Default virtual machine configuration directory (C:\ProgramData\Microsoft\Windows\Hyper-V)

· Custom virtual machine configuration directories

· Default virtual hard disk drive directory (C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks)

· Custom virtual hard disk drive directories

· Snapshot directories

· Vmms.exe

· Vmwp.exe

Please refer to Microsoft KB article 961804 for more information on Hyper-V AV exclusions.
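Before copying the lists above into an AV policy, it helps to see which entries actually resolve on a given server. The following PowerShell script is an added example, not part of the original post and not tied to any AV product: it takes a subset of the Windows and Hyper-V entries above, expands the environment variables, and reports whether each path exists. The function name Test-ExclusionEntry and the status labels are chosen here for illustration.

```powershell
# Added example: check which exclusion entries from the lists above exist on this host.
# The entries are a subset copied from the page; extend the array as needed.
$exclusions = @(
    '%windir%\SoftwareDistribution\Datastore\Datastore.edb',
    '%windir%\SoftwareDistribution\Datastore\Logs\Edb*.log',
    '%windir%\security\*.edb',
    '%windir%\security\database\*.sdb',
    '%allusersprofile%\NTUser.pol',
    '%Systemroot%\system32\GroupPolicy\**\registry.pol',
    '%windir%\Cluster',
    '%windir%\system32\dns',
    '%windir%\system32\wins',
    '%systemroot%\System32\Spool',
    'C:\ProgramData\Microsoft\Windows\Hyper-V',
    'C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks'
)

# Test-ExclusionEntry is a hypothetical helper name used only in this example.
function Test-ExclusionEntry {
    param([Parameter(Mandatory = $true)][string]$Entry)

    # Resolve %windir%, %systemroot%, %allusersprofile% and similar variables.
    $expanded = [Environment]::ExpandEnvironmentVariables($Entry)

    if ($expanded -match '%') {
        # A leftover % means the variable name is mistyped or not defined here.
        $status = 'UnresolvedVariable'
    } elseif (Test-Path -Path $expanded -ErrorAction SilentlyContinue) {
        # Wildcard entries count as present when at least one item matches.
        $status = 'Present'
    } else {
        $status = 'NotFound'
    }

    New-Object PSObject -Property @{
        Entry    = $Entry
        Expanded = $expanded
        Status   = $status
    }
}

$report = $exclusions | ForEach-Object { Test-ExclusionEntry -Entry $_ }
$report | Sort-Object Status, Entry |
    Select-Object Status, Entry, Expanded |
    Format-Table -AutoSize -Wrap
```

Run it in an elevated session so that protected directories such as %windir%\security can be read; entries reported as NotFound typically belong to a role that is not installed on that server.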

Additional info and references

Virus scanning recommendations for Windows Server 2003 or Windows 2000
https://support.microsoft.com/kb/822158

Guidelines for choosing antivirus software to run on the computers that are running SQL Server
https://support.microsoft.com/kb/309422

Recommended Forefront Client Security file and folder exclusions for Microsoft products

https://support.microsoft.com/kb/943556

Overview of Exchange Server 2003 and antivirus software

https://support.microsoft.com/kb/823166

Considerations when using antivirus software on ISA Server

https://technet.microsoft.com/en-us/library/cc707727.aspx

- Josef