Guidelines for choosing antivirus software to run on the computers that are running SQL Server

This article provides general guidelines to help you decide which type of antivirus software to run on the computers that are running SQL Server in your environment.

Microsoft strongly recommends that you individually assess the security risk for each computer that is running SQL Server in your environment and that you select the tools that are appropriate for the security risk level of each computer that is running SQL Server. Additionally, Microsoft recommends that before you roll out any virus protection project, test the whole system under a full load to measure any changes to stability and performance.

Virus protection software requires some system resources to execute. You must perform testing before and after you install your antivirus software to determine if there is performance impact to the computer that is running SQL Server.

Security risk factors

• The value to your business of the information that is stored on the computer.
• The required security level for that information.
• The cost of losing access to that information.
• The risk of either virus or bad information propagating from that computer.

High-risk servers

Any server is at some risk of infection. The highest risk servers generally meet one or more of the following criteria:

• The servers are on the public Internet.
• The servers have open ports to servers that are not behind a firewall.
• The servers read or execute files from other servers.
• The servers run HTTP servers, such as Microsoft Internet Information Services (IIS) or Apache. (For example: SQL XML for SQL Server 2000.)
• The servers are also hosting file shares.
• The servers use SQL Mail to handle inbound or outbound e-mail messages.

Servers that do not meet the criteria for a high-risk server are generally at a lower risk, although not always.

Virus tool types

• Active virus scanning: This type of scanning checks incoming and outgoing files for viruses.
• Virus sweep software: Virus sweep software scans existing files for file infection. It detects files after they are infected with a virus. This type of scanning may cause the following SQL Server database recovery and SQL Server full-text catalog file issues:
  • If the virus sweep has opened a database file and still has it open when SQL Server tries to open the database (such as when SQL Server starts or when SQL Server opens a database that AutoClose has closed), the database to which the file belongs might be marked suspect. The SQL Server database files typically have the .mdf, .ldf, and .ndf file suffixes.
  • If the virus sweep software has a SQL Server full-text catalog file open when the Microsoft Search service (MSSearch) tries to access the file, you may experience problems with the full text catalog.
• Vulnerability scanning software: The Microsoft Security Tool Kit CD includes best practice guidelines, information about securing your system, and service packs and patches that can protect your system against virus attacks. It also provides Microsoft tools to help you secure your systems and keep them secure. To download it, visit the following Microsoft Web site:
  http://www.microsoft.com/security/ (http://www.microsoft.com/security/)
• Antispyware software: Spyware and unwanted software refers to software that performs certain tasks on your computer, typically without your consent. For more information about how to help protect the computer from spyware and unwanted software, visit the following Microsoft Web site:
  http://www.microsoft.com/protect/computer/spyware/default.mspx (http://www.microsoft.com/protect/computer/spyware/default.mspx)
  Additionally, Microsoft has released the Microsoft Windows Malicious Software Removal Tool to help remove specific, prevalent malicious software from computers that are running Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000. For more information about the Microsoft Windows Malicious Software Removal Tool, click the following article number to view the article in the Microsoft Knowledge Base:
  890830  (http://support.microsoft.com/kb/890830/ ) The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000

Directories to exclude from virus scanning

When you configure your antivirus software settings, make sure that you exclude the following files and directories from virus scanning. Doing this improves the performance of the files and helps make sure that the files are not locked when the SQL Server service must use them. However, if these files become infected, your antivirus software will not unable to detect the infection.

• SQL Server data files
  
  These files usually have one of the following file name extensions:
  • .mdf
  • .ldf
  • .ndf
• SQL Server backup files
  
  These files frequently have one of the following file name extensions:
  • .bak
  • .trn
• Full-Text catalog files
• The directory that holds Analysis Services data
  
  Note The directory that holds all Analysis Services 2005 data and Analysis Services 2008 data is specified by the DataDir property of the Analysis Services instance. By default, the path of this directory is C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data. If you use Analysis Services 2000, you can view and change the data directory by using Analysis Manager. To do this, follow these steps:
  1. In Analysis Manager, right-click the server, and then click Properties.
  2. In the Properties dialog box, click the General tab.
  The directory appears under Data folder.
• The directory that holds Analysis Services temporary files that are used during Analysis Services processing
  
  Note The directory that holds all Analysis Services 2005 and Analysis Services 2008 temporary files during processing is specified by the TempDir property of the Analysis Services instance. By default, this property is empty. When this property is empty, the default directory is used. This directory is C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Data. If you use Analysis Services 2000, you can view and change the directory that holds temporary files in Analysis Manager. To do this, follow these steps:
  1. In Analysis Manager, right-click the server, and then click Properties.
  2. In the Properties dialog box, click the General tab.
  3. On the General tab, notice
  Note the directory under Temporary file folder.
  
  Optionally, you can add a second temporary directory for Analysis Services 2000 by using the TempDirectory2 registry entry. If you use this registry entry, consider excluding from virus scanning the directory to which this registry entry points. For more information about the TempDirecotry2 registry entry, see the "TempDirectory2" section of the following Microsoft Developer Network (MSDN) Web site:
  http://msdn.microsoft.com/en-us/library/aa902654(SQL.80).aspx#sql2k_anservregsettings_topic52 (http://msdn.microsoft.com/en-us/library/aa902654(SQL.80).aspx#sql2k_anservregsettings_topic52)
• Analysis Services backup files
  
  Note By default, in Analysis Services 2005 and in Analysis Services 2008, the backup file location is the location that is specified by the BackupDir property. By default, this directory is C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Backup. You can change this directory in the Analysis Services instance properties. Any backup command can point to a different location. Or, the backup files may be copied elsewhere.
• The directory that holds Analysis Services log files
  
  Note By default, in Analysis Services 2005 and in Analysis Services 2008, the backup file location is the location that is specified by the LogDir property. By default, this directory is C:\Program Files\Microsoft SQL Server\MSSQL.X\OLAP\Log.
• Directories for any Analysis Services 2005 or Analysis Services 2008 partitions that are not stored in the default data directory
  
  When you create the partitions, these locations are defined in the Storage location section of the Processing and Storage Locations page of the Partition Wizard.

Considerations for clustering

You can run antivirus software on a SQL Server cluster, but you must make sure that the antivirus software is a cluster-aware version. Contact your antivirus vendor about cluster-aware versions and interoperability.

If you are running antivirus software on a cluster, make sure that you also exclude these locations from virus scanning:

• Q:\ (Quorum drive)
• c:\Windows\Cluster

If you back up the database to a disk or if you back up the transaction log to a disk, you can exclude the backup files from the virus scanning.

For updated security related information, Microsoft recommends that you subscribe to the security alert alias. To subscribe, visit the following Microsoft Web site, and then view the Security Bulletins section: To find general information regarding SQL Server security, including best practices, various security models, and security bulletins, visit the following Microsoft Web site: For more information about additional antivirus considerations on a cluster, click the following article number to view the article in the Microsoft Knowledge Base: