Hi @pwlm,
I don’t know about best practice, but our current exclusions include:
On the Middleware Server…
- E:\IFS\
On the Database Server…
- E:\app\
- F:\fast_recovery_area\
- F:\oradata\
Hi @pwlm
I see you raised this one recently. I am also reviewing this, as our operations team is wanting to push a new AV product at our main IFS DB and MW servers.
I can't speak for everyone, but this sends shivers down my spine. I feel that AV software is more likely to cause downtime/performance issues than what it is protecting us from. Also, are our servers already protected sufficiently in other ways (Firewalls/Network config/Internet access etc...)?
After a quick glance on the internet I have read that Anti-virus can cause Oracle to hang and even cause corruption… Of course, we all agree protection of our ERP systems is needed.
I suspect we will go ahead with the following:
- Exclude all database file types including datafiles, tempfiles, controlfiles, redologs, archivelogs (FRA), password file.
- Exclude the IFS Home area on middleware.
- Schedule scans to only occur outside of working hours, so probably running on Sunday.
If anyone else has a view on this, please jump in.
Thanks
Mike
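Mike's exclusion list as a concrete configuration, added here as an example rather than code from this thread: it assumes Microsoft Defender Antivirus as the AV engine (other products expose equivalent settings), reuses the drive paths posted earlier in the thread, and the function names and the 02:00 Sunday scan time are assumptions.

```powershell
# Added example, not from the thread. Assumes Microsoft Defender Antivirus;
# run in an elevated PowerShell session on the server in question.
# Paths are the ones posted earlier in this thread; change them to match yours.

$Exclusions = @{
    # Database server: datafiles, tempfiles, controlfiles and redo logs live under
    # oradata; archive logs in the FRA; Oracle home (incl. password file) under app.
    Database   = @('E:\app\', 'F:\oradata\', 'F:\fast_recovery_area\')
    # Middleware server: the IFS Home area.
    Middleware = @('E:\IFS\')
}

function Add-IfsAvExclusions {
    param(
        [Parameter(Mandatory)][ValidateSet('Database', 'Middleware')][string]$Role
    )
    foreach ($path in $Exclusions[$Role]) {
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Skipping $path - folder does not exist on this host"
            continue
        }
        # Path exclusions stay scoped to the folder. Excluding *.dbf or *.log by
        # extension instead would leave those file types unscanned anywhere on disk.
        Add-MpPreference -ExclusionPath $path
    }
}

function Set-IfsScanWindow {
    # Full scan on Sunday only, outside working hours (02:00 local, assumed).
    Set-MpPreference -ScanParameters FullScan -ScanScheduleDay Sunday -ScanScheduleTime '02:00:00'
}

function Show-IfsAvExclusions {
    # Review what is really excluded; the list should stay as short as possible.
    $p = Get-MpPreference
    [pscustomobject]@{
        Paths      = $p.ExclusionPath
        Extensions = $p.ExclusionExtension
        Processes  = $p.ExclusionProcess
        ScanDay    = $p.ScanScheduleDay    # 1 = Sunday
        ScanTime   = $p.ScanScheduleTime
    }
}

Add-IfsAvExclusions -Role Database
Set-IfsScanWindow
Show-IfsAvExclusions | Format-List
```

Running Show-IfsAvExclusions after the change gives the operations team a record of exactly which folders are unscanned, which is the list to review whenever an exclusion request comes in.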
Hi @pwlm
I can't speak for everyone, but this sends shivers down my spine. I feel that AV software is more likely to cause downtime/performance issues than what it is protecting us from.
Today’s antimalware situation is terrible all around.
If software works without antimalware but fails with it in place, the first reaction by a software vendor is to say “we don’t support antimalware”. It’s cheaper to say this than to investigate ways to mitigate the effects of it. I’ve found, for example, that the Apache Ant scripts in the Extended Server installation attempt to delete temporary files, but they can’t be deleted if they’re still being scanned. In our development environment, I wrapped those deletion attempts with <retry> blocks in the Ant scripts and was able to make those issues go away without any exceptions in place. The existence of antimalware is too commonplace in the enterprise environment to ignore.
Policies that dictate the standardized use of antimalware aren’t always made by technicians; they’re made by management organizations rightfully concerned with risk exposure. However, those policies leave out important details on what ought to be allowable as an exception. As an extreme example, if you exclude every file and every process, what’s the point of saying you have an antimalware solution in place at all?
I’m very hopeful that the move to a serverless cloud-native architecture will improve this situation tremendously. (I sincerely doubt companies like Google or Microsoft or Amazon are running McAfee or Norton on all their servers!) If you were only sending application code to a platform vendor and were releasing control of the OS platform itself, then the attack surface becomes significantly smaller. You wouldn’t have to worry about one of your own administrators doing something silly like reading their email or browsing the web directly from the server.
Building from a recipe, like with Docker, means all the knowledge of that platform is baked in; if it completely falls over, provided the data tier isn’t compromised, you would be able to rebuild it from scratch without having to worry about rebuilding a golden palace only one admin fully understands.
The announcement that IFS is looking at Docker was for me the most exciting revelation of the last IFS World Conference.