Recommended IFS Apps9 Server (DB/MID) antivirus exclusions

  • 8 October 2020
  • 4 replies
  • 334 views


We currently do not have any antivirus exclusions set up on our AV suite (Trend Micro Security Agent) on our IFS Oracle DB/Middleware servers (12c Ent/Apps 9).

Does anybody want to contribute to this topic regarding best practice? Or what you decided to implement and why?

We are doing some work on DR scenarios and noticed during our testing that AV was causing some user login delay - hence the conversation.

Thanks in advance,

Pete



Hi @pwlm,

I don’t know about best practice, but our current exclusions include:

On the Middleware Server…

E:\IFS\

On the Database Server...

E:\app\
F:\fast_recovery_area\
F:\oradata\


Hi @pwlm

I see you raised this one recently. I am also reviewing this, as our operations team is wanting to push a new AV product at our main IFS DB and MW servers.

I can't speak for everyone, but this sends shivers down my spine. I feel that AV software is more likely to cause downtime/performance issues than what it is protecting us from. Also, are our servers already protected sufficiently in other ways (Firewalls/Network config/Internet access etc...)?

After a quick glance on the internet I have read that Anti-virus can cause Oracle to hang and even cause corruption…. Of course, we all agree protection of our ERP systems is needed.

I suspect we will go ahead with the following:

  • Exclude all database file types including datafiles, tempfiles, controlfiles, redologs, archivelogs (FRA), password file.
  • Exclude the IFS Home area on middleware.
  • Schedule scans to only occur outside of working hours, so probably running on Sunday.

If anyone else has a view on this, please jump in.

Thanks

Mike
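An exclusion list like the one above is only safe if it stays narrow: a whole-volume entry, an unscoped extension pattern, or a scratch directory any user can write to turns the exclusion into a blind spot rather than a performance fix. The following is an added example, not code from the thread or from IFS or Trend Micro, that audits a proposed exclusion list before it is handed to the AV console. The sample list is constructed: it reuses the four directory paths shared earlier in the thread and adds three deliberately bad entries (a drive root, a bare `*.dbf` pattern, and a world-writable temp folder) to exercise each rule. Rule thresholds and the set of "shared writable" directories are assumptions, not vendor guidance.

```python
"""Audit a proposed antivirus exclusion list for over-broad or risky entries.

Added example: the rules and the sample list below are constructed for this
illustration and are not an IFS, Oracle or Trend Micro recommendation.
"""
import re
from dataclasses import dataclass

# Constructed sample: the four directory exclusions from the thread plus three
# intentionally bad entries so every rule below fires at least once.
PROPOSED_EXCLUSIONS = [
    "E:\\IFS\\",
    "E:\\app\\",
    "F:\\fast_recovery_area\\",
    "F:\\oradata\\",
    "F:\\",                # constructed: whole-volume exclusion
    "*.dbf",               # constructed: extension-only, matches on every path
    "C:\\Windows\\Temp\\", # constructed: writable by any local user
]

# Assumed list of directories any local account can write to. Excluding these
# from scanning hides whatever gets dropped there, so a server policy should
# never contain them.
SHARED_WRITABLE = ("c:\\windows\\temp", "c:\\users", "c:\\programdata", "c:\\temp")

DRIVE_ROOT = re.compile(r"^[a-z]:\\?$")      # e.g. "f:" or "f:\"
EXT_ONLY = re.compile(r"^\*\.[a-z0-9]+$")    # e.g. "*.dbf"


@dataclass
class Finding:
    entry: str
    severity: str  # "high", "medium" or "low"
    reason: str


def normalize(entry: str) -> str:
    """Lower-case and drop the trailing backslash so comparisons are stable."""
    return entry.strip().lower().rstrip("\\")


def covers(parent: str, child: str) -> bool:
    """True when excluding `parent` already excludes everything under `child`."""
    p, c = normalize(parent), normalize(child)
    return p != c and c.startswith(p + "\\")


def audit(entries):
    """Return one Finding per entry that is over-broad, risky or redundant."""
    findings = []
    for entry in entries:
        n = normalize(entry)
        if DRIVE_ROOT.match(n):
            findings.append(Finding(entry, "high",
                "excludes an entire volume; scope it to the Oracle/IFS directories"))
        elif EXT_ONLY.match(n):
            findings.append(Finding(entry, "medium",
                "extension-only pattern applies on every path; anchor it to a directory"))
        elif any(n == w or n.startswith(w + "\\") for w in SHARED_WRITABLE):
            findings.append(Finding(entry, "high",
                "directory writable by any local user; it would become an unscanned drop location"))
        # Redundancy check: a broader entry already covers this one.
        for other in entries:
            if other != entry and covers(other, entry):
                findings.append(Finding(entry, "low", f"already covered by {other}"))
                break
    return findings


def effective_scope(entries):
    """Drop entries that another entry already covers, keeping the original order."""
    return [e for e in entries if not any(o != e and covers(o, e) for o in entries)]


if __name__ == "__main__":
    for f in audit(PROPOSED_EXCLUSIONS):
        print(f"[{f.severity:6}] {f.entry:28} {f.reason}")
    print("effective scope:", effective_scope(PROPOSED_EXCLUSIONS))
```

Run against the constructed list, the audit flags `F:\` as high (and, as a consequence, `F:\fast_recovery_area\` and `F:\oradata\` as redundant), `*.dbf` as medium, and `C:\Windows\Temp\` as high, while the two `E:\` entries pass clean. Dropping the drive-root entry and re-running is the quickest way to confirm the list has come back down to the directories the database and middleware actually need.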


Hi @pwlm

I can't speak for everyone, but this sends shivers down my spine. I feel that AV software is more likely to cause downtime/performance issues than what it is protecting us from.

Today’s antimalware situation is terrible all around.


If software works without antimalware but fails with it in place, the first reaction by a software vendor is to say “we don’t support antimalware”. It’s cheaper to say this than to investigate ways to mitigate the effects of it. I’ve found, for example, that the Apache Ant scripts in the Extended Server installation attempt to delete temporary files, but they can’t be deleted if they’re still being scanned. In our development environment, I wrapped those deletion attempts with <retry> blocks in the Ant scripts and was able to make those issues go away without any exceptions in place. The existence of antimalware is too commonplace in the enterprise environment to ignore.


Policies that dictate the standardized use of antimalware aren’t always made by technicians; they’re made by management organizations rightfully concerned with risk exposure. However, those policies leave out important details on what ought to be allowable as an exception. As an extreme example, if you exclude every file and every process, what’s the point of saying you have an antimalware solution in place at all?


I’m very hopeful that the move to a serverless cloud-native architecture will improve this situation tremendously. (I sincerely doubt companies like Google or Microsoft or Amazon are running McAfee or Norton on all their servers!) If you were only sending application code to a platform vendor and were releasing control of the OS platform itself, then the attack surface becomes significantly smaller. You wouldn’t have to worry about one of your own administrators doing something silly like reading their email or browsing the web directly from the server.

Building from a recipe, like with Docker, means all the knowledge of that platform is baked in; if it completely falls over, provided the data tier isn’t compromised, you would be able to rebuild it from scratch without having to worry about rebuilding a golden palace only one admin fully understands.

The announcement that IFS is looking at Docker was for me the most exciting revelation of the last IFS World Conference.


Hi everyone,

Please refer to the Anti-Virus section of the IFS Technical Documentation here for IFS recommendations:

https://docs.ifs.com/techdocs/foundation1/020_installation/020_installing_fresh_system/010_planning_installation/012_middle_tier_considerations/default.htm