SAP on Windows and Anti Virus Scan
Security for SAP on Windows is in focus at any Windows datacenter. There are many solutions available to secure Windows as well as SAP on the various layers – from using firewalls to secure port configurations, using IPsec for network communication or implementing solutions like Network Access Protection. One topic which I have now discussed several times is when and how to use anti-virus scanning on backend application servers.
To say it upfront: even when SAP servers in a datacenter are typically not connected directly to the public internet and every other security measure has been optimized, virus scanning on these servers is still recommended. However, online scans cause additional I/O load and may cause contention problems when they touch critical parts of the application or the Windows O/S. It is therefore necessary to exclude some files or directories from AV scans in order to maintain the best performance of an SAP installation. Fortunately, there is quite a bit of reference material on which exclusions to consider. The information below is not specific to a particular AV product but applies to all kinds of AV solutions.
Windows Server 2003 and Windows Server 2008 AV exclusions
%windir%\SoftwareDistribution\Datastore\Datastore.edb
%windir%\SoftwareDistribution\Datastore\Logs\Edb*.log
%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
%windir%\SoftwareDistribution\Datastore\Logs\tmp.edb
%windir%\SoftwareDistribution\Datastore\Logs\Edbres00001.jrs
%windir%\SoftwareDistribution\Datastore\Logs\Edbres00002.jrs
%windir%\security\*.edb
%windir%\security\*.sdb
%windir%\security\*.log
%windir%\security\*.chk
%windir%\softwaredistribution\*.cab
%windir%\system32\ccm\cache\*.cab
%windir%\SoftwareDistribution\Datastore\Logs\Res1.log
%windir%\SoftwareDistribution\Datastore\Logs\Res2.log
%windir%\security\database\*.sdb
%allusersprofile%\NTUser.pol
%Systemroot%\system32\GroupPolicy\**\registry.pol
File Exclusions:
Wsusscan.cab file and the Wsusscn2.cab
Windows Server Failover Cluster Services:
%windir%\Cluster
Q:\ (quorum)
DNS:
%windir%\system32\dns (all subfolders and files)
WINS:
%windir%\system32\wins (all subfolders and files)
Print Servers:
%systemroot%\System32\Spool (all subfolders and files)
Microsoft SQL Server 2000/2005/2008 AV exclusions
SQL Server data files:
.mdf
.ldf
.ndf
SQL Server backup files:
.bak
.trn
SAP AV exclusions
\usr\sap\
\SAPDB\
\SAPDATA1\
\SAP_DB\
NODE0000\*.???????????????
NODE0001\*.???????????????
SAPSprint.exe
lsagent.exe
*.container??????
*.dmp
*.errlog
*.flg
*.INI
*.JAR
*.log
*.lrg
*.node??????
Hyper-V AV exclusions
If the Windows Server is used as a Hyper-V server and hosts virtual machines, some additional virus scan exclusions are required. The following files and directories should be excluded from real-time scanning in order to avoid problems:
· Default virtual machine configuration directory (C:\ProgramData\Microsoft\Windows\Hyper-V)
· Custom virtual machine configuration directories
· Default virtual hard disk drive directory (C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks)
· Custom virtual hard disk drive directories
· Snapshot directories
· Vmms.exe
· Vmwp.exe
Please refer to Microsoft KB article 961804 for more info on Hyper-V AV exclusions
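The lists above mix three kinds of entries (paths, file extensions and process names), and several apply only to servers with a particular role. The following PowerShell is an added example, not part of the original post: it classifies a constructed subset of the entries above and reports which paths and processes are actually present on the local host, so that only the relevant ones are entered into the AV product. The function name Get-ExclusionKind and the variable names are assumptions made for this example.

```powershell
# Constructed subset of the exclusion entries listed on this page.
$entries = @(
    '%windir%\SoftwareDistribution\Datastore\Datastore.edb',
    '%windir%\SoftwareDistribution\Datastore\Logs\Edb*.log',
    '%windir%\security\database\*.sdb',
    '%windir%\Cluster',
    '%windir%\system32\dns',
    '%systemroot%\System32\Spool',
    'C:\ProgramData\Microsoft\Windows\Hyper-V',
    'SAPSprint.exe', 'Vmms.exe', 'Vmwp.exe',
    '.mdf', '.ldf', '.ndf', '.bak', '.trn', '*.dmp'
)

# Classify an entry as a file extension, a process image name or a path.
function Get-ExclusionKind {
    param([string]$Entry)
    if ($Entry -match '^\*?\.[A-Za-z0-9?]+$') { return 'Extension' }
    if ($Entry -match '^[^\\/:*?]+\.exe$')    { return 'Process' }
    return 'Path'
}

$report = foreach ($entry in $entries) {
    $kind     = Get-ExclusionKind -Entry $entry
    # Expand %windir%, %systemroot% etc. to the values on this host.
    $expanded = [Environment]::ExpandEnvironmentVariables($entry)
    $present  = switch ($kind) {
        'Path'    { Test-Path -Path $expanded }   # wildcards: true if anything matches
        'Process' {
            $name = [IO.Path]::GetFileNameWithoutExtension($entry)
            [bool](Get-Process -Name $name -ErrorAction SilentlyContinue)
        }
        default   { $null }                       # extensions do not depend on the host
    }
    [pscustomobject]@{ Kind = $kind; Entry = $entry; Expanded = $expanded; Present = $present }
}

# Full classification, grouped by the kind of exclusion the AV product expects.
$report | Sort-Object Kind, Entry | Format-Table -AutoSize

# Entries for roles or products that are not present on this server.
$report | Where-Object { $_.Kind -ne 'Extension' -and -not $_.Present } |
    Select-Object Kind, Entry
```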
Additional info and references
Virus scanning recommendations for Windows Server 2003 or Windows 2000
https://support.microsoft.com/kb/822158
Guidelines for choosing antivirus software to run on the computers that are running SQL Server
https://support.microsoft.com/kb/309422
Recommended Forefront Client Security file and folder exclusions for Microsoft products
https://support.microsoft.com/kb/943556
Overview of Exchange Server 2003 and antivirus software
https://support.microsoft.com/kb/823166
Considerations when using antivirus software on ISA Server
https://technet.microsoft.com/en-us/library/cc707727.aspx
- Josef
Comments
Anonymous
June 21, 2010
Great, thank you very much for the details!