Spo100
Level 7
Message 1 of 3

SQLServer.exe On Access exclusions

Any input/clarification would be appreciated. In our environment, we are only using the OnAccess Scanner and only the All Process Policy and have that set to only scan on Writes. According to Microsoft Guidance for Anti-Virus exclusions, they have a section titled Processes to Exclude from Virus Scanning and have the following listed.

%ProgramFiles%\Microsoft SQL Server\<Instance_ID>.<Instance Name>\MSSQL\Binn\SQLServr.exe

We run multiple instances and versions on our server, and I'm being asked to provide the full path to the SQLServer.exe for all instances. Although I can get the list pretty easily, I'm questioning if doing this will have any impact as I think they are misinterpreting the guidance.

My belief is that because we are using the all-processes policy, then the SQLServer.exe is included by default and does not need to be listed as an exclusion. Plus the policy is to only Scan on Writes, and we won't ever write the SQLServer.exe. They are reluctant to enable the Low-Risk and High-Risk profiles, but if they did, then SQLServer.exe should be added to the Low-Risk. Yet that is still different than adding it to the exclusion list.

I know providing them with the full path that they are asking for is the easy thing to do, yet I think it is just cluttering up the exclusion list and confusing people on what they think might or might not be happening. 

Another reason for not adding it is that they already have the full path to the instance defined with exclude all subfolders... 

%ProgramFiles%\Microsoft SQL Server\<Instance_ID>.<Instance Name>\MSSQL\

Which again I believe would be enough to ignore a scan on the SQLServer.exe
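An added example, not part of the original post or of any McAfee tooling: a component-wise check of whether proposed sqlservr.exe file exclusions are already covered by folder exclusions that include subfolders. The paths, instance IDs, the `%ProgramFiles%` expansion and the matching model are assumptions, and the check says nothing about how the scanner treats I/O performed by the running process.

```python
import re
from pathlib import PureWindowsPath

# Assumed expansion for the %ProgramFiles% variable used in the post.
ENV = {"programfiles": r"C:\Program Files"}

# Constructed folder exclusions: (path, also-exclude-subfolders flag).
# Instance IDs and names are hypothetical.
FOLDER_EXCLUSIONS = [
    (r"%ProgramFiles%\Microsoft SQL Server\MSSQL13.PROD\MSSQL", True),
    (r"%ProgramFiles%\Microsoft SQL Server\MSSQL15.REPORTS\MSSQL", False),
]

# Constructed sqlservr.exe locations proposed as additional file exclusions.
PROPOSED = [
    r"C:\Program Files\Microsoft SQL Server\MSSQL13.PROD\MSSQL\Binn\sqlservr.exe",
    r"c:\program files\microsoft sql server\MSSQL15.REPORTS\MSSQL\Binn\SQLServr.exe",
    r"C:\Program Files\Microsoft SQL Server\MSSQL13.PROD\MSSQL_OLD\Binn\sqlservr.exe",
]

def parts(path, env=ENV):
    """Expand %VAR% references and split into lower-cased path components."""
    expanded = re.sub(r"%([^%]+)%",
                      lambda m: env.get(m.group(1).lower(), m.group(0)), path)
    return tuple(p.lower() for p in PureWindowsPath(expanded).parts)

def covering_exclusion(file_path, exclusions):
    """Return the folder exclusion that already covers file_path, else None."""
    parent = parts(file_path)[:-1]
    for folder, subfolders in exclusions:
        root = parts(folder)
        # Compare whole components so MSSQL does not match MSSQL_OLD.
        if parent == root or (subfolders and parent[:len(root)] == root):
            return folder
    return None

def audit(proposed, exclusions):
    """Map each proposed file exclusion to the folder rule that makes it redundant."""
    return {p: covering_exclusion(p, exclusions) for p in proposed}

if __name__ == "__main__":
    for path, rule in audit(PROPOSED, FOLDER_EXCLUSIONS).items():
        print("REDUNDANT" if rule else "NOT COVERED", path, "<-", rule)
```

Entries reported as not covered are the ones worth a second look: either the folder rule lacks the subfolder flag or the binary lives outside the excluded tree.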

2 Replies
McAfee Employee dmcgeary
Message 2 of 3

Re: SQLServer.exe On Access exclusions

Rich topic that is prone to misunderstandings.
There is a slew of KBs on the topic because of this.
I'd recommend this one, as it has a video:
https://kc.mcafee.com/corporate/index?page=content&id=KB55139

If you're using the "All Process Policy", that means all processes are scanned with one profile.
With that said, only scanning on Write is a touchy topic 🙂
See the full reason in William Warren's blog here:
https://community.mcafee.com/t5/Blog/On-Access-Scanner-Improve-Performance-Maintain-Security/bc-p/54...

Attempting to give a short answer, I'll quote an excerpt from a post by rmetzger (Level 14):

Quoting William Warren's Blog:

TLDR version

  • Scan When Writing to Disk does not scan while files are being written to disk; it scans files after they have been written to disk. That is also the time files can be Read from disk, meaning, a file can be Opened before the Write Scan occurs or completes. If the Scan When Reading from Disk option is disabled, you can be infected by known malware because it can be launched before the scan occurs.
  • Scan When Writing to Disk does not block access to files until a scan is complete; that is what Scan When Reading from Disk is for.
  • Scan When Writing to Disk does not guarantee a scan will occur; that is what Scan When Reading from Disk is for.

William Warren speaks at greater length on this in his blogs and I would highly recommend reading his info.

 

If performance is the issue you wish to address, there are many means available that can improve performance while leaving Scan on Read enabled.

Path Forward:

Enable use of High and Low
Turn off read and write scanning for Low Risk
And add the process name SQLServr.exe as a Low Risk process
(look at turning back on Read scanning for Default and leave on for sure in High Risk.)

Add path\pattern exclusions to High and Default.
Look at a migration plan to ENS where a trust model is used for scan avoidance.

 

Spo100
Level 7
Message 3 of 3

Re: SQLServer.exe On Access exclusions

dmcgeary, thanks for the thorough reply. I have now watched that video 3 times. It is the reason I'm questioning the way we are implementing exclusions. I'm not in control of the way we implement the virus scan, but I have suggested the use of Low and High risk profiles. The group responsible has said this is a new feature that they are not familiar with and they will review the use in the future, but right now they are confident the exclusions they have are working as desired.

Can I ask a simpler follow-up question... The guidance from Microsoft where it says Processes to exclude from virus scanning... It lists the full path to the 3 SQL exe's. The team here is assuming that by putting the full path to the exe in the exclusion list that they are meeting the guidance from Microsoft and that it will be treated as a 'process' versus simply a file exclusion when the .exe is read and written. Does putting in the full path to the .exe in the exclusions mean that VirusScan will treat the process as a Process and exclude any reads or writes that exe does from scanning?

Thanks again.
