This discussion is archived
13 Replies Latest reply: Jan 18, 2013 4:25 AM by Osama_Mustafa RSS

AntiVirus on Oracle Server

KeenOnOracle Explorer
Currently Being Moderated
Hi Friends,

You guys have the practice to install antiVirus on Oracle Servers Running Windows or even RedHat?

What do you guys think as a pros and cons?

Tks
  • 1. Re: AntiVirus on Oracle Server
    Dave Rabone Journeyer
    Currently Being Moderated
    On windows exclude anything related to Oracle. Full stop, no questions, no argument.
  • 2. Re: AntiVirus on Oracle Server
    Osama_Mustafa Oracle ACE
    Currently Being Moderated
    KeenOnOracle wrote:
    Hi Friends,

    You guys have the practice to install antiVirus on Oracle Servers Running Windows or even RedHat?

    What do you guys think as a pros and cons?

    Tks
    Which type of anit-virus you want , You just need to install Anit virus or total security.


    But as note, Don't include Oracle Files On ScaN Schudle Since Antivirus could corrupt oracle datafiles , or binary we are talking here about windows and linux , and make sure that if you install Total Security which usually comes with firewall Oracle ports will still available , For Linux which is usually effected by rootkits there's some tools could you use such as rootkits hunter
  • 3. Re: AntiVirus on Oracle Server
    BillyVerreynne Oracle ACE
    Currently Being Moderated
    KeenOnOracle wrote:

    You guys have the practice to install antiVirus on Oracle Servers Running Windows or even RedHat?
    Nope. Never.

    But nor do I have the habit of playing with the trigger of a loaded double barrel shotgun. Pointed at my feet. As that would be kind of idiotic.
    What do you guys think as a pros and cons?
    Being an idiot, or not being idiot?
  • 4. Re: AntiVirus on Oracle Server
    Dave Rabone Journeyer
    Currently Being Moderated
    AV won't corrupt files but can easily crash an instance by locking a file that Oracle wants to write to. Control files especially susceptible to this ... Been there, done that.
  • 5. Re: AntiVirus on Oracle Server
    Osama_Mustafa Oracle ACE
    Currently Being Moderated
    Dave Rabone wrote:
    AV won't corrupt files but can easily crash an instance by locking a file that Oracle wants to write to. Control files especially susceptible to this ... Been there, done that.
    that what we are talking about , I prefer linux for Oracle Installation, Both have advantage and disadvantage.
  • 6. Re: AntiVirus on Oracle Server
    KeenOnOracle Explorer
    Currently Being Moderated
    Billy Verreynne     

    I'm laughing at your courage to write bullshits and offenses behind your desk while drinking soda and eating snacks...
    Wish I had conversation with you in personal to chat a little more professional and seriously.

    All the guys had good arguments, you dont need to be sarcastic. And if install AV on Win server I'm not an idiot, its just my decision. I'm pretty sure you wont have courage to call me idiot face to face (laughing at you again, and a lot!)

    Thanks guys for all the tips.
  • 7. Re: AntiVirus on Oracle Server
    KeenOnOracle Explorer
    Currently Being Moderated
    Billy Verreynne had these comments that do not add anything to anyone. Totally unnecessary.
    """""
    But nor do I have the habit of playing with the trigger of a loaded double barrel shotgun. Pointed at my feet. As that would be kind of idiotic.
    Being an idiot, or not being idiot?
    """"

    all other guys gave some good arguments and tips
  • 8. Re: AntiVirus on Oracle Server
    BillyVerreynne Oracle ACE
    Currently Being Moderated
    The question is How do you secure an Oracle Server?

    If you need to answer that by installing and using anti-virus scanning s/w to scan for infected files on the server, then you have, IMO, lost the security war. Fact. Your database server has been compromised. Fact. Your database server has been infected.

    And what I call idiotic is thinking that now running an anti-virus scanner fixes the problem.

    Security is not about running an anti-virus scanner and sitting with warm fuzzies that your database server (with potentially critical and sensitive business data) is now secure.

    Security is about identifying risks and then mitigating these risks.

    So apologies if you felt my calling the concept of anti-virus s/w on a database server, idiotic, offensive. It was not intended as a personal reflection on you. It was aimed at the horribly flawed concepts used to address security issues. And I'm used to calling a spade, a shovel, in cases like this.
  • 9. Re: AntiVirus on Oracle Server
    Osama_Mustafa Oracle ACE
    Currently Being Moderated
    Actually Billy Has Good Point Here , if you are installing Anti Virus For Security Purpose you have another option and long list to check it.
  • 10. Re: AntiVirus on Oracle Server
    BillyVerreynne Oracle ACE
    Currently Being Moderated
    KeenOnOracle wrote:
    Billy Verreynne had these comments that do not add anything to anyone. Totally unnecessary.
    Comments were aimed at showing how totally unnecessary and ridiculous anti-virus files scanners are as defensive measure on a server.

    Especially a database server - as data is "uploaded" into SQL tables and not into o/s files. So what exactly is an anti-virus scanner suppose to scan?

    Database files? Bad idea. It can crash the database.

    Server executables? Why? These come from trusted installation and patching media - and not some adhoc upload.

    What is the major attack vector for a database server? SQL injection.

    So just how and where does an anti-virus scanner fit into the database server picture?

    Anti-virus scanners is a knee jerk re-action to one of the worse, security wise, operating systems, ever designed and written. Microsoft Windows. And in typical Microsoft fashion, security problems are attempted to be reactively dealt with (after compromisation and infection), and not proactively.

    Not saying that reactive action is not needed - but it should and must play second fiddle to proactive action. I bet that many a Windows database server is managed by an 'admin' that has no idea what services are enabled and what services should not be enabled for a database platform.
  • 11. Re: AntiVirus on Oracle Server
    jgarry Guru
    Currently Being Moderated
    Totally agree with Billy, AV on Windows/Oracle server is a bad idea.

    But I have to add, databases don't always run on what we think of as servers (or conversely, the line is blurred between server and not-server these days).

    For example, I'm running XE on my PC. Work requires AV on my PC. I totally agree with that! Even though there is hardware AV between me and the intertubes. All it takes is one stupid move on my part, like navigating to a web site with a hidden auto download mysterious hacker thing. Or updating java.

    I'm running Oracle on my PC, doesn't that make it a server? How about all the VM's in the company running XE for production purposes? Or super-duper PC's with Oracle running in one VM and SQL Server in another and client emulators in a bunch of others?

    I've never been convinced most places have decent risk management in the first place.
  • 12. Re: AntiVirus on Oracle Server
    BillyVerreynne Oracle ACE
    Currently Being Moderated
    Joel, I think one needs to differentiate between client-server (a s/w architecture) and server in a h/w sense that is used to run server s/w for a client-server architecture.

    When dealing with server h/w platform, the checklist is very different from that of a client h/w platform.

    And as you well know, part of that checklist is to determine exactly what server s/w this server h/w will be hosting/running.

    Does it make sense to have a database server as part of a NT domain? Does it need network PnP services? Or the COM+ Event engine? DHCP client service? A print spooler? NetBIOS over TCP/IP? Etc.

    And that is why I find it silly approaching a server h/w platform security as if it is a client h/w platform - ignoring basic server security fundamentals (like reducing attack vectors by only running services required), and instead wanting to use anti-virus tools that are typically for the client h/w security domain...

    Perhaps the real point is that o/s server security is not intended to be the responsibility for a DBA with little server o/s experience and only a basic knowledge of client platform security. As that is when you get an anti-virus s/w slowing down server I/O and even crashing the database when hitting database datafiles - without providing real protection.
  • 13. Re: AntiVirus on Oracle Server
    Osama_Mustafa Oracle ACE
    Currently Being Moderated
    True Billy, to Secure Server there's Long List to do instead of Installing anti virus, As I see ignorant user is the main problem , I always recommend that company should spend small fortune to educate their users, this is the first step and there's lot of steps can avoid you lot of problems and issues. anti virus not of them

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points