sam15
asked on
Lightweight_Anti_Virus_Software
Has anyone used or had experience with any good lightweight antivirus on a Linux/Oracle 11g server that does not use much CPU?
I tried McAfee and that thing has major issues: it uses 100% of CPU and kills all applications on the machine.
I have seen some mention of ESET, Sophos, ClamAV, f-prot, comodo, rootkit hunter, etc., but I have no experience with them.
Basic ClamAV is not an active scanner, only an on-demand scanner. It is supposed to work well for mail gateways because they will make the scan request on new emails.
You can read on mcafee's best practices for deployment and exclude *ALL* oracle files
configuring of an AV is always a requirement on an oracle server
doesn't matter what os it is
Yes, and mcafees recommendation in this regard is to not scan oracle data files ever...
ESET seem the best overall managed solution, if you want to cover all Linux, Windows, and OSX systems. It's lightweight on all of them. I haven't yet experienced a slowdown on any of the systems so far. I also don't get complaints from the users.
Avoid McAfee & Symantec.
ASKER
<<<You can read on mcafee's best practices for deployment and exclude *ALL* oracle files >>>>
I do not manage this but the mcafee operator seems to always add directory or process exclusions.
Is that really normal and how other antivirus software normally works? It sounds like it is mcafee specific.
Is it also normal for A/V scanner to use 100% CPU and hang the machine or that should be considered a piece of junk software?
My understanding is that A/V software should only run real-time if you download a new file to machine and it should be very lightweight and not use more than 10% CPU. Is this correct?
<<<configuring of an AV is always a requirement on an oracle server
doesn't matter what os it is >>>
I have spoken to many DBAs on Linux and no one runs antivirus on it.
Linux is different than Windows and you can only damage it if you run malware using root. In Windows, all software runs as admin.
ASKER
I looked at the document. Are you suggesting to turn off real time (on access scanning) scan and run it on-demand (i.e. once per week)?
What about if you run it on-demand and it still used 100% of CPU. Is not that still bad software? Can't you say that everything that uses over 20% put performance at risk.
Any ideas how much CPU do Clam AV or avast or sophos or Eset normally use when they run?
Nope, it suggests exclusions for oracle database.
It uses 100% of one CPU core. Don't you have a multiprocessor or at least a hyperthreading machine at hand?
Once your ePO administrator says they are in place, just copy the eicar.com file into the oracle data directory under whatever file should not be scanned.
If it is caught and cleaned, ask them to fix it. Once they are good, oracle should run fine.
If they don't, just immunize your system against antivirus and ignore their woes.
ASKER
I just searched this document vsel_170_config_guide_en-us.pdf
for word "oracle" and there is no mention of it at all. Are you sure about your reference?
We have one physical dell 2900 poweredge server with 2 dual or quad core CPUs.
We are running 4 different virtual machines (vmware) on it (crystal, oracle , apache, .NET) etc. We have couple of windows VMs and couple of linux VMs.
I do not know how it is configured (dedicated CPU or shared, etc). But when scanner runs the oracle VM slows down and becomes useless.
Are you saying to copy eicar.com to database files directory or any directory to exclude scans? I doubt my permissions would allow that.
Do you agree that this software has major problems versus other scanners? Is it normal for antivirus software to work like this?
My bad,
VSEL_1_7_Best_Practices_Guide.pdf is the right one
ASKER
I see the recommendation now for *.dbf and *.ctl and *.log.
This is just a start as there are OEM tools, java, etc., etc.
I recall they added an exclusion for the oracle home directory which should include all of those anyway. But is this not really an ineffective workaround for malfunctioning software?
Does other virus software work like this, using exclusions and using 100% CPU for normal scans?
It seems the two most popular software is ClamAV and Avast:
http://www.makeuseof.com/tag/free-linux-antivirus-programs/
http://www.linux.org/threads/malware-and-antivirus-systems-for-linux.4455/
Am i reading this right. John Mcafee says mcafee software is the worst on planet. Unbelievable!
http://www.entrepreneur.com/article/230684
http://upstart.bizjournals.com/entrepreneurs/hot-shots/2014/01/07/intel-drops-mcafee-name-from-software.html
John McAfee is no longer really involved with his namesake software company and hasn't been for quite some time, but he's right. Symantec and McAfee are software to avoid.
McAfee's somewhat eccentric, to put it mildly. He took his millions to Belize a long while back and made an "escape" out of there a year ago and abandoned his compound. He's currently in the USA and "on the lam". http://www.usatoday.com/story/tech/2014/03/25/john-mcafee-on-the-lam-blue-ridge-mountains-futuretense/6374671/
You need to have access to mcafee log and to local web interface.
And don't trust "should be excluded anyway" - always drop the eicar test file as they actually recommend.
You're lucky it takes just 100% of CPU link
ASKER
what do you mean by being lucky if it only takes 100% cpu? that kills the machine performance.
but let me ask you since you are security experts.
before you deploy any antivirus software on any machine with applications running,
do you normally have to set up a dedicated test machine and install the antivirus there and do some sort of certification and document the test results before you can deploy it?
There should be some acceptance procedure in place; definitely it is not you, the end consumer, who should build test infrastructure.
What would they do with a Windows desktop and such AV?
ASKER
Yes, but the test server should have the custom applications running on it too. Then you test the performance of application.
Since you are an expert, would you accept anything that use 99% CPU?
What is the maximum CPU usage you are willing to accept when scanner runs?
Did you ever use ClamAV and Avast products?
I don't use a resident scanner
I use hbedv, bitdefender and f-prot (this is the fast one) in appropriate places where untrusted files from Windows can appear. Had the requirement to have McAfee some time ago. Why do you try to jump into the spirit of their request? They say you must have AV configured. Letter-by-letter, disabling it is also "configured"
Maximum CPU usage obviously is 100% among all cores, while mcafee just uses one (or there is new engine already that uses more than one ?)
ASKER
What do you mean by you don't use a resident scanner? Does the scanner reside somewhere else and you run it from another machine? Is this possible?
I do not want AV but they keep claiming it is a standard.
Do you also mean you can install it and disable it by adding exclusion to all directories so it is sitting there but doing nothing?
The on-demand might resolve the issue but the standard calls for real-time on access.
Resident scanner is one that runs all the time, aka McAfee On-Access Scan. You can evict it with 2 kernel parameters completely, no matter the settings on ePO
ASKER
Yes, a couple of boneheads in security. They keep claiming a company standard calls for malware protection and the company seems to use this poison software McAfee. I do not think it has been tested or certified with Linux VM and Oracle though.
If you have ideas to counter that let me know.
When you run ESET and ClamAV does it affect your server performance (CPU ?).
<<<You can evict it with 2 kernel parameters completely, no matter the settings on ePO >>
What are those kernel parameters and do you need root privilege for that?
ASKER
it seems blacklisting a service requires to edit a blacklist file which might require root access and reboot server. is this correct?
http://askubuntu.com/questions/110341/how-to-blacklist-kernel-modules
Where can i get that file eicar.com to copy it to the directory for exclusion?
You have to change kernel boot parameters /etc/grub.conf
That in turn requires reboot to apply
ASKER
Yes the file is locked by root.
ls -alt grub*
-rw------- 1 root root 995 Nov 1 2012 grub.conf
What about that "eicar.com" file mentioned. Where do you get this file from?
go to site www.eicar.com and look for antivirus test file.
remember you need it to test if exclusions of oracle datafiles are in force.
ASKER
The login is a closed area. Can you download without having a login account?
http://www.eicar.org/86-0-Intended-use.html
Scroll down and copy one-liner
Now if you make that one-liner a .exe file content AV is expected to "clean" it.
Or if you keep it as a line in a text file AV should not react.
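The exclusion check described in the replies above (drop the EICAR test file into a directory that is supposed to be excluded and see whether the scanner reacts), as an added example that is not part of the original thread. It assumes you saved the test file from eicar.org yourself to a location the scanner does not touch; the function names and the av_exclusion_test.dbf file name are made up for illustration.

```shell
#!/bin/sh
# Added example: check that an on-access scanner really skips an excluded path.
# The EICAR test file is NOT embedded; save it yourself and pass its path.
# Function names and the test file name are assumptions for illustration.

# Copy the sample into DIR as NAME (pick a name matching the exclusion,
# e.g. *.dbf). Prints the target path; returns 2 if the test cannot be set up.
drop_sample() {
    src=$1; dir=$2; name=$3
    if [ ! -r "$src" ]; then echo "cannot read sample: $src" >&2; return 2; fi
    if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo "cannot write to: $dir" >&2; return 2
    fi
    if [ -e "$dir/$name" ]; then
        echo "refusing to overwrite: $dir/$name" >&2; return 2
    fi
    # A blocked write is left for probe_sample to report as "scanned".
    cp "$src" "$dir/$name" 2>/dev/null || true
    echo "$dir/$name"
}

# "excluded" if the copy is still present and byte-identical to the sample;
# "scanned" if the scanner removed, blocked or altered it.
probe_sample() {
    if [ -f "$2" ] && cmp -s "$1" "$2"; then echo excluded; else echo scanned; fi
}

# Drop, wait DELAY seconds (default 5) for the scanner, probe, clean up.
# Exit status 0 only when the path behaved as excluded.
check_exclusion() {
    target=$(drop_sample "$1" "$2" "$3") || return 2
    sleep "${4:-5}"
    result=$(probe_sample "$1" "$target")
    rm -f "$target"
    echo "$target: $result"
    [ "$result" = excluded ]
}

# Usage: sh check_excl.sh /path/to/saved-eicar-file DIR [DIR...]
if [ "$#" -ge 2 ]; then
    sample=$1; shift
    for d in "$@"; do
        check_exclusion "$sample" "$d" av_exclusion_test.dbf || true
    done
fi
```

A "scanned" result for a directory that is supposed to be excluded is the evidence to hand to the ePO administrator.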
ASKER
Excellent solutions!
definitely a fan