sam15 asked:

Lightweight Anti-Virus Software

Has anyone used, or had experience with, any good lightweight antivirus on a Linux/Oracle 11g server that does not use much CPU?

I tried McAfee, and that thing has major issues: it uses 100% of the CPU and kills all applications on the machine.

I have seen some mention of ESET, Sophos, ClamAV, F-Prot, Comodo, Rootkit Hunter, etc., but I have no experience with them.
Agree - Avast is lightweight and non-intrusive.
Definitely a fan.
Dave Baldwin:
Basic ClamAV is not an active scanner, only an on-demand scanner. It is supposed to work well for mail gateways because they make the scan request on new emails.
You can read McAfee's best practices for deployment and exclude *ALL* Oracle files.
Configuring the AV is always a requirement on an Oracle server,
no matter what OS it is.
Yes, and McAfee's recommendation in this regard is to never scan Oracle data files...
ESET seems the best overall managed solution if you want to cover all Linux, Windows, and OS X systems. It's lightweight on all of them. I haven't yet experienced a slowdown on any of the systems so far. I also don't get complaints from the users.

Avoid McAfee & Symantec.
sam15 (asker):
<<<You can read McAfee's best practices for deployment and exclude *ALL* Oracle files>>>

I do not manage this, but the McAfee operator seems to always add directory or process exclusions.

Is that really normal, and is it how other antivirus software normally works? It sounds like it is McAfee-specific.

Is it also normal for an A/V scanner to use 100% CPU and hang the machine, or should that be considered a piece of junk software?

My understanding is that A/V software should only run in real time if you download a new file to the machine, and it should be very lightweight and not use more than 10% CPU. Is this correct?

<<<Configuring the AV is always a requirement on an Oracle server,
no matter what OS it is>>>

I have spoken to many DBAs on Linux and no one runs antivirus on it.
Linux is different from Windows, and you can only damage it if you run malware as root. In Windows, all software runs as admin.
sam15 (asker):
I looked at the document. Are you suggesting turning off the real-time (on-access) scan and running it on demand (i.e. once per week)?

What if you run it on demand and it still uses 100% of the CPU? Isn't that still bad software? Can't you say that anything that uses over 20% puts performance at risk?

Any idea how much CPU ClamAV, Avast, Sophos or ESET normally use when they run?
Nope, it suggests exclusions for the Oracle database.
It uses 100% of one CPU core. Don't you have a multiprocessor or at least a hyperthreading machine at hand?

Once your ePO administrator says they are in place, just copy the eicar.com file into the Oracle data directory, under whatever file should not be scanned.
If it is caught and cleaned, ask them to fix it. Once they are good, Oracle should run fine.
If they don't, just immunize your system against the antivirus and ignore their woes.
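The question above (whether an on-demand scan can be run without pegging the CPU) has a standard defensive answer: schedule the scan under the lowest CPU and I/O priority and keep it out of the Oracle trees. The script below is an added example, not code from the thread, from McAfee or from the ClamAV project; the Oracle base directory, the log path, the cron line and the function names scan_excludes/run_scan are assumptions for illustration.

```shell
#!/bin/sh
# Added example: a throttled, scheduled ClamAV on-demand scan with the
# Oracle exclusions discussed in the thread. All paths are constructed.

SCAN_ROOT="${SCAN_ROOT:-/}"
ORACLE_BASE="${ORACLE_BASE:-/u01/app/oracle}"            # assumed Oracle base tree
SCAN_LOG="${SCAN_LOG:-/var/log/clamav/weekly-scan.log}"  # assumed log location

# scan_excludes: print the clamscan exclusion arguments, one per line, so
# the list can be reviewed (or tested) without running a scan.
# clamscan takes POSIX regexes for --exclude and --exclude-dir.
scan_excludes() {
    printf '%s\n' \
        "--exclude-dir=^$ORACLE_BASE/" \
        '--exclude=\.(dbf|ctl|log)$' \
        '--exclude-dir=^/proc/' \
        '--exclude-dir=^/sys/' \
        '--exclude-dir=^/dev/'
}

# run_scan [ROOT]: run the scan at the lowest CPU priority (nice 19) and in
# the idle I/O class (ionice -c 3) so database I/O is served first.
# --infected lists only hits; findings also go to the log for review.
run_scan() {
    root="${1:-$SCAN_ROOT}"
    set -f                      # no globbing while splitting the pattern list
    set -- $(scan_excludes)     # patterns contain no whitespace, so splitting is safe
    set +f
    nice -n 19 ionice -c 3 clamscan --recursive --infected \
        --log="$SCAN_LOG" "$@" "$root"
}

# Weekly run, Sunday 03:00, as a root crontab entry (constructed):
#   0 3 * * 0 /usr/local/sbin/weekly-clamscan.sh
# where weekly-clamscan.sh sources this file and calls run_scan.
```

The exclusions mirror the ones quoted in the thread (the Oracle tree, *.dbf, *.ctl, *.log); whatever list the ePO administrator actually deploys is the authoritative one, so compare the two rather than assuming they match.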
sam15 (asker):
I just searched the document vsel_170_config_guide_en-us.pdf for the word "oracle" and there is no mention of it at all. Are you sure about your reference?

We have one physical Dell PowerEdge 2900 server with 2 dual- or quad-core CPUs.
We are running 4 different virtual machines (VMware) on it (Crystal, Oracle, Apache, .NET), etc. We have a couple of Windows VMs and a couple of Linux VMs.

I do not know how it is configured (dedicated CPU or shared, etc.). But when the scanner runs, the Oracle VM slows down and becomes useless.

Are you saying to copy eicar.com to the database files directory, or to any directory, to exclude scans? I doubt my permissions would allow that.

Do you agree that this software has major problems versus other scanners? Is it normal for antivirus software to work like this?
My bad, VSEL_1_7_Best_Practices_Guide.pdf is the right one.
sam15 (asker):
I see the recommendation now for *.dbf, *.ctl and *.log.

This is just a start, as there are OEM tools, Java, etc., etc.

I recall they added an exclusion for the Oracle home directory, which should include all of those anyway. But isn't this really an ineffective workaround for malfunctioning software?

Does other antivirus software work like this, using exclusions and 100% CPU for normal scans?

It seems the two most popular packages are ClamAV and Avast:

http://www.makeuseof.com/tag/free-linux-antivirus-programs/

http://www.linux.org/threads/malware-and-antivirus-systems-for-linux.4455/

Am I reading this right? John McAfee says McAfee software is the worst on the planet. Unbelievable!

http://www.entrepreneur.com/article/230684

http://upstart.bizjournals.com/entrepreneurs/hot-shots/2014/01/07/intel-drops-mcafee-name-from-software.html
John McAfee is no longer really involved with his namesake software company and hasn't been for quite some time, but he's right. Symantec and McAfee are software to avoid.

McAfee's somewhat eccentric, to put it mildly. He took his millions to Belize a long while back and made an "escape" out of there a year ago and abandoned his compound. He's currently in the USA and "on the lam". http://www.usatoday.com/story/tech/2014/03/25/john-mcafee-on-the-lam-blue-ridge-mountains-futuretense/6374671/
You need to have access to the McAfee log and to the local web interface.
And don't trust "should be excluded anyway" - always drop the EICAR test file, as they actually recommend.

You're lucky it takes just 100% of the CPU.
sam15 (asker):
What do you mean by being lucky if it only takes 100% CPU? That kills the machine's performance.

But let me ask you, since you are security experts:

Before you deploy any antivirus software on any machine with applications running,
do you normally have to set up a dedicated test machine, install the antivirus there, and do some sort of certification and document the test results before you can deploy it?
There should be some acceptance procedure in place; definitely it is not you, the end consumer, who should build the test infrastructure.
What would they do with a Windows desktop and such an AV?
sam15 (asker):
Yes, but the test server should have the custom applications running on it too. Then you test the performance of the application.

Since you are an expert, would you accept anything that uses 99% CPU?

What is the maximum CPU usage you are willing to accept when the scanner runs?

Did you ever use the ClamAV and Avast products?
I don't use a resident scanner.
I use H+BEDV, BitDefender and F-Prot (this is the fast one) in appropriate places where untrusted files from Windows can appear. Had the requirement to have McAfee some time ago. Why do you try to jump into the spirit of their request? They say you must have AV configured. Letter by letter, disabling it is also "configured".
Maximum CPU usage obviously is 100% among all cores, while McAfee just uses one (or is there a new engine already that uses more than one?).
sam15 (asker):
What do you mean by "you don't use a resident scanner"? Does the scanner reside somewhere else and you run it from another machine? Is this possible?

I do not want AV, but they keep claiming it is a standard.

Do you also mean you can install it and disable it by adding exclusions for all directories, so it is sitting there but doing nothing?

On-demand might resolve the issue, but the standard calls for real-time on-access scanning.
A resident scanner is one that runs all the time, aka McAfee On-Access Scan.
You can evict it completely with 2 kernel parameters, no matter the settings on ePO.
sam15 (asker):
Yes, a couple of boneheads in security. They keep claiming a company standard calls for malware protection, and the company seems to use this poison software McAfee. I do not think it has been tested or certified with a Linux VM and Oracle, though.

If you have ideas to counter that, let me know.

When you run ESET and ClamAV, does it affect your server performance (CPU)?

<<<You can evict it completely with 2 kernel parameters, no matter the settings on ePO>>>

What are those kernel parameters, and do you need root privilege for that?
sam15 (asker):
It seems blacklisting a service requires editing a blacklist file, which might require root access and a server reboot. Is this correct?

http://askubuntu.com/questions/110341/how-to-blacklist-kernel-modules

Where can I get that eicar.com file to copy it to the directory for exclusion?
You have to change the kernel boot parameters in /etc/grub.conf.
That in turn requires a reboot to apply.
sam15 (asker):
Yes, the file is locked by root.

ls -alt grub*
-rw------- 1 root root 995 Nov  1  2012 grub.conf

What about that "eicar.com" file mentioned? Where do you get this file from?
Go to the site www.eicar.com and look for the antivirus test file.
Remember, you need it to test whether the exclusions of the Oracle datafiles are in force.
sam15 (asker):
The login is a closed area. Can you download it without having a login account?
http://www.eicar.org/86-0-Intended-use.html
Scroll down and copy the one-liner.
Now if you make that one-liner the content of a .exe file, the AV is expected to "clean" it.
Or if you keep it as a line in a text file, the AV should not react.
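The advice in the thread (drop the EICAR test file into an excluded directory and see whether the on-access scanner catches it) together with the exclusion patterns it names (*.dbf, *.ctl, *.log, the Oracle home) can be turned into a repeatable check. The script below is an added example, not code from the thread, from McAfee or from EICAR: it classifies a path against those rules and then probes a directory with a marker file. The Oracle home path, the marker file name, the function names is_excluded/verify_exclusion and the PROBE_CONTENT variable are assumptions; the probe content defaults to a harmless placeholder, and the EICAR one-liner itself is not reproduced here (copy it from the eicar.org page linked above when testing against a real scanner).

```shell
#!/bin/sh
# Added example: check a path against the exclusion rules quoted in the
# thread, then verify an on-access exclusion by dropping a marker file and
# seeing whether it survives. Paths and the default probe content are constructed.

# Assumed Oracle home (constructed for the example; override via environment)
ORACLE_HOME_DIR="${ORACLE_HOME_DIR:-/u01/app/oracle/product/11.2.0/dbhome_1}"

# is_excluded PATH -> exit 0 when the thread's exclusion rules cover PATH.
# In a case pattern '*' also matches '/', so these match the whole path.
is_excluded() {
    case "$1" in
        "$ORACLE_HOME_DIR"/*) return 0 ;;   # whole Oracle home excluded
        *.dbf|*.ctl|*.log)    return 0 ;;   # datafiles, control files, redo logs
        *)                    return 1 ;;
    esac
}

# verify_exclusion DIR [WAIT_SECONDS]
# Writes a marker file into DIR, waits for the on-access scanner to react,
# and reports whether the file is still there. With PROBE_CONTENT set to the
# EICAR one-liner (not reproduced here), a file that is removed or quarantined
# means the exclusion is NOT in force; the default placeholder only exercises
# the mechanics and will not trigger any scanner.
verify_exclusion() {
    dir="$1"
    wait="${2:-5}"
    marker="$dir/av_exclusion_probe.txt"
    printf '%s\n' "${PROBE_CONTENT:-constructed-placeholder-not-a-test-string}" \
        > "$marker" || return 2
    sleep "$wait"
    if [ -f "$marker" ]; then
        echo "exclusion in force: $marker untouched"
        rm -f "$marker"
        return 0
    else
        echo "exclusion NOT in force: $marker was removed"
        return 1
    fi
}

# Usage (constructed): verify_exclusion /u01/app/oracle/oradata/ORCL 10
```

is_excluded only encodes the rules quoted in the thread; the list actually pushed from ePO is what the scanner obeys, which is exactly why the marker-file probe, and not the rule list, is the evidence to keep.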
sam15 (asker):

Excellent solutions!