SQL Server Health Check

How To Configure Antivirus Running On SQL Server

Updated
4 min read
Written by
Mark Varnas
laptop antivirus check

There is a lot of antivirus software from different vendors like Avast, McAfee, Sophos, BitDefender, Kaspersky…

I would first question the necessity of having antivirus software on SQL Server.

Then question it again.

Seriously. I am not joking.

SQL Servers are often internal. Behind firewalls. Not accessible from outside. Only available by internal apps.

Therefore, it may not make sense to run an antivirus on the SQL Server box.

But not everything is under DBA’s control.

When you know you can’t win the antivirus battle, you at least want to configure antivirus software properly.

Microsoft’s best practices lead us to antivirus exclusions.

How to configure antivirus for SQL Server (and improve performance)

Add antivirus exclusions to these:

  • SQL Server processes
    1.  %ProgramFiles%\Microsoft SQL Server\<Instance_ID>.<Instance Name>\MSSQL\Binn\SQLServr.exe;
    2. %ProgramFiles%\Microsoft SQL Server\<Instance_ID>.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe;
    3. %ProgramFiles%\Microsoft SQL Server\<Instance_ID>.<Instance Name>\OLAP\Bin\MSMDSrv.exe;
  • All SQL Server data files
    These will have extensions of .mdf, .ldf, .ndf, .bak, .trn.
  • SQL Server backup files
    These backup files usually have the extensions .bak and .trn.
  • Full-text catalog files
    This is typically the FTData folder in your SQL Server path.
    In each MSSQLX.X folder, there will be multiple FTData folders that need to be excluded from antivirus scanning.
  • Trace files
    These files are created by a user when running a SQL Server Profiler Trace and usually have the extension .trc.
  • Extended Event file targets
    Any Extended Events trace log files, usually have the extension .xel.
  • Third-party SQL backup solution
    If you use a third-party backup software like Idera, Red-Gate, or LiteSpeed, add those file extensions too.
  • Remove FILESTREAM containers (if you use them).
  • Replication executables and server-side COM objects.
  • Files in the Replication Snapshot folder.
  • Schedule scans during the lowest activity hours.

Additional antivirus exclusions for Windows Failover Clusters

Ensure you add these additional antivirus exclusions for Windows Failover Clusters, and, importantly, don’t forget to perform this on each node:

  • The entire quorum/witness disk.
  • The \MSDTC directory on disks used by an MSDTC resource.
  • The \Cluster subdirectory of the Windows installation.
  • All full-text catalog files.
  • If you are using Analysis Services, the entire directory on the shared drives contains all Analysis Services data files.
    If you do not know this location now, remember to set the filter post-installation.
  • Antivirus software should be ‘Cluster-Aware’. Check with the antivirus vendor if it is.

Special cases

Avoid the performance and consistency issues when certain modules are loaded into SQL Server address space (KB 2033238).

If you use any of the following products, check these vendor recommendations:

Here are a few useful links:

Conclusion

Plan A – try not to run Antivirus on SQL Servers.

Plan B – when you have to, then make sure proper antivirus exclusions for SQL Server are added.

Agree? Disagree? Comment below.

Article by
Mark Varnas
Founder | CEO | SQL Veteran
Hey, I'm Mark, one of the guys behind Red9. I make a living performance tuning SQL Servers and making them more stable.

2 thoughts on “How To Configure Antivirus Running On SQL Server”

    • MDF and LDF files are always open and actively being written to. You don’t want Antivirus software to be messing with those files. One – its a performance hit. Two – it can corrupt a file. Antivirus software looks for certain patterns in the file, so its quite possible to find that pattern. And then it will try modify db files and you will end up with corrupt database files.

      I have also seen Antivirus to completely corrupt FileStream databases. As those store files on disk.

      And #3 – Microsoft recommends to skip scanning of SQL db files. More info SQL Server and Antivirus Configuration.

      Reply

Leave a Comment

Managed SQL Server services, consulting, and emergency support from expert DBAs to improve performance, predictability, and cost.

Get started with Red9 today.

Contact us

Discover More

SQL Server Health Check SQL Server Migrations & Upgrades SQL Server Performance Tuning SQL Server Security SQL Server Tips

Discover what clients are saying about Red9

Red9 has incredible expertise both in SQL migration and performance tuning.

The biggest benefit has been performance gains and tuning associated with migrating to AWS and a newer version of SQL Server with Always On clustering. Red9 was integral to this process. The deep knowledge of MSSQL and combined experience of Red9 have been a huge asset during a difficult migration. Red9 found inefficient indexes and performance bottlenecks that improved latency by over 400%.

Rich Staats 5 stars
Rich Staats
Cloud Engineer
MetalToad

Always willing to go an extra mile

Working with Red9 DBAs has been a pleasure. They are great team players and have an expert knowledge of SQL Server database administration. And are always willing to go the extra mile to get the project done.
5 stars
Evelyn A.
Sr. Database Administrator

Boosts server health and efficiency for enhanced customer satisfaction

Since adding Red9 to the reporting and DataWarehousing team, Red9 has done a good job coming up to speed on our environments and helping ensure we continue to meet our customer's needs. Red9 has taken ownership of our servers ensuring they remain healthy by monitoring and tuning inefficient queries.
5 stars
Andrew F.
Datawarehousing Manager
See more testimonials