AV software can be a bit of a pain sometimes; then again, it is often also a necessity considering the growing importance of cybersecurity.
The key concerns are typically making sure that the AV doesn't take away too much of the computing resources that the DMA needs, or blocks certain things that are vital for the proper functioning of the DataMiner System. To a large extent I guess this is mainly a matter of properly configuring the AV software in the first place, so that it can happily coexist with the DataMiner software and doesn't negatively impact it, and there are some guidelines/recommendations for that in the DataMiner System Requirements.
But I was wondering if aside from those guidelines, anybody had any further practical experiences to share on that specific topic? What kind of AV products have you seen being used on DMAs? What kind of typical issues, if any, have you seen? And what caused those issues and how were they resolved? Any further recommendations or past experiences that can help people to use AV in symbiosis with DataMiner?
Some anti-malware programs seen are: Symantec EndPoint Protection, Trend Micro Inc., Sophos EndPoint Security.
One is more invasive than the other. Typically, a file scan is performed and can affect DataMiner in a way that it's just file access rights, which is less of a problem.
More invasive ones are when anti-malware is injecting DLLs to monitor system vulnerabilities, which seems to affect DataMiner operation a lot more.
Some have even 'quarantined' specific DLLs or EXEs of DataMiner because they were doing network-related calls.
For normal DataMiner operations it's good practice to always add the DataMiner folder, potential database data folders and DLLs and EXEs to the exclusions of the anti-malware software.
Ben, that indeed sums up how the AV needs to be configured.
If you want to be sure that nothing is injected in one of the DataMiner processes, know that you can use the CheckAntiVirusDlls BPA (Best Practice Analyzer) to verify this.
It can currently detect injection by the 3 anti-malware programs mentioned by Davy.
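The DLL-injection concern above is something you can also eyeball yourself. The script below is an added example, not the CheckAntiVirusDlls BPA and not DataMiner code: it lists every module loaded into the SL* processes whose file lives outside the DataMiner install folder or the Windows folder, which is where an AV hook DLL would show up. It assumes the default install path C:\Skyline DataMiner and an elevated PowerShell session on the DMA (reading another process's module list needs admin rights).

```powershell
# Added example (not DataMiner's CheckAntiVirusDlls BPA): list DLLs loaded into
# DataMiner SL* processes that do not come from the DataMiner or Windows folders.
# Assumption: default install path C:\Skyline DataMiner. Run elevated on the DMA.

$trustedRoots = @(
    'C:\Skyline DataMiner\',
    "$env:SystemRoot\"        # C:\Windows\ (System32, SysWOW64, WinSxS, .NET, GAC ...)
)

function Get-ForeignModules {
    param([string]$ProcessFilter = 'SL*')

    foreach ($proc in Get-Process -Name $ProcessFilter -ErrorAction SilentlyContinue) {
        try {
            $modules = $proc.Modules
        } catch {
            # 32/64-bit mismatch or access denied: report it and move on
            Write-Warning "Cannot enumerate modules of $($proc.ProcessName) (PID $($proc.Id)): $($_.Exception.Message)"
            continue
        }
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            $trusted = $false
            foreach ($root in $trustedRoots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $trusted = $true
                    break
                }
            }
            if (-not $trusted) {
                [pscustomobject]@{
                    Process = $proc.ProcessName
                    PID     = $proc.Id
                    Module  = $m.ModuleName
                    Path    = $path
                    Company = $m.FileVersionInfo.CompanyName   # vendor string helps spot the AV
                }
            }
        }
    }
}

Get-ForeignModules | Sort-Object Process, Module | Format-Table -AutoSize
```

Anything reported here is worth cross-checking against the AV vendor's documentation; a hook DLL from the AV vendor in an SL* process is exactly the situation the BPA flags and the exclusions are meant to prevent.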
I remember a situation where a severe memory leak in one of the AV processes running on the DataMiner server caused unexpected restarts of our software every few weeks.
Therefore, if you know there's AV software running on the system, I'd say it's good practice to also monitor those processes in DataMiner in a similar way as we normally do for our own SL* processes (CPU, VM size, handles, ...).
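One way to do that sampling outside DataMiner, for example to baseline an AV product before deciding whether to monitor it: the script below is an added example, not part of the reply above, that takes two snapshots of CPU time, virtual memory size and handle count for the SL* processes and the AV processes on the same server, and turns the CPU delta into a percentage. The AV process names are placeholders (they depend on the product; the one used here is Microsoft Defender's engine as an assumption), as is the sampling interval.

```powershell
# Added example, not from the thread: sample CPU, VM size and handle count for the
# DataMiner SL* processes and the AV processes on the same server, so a leaking or
# spinning AV process shows up next to the SL* ones. Process names for the AV are an
# assumption/placeholder; replace with the names your product actually runs under.

function Get-ProcessSample {
    param([string[]]$Names)
    Get-Process -Name $Names -ErrorAction SilentlyContinue | ForEach-Object {
        $cpu = $null
        try { $cpu = $_.CPU } catch { }        # anti-tamper AV may deny reading CPU time
        [pscustomobject]@{
            Name    = $_.ProcessName
            PID     = $_.Id
            CpuSec  = $cpu                       # cumulative processor seconds
            VmMB    = [math]::Round($_.VirtualMemorySize64 / 1MB)
            WsMB    = [math]::Round($_.WorkingSet64 / 1MB)
            Handles = $_.HandleCount
        }
    }
}

function Watch-Processes {
    param([string[]]$Names, [int]$IntervalSec = 5)
    $cores = [Environment]::ProcessorCount
    $first = @{}
    Get-ProcessSample -Names $Names | ForEach-Object { $first[$_.PID] = $_ }
    Start-Sleep -Seconds $IntervalSec
    Get-ProcessSample -Names $Names | ForEach-Object {
        $prev = $first[$_.PID]
        $cpuPct = $null
        if ($prev -and $null -ne $_.CpuSec -and $null -ne $prev.CpuSec) {
            # CPU seconds consumed over the interval, normalised to all logical cores
            $cpuPct = [math]::Round(($_.CpuSec - $prev.CpuSec) / $IntervalSec / $cores * 100, 1)
        }
        $_ | Add-Member -NotePropertyName CpuPct -NotePropertyValue $cpuPct -PassThru
    }
}

# 'MsMpEng' is an assumed placeholder for the AV engine process; 'SL*' matches the DataMiner processes.
Watch-Processes -Names @('SL*', 'MsMpEng') -IntervalSec 5 |
    Sort-Object VmMB -Descending |
    Format-Table Name, PID, CpuPct, VmMB, WsMB, Handles -AutoSize
```

Run it a few times over a day and compare the VmMB and Handles columns: a value that only ever grows is the leak pattern described above, and the same four metrics are the ones you would then put on the AV processes in DataMiner.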
Great input Ruben. Thanks!
Another issue with an AV was caused by a failover setup and a central McAfee-setup.
This McAfee setup used a central management platform to monitor the health of the DMA servers based on the IP. In a failover setup the online agent will use a virtual IP for all its network communication. This caused issues in the McAfee manager, as it did not expect the virtual IP and viewed the online agent as unreachable.
They worked around the issue by always setting the "SkipAsSourceFlag" when an agent came online, but this negatively impacts DataMiner functionality.
Great one Brent. Very valuable intel; it’s not the first thing that would come to my mind that this failover scheme could interfere with the functionality of an AV.
Hi Brent,
We have a customer that is looking at antivirus software, with McAfee being one of the options. Could you please advise how setting the “SkipAsSourceFlag” will negatively impact DataMiner functionality?
I see from your other ticket (https://community.dataminer.services/question/network-adaptor-not-working-after-failover/?hilite=SkipAsSource) “The skipAsSource flag is indeed added to the NIC. With this flag enabled, the Primary IP will be skipped when communicating with other devices on the network, this way the DMA will always respond using the Virtual IP”
Does this impact on logging onto the Primary IP of the server? e.g. Remote Desktop session.
Hi Brent,
Could you please advise how setting the “SkipAsSourceFlag” will negatively impact DataMiner functionality?
Thanks,
Duc
Hey Duc,
The SkipAsSourceFlag is used to force the online DMA to respond using the Virtual IP to the outside world. This effectively means that from the outside world it is impossible to say which agent is online using just the IP. It gets added to every IP on the agent except for the Virtual IP. This is important for the features where the outside world listens for data coming from the DMA based on IP.
So setting this flag to false will impact this. I do not know all the features that will break, but notable examples are trap sources and devices filtering incoming data sent by the DMA using the IP.
Setting it to false will not impact the ability to send data, Remote Desktop sessions, etc. to the Primary or Virtual IP.
Do note that the flag is managed by DataMiner, which means that the flag will be set every time the agents switch. Manually changing this is not recommended by Skyline.
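Since the flag is DataMiner-managed, what an operator (or the AV admin debugging a "host unreachable" alert like the McAfee case above) normally wants is to see the current layout, not change it. The script below is an added example, not from the thread, and is read-only: it lists the IPv4 addresses on the agent with their SkipAsSource value and checks them against the layout described in the reply (on the online agent the virtual IP is present without the flag and every other address carries it). The virtual IP is a placeholder value you replace with your own.

```powershell
# Added example, not from the thread: read-only view of the SkipAsSource flag on the
# DMA's IPv4 addresses. DataMiner sets the flag itself on the failover pair, so this
# script reports and changes nothing. $VirtualIp is a placeholder (TEST-NET address).

$VirtualIp = '192.0.2.10'   # replace with the failover virtual IP of your pair

function Get-SkipAsSourceLayout {
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -notlike 'Loopback*' } |
        Select-Object InterfaceAlias, IPAddress, PrefixLength, SkipAsSource,
            @{ Name = 'Role'; Expression = { if ($_.IPAddress -eq $VirtualIp) { 'Virtual' } else { 'Primary/other' } } }
}

function Test-SkipAsSourceLayout {
    # Per the reply: the flag is added to every IP on the online agent except the virtual IP.
    $addrs   = @(Get-SkipAsSourceLayout)
    $virtual = @($addrs | Where-Object { $_.Role -eq 'Virtual' })
    $others  = @($addrs | Where-Object { $_.Role -ne 'Virtual' })
    $issues  = @()

    if ($virtual.Count -gt 0) {
        # This agent holds the virtual IP, so it is the online one.
        if ($virtual | Where-Object { $_.SkipAsSource }) {
            $issues += "Virtual IP $VirtualIp has SkipAsSource set; it would never be chosen as source address"
        }
        foreach ($a in $others | Where-Object { -not $_.SkipAsSource }) {
            $issues += "$($a.IPAddress) on $($a.InterfaceAlias) lacks SkipAsSource; traffic may leave from this address instead of the virtual IP"
        }
        $state = 'online'
    } else {
        # Virtual IP absent: offline agent. Only report flags still present for review.
        foreach ($a in $others | Where-Object { $_.SkipAsSource }) {
            $issues += "$($a.IPAddress) on $($a.InterfaceAlias) has SkipAsSource set (verify this is intended while offline)"
        }
        $state = 'offline'
    }
    [pscustomobject]@{ State = $state; Issues = $issues }
}

Get-SkipAsSourceLayout  | Format-Table -AutoSize
Test-SkipAsSourceLayout | Format-List
```

The "State" it infers is simply whether the virtual IP is bound on this host, which is also the fact the McAfee manager in Brent's story was missing: the primary IP of the online agent never appears as a source address, so health checks keyed on that IP see an agent that is up but silent.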
Thanks Brent for the response. How would we set the SkipAsSourceFlag in DataMiner?
Thanks,
Duc
Thanks Dave, great input. And for the last paragraph there, I would assume that the things that need to be excluded are fully covered by what is specified in the requirements doc? (copied below)
Exclude the directory C:\Skyline DataMiner and the data directory of the database.
Exclude all DataMiner processes (process names starting with SL) and your chosen database application (Cassandra, MySQL, MSSQL).
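For an AV product that can be scripted, those two lines translate into a path exclusion and a set of process exclusions. The script below is an added example, not from the thread or from the DataMiner requirements doc, and uses Microsoft Defender's cmdlets as an assumption (Symantec, Trend Micro, Sophos and McAfee take the same exclusions through their own consoles). The default install path is assumed; the database data directory and database process names are placeholders that depend on which database you run.

```powershell
# Added example, not from the thread: apply the two requirements-doc exclusions to
# Microsoft Defender (assumed product). Run in an elevated PowerShell on the DMA.
# Placeholders: $DatabaseDataDir and $DatabaseProcesses depend on your database choice.

$DataMinerRoot     = 'C:\Skyline DataMiner'
$DatabaseDataDir   = 'C:\Program Files\Cassandra\data'   # placeholder: your database data directory
$DatabaseProcesses = @('java.exe')                       # placeholder: e.g. mysqld.exe or sqlservr.exe

function Get-SLProcessImages {
    param([string]$Root)
    # The doc says "process names starting with SL". Defender process exclusions take
    # image paths, so collect every SL*.exe under the install folder instead of guessing.
    Get-ChildItem -Path $Root -Recurse -Filter 'SL*.exe' -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
}

function Add-DataMinerExclusions {
    $paths = @($DataMinerRoot, $DatabaseDataDir)
    $procs = @(Get-SLProcessImages -Root $DataMinerRoot) + $DatabaseProcesses

    # Path exclusions keep the scanner out of the folders themselves (install dir, DB data).
    Add-MpPreference -ExclusionPath $paths
    # Process exclusions stop real-time scanning of files *opened by* these processes;
    # the SL*.exe binaries themselves are already covered by the path exclusion above.
    Add-MpPreference -ExclusionProcess $procs
}

function Test-DataMinerExclusions {
    # Re-read the effective configuration rather than trusting that the Add calls stuck.
    $pref = Get-MpPreference
    $missingPaths = @(@($DataMinerRoot, $DatabaseDataDir) | Where-Object { $pref.ExclusionPath -notcontains $_ })
    $missingProcs = @(Get-SLProcessImages -Root $DataMinerRoot | Where-Object { $pref.ExclusionProcess -notcontains $_ })
    [pscustomobject]@{
        MissingPaths     = $missingPaths
        MissingProcesses = $missingProcs
        Ok               = ($missingPaths.Count -eq 0) -and ($missingProcs.Count -eq 0)
    }
}

Add-DataMinerExclusions
Test-DataMinerExclusions | Format-List
```

The distinction in the comments matters when reading AV logs: a process exclusion by itself would not stop the quarantine of an SL*.exe that Davy described, because that is the scanner acting on the file, which is what the directory exclusion covers; the process exclusion is what keeps the scanner off the files those processes read and write, such as the database data.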