Running Virus-Scanning Software on the Same Server as SQL Server

I heard that running virus-scanning software on the same server as SQL Server isn't a good idea because the virus-scanning software claims significant overhead. I looked on Microsoft's SQL Server Web site and found nothing about this topic. Can you give me any information?

What a great question! Let's evaluate three kinds of scanning software—active virus scanning, virus sweep, and vulnerability scanning—to see how they apply to a SQL Server installation.

Active virus-scanning software. We strongly recommend active virus scanning for SQL Servers that

  • run on the Internet
  • read and execute files from other servers
  • run HTTP servers such as Microsoft IIS or Microsoft Apache (e.g., if you use SQLXML to access SQL Server through HTTP on IIS)
  • host file shares
  • use SQL Mail to handle inbound or outbound email messages

The main performance hit takes place at file open and close, and although active virus scanning can cause a perceptible drain on a heavily loaded system, we recommend it for safety purposes.

Virus-sweep software. If the virus-sweep software has no way to exclude SQL Server database files from its scan, the software can negatively affect SQL Server performance by flooding the I/O subsystem with reads, especially on servers with large numbers of files. And if the sweep has opened a file for scanning and you start SQL Server, the software could mark the database as suspect, rendering the database unavailable for access. Also, this type of software catches viruses after they've invaded your hard disk, so your organization is better off reducing the risk of infection in the first place by adopting sound security practices.

Vulnerability-scanning software. Vulnerability-scanning software has been available for HTTP servers for some time. Internet Security Systems (ISS), for example, now offers a scanner for SQL Server 7.0 and 6.5. (You can download a trial version at http://education.iss.net/products/dbsql.) This kind of virus scan is a great way to lock down potential holes. We're not aware of any SQL Server performance loss when you use vulnerability-scanning software.

We also recommend that you subscribe to Microsoft's e-mail security alert alias. For information about how to subscribe, go to http://www.microsoft.com/security, then click Security Bulletins under For IT Professionals. If you have suggestions about how Microsoft can do a better job with SQL Server security, mail your suggestions to sqlwish@microsoft.com.