106267 - Virus scanner software on Windows
SAP Note
Header Data
Symptom
We recommend and support using a virus scanner to protect against computer viruses and other malware if you use SAP software on Windows servers.
Other Terms
Virus, viruses, virus scanner, antivirus, Anti Virus
Reason and Prerequisites
Note the following:
- SAP does not investigate, recommend or release any virus scan software within the SAP server product validation.
- Hardware partners must use only systems on which no antivirus software is installed or active when determining the performance of systems on which SAP software runs.
Current antivirus software provides the following functions:
- Integrated, permanent virus detection ("real-time scan engine"): Generally, special filter drivers are installed for integrated, permanent virus analysis. These filter drivers attach themselves to the I/O layer of the operating system and monitor each file access of any program there. These drivers require additional system resources, in the form of memory and CPU time. In addition, these drivers principally work in Windows kernel mode, which makes analysis with tools and debuggers more difficult or impossible when problems occur.
- Selective virus analysis: The use of selective virus analysis is less critical. At a certain time, the virus analysis checks all of the system files for viruses. You can set the time in such a way that production operation is not affected. This does not require any drivers that affect the general system operation.
These assertions only apply to SAP software. You must also take note of the releases and guidelines of the database vendors for servers on which database instances are installed.
Solution
If errors or problems occur when you operate SAP software, SAP examines these in the context of the service contract. If the detailed analysis shows an error in file operations, or in the consumption of critical system resources (paged pool, non-paged pool, handles), these may be caused by the virus detection. In this case, you must uninstall the virus scanner to determine the cause of the error.
Frequently, problems occur during access to files or folders that are local or remote. To eliminate the possibility that the real time scan engine of the virus scanner causes problems with file system operations, the virus scanner should be removed for a short time in these cases. A virus scanner cannot simply be deactivated. It is not sufficient to stop the corresponding Windows services of the virus scanner.
To deactivate a virus scanner, you must remove the software and carry out a reboot of Windows. This is the only way to ensure that the filter drivers (kernel drivers) of the anti-virus software are removed.
We recommend excluding the file shares SAPMNT and SAPLOC from the monitoring via the real time scan engine of the virus scanner. The same applies for all directories of the database (data files, log files, archive logs, and so on).
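Added example, not part of the SAP Note: a read-only PowerShell check that reports whether the folders behind SAPMNT and SAPLOC are covered by real-time scan exclusions and which anti-virus filter drivers are still loaded in the kernel (for instance after only the scanner's services were stopped). It assumes Microsoft Defender as the scanner, the default share names, and an elevated session; other products need their own tooling for the exclusion part.

```powershell
#Requires -RunAsAdministrator
# Added example (not SAP code). Assumptions: Microsoft Defender is the
# virus scanner and the shares use the default names SAPMNT and SAPLOC.

# 1. Resolve the local folders behind the SAP shares.
$shares = Get-SmbShare -Name 'SAPMNT', 'SAPLOC' -ErrorAction SilentlyContinue

# 2. Compare each share folder with the configured real-time scan exclusions.
#    A folder counts as covered if it, or one of its parent folders, is excluded.
$excluded = @((Get-MpPreference).ExclusionPath) | Where-Object { $_ }
$shareReport = foreach ($share in $shares) {
    $path = $share.Path.TrimEnd('\')
    $covered = $excluded | Where-Object {
        $root = $_.TrimEnd('\')
        $path -eq $root -or
            $path.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)
    }
    [pscustomobject]@{
        Share    = $share.Name
        Path     = $path
        Excluded = [bool]$covered
    }
}
$shareReport | Format-Table -AutoSize

# 3. List file system minifilter drivers in the altitude range Microsoft
#    allocates to the "FSFilter Anti-Virus" load order group (320000-329999).
#    Any entry here is still attached to the I/O stack, whatever the state
#    of the scanner's Windows services.
$avFilters = fltmc.exe filters | ForEach-Object {
    if ($_ -match '^(\S+)\s+(\d+)\s+([\d.]+)\s') {
        $altitude = [double]$Matches[3]
        if ($altitude -ge 320000 -and $altitude -lt 330000) {
            [pscustomobject]@{
                Filter    = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = $altitude
            }
        }
    }
}
$avFilters | Format-Table -AutoSize
```

The database directories named above are installation-specific and have to be checked against the exclusion list in the same way.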
Known errors in connection with virus scanners on Windows Server operating systems:
1. Access errors to the file system, local or remote:
   - Sporadic error messages stating that a file or a folder cannot be found, even though they exist
   - Errors when deleting files, usually access problems (access denied)
   - Errors when reading large files, sporadic error "The device is not ready." or similar error messages
2. The virus scanner solution blocked the start of processes because it detected malware in the SAP code; this detection was caused by incorrect virus scanner signatures.
3. Virus scanners with integrated network monitoring (network intrusion detection) prevented SAP applications from opening TCP/IP socket connections. The TCP port reported by the operating system as free was blocked by the virus scanner; the SAP application could not be started.
4. Blue screen of the Windows operating system (operating system crash). Virus scanners principally work in Windows kernel mode. SAP applications work in user mode and cannot cause a blue screen. In four known cases, the virus scanner was the cause of the operating system crashes.
Version: 16
Validity: 21.05.2015 - active
Language: English
Released On: 21.05.2015 07:37:32
Release Status: Released for Customer
Component: BC-OP-NT Windows
Priority: Recommendations / Additional Info
Category: External error
Other Attributes
Validity
This document is not restricted to a software component or software component version
References
This document refers to:
SAP Notes
This document is referenced by:
SAP Notes (3)
NT/INTEL
639486 Anti-virus protection within SAP applications (BC-SEC-VIR)
436883 W32/Nimda virus infestation on SAP Systems
436883 W32/Nimda virus infestation on SAP Systems
743100 Deadlock on information structures S009 and S014 - information/recommendations
639486 Anti-virus protection within SAP applications (BC-SEC-VIR)
Operating system