Our corporate standard is McAfee Enterprise; unfortunately, this is non-negotiable.
On two types of servers I'm responsible for, SQL & Web, we have noticed major performance issues with the corporate standard setup:
- Max scan time 45sec
- One policy for all processes
- Scan ALL files on write, read and open for backup
- Heuristics: Find unknown programs, trojans and macros
- Detect unwanted programs
- Exclude: EVT, LDF, LOG, MDF, VMD, Windows File Protection
This of course still causes major slowdowns. IIS .NET recompiles are slow, especially with SharePoint, and so are SQL backups and restores, SQL Analysis Services, Integration Services and the temp data they produce.
I have looked from time to time for best practices on setting up McAfee for SQL Server, SQL Analysis Services, SQL Integration Services, Visual Studio, SharePoint, and .NET web servers in general.
How do people set up McAfee Enterprise on their corporate servers, keeping security intact while affecting performance as little as possible?
Has anyone run across white papers on these setups? Obviously some are case-by-case, but there must be some best practices out there somewhere.
I only maintain McAfee on the desktops, but I have found this KB for McAfee exclusions and suggestions on servers:
https://kc.mcafee.com/corporate/index?page=content&id=KB66909
And there is the Microsoft page:
http://support.microsoft.com/kb/822158
The user-maintained McAfee sticky forum post that includes McAfee-specific wildcards, etc.:
http://community.mcafee.com/message/20623#20623
I am adding them to the ePO in case the network guys get around to asking for them.
I would consider scanning only on writes, not reads. I'd also suggest doing a weekly scan instead of daily if you're doing that. If I'm not mistaken, McAfee has some whitepapers on their portal about how to configure the scanning client for servers with specific apps (Exchange, AD, etc).
Also, exclude SQL backup files based on the extensions you are using. This will reduce the latency of capturing your backups to disk so you can ship 'em off. Exclude .NDF, which is customarily used for additional data files in SQL Server.
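The answers above come down to two settings decisions: scan on write rather than read, and exclude only the file types SQL Server actually produces (MDF/NDF/LDF plus whatever backup extensions are in use). The script below is an added example, not code from this thread, from McAfee or from Microsoft. It audits a constructed exclusion list the way a reviewer of the ePO policy would before pushing it: extension-only entries such as `*.MDF` apply to every volume on the host, so it flags them and generates directory-scoped `dir\*.ext` patterns from the SQL data and backup directories instead; a root or system-directory exclusion is flagged as high. The directory names, the `.bak`/`.trn` backup extensions, the sample policy and the `dir\*.ext` pattern shape are assumptions for illustration, not values from the thread.

```python
# Audit an on-access scanner exclusion list for a SQL Server host.
# Added example for this thread; not code from McAfee, Microsoft or the posters.
# Directory names, .bak/.trn and the sample policy are constructed values.
from dataclasses import dataclass
import ntpath

# Data-file extensions named in the thread; backup extensions are an assumption
# about the naming convention a given site uses.
SQL_DATA_EXT = {".mdf", ".ndf", ".ldf"}
SQL_BACKUP_EXT = {".bak", ".trn"}

# Directories that should never be excluded wholesale: excluding a volume root
# or a system directory switches scanning off for anything written there.
TOO_BROAD = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\temp\\..",
             "c:\\users", "c:\\inetpub\\wwwroot"}


@dataclass
class Finding:
    entry: str
    severity: str  # "high", "medium" or "info"
    reason: str


def classify(entry: str) -> str:
    """Return 'extension' (*.ext), 'directory' (ends in \\), 'scoped' (dir\\*.ext) or 'file'."""
    e = entry.strip()
    if e.startswith("*.") and "\\" not in e:
        return "extension"
    if e.endswith("\\"):
        return "directory"
    if ntpath.basename(e).startswith("*."):
        return "scoped"
    return "file"


def audit(entries):
    """Review each exclusion; scoped and single-file entries are the intended shape."""
    findings, seen = [], set()
    for raw in entries:
        e = raw.strip()
        key = e.lower()
        if key in seen:
            findings.append(Finding(e, "info", "duplicate entry (case-insensitive)"))
            continue
        seen.add(key)
        kind = classify(e)
        if kind == "extension":
            findings.append(Finding(e, "medium",
                "extension-only exclusion applies on every volume; "
                "scope it to the SQL data or backup directory"))
        elif kind == "directory":
            d = key.rstrip("\\")
            is_root = len(d) == 2 and d[1] == ":"
            if is_root or d in TOO_BROAD:
                findings.append(Finding(e, "high", "excludes a volume root or system directory"))
            else:
                findings.append(Finding(e, "medium",
                    "whole-directory exclusion; prefer directory plus extension"))
    return findings


def scoped_exclusions(data_dirs, backup_dirs):
    """Build dir\\*.ext patterns so only SQL file types in SQL directories are skipped."""
    out = []
    for d in data_dirs:
        out.extend(ntpath.join(d, "*" + ext) for ext in sorted(SQL_DATA_EXT))
    for d in backup_dirs:
        out.extend(ntpath.join(d, "*" + ext) for ext in sorted(SQL_BACKUP_EXT))
    return out


# Constructed sample: the thread's extension list plus a few typical additions.
SAMPLE_POLICY = [
    "*.EVT", "*.LDF", "*.LOG", "*.MDF", "*.NDF", "*.BAK",
    "D:\\",                 # whole data volume: too broad
    "C:\\Windows\\Temp\\",  # whole directory
    "D:\\SQLData\\*.mdf",   # already scoped: no finding
    "*.mdf",                # duplicate of *.MDF
]

if __name__ == "__main__":
    for f in audit(SAMPLE_POLICY):
        print(f"{f.severity:6} {f.entry:22} {f.reason}")
    print("\nSuggested replacements:")
    for p in scoped_exclusions(["D:\\SQLData"], ["E:\\Backups\\"]):
        print("  " + p)
```

Running it against the sample policy lists one high finding (the `D:\` root exclusion), medium findings for each extension-only entry and for the Temp directory, and an info line for the duplicate; the suggested replacements are the five `dir\*.ext` patterns covering data, log and backup files only. Pair the scoped exclusions with write-only scanning and the scanner still sees anything written into those directories that is not a SQL file.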