cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Veritas.com
Support

Antivirus on Netbackup master / media /opscenter server

Go to solution
Brits
Level 6

‎05-04-2015 02:07 AM

hi Team, 

Do we have any official note from symantec that antivirus should not run on master , media and opscenter servers which can impact backups.

I have seen the notes that netbackup files need to exclude from antivirus scanning on master , media servers. But I donot want AV to install on master/media servers for that I need to provide strong reason.

any suggestion please.

2 ACCEPTED SOLUTIONS

Accepted Solutions

Go to solution
sdo
Moderator
Moderator
Partner    VIP    Certified

‎05-04-2015 03:24 AM

I don't think you will win any argument to not have A/V installed on a NetBackup Server or any NetBackup Client.

And we need to keep it simple.

And we need to remember that the principle vector for any virus is Windows itself - so we still need Windows ato be scanned.

IMO I would disable A/V checking on read anyway (so that backups are not checked), and just have A/V check on write (as a virus usually has to be peform some form to write itself in order to replicate) - but also use the five exclusions above.  This will generally be enough.  And covers any installation of NetBaclup (master/media/client) and also OpsCenter.

Other items to exclude:

1) NetBackup BMR Boot Server 'SRT' folders.

2) NetBackup BMR Boot Sever 'TFTPD' folder.

3) NetBackup OpsCenter hot/on-line database backup target folder.

View solution in original post

0 Kudos

Go to solution
sdo
Moderator
Moderator
Partner    VIP    Certified

‎05-04-2015 03:31 AM

My thoughts/experiences/musings on A/V for NetBackup.

1) A/V is typically implemented at the IO kernel layer - with some parts just below the file system driver, some parts just above.  So, I would think that AV exclusions would be faster and more efficient if folder based.  i.e. if process executable based exclusions are in place then the A/V software has to keep comparing process executable names against a list of executable exclusions too.

2) There are simply too many 'executables' that make up a NetBackup Master Server for you 'add' them all to the process exclusions list.  So, you'll find that most sites go for the folder based exclusions approach, in which case, then there usually are not too many folders to be excluded.

3) Even if we de-consider any type of NetBackup installtion for a moment, then some sites find that read based AV checking is simply too resource expensive during the business day, and so some sites opt for write based AV 'on-access' scanning only, and then have an evening or weekend full file system read sweep (but still definitely ignore the Symantec and Veritas folders).

4) McAfee Enterprise Client has a function to ignore AV during backups, but on my test system McAfee didn't appear to be able to recognise NetBackup Client backups as 'backups' and so this setting is probably only able to detect backups being performed by Windows own backup tools.

.

If you do go for folder based exclusions then I would simply use the following AV exclusion rules (not NetBackup exclusions ;) for all NetBackup installation types, master/media/cliuent, to exclude from A/V any 'Program Files*' folders with sub-folders of Symantec or Veritas, e.g.:

*:\VxCJ*.dat                       (i.e. the NTFS Change Journal files)

C:\Program Files (x86)\Symantec

C:\Program Files (x86)\Veritas

C:\Program Files\Symantec

C:\Program Files\Veritas

...and the any of the four C:\ paths above which also have an equivalent ofn any other drive letters... or change the four above to:

*:\VxCJ*.dat

*:\Program Files (x86)\Symantec

*:\Program Files (x86)\Veritas

*:\Program Files\Symantec

*:\Program Files\Veritas

HTH.

 

 

View solution in original post

0 Kudos
4 REPLIES 4

Go to solution
sdo
Moderator
Moderator
Partner    VIP    Certified

‎05-04-2015 02:47 AM

There are some good points and links here:

https://www-secure.symantec.com/connect/forums/netbackup-76-antivirus-exclusion

.

Are you able to state which AV software and which version of AV s/w you will be using?  As this may help others with the same AV software tell you how they solved it.

0 Kudos

Go to solution
Brits
Level 6

‎05-04-2015 03:10 AM

symantec endpoint protection 12.1.4

0 Kudos

Go to solution
sdo
Moderator
Moderator
Partner    VIP    Certified

‎05-04-2015 03:24 AM

I don't think you will win any argument to not have A/V installed on a NetBackup Server or any NetBackup Client.

And we need to keep it simple.

And we need to remember that the principle vector for any virus is Windows itself - so we still need Windows ato be scanned.

IMO I would disable A/V checking on read anyway (so that backups are not checked), and just have A/V check on write (as a virus usually has to be peform some form to write itself in order to replicate) - but also use the five exclusions above.  This will generally be enough.  And covers any installation of NetBaclup (master/media/client) and also OpsCenter.

Other items to exclude:

1) NetBackup BMR Boot Server 'SRT' folders.

2) NetBackup BMR Boot Sever 'TFTPD' folder.

3) NetBackup OpsCenter hot/on-line database backup target folder.

0 Kudos

Go to solution
sdo
Moderator
Moderator
Partner    VIP    Certified

‎05-04-2015 03:31 AM

My thoughts/experiences/musings on A/V for NetBackup.

1) A/V is typically implemented at the IO kernel layer - with some parts just below the file system driver, some parts just above.  So, I would think that AV exclusions would be faster and more efficient if folder based.  i.e. if process executable based exclusions are in place then the A/V software has to keep comparing process executable names against a list of executable exclusions too.

2) There are simply too many 'executables' that make up a NetBackup Master Server for you 'add' them all to the process exclusions list.  So, you'll find that most sites go for the folder based exclusions approach, in which case, then there usually are not too many folders to be excluded.

3) Even if we de-consider any type of NetBackup installtion for a moment, then some sites find that read based AV checking is simply too resource expensive during the business day, and so some sites opt for write based AV 'on-access' scanning only, and then have an evening or weekend full file system read sweep (but still definitely ignore the Symantec and Veritas folders).

4) McAfee Enterprise Client has a function to ignore AV during backups, but on my test system McAfee didn't appear to be able to recognise NetBackup Client backups as 'backups' and so this setting is probably only able to detect backups being performed by Windows own backup tools.

.

If you do go for folder based exclusions then I would simply use the following AV exclusion rules (not NetBackup exclusions ;) for all NetBackup installation types, master/media/cliuent, to exclude from A/V any 'Program Files*' folders with sub-folders of Symantec or Veritas, e.g.:

*:\VxCJ*.dat                       (i.e. the NTFS Change Journal files)

C:\Program Files (x86)\Symantec

C:\Program Files (x86)\Veritas

C:\Program Files\Symantec

C:\Program Files\Veritas

...and the any of the four C:\ paths above which also have an equivalent ofn any other drive letters... or change the four above to:

*:\VxCJ*.dat

*:\Program Files (x86)\Symantec

*:\Program Files (x86)\Veritas

*:\Program Files\Symantec

*:\Program Files\Veritas

HTH.

 

 

0 Kudos