Application Support Note
ASN-2000-128
Running Anti Virus Software on an AXIS Diplomat installation
Last Reviewed: 05 November 2004
Products affected: AXIS Diplomat 2000 & Anti-virus software
Description: This document outlines the configuration options which we
recommend are used with anti-virus software to optimise the performance of
AXIS Diplomat without a significant increase in the risk of virus infection.
The recommendations in this document refer to third party software and are
not intended to be specific instructions relating to any one vendor's
anti-virus product.
1. Introduction
Systems AXIS strongly recommends the use of reputable
anti-virus software across your system. As with any software, AXIS Diplomat
is vulnerable to attack from malicious virus software which could result
in serious damage to your programs and data.
By its nature, anti-virus software is complex and
we would recommend that it is always installed and configured by a professional.
Incorrectly installed anti-virus software can result in:
- Severe performance degradation in the AXIS
Diplomat software.
- Unexpected program aborts from AXIS Diplomat possibly leading to
data corruption. Typically an AXIS abort screen is displayed with error
064/2704.
- Failure to protect AXIS Diplomat from virus infection.
AXIS Diplomat is
designed to allow the use of operating system security features to help
protect its programs and database from accidental or malicious damage
whether performed by users or virus software.
2. Pre-requisites
- A working AXIS Diplomat 2000 installation.
- Anti-virus software installed on the server which contains the AXIS
Diplomat programs and data.
3. Recommendations & considerations
3.1 Install AXIS Diplomat on a secure disk partition (e.g. Microsoft
NTFS or Novell NetWare) with file permissions set by the AXIS Diplomat
SETUP program (refer to support note ASN-2000-127 for further details).
3.2 Install and configure AV software on all the machines in your system,
not just the machine which holds the AXIS Diplomat programs and data.
Incorrectly configured AV software on a workstation can affect the operation
of AXIS Diplomat on a server if the workstation's AV software is configured
to protect network drives. You may also be running AXIS Diplomat systems
locally on workstations (for example Payroll) which should be protected.
3.3 Configure the AV software as discussed below to (a) exclude
scanning the AXIS Diplomat data files and (b) avoid multiple scans of
a file.
4. AV software configuration.
4.1 File selection
Anti-virus software commonly provides the ability to specify which file
types are included in scans. You may find that by default your AV software
includes all files on your system. This can cause performance problems
as AXIS Diplomat maintains large database files which can take many minutes
to scan. This may be acceptable for a scheduled (e.g. overnight) scan
but can cause severe performance degradation if the AV software scans
these files in real-time.
Fortunately, database files are rarely targeted for virus infection since
they are never 'run' and cannot therefore be used as a vehicle to further
infect the system.
Since AXIS Diplomat database files can neither
propagate viruses nor be cured when infected we recommend that they are
excluded from AV scans but advise that you ensure that you have secured
your AXIS Diplomat installation by applying file permissions in line with
ASN-2000-127.
Access to the AXIS Diplomat data files will then be very
restricted, further minimising any risk of damage or infection.
We suggest that you exclude AXIS Diplomat data files from AV scans using
the 'Scan specified file types only' method described in section 4.1.1.
4.1.1 Recommended method: Scan specified file types only.
This is the simplest method to configure since the file type extensions
used by AXIS Diplomat for its data files (.LBL and .<company id>)
would not normally be included in the AV software's default exclusion
list. It should also mean that files belonging to databases other than
AXIS are also excluded. This method is however potentially less secure
than that described in the alternative method below as it relies on
the system administrator maintaining an accurate and up-to-date list
of all file types which pose a potential threat.
4.1.2 Alternative method: Exclude specified files and directories.
Because of the design of AXIS Diplomat, program files and data files
are stored on the disk in different folders. The data folders can therefore
be excluded from AV scanning whilst still protecting the AXIS Diplomat
programs.
At first sight this method may appear simple but in reality can be
complex and for this reason we recommend the 'Scan specified file types
only' method described in section 4.1.1.
To achieve the exclusion of AXIS Diplomat data files, identify the
partition on which AXIS Diplomat is installed and configure your AV
software to exclude the files and folders listed below. Since the drive
letter may be required in the path statement you will probably need
to change this configuration if you move AXIS Diplomat onto another
partition in the future.
Also if you have scanning of networked drives
enabled (not recommended) you will need to ensure that you configure
the AV software on each workstation to exclude these files and folders
for the drive letter you have mapped from the workstation to the AXIS
Diplomat server.
Also note that if you have installed AXIS Diplomat
in a pseudo root by using a substitution (not recommended or supported)
this will have been resolved to the file's true path when the file is
loaded (and scanned) and therefore it is the true path which must be
specified.
\AXIS7\DATA
\AXIS7\AX7TLICN.LBL
\AXIS7\AX7TPARM.<company id>
\AXIS7\AX7TFTBL.<company id>
Be careful not to exclude the whole of the \AXIS7 folder or the
\AXIS2000 folder structure.
You may also need to exclude files and folders for other databases
running on your system which may be a part of the operating system or
third party applications.
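The check below is an added example, not part of the original support note or of any AV product: it audits an exported AV exclusion list for one machine against the section 4.1.2 paths, flagging missing entries, exclusions of the whole \AXIS7 or \AXIS2000 tree, and entries that use another machine's drive letter. The function names, the company id CO1 and the sample list are constructed for illustration.

```python
import ntpath

# Exclusions listed in section 4.1.2, relative to the AXIS Diplomat drive.
DATA_FOLDER = r"\AXIS7\DATA"
FIXED_FILES = [r"\AXIS7\AX7TLICN.LBL"]
PER_COMPANY_FILES = [r"\AXIS7\AX7TPARM", r"\AXIS7\AX7TFTBL"]
# Folders the note says must never be excluded as a whole.
PROGRAM_ROOTS = [r"\AXIS7", r"\AXIS2000"]


def norm(path):
    """Case-insensitive, separator-normalised Windows path."""
    return ntpath.normcase(ntpath.normpath(path))


def required_exclusions(drive, company_ids):
    """Full paths to exclude for one drive letter, e.g. 'D:' or 'F:'."""
    paths = [DATA_FOLDER] + FIXED_FILES
    paths += [f"{stem}.{cid}" for stem in PER_COMPANY_FILES for cid in company_ids]
    return [drive + p for p in paths]


def audit(drive, company_ids, configured):
    """Compare an AV exclusion list against section 4.1.2 for this machine."""
    have = {norm(p) for p in configured}
    required = required_exclusions(drive, company_ids)
    tails = {norm(ntpath.splitdrive(p)[1]) for p in required}
    roots = {norm(r) for r in PROGRAM_ROOTS}
    findings = {"missing": [], "too_broad": [], "wrong_drive": []}
    for p in required:
        if norm(p) not in have:
            findings["missing"].append(p)
    for p in configured:
        d, tail = ntpath.splitdrive(norm(p))
        if tail in roots or tail in ("\\", ""):
            findings["too_broad"].append(p)      # programs left unscanned
        elif tail in tails and d != norm(drive):
            findings["wrong_drive"].append(p)    # copied from another machine
    return findings


# Constructed sample: a workstation that maps the server as F: but whose
# exclusion list was partly copied from the server (D:).
SAMPLE = [r"D:\AXIS7\DATA", r"F:\AXIS7\AX7TLICN.LBL",
          r"F:\axis7\ax7tparm.co1", r"F:\AXIS2000"]

if __name__ == "__main__":
    for kind, paths in audit("F:", ["CO1"], SAMPLE).items():
        print(kind, paths)
```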
4.1.3 Exclude specified file types.
Although possible with many AV software products, we do not recommend
specifying AXIS Diplomat data files as part of an excluded file types
list since on some systems this list may be extensive and is also subject
to change should additional AXIS Diplomat company data sets or packages
be added to the system. (For example a system running three sets of
company accounts, payroll and fixed asset register would need to exclude
*.CO1, *.CO2, *.CO3, *.PO1, *.PO2, *.PO3, *.FO1, *.FO2 and *.FO3.)
Where the exclude specified files mechanism is the only suitable mechanism
available the following file types must be excluded for AXIS Diplomat:
.<company id> (e.g. CO1, CO2 etc.); .LBL, .INI and .$$$
4.2 Scanning Direction
AV software can commonly be configured to scan files as they are opened
for writing (incoming), as they are closed (outgoing), or in both directions.
Whilst scanning files in both directions may be the most secure, this can
cause problems for application programs as attempts by AXIS Diplomat
to access its own data files can potentially be blocked by the AV software.
This occurs when AXIS Diplomat closes a data file and then quickly re-opens
the same file: the file open can fail because the AV software has the
file open itself for scanning.
Under these circumstances an AXIS abort
screen may be displayed with error 064/2704 indicating that the AXIS Diplomat
data file has been opened by a program other than AXIS Diplomat.
In order to prevent conflicts between AXIS Diplomat and the AV software
the AXIS Diplomat data files should be excluded from scanning using one
of the two mechanisms outlined in section 4.1 thus making the scanning
direction irrelevant. Where this is not possible, set the AV software
to scan outgoing files only (i.e. scan a file when it is opened but not
when it is closed by the application).
4.3 Network drives
Many AV software packages include options to scan files as they are accessed
on remote network drives. This should only be necessary if you have machines
on your network which are not running the AV software. Assuming that all
servers and workstations are correctly running AV software then protecting
network drives may result in files being scanned twice, once by the server
and once by the workstation.
This double-scanning can result in poor performance
which may be particularly noticeable when loading functions for the first
time (when loaded a second time the program may be in cache and will thus
avoid the AV scan).
For optimal performance we recommend that you disable scanning of remote
drives (assuming AV software is running on all computers).
If you decide to run your workstations with scanning of remote drives
enabled, you will need to ensure that the AV software on every workstation
excludes the AXIS Diplomat data files using one of the methods in section
4.1 above. Note that the drive letter mapped to the server may vary from
one workstation to another and so a different AV software configuration
may be required on different workstations!
Failure to configure this correctly
may result in an AXIS Diplomat abort screen when running in supervisor
(single user) mode because in single user mode AXIS Diplomat data files
are opened directly by the AXIS process running on the workstation.
5. Diagnosing performance problems
One of the most common causes of performance issues is AV software configuration.
The following checklist is designed to help diagnose performance issues
by optimising AV software for performance whilst minimising any compromise
to security.
5.1 Check that the AV software is configured to scan specified file types
only (or alternatively to exclude the AXIS7\DATA folder). If this is not
set correctly the AV software may be scanning AXIS Diplomat data files
which cannot cause a virus infection but can result in the AV software
causing serious performance degradation due to the large size of the files
concerned and the time they take to scan.
5.2 Check that the AV software is configured NOT to scan network (remote)
drives. Scanning remote drives may result in a file being scanned twice,
once by the server and once by the workstation. Very secure but it takes
twice the time!
5.3 If no performance improvement has been seen, determine whether the AV
software is at fault by disabling AV scanning on the server AND all workstations
using AXIS Diplomat. If this has no effect on performance then it may
be necessary to uninstall the AV software from the system to prove whether
it is implicated.
6. Further Information
Examination of AV software scanning activity in researching this ASN
was conducted using File Monitor (FILEMON.EXE) from www.sysinternals.com.
- End -
THE INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. SYSTEMS AXIS DISCLAIMS ALL WARRANTIES,
EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL Systems AXIS Limited OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES.
Published by Systems AXIS Limited. AXIS, AXIS Envoy, AXIS Ambassador,
AXIS Diplomat and the AXIS logo are trademarks of Systems AXIS Limited.
All other product names are trademarks of their respective owners.
© Copyright 2002 Systems AXIS Limited. All rights reserved.
Revision History
0.2 | 03.07.2002 | Added diagnosing performance problems and revamped software config.
0.1 | 02.07.2002 | First Draft