axis diplomat 2008 Kernel Support Notes |
||
3. Configuring Anti-Virus Software with AXIS Diplomat |
||
This Application Support Note outlines the configuration options that we recommend are used with anti-virus software to optimise the performance of axis diplomat without a significant increase in the risk of virus infection. The recommendations in this document refer to third party software and are not intended to be specific instructions relating to any one vendor's anti-virus product. PLEASE NOTE THAT AXIS FIRST PROVIDES SUPPORT ON axis diplomat AND THIRD PARTY PRODUCTS ONLY ON A CONTRACT BASIS. THIS APPLICATION SUPPORT NOTE IS DESIGNED TO PROVIDE A USER WITH MODERATE EXPERIENCE OF THE PRODUCTS USED WITH SUFFICIENT INFORMATION TO PERFORM THE OPERATIONS DESCRIBED. AXIS FIRST REGRET THAT WE CANNOT PROVIDE SUPPORT ON THIS PROCEDURE UNLESS BOTH axis diplomat AND SYSTEMS SUPPORT CONTRACTS ARE IN PLACE. Introduction Axis First strongly recommends the use of reputable anti-virus software across your system. As with any software, axis diplomat is vulnerable to attack from malicious virus software which could result in serious damage to your programs and data. By its nature, anti-virus software is complex and we would recommend that it is always installed and configured by a professional. Incorrectly installed anti-virus software can result in:
axis diplomat is designed to allow the use of operating system security features to help protect its programs and database from accidental or malicious damage whether performed by users or virus software. Pre-requisites
Recommendations & considerations Install and configure AV software on all the machines in your system not just the machine which holds the axis diplomat programs and data. Incorrectly configured AV software on a workstation can affect the operation of axis diplomat on a server if the workstation's AV software is configured to protect network drives. You may also be running axis diplomat systems locally on a workstations (for example Payroll) which should be protected. Configure the AV software as discussed below to (a) exclude scanning the axis diplomat data files and (b) avoid multiple scans of a file. AV software configuration Anti-virus software commonly provides the ability to specify which file types are included in scans. You may find that by default your AV software includes all files on your system. This can cause performance problems as axis diplomat maintains large database files which can take many minutes to scan. This may be acceptable for a scheduled (e.g. overnight) scan but can cause severe performance degradation if the AV software scans these files in real-time. Fortunately, database files are rarely targeted for virus infection since they are never 'run' and cannot therefore be used as a vehicle to further infect the system. Since axis diplomat database files can neither propagate viruses nor be cured when infected we recommend that they are excluded from AV scans but advise that you ensure that you have secured your axis diplomat installation by applying file permissions in line with Application Support Note 1066381. Access to the axis diplomat data files will then be very restricted, further minimising any risk of damage or infection. We suggest that you exclude axis diplomat data files from AV scans using the 'Scan specified file types only' method described below.
Scanning Direction AV software can commonly be configured to scan files as they are opened for writing (incoming), as they are closed (outgoing), or in both directions. Whilst scanning files in both directions may be the most secure this can cause problems for applications programs as attempts by axis diplomat to access its own data files can potentially be blocked by the AV software. This occurs when axis diplomat closes a data file and then quickly re-opens the same file, the file open can fail because the AV software has the file open itself for scanning. Under these circumstances an AXIS abort screen may be displayed with error 064/2704 indicating that the axis diplomat data file has been opened by a program other than axis diplomat. In order to prevent conflicts between axis diplomat and the AV software, the axis diplomat data files should be excluded from scanning using one of the mechanisms outlined above, making the scanning direction irrelevant. Where this is not possible, set the AV software to scan incoming files only (i.e. scan a file when it is opened but not when it is closed by the application). Network drives Many AV software packages include options to scan files as they are accessed on remote network drives. This should only be necessary if you have machines on your network which are not running the AV software. Assuming that all servers and workstations are correctly running AV software then protecting network drives may result in files being scanned twice, once by the server and once by the workstation. This double-scanning can result in poor performance which may be particularly noticeable when loading functions for the first time (when loaded a second time the program may be in cache and will thus avoid the AV scan). For optimal performance we recommend that you disable scanning of remote drives (assuming AV software is running on all computers). If you decide to run your workstations with scanning of remote drives enabled, you will need to ensure that the AV software on every workstation excludes the axis diplomat data files using one of the methods described above. Failure to configure this correctly may result in an axis diplomat abort screen when running in supervisor (single user) mode because in single user mode axis diplomat data files are opened directly by the AXIS process running on the workstation. Diagnosing performance problems One of the most common causes of performance issues is AV software configuration. The following checklist is designed to help diagnose performance issues by optimising AV software for performance whilst minimising any compromise to security.
Further Information Examination of AV software scanning activity in researching this ASN was conducted using File Monitor (FILEMON.EXE) from http://technet.microsoft.com/en-us/sysinternals/ |
||
|
||