
Application Support Note

ASN-2004-128

Running Anti Virus Software on an axis diplomat installation

Last Reviewed: 05 November 2004

Products affected: axis diplomat 2004 & Anti-virus software

Description: This document outlines the configuration options which we recommend are used with anti-virus software to optimise the performance of axis diplomat without a significant increase in the risk of virus infection. The recommendations in this document refer to third party software and are not intended to be specific instructions relating to any one vendor's anti-virus product.

1. Introduction

Systems AXIS strongly recommends the use of reputable anti-virus software across your system. As with any software, axis diplomat is vulnerable to attack from malicious virus software which could result in serious damage to your programs and data.

By its nature, anti-virus software is complex and we would recommend that it is always installed and configured by a professional. Incorrectly installed anti-virus software can result in:

(a) Severe performance degradation in the axis diplomat software.
(b) Unexpected program aborts from axis diplomat possibly leading to data corruption. Typically an AXIS abort screen is displayed with error 064/2704.
(c) Failure to protect axis diplomat from virus infection.

axis diplomat is designed to allow the use of operating system security features to help protect its programs and database from accidental or malicious damage whether performed by users or virus software.

2. Pre-requisites

3. Recommendations & considerations

3.1 Install axis diplomat on a secure disk partition (Microsoft NTFS) with file permissions set by the axis diplomat SETUP program (refer to support note ASN-2004-127 for further details).

3.2 Install and configure AV software on all the machines in your system, not just the machine which holds the axis diplomat programs and data. Incorrectly configured AV software on a workstation can affect the operation of axis diplomat on a server if the workstation's AV software is configured to protect network drives. You may also be running axis diplomat systems locally on a workstation (for example Payroll), and these should be protected as well.

3.3 Configure the AV software as discussed below to (a) exclude scanning the axis diplomat data files and (b) avoid multiple scans of a file.

4. AV software configuration.

4.1 File selection

Anti-virus software commonly provides the ability to specify which file types are included in scans. You may find that by default your AV software includes all files on your system. This can cause performance problems as axis diplomat maintains large database files which can take many minutes to scan. This may be acceptable for a scheduled (e.g. overnight) scan but can cause severe performance degradation if the AV software scans these files in real-time.

Fortunately, database files are rarely targeted for virus infection since they are never 'run' and cannot therefore be used as a vehicle to further infect the system.  Since axis diplomat database files can neither propagate viruses nor be cured when infected we recommend that they are excluded from AV scans but advise that you ensure that you have secured your axis diplomat installation by applying file permissions in line with ASN-2004-127.

Access to the axis diplomat data files will then be very restricted, further minimising any risk of damage or infection.

We suggest that you exclude axis diplomat data files from AV scans using the 'Scan specified file types only' method described in section 4.1.1 below.

4.1.1 Recommended method: Scan specified file types only.

This is the simplest method to configure since the file type extensions used by axis diplomat for its data files (.AX?) would not normally be included in the AV software's default exclusion list. It should also mean that files belonging to databases other than AXIS are also excluded. This method is however potentially less secure than that described in the alternative method below as it relies on the system administrator maintaining an accurate and up-to-date list of all file types which pose a potential threat.

4.1.2 Alternative method: Exclude specified files and directories.

Because of the design of axis diplomat, program files and data files are stored on the disk in different folders. The data folders can therefore be excluded from AV scanning whilst still protecting the axis diplomat programs.

At first sight this method may appear simple but in reality can be complex and for this reason we recommend the 'Scan specified file types only' method described in section 4.1.1.

To achieve the exclusion of axis diplomat data files, identify the partition on which axis diplomat is installed and configure your AV software to exclude the files and folders listed below.

Since the drive letter may be required in the path statement you will probably need to change this configuration if you move axis diplomat onto another partition in the future. Also if you have scanning of networked drives enabled (not recommended) you will need to ensure that you configure the AV software on each workstation to exclude these files and folders for the drive letter you have mapped from the workstation to the axis diplomat server.

Also note that if you have installed axis diplomat in a pseudo root by using a substitution (not recommended or supported) this will have been resolved to the file's true path when the file is loaded (and scanned) and therefore it is the true path which must be specified.

\AXIS2004\DATA
\AXIS2004\*.AXZ

Be careful not to exclude the whole of the \AXIS2004 folder structure.

You may also need to exclude files and folders for other databases running on your system which may be a part of the operating system or third party applications.
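The path-based exclusions in this section can be checked mechanically. The following is an added example, not part of the original note or of any AV product: it audits one machine's exclusion list for the two entries above, for an exclusion that covers the whole \AXIS2004 tree, and for entries carrying another machine's drive letter. The function name, the finding labels and the drive letters D: and X: are assumptions made for the illustration.

```python
import ntpath  # Windows path rules, usable on any OS

AXIS_ROOT = r"\AXIS2004"  # install folder as written in this note
# Constructed sample: a server-side list with an assumed drive letter D:
SAMPLE_SERVER = [r"D:\AXIS2004\DATA", r"D:\AXIS2004\*.AXZ"]

def _norm(path):
    """Strip the drive, collapse separators, fold case (NTFS names are case-insensitive)."""
    tail = ntpath.splitdrive(path)[1]
    return ntpath.normcase(ntpath.normpath(tail)).rstrip("\\")

def audit_exclusions(exclusions, drive, axis_root=AXIS_ROOT):
    """Check one machine's AV exclusion entries against section 4.1.2.

    drive is the letter through which THIS machine reaches axis diplomat
    (local partition on the server, mapped letter on a workstation).
    Returns a list of (finding, entry) tuples; an empty list means consistent.
    """
    root = _norm(axis_root)
    drive = drive.upper()
    required = [axis_root + r"\DATA", axis_root + r"\*.AXZ"]
    satisfied = set()
    findings = []
    for raw in exclusions:
        entry_drive = ntpath.splitdrive(raw)[0].upper()
        path = _norm(raw)
        # The root itself, a wildcard over it, or any parent folder would
        # stop the axis diplomat program files from being scanned.
        if path in (root, root + r"\*", root + r"\*.*") or root.startswith(path + "\\"):
            findings.append(("OVERBROAD", raw))
        elif entry_drive and entry_drive != drive and path.startswith(root + "\\"):
            # e.g. the server's D: entries copied to a workstation that maps X:
            findings.append(("WRONG_DRIVE", raw))
        else:
            satisfied.add(path)
    for req in required:
        if _norm(req) not in satisfied:
            findings.append(("MISSING", req))
    return findings

if __name__ == "__main__":
    print(audit_exclusions(SAMPLE_SERVER, "D:"))   # server: consistent
    print(audit_exclusions(SAMPLE_SERVER, "X:"))   # workstation with a different mapping
    print(audit_exclusions([r"D:\AXIS2004"], "D:"))  # whole tree excluded
```

The check compares entries literally; it does not resolve substituted drives, so the true path must be supplied as the note requires.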

4.1.3 Exclude specified file types.

Although possible with many AV software products, we do not recommend specifying axis diplomat data files as part of an excluded file types list since on some systems this list may be extensive and is also subject to change should additional axis diplomat packages be added to the system.

Where the exclude specified files mechanism is the only suitable mechanism available the following file types must be excluded for axis diplomat: .AX?, .LBL, .INI and .$$$

4.2 Scanning Direction

AV software can commonly be configured to scan files as they are opened for writing (incoming), as they are closed (outgoing), or in both directions. Whilst scanning files in both directions may be the most secure, this can cause problems for application programs, as attempts by axis diplomat to access its own data files can potentially be blocked by the AV software.

This occurs when axis diplomat closes a data file and then quickly re-opens the same file: the file open can fail because the AV software has the file open itself for scanning. Under these circumstances an AXIS abort screen may be displayed with error 064/2704 indicating that the axis diplomat data file has been opened by a program other than axis diplomat.

In order to prevent conflicts between axis diplomat and the AV software the axis diplomat data files should be excluded from scanning using one of the two mechanisms outlined in section 4.1 thus making the scanning direction irrelevant. Where this is not possible, set the AV software to scan incoming files only (i.e. scan a file when it is opened but not when it is closed by the application).

4.3 Network drives

Many AV software packages include options to scan files as they are accessed on remote network drives. This should only be necessary if you have machines on your network which are not running the AV software. Assuming that all servers and workstations are correctly running AV software then protecting network drives may result in files being scanned twice, once by the server and once by the workstation.

This double-scanning can result in poor performance which may be particularly noticeable when loading functions for the first time (when loaded a second time the program may be in cache and will thus avoid the AV scan).

For optimal performance we recommend that you disable scanning of remote drives (assuming AV software is running on all computers).

If you decide to run your workstations with scanning of remote drives enabled, you will need to ensure that the AV software on every workstation excludes the axis diplomat data files using one of the methods in section 4.1 above. Note that the drive letter mapped to the server may vary from one workstation to another and so a different AV software configuration may be required on different workstations!

Failure to configure this correctly may result in an axis diplomat abort screen when running in supervisor (single user) mode because in single user mode axis diplomat data files are opened directly by the AXIS process running on the workstation.

5. Diagnosing performance problems

One of the most common causes of performance issues is AV software configuration. The following checklist is designed to help diagnose performance issues by optimising AV software for performance whilst minimising any compromise to security.

5.1 Check that the AV software is configured to scan specified file types only (or alternatively to exclude the AXIS7\DATA folder). If this is not set correctly the AV software may be scanning axis diplomat data files which cannot cause a virus infection but can result in the AV software causing serious performance degradation due to the large size of the files concerned and the time they take to scan.

5.2 Check that the AV software is configured NOT to scan network (remote) drives. Scanning remote drives may result in a file being scanned twice, once by the server and once by the workstation. Very secure but it takes twice the time!

5.3 If no performance improvement has been seen, establish whether the AV software is at fault by disabling AV scanning on the server AND all workstations using axis diplomat. If this has no effect on performance then it may be necessary to uninstall the AV software from the system to prove whether it is implicated.

6. Further Information

Examination of AV software scanning activity in researching this ASN was conducted using File Monitor (FILEMON.EXE) from www.sysinternals.com.

Revision History

1.3  22.06.2004  Updated for axis diplomat 2004
1.2  03.07.2002  Added diagnosing performance problems and revamped software config.
1.1  02.07.2002  First Draft
