Recommendations for Configuration of Antivirus Software

for use with software applications produced by Profitstar Inc.

Date created:Nov 30, 2004

Last updated:Aug 25, 2005

Intended audience:IT professionals and end users

This document is available in electronic form at:

Summary

Many of our clients routinely use antivirus software to protect their computer systems and networks from malicious software attacks. Commonly used antivirus programs include:

  • Norton AntiVirus™ and Symantec AntiVirus™ (both from Symantec Corporation)
  • McAfee®VirusScan®
  • Computer Associates® eTrust™
  • Panda Software antivirus products

This document describes our recommendations for configuring antivirus software for optimal compatibility with the following applications produced by Profitstar Inc.:

  • PROFITstar® (including PROFITstar Suite™)
  • PROFITability®
  • PROFITstar Portfolio™
  • Budget Manager™

Recommended actions

Antivirus programs, performing file-level virus scans,should be configured to specifically exclude file types that are associated with Profitstar data. The exclusions apply only in Profitstar data directories. Omitting Profitstar data files from the virus scans will prevent potential problems with program stability, data integrity, and performance. Scanning other file types—those not associated with Profitstar data—shouldcause no problems. (See page 7 for a complete list of Profitstar data file types.)

IMPORTANT: We are not recommending that antivirus protection in general be disabled. Nor are we recommending that Profitstar program files be excluded from virus protection. We are recommending only that the data files for Profitstar programs be excluded from virus scans.

Why would scanning Profitstar data for viruses cause problems?

At least three kinds of problems might occur when scanning Profitstar data files:

  1. The antivirus program modifies a Profitstar data file.Antivirus programs sometimes incorrectly detect a virus—they identify a virus when in fact no virus is present. (This is called a “false positive”. It is unusual, but quite possible, to encounter false positives when scanning large quantities of binary data.) The antivirus may attempt to “fix” the apparent problem, which involves modifying the supposedly infected file. Any such alteration of a Profitstar data file could cause serious data corruption.
  2. The antivirus program removes a Profitstar data file. Again, suppose the antivirus software encounters a false positive. Rather than attempting to fix the infection, the antivirus may be configured to quarantine the infected file, or to perform a quarantine if an attempted fix fails. For purposes of Profitstar programs which use that file, quarantining is equivalent to deleting. The file will be missing when it’s expected to be there. Again, the consequences for program stability and data integrity could be serious.
  3. The antivirus software causes a sharing violation.This kind of error is possible with “on-demand” scans—those which are launched manually by a user, or automaticallyby a task scheduler. If a Profitstar program attempts to open a data file while it’s being scanned by the antivirus program, a sharing-related I/O error might occur. (This kind of error shouldn’t be encountered with real-time scans.)

Other problems with program stability and data integrity as a result of virus scanning

One PROFITstar user reported “Invalid pointer operation” errors during database-intensive operations,while running with data on a local drive.We were not able to find any obvious problems with the system configuration (available hard drive space, virtual memory settings, etc.). We looked further and found that Computer Associates eTrust antivirus software was running at the workstation, with real-time file protection enabled. When we disabled real-timescanning, the runtime errors no longer occurred. Apparently the antivirus software was introducing instabilities into database-related file operations. The errors were easily reproducible whenever protection was enabled, but never reproducible when protection was disabled. So in this case a definite link was established between PROFITstar program stability and eTrust real-timescanning. (We have not been able to reproduce this behavior in-house at Profitstar Inc. using PROFITstar version 2004c.12 with eTrust version 7.1.)

In two other cases, clients reported severe data corruption in PROFITability (an apparent loss of all numeric data). The symptoms were caused by corruption of a critical index file. In both cases, clients were running eTrust with real-time protection enabled. We don’t have sufficient information to prove a definite link between eTrust and this particular kind of datacorruption, but as a preventive measure we are recommending that data for Profitstar applications be excluded from virus scans.

Potential problems with performance

Real-time file protection can also introduce a significant performance penalty, especially if detection heuristics are being used.[1]So an additional reason to consider disabling real-time file protection is that it might improve the performance of Profitstar programs.

Some users access shared data for Profitstar applications on a network drive. In this case, it is possible for real-time scanning to be enabled twice, once at the server and again at the workstation, imposing a double performance penalty. The shared data should be excluded from real-time protection at the file server and at all client workstations.

Does excluding data from virus protection make my systemsmore vulnerable to attack?

The risk is negligible. Malicious software has to be executed—runby a host computer—inorder to do damage. Profitstar data is not executable, and therefore poses very little virus threat.

How can I minimize my exposure to viruses in the Profitstar data directories?

Data for Profitstar programs resides in directories that could be used by malicious software to store potentially executable and destructive code. Totally excluding the data directories from virus scanscould leave the directories vulnerable to exploitation. A better alternative would be to scan only selected files within those directories. Specifically, we recommend that all file types not associated with data for Profitstar programs be scanned. (Profitstar data-related file types are documented on page 7.) Under this recommended configuration, high-risk file types like executable files would always be scanned, minimizing the risk of malicious exploitation.

What about report files generated by PROFITstar or PROFITability?

Four kinds of report files generated by Profitstar applications are potentially exploitable by viruses:

  1. Adobe Acrobat (.pdf) files
  2. HTML files (.htm or .html)
  3. Zip files (.zip)
  4. Self-extracting report files (.exe)

Adobe Acrobat and HTML files are at relatively low risk of exploitation. Zip files and especially the self-extracting report files would be more of a concern.

None of these 4 report file types is a Profitstar data file type. They will always be scanned if you exclude only those file types listed on page 7.

Doesn’t excluding data from virus scans violate security best practices?

No. It is not unusual for data files to be excluded from virus scans. Files which are not executable, and which are stored in proprietary formats not “understood” by antivirus software, may be legitimately excluded. This is especially true if there is a risk of virus scans interfering with the normal operation of the database in question.

For example, to avoid data corruption, Microsoft strongly recommends excluding certain data files used by Exchange Server from virus scans. Likewise, Microsoft recommends excluding some system data used by Windows 2000 or Server 2003 domain controllers. According to Symantec, Microsoft SQL Server databases should be excluded. Anecdotal evidence from SQL Server administrators supports Symantec’s advice. Refer to the knowledge resources beginning on page 5 for further information.

Data for Profitstar programs is not executable, and is therefore highly unlikely to be targeted by viruses. It is stored in formats, mostly with binary encoding, which are not “understood” by antivirus programs. Furthermore, if antivirus software interferes with the normal operation of the database, serious side effects can result.

Excluding data for Profitstar programs from virus scans does not violate security best practices. It also makes good sense, given the added benefits inprogram stability, data integrity, and performance.

Antivirus Recommendations for Profitstar Applications

Page 1 of 7

Where to go for more information

How to include or exclude files from virus scans

Refer to the knowledge resources from your antivirus provider.

General antivirus information from Microsoft

“Antivirus software: frequently asked questions”

“The Antivirus Defense-in-Depth Guide”

Microsoft’s antivirus business partners (about 2 dozen), including links to each:

“Messaging Hygiene at Microsoft” describes Microsoft’s corporate approach to e-mail security. Note the following: “Organizations that want to employ file-level antivirus software on Exchange Server 2003 servers should use extra precautions. Because the file-level antivirus software is typically not aware of the internal structure of the Exchange-specific data (such as Exchange databases and log files), scanning such contents often results in server failures and may cause data corruption. The file-level antivirus software must be specifically configured to exclude any Exchange Server–related data, such as mailbox stores, transaction logs, temporary directories, message queues, and other relevant file locations.” The same is true for the data used by Profitstar applications.

Microsoft recommends excluding their e-mail server databases and some domain controller directories from virus scans

“Overview of Exchange Server 2003 and antivirus software”

“Exchange and antivirus software”

“Virus scanning recommendations on a Windows 2000 or on a Windows Server 2003 domain controller”

Symantec recommends excluding SQL Server databases from virus scans

“Can Symantec AntiVirus Corporate Edition scan a SQL database?” [Symantec says no, but does not elaborate on what the consequences of doing so might be.]

“A Short Tour of Symantec System Center 5.0 in Symantec AntiVirus 8.x” ["The 'Exclude selected files and folders' box should be checked if you have large databases, such as SQL, or a local e-mail server like Microsoft Exchange. Certain third-party software packages will also suggest excluding their software from being scanned."]

Anecdotal advice from system administrators re: SQL Server databases & antivirus software

From sqlservercentral.com. (You must be a registered member to view, but membership is free. The advice of contributors to this forum is consistently, “Exclude SQL Server databases from virus protection.”)

If you have further questions, please contact your Profitstar Client Support representative.

Author:Kent Donnelly

Director of Development

Profitstar

Omaha, NE

Antivirus Recommendations for Profitstar Applications

Page 1 of 7

APPENDIX

File types associated with data for Profitstar programs

In data directories for Profitstar programs, the following file types should be excluded from virus scanning:

Antivirus Recommendations for Profitstar Applications

Page 1 of 7

.add

.adi

.adm

.adt

.ai

.am

.bpf

.brs

.bsm

.budget

.dat

.db

.fcs

.frp

.gs5

.idx

.ig5

.ini

.ir5

.lck

.log

.mb

.net

.par

.ps5

.psbudget

.psimage

.psr

.px

.ud5

.val

.wi?

.xg?

.yg?

Antivirus Recommendations for Profitstar Applications

Page 1 of 7

NOTES

  • The same file types should be excluded when scanning files nested in ZIP files. This applies to ZIPped copies of data for Profitstar programs, including PROFITstar or PROFITability backups. Special measures must be taken when these ZIP files reside in directories other than Profitstar data directories.
  • The question mark wild card character ‘?’ represents (in the case of Profitstar files) a single digit from zero ‘0’ to nine ‘9’.

Antivirus Recommendations for Profitstar Applications

Page 1 of 7

[1]Some antivirus software uses heuristics—statistical “rules of thumb”—to detect newly created or previously unknown threats. Heuristic virus detection is based on statistical probability that a threat exists, rather than absolute certainty. It is computationally intensive, so there may be a noticeable decrease in performance when heuristics are enabled.