Re: MS Defender for OL7 Oracle DB servers
Date: Sat, 5 Mar 2022 16:18:49 -0700
Message-ID: <CAHLzPNeCHHGbk8Loy+qg3QxxCxLRi1uc_z=x3dTwyvr-riv=cQ_at_mail.gmail.com>
Did you try to disable the real-time scanning and just run with the scheduled scans? I am assuming here the real-time is the issue? (I can't tell) - maybe you can run like that until you address the root cause? Just a suggestion that may or may not make sense since I don't know the background. For reference, I know we have several ExaCS environments running Symantec SEP (the old one, not the cloud version) doing a daily full scan of all the O/S and Oracle SW, and then in addition we use Auditbeat (ELK) to monitor for malicious file/config changes (AIDE can also be used for this but we have chosen to standardize on ELK).
With regards to why Oracle doesn't: Traditionally Oracle has left security features such as this outside of the database up to other vendors, customers, and integrators. As the topic of security has become more and more in focus, I do feel like Oracle has made some strides - they provide better and better documentation for securing their products (e.g. Exadata), and in the Cloud they are really taking security seriously and there is a whole set of security features that are getting better and better (Cloud Guard, Vulnerability Scanning, and others) - not sure if the vulnerability scanning is available yet on the ExaCS/CC platforms but they will come, I am sure.
It is a little sad that Oracle does not certify or provide more recommendations around anti-malware, but I think it will get there. These Oracle technologies we are talking about leverage a lot of low-level O/S, network, kernel, memory, and device driver features to achieve maximum performance, and as such they may conflict with various anti-malware features, so it gets a bit complicated, and I also don't think Oracle database servers in their various forms are a focus for anti-malware vendors. I also think that the market demand has not quite been there until recently, and as more and more organizations demand anti-malware on all servers it will get resolved and some best practices will be developed. Right now I feel like we are a little bit on our own, but that said, you are in good hands with this forum, Tim and Kellyn :)
Thanks!
Niklas Iveslatt
Senior Partner
Arisant LLC ~ http://www.arisant.com
44 Inverness Dr. E Bldg. C Suite 2 ~ Englewood, CO 80112
mobile: 303.882.4461 ~ main: 303.330.4065 ~ fax: 888.889.0155
Need to send me something securely? *Click here* <https://arisant.sendsafely.com/u/niklas.iveslatt>
On Sat, Mar 5, 2022 at 12:17 AM tefetufe <coskan_at_gmail.com> wrote:
> That's great to hear that it can work without any issues, as sooner or later
> the ask will come back again.
>
> We could not find the right combination which is not CPU hungry despite
> multiple calls with Microsoft. I wish they had the real working
> combination published so we can try again.
>
> My only question to your argument will be why Oracle doesn't bundle it by
> default in 2022 for their ExaCS and ExaCC solutions. Security is sold as a
> major feature, and that malware protection is something they don't have on Linux
> is a question mark for me.
>
>
>
> On Sat, 5 Mar 2022 at 00:26 Niklas Iveslatt <niklas.iveslattx_at_arisant.com>
> wrote:
>
>> I usually don't speak up much but I am very passionate about security and
>> the protection of people's data in general. I have to say that some kind of
>> antimalware should be installed on all servers, especially on database
>> servers. It is 2022 for goodness sake and we have security breaches galore.
>> All the leading anti-malware vendors have tons of configuration options -
>> both for real-time and scheduled scan configurations.
>>
>> In the last many years I have not seen a case where running antimalware,
>> properly configured, caused issues. This includes deployments we have done
>> on ExaCS, DBCS, and other very Oracle-centric solutions.
>>
>> The requirement needs to be to have anti-malware installed on all servers
>> and then configure it to work with the workload. We as IT people have the
>> responsibility to enforce this in my view.
>>
>> In the case of MS Defender, it is a highly intelligent engine that is
>> just getting better and better over time and I see no reason why this
>> should not work - we just finished up an OCI project where this was
>> deployed successfully in a PeopleSoft environment running Oracle databases.
>>
>> Niklas Iveslatt
>> Senior Partner
>>
>>
>> Arisant LLC ~ http://www.arisant.com
>> 44 Inverness Dr. E Bldg. C Suite 2 ~ Englewood, CO 80112
>> mobile: 303.882.4461 ~ main: 303.330.4065 ~ fax: 888.889.0155
>>
>> Need to send me something securely? *Click here*
>> <https://arisant.sendsafely.com/u/niklas.iveslatt>
>>
>>
>> On Fri, Mar 4, 2022 at 12:37 PM tefetufe <coskan_at_gmail.com> wrote:
>>
>>> Despite being on ExaCC and ASM and excluding all binary folders for grid
>>> and DB, MS Defender managed to give us trouble and I finally convinced the
>>> requester team not to have Defender on DB systems.
>>>
>>> Issues:
>>> - High CPU usage for the process (the last thing you want is a virus scan burning
>>> expensive CPU cycles)
>>> - I had a cluster crash where Defender was looking so suspicious when the
>>> issue was happening, maybe I just saw the excuse that I needed :)
>>>
>>> Since Defender is gone I have not seen a single stability problem.
>>>
>>> Also on VMware it gave us a big hassle when we wiped a huge DB sitting on XFS
>>> to refresh it. It was blocking the files from being deleted and all of our
>>> refresh automations failed due to being defended by Defender.
>>>
>>> My suggestion is avoid at all cost if you can
>>>
>>>
>>>
>>>
>>> On Fri, 4 Mar 2022 at 19:29 Tim Gorman <tim.evdbt_at_gmail.com> wrote:
>>>
>>>> Rich,
>>>>
>>>> As documented HERE
>>>> <https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux?view=o365-worldwide#common-applications-to-microsoft-defender-for-endpoint-can-impact>
>>>> ...
>>>>
>>>> *Common Applications to Microsoft Defender for Endpoint can impact*
>>>>
>>>> *High I/O workloads from certain applications can experience
>>>> performance issues when Microsoft Defender for Endpoint is installed. These
>>>> include applications for developer scenarios like Jenkins and Jira, and
>>>> database workloads like OracleDB and Postgres. If experiencing performance
>>>> degradation, consider setting exclusions for trusted applications, keeping "Common
>>>> Exclusion Mistakes for Microsoft Defender Antivirus"
>>>> <https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus>
>>>> in mind. For additional guidance, consider consulting documentation
>>>> regarding antivirus exclusions from third party applications.*
>>>>
>>>>
>>>> Personally, I think any sort of "protective" software running on a
>>>> database server is another good reason to use Oracle ASM, as A/V software
>>>> generally "protects" only filesystem-based files, and does not recognize (or
>>>> bother with) block-special or character-special devices. Just my opinion,
>>>> when you can't prevent A/V software from being used in the first place.
>>>>
>>>> Hope this helps...
>>>>
>>>> Thanks!
>>>>
>>>>
>>>> -Tim
>>>>
>>>>
>>>>
>>>> On 3/4/2022 6:50 AM, Rich J wrote:
>>>>
>>>> Hey all,
>>>>
>>>> Anyone run into any issues running MS Defender on their Oracle DB
>>>> servers on Linux? This would be on OL7 for now (mostly 7.7).
>>>>
>>>> One would think that the Oracle datafile directories plus the ADR tree
>>>> should be excluded. I'm just wondering if there's other common "gotchas"
>>>> that others have run into.
>>>>
>>>> Thanks,
>>>> Rich
>>>>
>>>>
>>>> --
>>> --
>>> Coskan GUNDOGAR
>>>
>>> Oracle DBA
>>>
>>> Email: coskan_at_gmail.com
>>> Blog: http://coskan.wordpress.com
>>> Twitter: http://www.twitter.com/coskan
>>> Linkedin: http://uk.linkedin.com/in/coskan
>>>
>> --
> --
> Coskan GUNDOGAR
>
> Oracle DBA
>
> Email: coskan_at_gmail.com
> Blog: http://coskan.wordpress.com
> Twitter: http://www.twitter.com/coskan
> Linkedin: http://uk.linkedin.com/in/coskan
>
-- http://www.freelists.org/webpage/oracle-l
Received on Sun Mar 06 2022 - 00:18:49 CET
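The thread above circles around two concrete settings for Defender for Endpoint on Linux: which Oracle paths to exclude (Rich's "datafile directories plus the ADR tree", Coskan's excluded binary folders) and whether to turn real-time protection off in favour of scheduled scans (Niklas's suggestion). The script below is an added example written for this page; it is not code from anyone in the thread or from Microsoft or Oracle. It emits the exclusions as an mdatp managed-configuration document and runs each entry through a sanity check of the kind the "Common Exclusion Mistakes" article asks for. Assumptions, all mine: the /u01, /u02 and /u03 layout is constructed; the TOO_BROAD list is my own judgement of trees that should never be excluded wholesale; and the JSON shape ("antivirusEngine" with "enableRealTimeProtection" and an "exclusions" array of "excludedPath" / "excludedFileExtension" / "excludedFileName" entries) follows the mdatp_managed.json format as I understand it from the Defender for Endpoint on Linux documentation and should be checked against the current docs before it is pushed to a host.

```python
"""Build and sanity-check a Defender for Endpoint on Linux exclusion list for
an Oracle database host.  Added example; paths and policy are assumptions."""
import json
from pathlib import PurePosixPath

# Constructed example layout for a single-instance OL7 host (assumption).
ORACLE_BASE = "/u01/app/oracle"
DATA_DIRS = ["/u02/oradata", "/u03/fast_recovery_area"]  # datafiles, redo, archivelogs, RMAN pieces

# Trees that must never be excluded wholesale: excluding them leaves the scanner
# blind to exactly where a dropped payload lands.  My own list, not Microsoft's.
TOO_BROAD = {"/", "/bin", "/boot", "/dev", "/etc", "/home", "/lib", "/lib64", "/opt",
             "/proc", "/root", "/sbin", "/sys", "/tmp", "/usr", "/var", "/var/tmp"}


def check_exclusion(excl):
    """Return the exclusion unchanged, or raise ValueError if it is malformed or
    so broad that it defeats the purpose of running the scanner at all."""
    kind = excl.get("$type")
    if kind == "excludedPath":
        p = PurePosixPath(excl["path"])
        if not p.is_absolute():
            raise ValueError(f"path exclusion must be absolute: {p}")
        # PurePosixPath drops trailing '/' and '.' segments, so '/var/' == '/var'
        if str(p) in TOO_BROAD:
            raise ValueError(f"refusing to exclude a system tree: {p}")
    elif kind == "excludedFileExtension":
        ext = excl["extension"].lstrip(".")
        if not ext or any(ch in ext for ch in "*?."):
            raise ValueError(f"extension must be one literal extension: {excl['extension']!r}")
    elif kind == "excludedFileName":
        if not excl["name"] or "/" in excl["name"]:
            raise ValueError(f"process exclusion takes a bare executable name: {excl['name']!r}")
    else:
        raise ValueError(f"unknown exclusion type: {kind!r}")
    return excl


def oracle_exclusions(oracle_base, data_dirs):
    """Exclusions for an Oracle DB host: the datafile / fast recovery area
    directories and the ADR tree ($ORACLE_BASE/diag) as directory exclusions,
    plus the database server executable by process name.  ORACLE_HOME itself
    is deliberately not excluded here; whether to do that is a site decision."""
    exclusions = [
        {"$type": "excludedPath", "isDirectory": True, "path": d}
        for d in list(data_dirs) + [f"{oracle_base}/diag"]
    ]
    # All database server processes (ora_pmon_<SID>, oracle<SID> (LOCAL=NO), ...)
    # are the same $ORACLE_HOME/bin/oracle binary, so one name covers them.
    exclusions.append({"$type": "excludedFileName", "name": "oracle"})
    return [check_exclusion(e) for e in exclusions]


def managed_config(exclusions, real_time=True):
    """Wrap a checked exclusion list in the mdatp_managed.json structure.
    real_time=False is the 'scheduled scans only' variant from the thread."""
    return {
        "antivirusEngine": {
            "enableRealTimeProtection": real_time,
            "exclusions": exclusions,
        }
    }


if __name__ == "__main__":
    cfg = managed_config(oracle_exclusions(ORACLE_BASE, DATA_DIRS))
    # On a real host this goes to /etc/opt/microsoft/mdatp/managed/mdatp_managed.json
    print(json.dumps(cfg, indent=2))
```

For ad-hoc testing before committing to a managed file, the same entries can be added with the mdatp CLI (mdatp exclusion folder add --path ..., mdatp exclusion process add --name ..., then mdatp exclusion list to review). Two caveats follow from the thread itself: on ASM or Exadata the datafiles are not filesystem objects, so the directory exclusions above only matter for the ADR tree and anything that still lives on a filesystem (Tim's point); and if ORACLE_HOME and GRID_HOME binaries are excluded as Coskan did, the scanner no longer sees tampering there, which is the gap Niklas fills with AIDE or Auditbeat file-integrity monitoring.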