Showing results for 
Search instead for 
Did you mean: 

Best Practice AV set up on SAP Servers

0 Kudos


Has anyone come across or aware of any best practice guidelines for AV setup on SAP servers, for example, which files/drives should you exclude and configuration tuning/reg-edits required. We have McAfee as our standard AV and we do use the HIPS component.



Accepted Solutions (0)

Answers (1)

Answers (1)

Active Contributor
0 Kudos

My best advise is:

Don't run AV on a database server but rather reconfigure the local/a firewall so that only those ports are open which are necessary to run the SAP application.

Excluding files may help a bit but neverless, as soon as the AV scanner is installed it will hook up to the filesystem layer and slowing down (maybe not significantly) I/O. I've seen weird side effects in upgrades and patch installations due to an enabled scanner although the database files and executables were excluded from scanning.

If you're urged to run Windows servers then I would put them in a separate network segment with a firewall in front and enable only the necessary SAP ports (and printing ports). This has a number of advantages:

- nasty RPC bugs can't be exploited because RPC to the SAP system should be disabled

- there's no need to reboot the Windows machines on every "Microsoft patch day"

A virus scanner adds, especially for production database systems, an indeterministic risc to the business.