INTRODUCTION
This document details the Support Policy for configuring antivirus scanning on Symmetry SMS servers and clients. It is intended for those who require a more detailed explanation of the reasons for AV exceptions. The current Symmetry version at the time of release of this document is v9.3, but the information applies to all current versions and editions of Symmetry SMS.
Support Information:
9600-0685 Symmetry Security Hardening Guide, issue 9.3.0v1.pdf
9600-0427 Software Installation Manual, issue 9.3.0v1.pdf
Background:
In some cases, the use of antivirus software can significantly affect the performance of Symmetry, particularly if there is a large transaction rate. To maintain system performance, real-time scanning (which scans files as they are opened) should exclude the following locations. In addition, the following folders should either be excluded from other non-real-time antivirus scanning or scanned only during quiet periods of the day (the latter is not recommended):

From an IT perspective, an access control system typically changes very little in comparison to other server solutions and can therefore be considered at low risk of virus infection. The core of the system is transaction-based, interacting with SQL Server. The opportunities to open external links, files or emails, or to install additional software, which are common forms of virus delivery, are limited to clients only and can be restricted using user role permissions. Further details on the scanning practices for each of these locations are given below.
SQL Database Files:
Scanning of SQL files is limited because antivirus software can significantly affect the performance of Symmetry.
Antivirus Scanning:
Real-time scanning of files as they are opened should exclude SQL files. A PACS database like that of Symmetry is constantly updating. Unlike many other databases, such as an HR system (which may still be very large), Symmetry needs to process thousands of messages in a short time during peak periods.
- Every event, alarm or operator activity means another SQL Insert into the transaction tables and another MSMQ message. Data is constantly changing.
- Alarms are expected to be received in real time. A large system with sites around the world would expect a very large transactional throughput. For Microsoft SQL Server to handle a large number of Insert queries for card swipes and alarms while antivirus software is performing real-time monitoring of the database would be detrimental to performance.
Additional Info:
The limitation on real-time scanning of SQL files is not unique to Symmetry. For additional information on Microsoft best practices for antivirus scanning on SQL Server, please see the link below.
https://support.microsoft.com/en-gb/help/309422/how-to-choose-antivirus-software-to-run-on-computers-that-are-running
Message Queues:
Scanning of MSMQ files is limited because antivirus software can significantly affect the performance of Symmetry.
Antivirus Scanning:
Real-time scanning of files as they are opened should exclude MSMQ files. MSMQ is used to hold the transactions and requests. If it is being monitored by AV, this can cause performance issues and delay the processing of the messages by the Symmetry services. Therefore, the same considerations that affect SQL on Symmetry systems with high transaction rates also affect MSMQ.
Program Data/Security Management System folder:
The Program Data/Security Management System folder contains files which are actively being updated/monitored by the Symmetry SMS software. This includes import files and images being passed for badge design.
Antivirus Scanning:
Scanning should exclude the Program Data/Security Management System folder. This folder contains files which are actively being updated/monitored by the Symmetry SMS software, including import files and images being passed for badge design. Files can become corrupt if antivirus software is monitoring this location.
Program Files (x86)/Security Management System folder:
This location contains files which are actively being updated/monitored by the Symmetry SMS software. This includes license files.
Real-time Antivirus Scanning:
Scanning should exclude the Program Files (x86)/Security Management System folder. This location contains files which are actively being updated/monitored by the Symmetry SMS software, including license files. Files can become corrupt if antivirus software is monitoring this location.
Additionally, the Symmetry service executables are located in the Program Files (x86) folder. If they are monitored, this can cause performance issues where transactions or actions take longer to process. Antivirus scans can therefore result in the Symmetry Activity screen data not being displayed in real time.
Further Details:
Even with the exclusions in place, full anti-virus scanning of disks should take place only during quiet periods of the day. Real-time scanning should remain permanently enabled.
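The following audit script is an added example, not part of the original Symmetry documentation. It checks that the exclusions configured on a server match the locations named in this article and nothing broader, and that real-time scanning is still enabled. It assumes Microsoft Defender is the antivirus product (this article does not name one), default Windows and MSMQ folder locations, and a placeholder SQL Server data directory that must be replaced with the instance's real path.

```powershell
#Requires -RunAsAdministrator
# Added example: audit Microsoft Defender exclusions against the locations in this article.
# Assumptions: Defender is the AV in use; default folder locations; 'D:\SQLData' is a
# placeholder for the SQL Server data/log directory of the Symmetry database.
$expected = @(
    (Join-Path $env:ProgramData 'Security Management System'),
    (Join-Path ${env:ProgramFiles(x86)} 'Security Management System'),
    (Join-Path $env:windir 'System32\msmq\storage'),   # default MSMQ storage folder (assumed)
    'D:\SQLData'                                       # placeholder, replace with the real path
)

# Compare paths case-insensitively and without trailing backslashes.
function Normalize([string]$Path) { $Path.TrimEnd('\').ToLowerInvariant() }

$configured     = @((Get-MpPreference).ExclusionPath | Where-Object { $_ })
$expectedNorm   = @($expected   | ForEach-Object { Normalize $_ })
$configuredNorm = @($configured | ForEach-Object { Normalize $_ })

# Locations this article asks for that are not excluded yet.
$missing = @($expected | Where-Object { $configuredNorm -notcontains (Normalize $_) })

# Exclusions present on the host that this article does not call for.
$unexpected = @($configured | Where-Object { $expectedNorm -notcontains (Normalize $_) })

# Exclusions that are a parent folder of an expected location (for example all of
# C:\ProgramData): they cover far more than this policy justifies.
$tooBroad = @($configured | Where-Object {
    $parent = (Normalize $_) + '\'
    $expectedNorm | Where-Object { ($_ + '\').StartsWith($parent) -and ($_ + '\') -ne $parent }
})

# Real-time scanning should remain permanently enabled even with exclusions in place.
[pscustomobject]@{
    RealTimeProtectionEnabled = (Get-MpComputerStatus).RealTimeProtectionEnabled
    MissingExclusions         = $missing
    UnexpectedExclusions      = $unexpected
    OverlyBroadExclusions     = $tooBroad
}
```

Any entry under UnexpectedExclusions or OverlyBroadExclusions is an unscanned location that this policy does not justify and should be reviewed before it is kept.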