
Delphix Environment Hosts and Antivirus / Endpoint Security Software (KBA8490)

 


KBA# 8490

Summary

This document outlines points to consider when using antivirus or endpoint security software on Delphix-connected environment hosts. It does not present a specific problem and solution; it is intended to help you understand the implications of running active security software on hosts that run Delphix staging instances or VDBs. Antivirus and endpoint security software can affect both performance and correct operation.

The information here is broadly relevant to hosts that are not connected to Delphix as well.

Note:

As a vendor, Delphix maintains the position that you should ensure a reasonable level of security within your environment. However, Delphix takes no position on the use of any specific antivirus or endpoint security software. How you manage security is your decision alone.

 

Applicable Delphix Versions

Major Release: All
Sub Releases: All

Background

Antivirus and endpoint security software is, by design, both intrusive and resource intensive: it interposes itself on file, process and network activity. This is manageable to some degree on personal workstations where, compared to a server, the following is true:

  • The I/O load is light.
  • Any impact is confined to a single user.

It may also be possible to deploy antivirus / endpoint security software effectively on servers with low I/O throughput. However, the general mode of operation for most software of this type is that it:

  • Scans all files being opened and read.
  • Scans incoming traffic over the network.

Each of these inserts a processing layer between the application and its data. For a database server (Delphix or not), that means added I/O latency and CPU time taken away from the database, and the performance impact grows with the I/O intensity of the workload.

In the case of Staging or Target hosts connected to a Delphix Engine, this problem is made worse because:

  • The databases generate I/O load to read their files.
  • Those files are accessed over the network, so both file scanning and network scanning apply to the same I/O.
  • The Delphix appliance makes it easy to host multiple VDBs on a single server, which multiplies the I/O load (and therefore the file and network traffic the security software will attempt to scan).
  • The Delphix appliance is constantly connecting to the Target and Staging hosts and pushing new executable files (the toolkit), all of which will be scanned.

However, antivirus / endpoint-security software does not only scan files and network traffic. Capabilities and features vary widely between products. To give an example, common security software may provide any of the following:

  • File scanning on schedule
  • File scanning on open
  • File scanning on read system calls
  • IP packet sniffing
  • Layer 3-5 network traffic analysis
  • Binary execution scanning
  • Keystroke analysis
  • Hooking or replacing large parts of the Windows Win32 API (common with more invasive endpoint security products such as Trusteer)
  • Others

For this reason, Delphix cannot provide a simple, universal list of what to exclude. The toolkit directory path and the VDB mount paths are logical entries for any exception list, as is traffic on TCP ports 8415, 445, 9100, 3260 and 2049 (indeed all the ports listed in the Delphix network requirements for your dataset type). However, security software can be unpredictable in what it inspects, and every exclusion is also a gap: a directory that is never scanned has to be protected by file-system permissions instead.

Deploying Antivirus / Endpoint-Security Software

Before deploying security software, a security officer and system administrator should ask the following questions:

  • Is this host located on an exposed part of the network or a secure one?
  • Is the host at risk from end-user actions that may result in security risks (opening attachments, access to the internet, et cetera)?
  • What is the expected I/O load of the host? 
  • Does the host have sufficient resources and network throughput to cope with the added load of security software? Will that scale well or poorly under extreme I/O loads?
  • What is more important for this host? Performance and service availability? Or security (and possible service disruptions)?
  • Is there another way to secure the host (such as a secure subnet, secure location, named user accounts, et cetera)?
  • Probably the simplest question is, if this host was a critical production database server, would you install antivirus / endpoint-security on it?

Possible Impact

Negative impact has been observed in many cases as a result of the specific choices made to secure Delphix-connected environment hosts. Common problems include:

  • Slow performance (minor degradation).
  • Slow performance (nearly unusable).
  • Service outages (database cannot be provisioned or run).

Example Antivirus and Endpoint Security Software

The following antivirus and endpoint security software solutions have been known to block or quarantine utilities and scripts used by the Continuous Data Engine on Source or Target Environments:

  • Norton Antivirus
  • CrowdStrike
  • Windows Defender Advanced Threat Protection (Microsoft Defender for Endpoint)

The following Privilege Management solutions have been known to prevent the Delphix Connector service from successfully starting or operating on Windows Target hosts:

  • CyberArk EPM

The presence of a solution in the above list does not mean it will cause a problem for all Continuous Data Engine deployments, and the absence of a solution does not imply that it will work in all deployments. The extent to which any solution will affect each environment will depend on its configuration and exceptions.

Possible Solutions

If the choice or configuration of antivirus / endpoint security software is suspected of causing poor I/O performance or blocked operations, one or more of the following actions may resolve the problem:

  • Create an exception list of the directories (toolkit path, VDB mount paths), processes and network interactions that should not be scanned.
  • Or, as a last resort, disable the antivirus / endpoint-security software service, accepting that the host then runs without that protection.
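As an added example (not Delphix's code or documentation), the following PowerShell session shows the exception-list approach from the two passages above applied to Microsoft Defender on a Windows target host: it first checks whether Defender has already acted on anything under the toolkit or VDB mount paths, then adds path exclusions for them, and finally verifies that real-time protection is still on. The paths C:\Delphix\Toolkit and C:\Delphix\Mounts are placeholders, not Delphix defaults; substitute your own toolkit directory and mount points. The cmdlets are those of the standard Defender PowerShell module; other products need their own equivalents.

```powershell
# Added example, not Delphix code. Run in an elevated PowerShell session on the
# Windows target host. Both paths below are assumptions for illustration only.
$ToolkitDir = 'C:\Delphix\Toolkit'   # assumed Delphix toolkit directory
$VdbMounts  = 'C:\Delphix\Mounts'    # assumed root of the VDB mount points

# 1. Has Defender detected or quarantined anything under these paths?
#    Resources is an array of strings such as "file:_C:\path\to\file".
$hits = Get-MpThreatDetection | Where-Object {
    ($_.Resources -match [regex]::Escape($ToolkitDir)) -or
    ($_.Resources -match [regex]::Escape($VdbMounts))
}
$hits | Select-Object InitialDetectionTime, ProcessName, Resources | Format-Table -AutoSize

#    The same information from the Defender operational log
#    (event 1116 = malware detected, 1117 = action taken).
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1116, 1117
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ToolkitDir) -or
                   $_.Message -match [regex]::Escape($VdbMounts) } |
    Select-Object TimeCreated, Id, Message

# 2. Prefer narrow, path-based exclusions over disabling real-time protection.
#    Add-MpPreference appends to the existing list; it does not replace it.
Add-MpPreference -ExclusionPath $ToolkitDir, $VdbMounts

# 3. Verify what is now excluded. Every entry here is a blind spot for the scanner,
#    so the listed directories must be protected by NTFS permissions instead.
(Get-MpPreference).ExclusionPath

# 4. Confirm real-time protection is still enabled. The "disable the service"
#    option from the article corresponds to
#    Set-MpPreference -DisableRealtimeMonitoring $true and removes protection
#    for the whole host, so it should be a last resort, not the first step.
(Get-MpComputerStatus).RealTimeProtectionEnabled
```

Path exclusions do not cover the network side: Defender has no per-port exception, so the TCP ports listed above are a matter for the network inspection component of whichever product is in use (or the host firewall), not for Add-MpPreference. Treat each exclusion as a trust decision: nothing written to an excluded directory will ever be scanned, so restrict write access to the toolkit and mount directories to the accounts that actually need it.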