Does ‘on-access’ scanning by Antivirus impact Red Hat Enterprise Linux system performance?
Overview
Applicable Environments
- Red Hat Enterprise Linux (RHEL) 7 or 8 with the High Availability Add-On
- Red Hat Enterprise Linux for SAP Solutions
- Antivirus Software
Introduction
This knowledge article gives an indication of the impact that antivirus software (mainly real-time/on-access scanning of OS binaries) has on system performance. Users are encouraged to reach out to their respective antivirus software vendor when they see performance issues on the system caused by the antivirus.
Useful References and Guides
- Production Support Scope of Coverage
- Is any virus protection software needed for Red Hat Enterprise Linux?
Points to consider if you are using antivirus
- Anti-Virus scanning does not come resource-free.
- Customers cannot expect the AV services to use little or NO CPU.
- Anti-Virus scanning will open and close lots of files in quick succession, increasing disk I/O and using CPU and memory.
- On-access scanning will use additional I/O, CPU and memory.
What is ‘on-access’ scanning?
- On-access scanning is ‘real-time’ scanning. Essentially, you set a configuration that includes several directories that you wish to continually scan. You can then decide whether to scan when a file is opened or when a file is opened and closed. This runs continually as a service.
- When applications open files that require scanning, there is a delay while the system completes the scan. For most files, the scanning takes only a fraction of a second. However, large files, archive files, and compressed files can take several seconds or minutes.
What should I protect using ‘on-access’ scanning?
What you protect with on-access scanning depends on the use of the server and its function:
- If the system has interactive users and they have directory level access under /home, then adding /home would be sensible.
- If the server is used for FTP transfers, then you should protect the FTP directories.
- If the server has a Read/Write NFS mount that is shared between other machines, then you should protect this mount point.
The whole point of on-access scanning is to protect areas of your file system that are volatile, where files are being uploaded, created or written to on a regular basis. It is not to protect areas that are static, like program objects, database files, etc.
What you should NOT scan using ‘on-access’ scanning:
- You should not configure on-access scanning to scan your entire filesystem.
- You should not configure on-access scanning to scan your operating system files.
- You should use an ‘on-demand’ scan to protect your OS files, as these are generally static.
Important Note: If you blindly set on-access scanning to scan your entire system without having a planned configuration, then you should expect increased usage of CPU, Memory and disk I/O.
Please refer to Antivirus product specific vendor documentation on how to implement exclusions or reach out to your respective AV vendor for their assistance.
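The sections above describe which areas to include in a planned on-access configuration (volatile directories such as /home, FTP directories and read/write NFS mounts) and which to leave to on-demand scans (the whole filesystem and static OS files). The following POSIX sh helper is an added example, not part of this Red Hat article or of any AV vendor's tooling: it reviews a proposed include list against that guidance and lists the read/write NFS mounts on a host so they can be added deliberately. The directory lists, the function names and the sample mounts file are assumptions constructed for the example, not Red Hat or vendor defaults, and the verdicts are a starting point for review, not a replacement for the vendor's exclusion documentation.

```shell
#!/bin/sh
# Added example (not from the Red Hat article or an AV vendor): check a planned
# on-access include list before handing it to the AV product. The directory
# lists and the sample mounts file are assumptions/constructed data.

# Static OS locations that the article says belong to on-demand scans (assumed list).
STATIC_OS_DIRS="/usr /bin /sbin /lib /lib64 /boot /var/lib/rpm"

# Volatile locations the article names as sensible on-access targets (assumed paths).
VOLATILE_DIRS="/home /srv/ftp /var/ftp"

# classify_scan_path PATH
# Prints "reject" (whole filesystem or static OS content), "ok" (a known
# volatile area) or "review" (anything else: decide per server role).
classify_scan_path() {
    p="$1"
    [ "$p" = "/" ] && { echo "reject"; return 0; }
    for d in $STATIC_OS_DIRS; do
        case "$p" in
            "$d"|"$d"/*) echo "reject"; return 0 ;;
        esac
    done
    for d in $VOLATILE_DIRS; do
        case "$p" in
            "$d"|"$d"/*) echo "ok"; return 0 ;;
        esac
    done
    echo "review"
}

# count_rejected "PATH PATH ..."
# Prints how many entries of a space-separated include list were rejected.
count_rejected() {
    n=0
    for p in $1; do
        [ "$(classify_scan_path "$p")" = "reject" ] && n=$((n + 1))
    done
    echo "$n"
}

# rw_nfs_mounts MOUNTS_FILE
# Prints the mount point of every read/write NFS mount in a file laid out like
# /proc/self/mounts (device mountpoint fstype options dump pass). Shared
# read/write NFS mounts are the third area the article says to protect.
rw_nfs_mounts() {
    awk '$3 ~ /^nfs/ && $4 ~ /(^|,)rw(,|$)/ { print $2 }' "$1"
}

# write_sample_mounts
# Writes a constructed mounts file (stand-in for /proc/self/mounts) and prints its path.
write_sample_mounts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/dev/mapper/rhel-root / xfs rw,seclabel,relatime,attr2,inode64 0 0
nfsserver:/exports/shared /exports/shared nfs4 rw,relatime,vers=4.2 0 0
nfsserver:/exports/ro /mnt/ro nfs4 ro,relatime,vers=4.2 0 0
EOF
    echo "$f"
}

# Stand-alone usage: review a proposed include list, then list RW NFS mounts
# from the constructed sample (replace with /proc/self/mounts on a real host).
for p in / /usr/bin /home /srv/ftp/incoming /data/uploads; do
    printf '%-22s %s\n' "$p" "$(classify_scan_path "$p")"
done
mounts=$(write_sample_mounts)
rw_nfs_mounts "$mounts"
rm -f "$mounts"
```

On a live system, point `rw_nfs_mounts` at `/proc/self/mounts` and treat every "review" verdict as a question for the server owner: a directory where files are uploaded, created or written regularly belongs in the on-access list, while static program and database directories do not.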