Is it safe to install Anti-virus software on a Satellite server?

Latest response

We have a requirement to install Anti-virus software on all of our servers, even Linux servers, specifically Symantec Endpoint Protection.

To install SEP, it has prerequisites of installing Oracle java and the unlimited cryptography extensions. (open java doesn't work)

Is it safe to install these on a Satellite server?

Paul

Responses

Oof... One of my customers had a similar requirement, once. It... Did not go well.

Specifically, each time they had to do their repository imports, the A/V software made the process monstrously-slow (as in tasks that should have taken minutes quite literally took hours to do). That said, if you can't duck the mandate, there are some things you can do to reduce the impact:

  • If your Satellite server is a VM, you may be able to offload the processing to your hypervisor solution
  • If your Satellite's storage comes from an external storage-array, you may be able to use array-based A/V-scanning as a substitute (may be tie-ins available to prior option if your Satellite is virtualized)
  • If you can't offload, you can reduce the impacts by ensuring that your /tmp is a stand-alone filesystem and that it's either hosted on an SSD or (better) a ramfs.

Overall, if you can't not do A/V on your Satellite and you can't do anything to offset the I/O and processing hits, be prepared for your import tasks to be punishingly-slow.

I can make exception policies for certain things - I think it can technically meet the requirement if I just set it to run a periodic scan on a schedule.

I was more wondering about incompatibilities adding Oracle java and the cryptography extensions. I've had the experience of breaking a few applications by updating Java to versions that weren't compatible. Is there anything about the Satellite application that might be affected by that?

SEP can use a separate installation of Java in a custom directory, by specifying the Java binary directory in /etc/Symantec.conf. For example, you could create directory /opt/sep-custom-java, download a tar.gz version of the Oracle JRE, extract it into that directory, add the necessary crypto extensions, and then create /etc/Symantec.conf like this:

[Symantec Shared]
BaseDir=/opt/Symantec
JAVA_HOME=/opt/sep-custom-java/jre1.8.0_121/bin

This is assuming that you're going to install SEP in its default installation path. If you plan to put it elsewhere, edit the BaseDir value accordingly. And yes, the "JAVA_HOME" in Symantec.conf is supposed to actually indicate the location of Java binary directory.

This way, the Oracle Java used by SEP is completely separate from the RedHat openjdk Java used by anything else and has no chance of interfering. The flipside is that it won't be updated by RPMs.

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.