SharePoint and Anti-Virus

Intro

SharePoint is a great collaboration tool for businesses, offering a versatile platform for sharing and managing content online. However, as with other content management systems and the native file system, SharePoint is also vulnerable to malware, viruses, malicious code and possibly unauthorized documents, posing potential threats to your company data and web content.

To secure content and prevent your SharePoint CMS (Content Management System) from becoming a repository of infected files, you need a system in place, as well as policies, to prevent potential threats from entering your environment via SharePoint.

Third-party antivirus software can help detect, clean and remove viruses from infected files. However, having an antivirus solution alone does not make the environment virus free, nor does it ensure adequate protection against threats.

How Content is Stored in SharePoint

Before we go into the approaches to use to help ensure virus protection in your SharePoint servers, let us see how content is actually stored in them.

The documents that are uploaded to SharePoint are saved in binary format in the SQL Server database that it uses (ref: http://sharepointsolutions.blogspot.in/2008/08/exactly-where-sharepoint-documents-are.html ). So, basically, the files are stored within the SQL “content databases”. They are normally accessed via a web browser such as Internet Explorer, and can also be accessed from Windows Explorer or another ‘client’ program (ref: http://www.go4sharepoint.com/Forum/files-stored-physically-5228.aspx ). Normally this content does not hit the client computer unless the end user ‘Downloads’ the file or uses ‘Opens with Client’ (such as MS Word on the end user's machine), which creates a cached copy of the file on the end user/client machine. Otherwise, the content mostly stays on SharePoint.

The Windows file system also contains SharePoint data. Mostly this is not end user content, so it has a slightly lower probability of being infected by a virus, but it still should be protected. This is typically going to be files located in the Layouts folder or somewhere in the ‘SharePoint Root’ directory.

Clients access content in SharePoint (which resides in SQL), but normally at some point it will hit the client machine in the web browser cache, MS Office cache, SharePoint temp/drafts directory, OneDrive, or when the user just saves it to his/her desktop. This means you have the ability to catch an infected file on client machines.

SharePoint DLLs and related shared DLLs have a risk of being infected by a virus. Often virus rules need to exclude certain directories for performance reasons, so sometimes certain DLLs, EXEs etc. can remain vulnerable, and a virus that is opening up a vulnerability on your system can be difficult to catch. I think the best way to help prevent issues like this would be to keep your Windows and SharePoint patches up to date. I would not always install all of the latest patches, as this may also be problematic, but I would ensure I keep an eye out for recent security fixes and set a schedule to apply them if they relate to my environment.

Virus via Email

Content can be added to a SharePoint site by sending an email if the list or library is set up first to receive the email. This can be a useful function but could open up an area of vulnerability, especially if you have contractors or outside consultants/vendors/auditors who may bring their own machines into your network.

If you want to share email discussions, pictures, documents or calendar items with your team and also want the content to be added to the document library, this can easily be done in one step by sending an email. Lists and libraries like discussion boards, announcements, calendars, document libraries, picture libraries, form libraries and blogs can be set up to receive emails easily in on-premise SharePoint 2013 and 2016. This is, however, not a feature that’s supported in Office 365. (ref: https://support.office.com/en-us/article/Add-content-to-sites-by-sending-e-mail-b989a9f3-14de-4e59-9faf-b843ec40cabb ).

SharePoint-Specific vs. non-SharePoint Anti-Virus Tool

Protecting your SharePoint Servers and Windows SharePoint Services is crucial to keep your content and company information safe from viruses and threats. With Microsoft doing away with its Forefront product line, which was a streaming antivirus solution, there has been a growing demand for 3rd party tools as the antivirus protection.

McAfee, Sophos, Symantec, BitDefender and TrendMicro are some of the vendors that support SharePoint for antivirus.

These vendors also offer tools that have not been designed specifically for SharePoint, such as anti-virus software that is installed on the end-user workstation or on a Windows Server. Such tools offer a good level of protection to help catch viruses before they are uploaded to SharePoint or when an end user downloads them. Some of these vendors also offer SQL anti-virus solutions that may help detect viruses/malware in the SharePoint content databases. However, it is recommended to look at anti-virus solutions that were designed for SharePoint when you want to protect the files stored in the content databases. Microsoft recommends that these ‘SharePoint specific AV programs’ use the ‘VS API’, also known as the ‘SharePoint Portal Server Virus Scanning Application Programming Interface’, to handle threats. (ref: https://support.microsoft.com/en-us/kb/322941, http://www.sptechcon.com/news/sharepoint-and-antivirus-protection )

The difference between using a SharePoint specific AV tool and a non-SharePoint AV program is that the latter doesn’t get any support for SharePoint Server specific issues, such as changes in the SharePoint API due to a SharePoint Service Pack or Cumulative Update. Non-SharePoint specific AV will not hook into the SharePoint API/code base to more efficiently handle and catch viruses and malware threats, such as catching a threat before it enters the content database.

In addition, in case of a technical issue, users of a non-SharePoint antivirus solution may be advised by Microsoft Product Support Services to disable or remove the solution until the issue has been identified. On the other hand, the SharePoint agent (SharePoint specific AV program) will often have features that allow Administrators to configure (and enable or disable) scanning at multiple levels (web application, site collection or site level) and will often have built-in functionality to monitor the performance of the antivirus solution. This helps with troubleshooting issues and optimizing the use of anti-virus software in your SharePoint environment.

(ref: https://support.microsoft.com/en-us/kb/322941).

Anti-Virus Protection for SharePoint Servers

Your Anti-Virus solution must perform real-time scans of all files uploaded to and downloaded from your SharePoint servers; hence the AV must be used for all SharePoint web servers. Apart from file and application servers, the antivirus solution will usually need to be run on (and configured for) all web front-end applications and the SQL server.

Exclusions

An important note is that there will be certain performance concerns when you do not set exclusions on SharePoint servers. These are ‘configuration settings’ you normally need to set manually on each server. Some random errors, such as “the document could not be checked out, because of the error (0x80040e92)” or “the document you are attempting to check is currently in use”, may occur when the antivirus software runs on the Microsoft Web Storage System in SP Portal Server. (Ref: https://support.microsoft.com/en-us/kb/320111 ).

As mentioned above, there are certain folders which have to be EXCLUDED from antivirus scanning to avoid unexpected behavior. These include some of the web server extensions folders like Logs, Applications, Temporary ASP.NET files, Synchronization Service etc., based on the SP environment you are on. Microsoft recommends setting up exclusions for file directories and certain SharePoint applications. You can find the complete list here. (Ref: https://support.microsoft.com/en-in/kb/952167 )

Configuring Antivirus with SharePoint

Real Time Antivirus (RTAV) scanning can often cause problems in systems without any exclusions set up. This is due to the nature of these programs: holding handles on the different read/write threads can have a significant performance impact and therefore cause a negative experience for users. Here are some typical exclusions you may want to consider when configuring your on-access/real-time scanning. I have also included some references with details on these topics/exclusions:

  • Exclusions for Windows Servers – Turn off scanning of Windows Update or Automatic Update related files, Windows Security files, Group Policy related files, and Active Directory and Active Directory-related files. Also, turn off scanning of SYSVOL, DFS, DHCP, DNS and WINS files. (ref: https://support.microsoft.com/en-us/kb/822158 )
  • Exclusions for SharePoint Servers – As mentioned above, certain folders in web server extensions need to be excluded when using a file-level antivirus program. These include, but are not restricted to, Logs, Applications, Temporary ASP.NET files, Synchronization Service etc., based on the SP environment you are on. (ref: https://support.microsoft.com/en-in/kb/952167)
  • Exclusions for SQL Servers – The directories and file-name extensions that need to be excluded from antivirus scanning are
    – SQL Server data files (extensions .mdf, .ldf, .ndf)
    – SQL Server backup files (extensions .bak, .trn)
    – Full-Text catalog files
    – Trace files
    – SQL Audit files (for SQL Server 2008 and later versions)
    – SQL Query files
    – Directory that holds Analysis Services data, Analysis Services temporary files, Analysis Services backup files, Analysis Services log files etc.
    – File stream data files (for SQL Server 2008 and later versions)
    – Remote BLOB Storage files (for SQL Server 2008 and later versions)
    – Directory that holds Reporting Services temporary files and Logs
  • The processes that need to be excluded from antivirus scanning are

SQL Server 2012
1. %ProgramFiles%\Microsoft SQL Server\MSSQL11.<Instance Name>\MSSQL\Binn\SQLServr.exe
2. %ProgramFiles%\Microsoft SQL Server\MSRS11.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
3. %ProgramFiles%\Microsoft SQL Server\MSAS11.<Instance Name>\OLAP\Bin\MSMDSrv.exe

SQL Server 2008 R2
1. %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\MSSQL\Binn\SQLServr.exe
2. %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
3. %ProgramFiles%\Microsoft SQL Server\MSSQL10_50.<Instance Name>\OLAP\Bin\MSMDSrv.exe

SQL Server 2008
1. %ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\MSSQL\Binn\SQLServr.exe
2. %ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
3. %ProgramFiles%\Microsoft SQL Server\MSSQL10.<Instance Name>\OLAP\Bin\MSMDSrv.exe

SQL Server 2005
1. %ProgramFiles%\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLServr.exe
2. %ProgramFiles%\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\Bin\ReportingServicesService.exe
3. %ProgramFiles%\Microsoft SQL Server\MSSQL.2\OLAP\Bin\MSMDSrv.exe

(Ref: https://support.microsoft.com/en-us/kb/309422 )

  • Optimal Settings for RTAV – Corporate standard setups in antivirus programs that include settings such as – Scan ALL files on write, read and open for backup, one policy for all processes, detect unwanted programs etc. can cause system slowdowns especially with SharePoint and SQL servers. Therefore, certain recommendations like scanning on Writes and not Reads, setting up a weekly scan instead of daily, excluding SQL backup files based on the extensions used etc. can help improve the performance while keeping the servers secure. (ref: http://serverfault.com/questions/137064/antivirus-configuration-for-dedicated-sql-and-dedicated-iis-servers )
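
The SQL Server exclusions listed above cut both ways: a missing entry brings back the locking and slowdown problems, while an over-broad one leaves the unscanned EXEs and DLLs mentioned earlier. The PowerShell below is an added example, not code from this article's author or from any AV vendor; it audits a configured exclusion list against the SQL Server 2012 items above. `Test-AvExclusionCoverage`, `New-Finding`, the risky-extension list and the sample input are assumptions made for illustration.

```powershell
# Added example. Required items are the SQL Server 2012 extensions and process
# paths listed in the article; everything else is a labelled assumption.
$RequiredExtensions = '.mdf', '.ldf', '.ndf', '.bak', '.trn'
$RequiredProcessTemplates = @(
    '%ProgramFiles%\Microsoft SQL Server\MSSQL11.<Instance Name>\MSSQL\Binn\SQLServr.exe'
    '%ProgramFiles%\Microsoft SQL Server\MSRS11.<Instance Name>\Reporting Services\ReportServer\Bin\ReportingServicesService.exe'
    '%ProgramFiles%\Microsoft SQL Server\MSAS11.<Instance Name>\OLAP\Bin\MSMDSrv.exe'
)
# Assumption: executable content types that should not be excluded wholesale.
$RiskyExtensions = '.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs', '.js'

function New-Finding([string]$Severity, [string]$Item, [string]$Issue) {
    [pscustomobject]@{ Severity = $Severity; Item = $Item; Issue = $Issue }
}

function Test-AvExclusionCoverage {
    param(
        [string[]]$ConfiguredExtensions = @(),
        [string[]]$ConfiguredProcesses  = @(),
        [string[]]$ConfiguredPaths      = @(),
        [string]$InstanceName           = 'MSSQLSERVER'
    )
    # Normalise "*.MDF", "mdf" and ".mdf" to ".mdf".
    $ext = @($ConfiguredExtensions | ForEach-Object {
        '.' + $_.Trim().TrimStart([char[]]'*.').ToLowerInvariant() })
    $proc = @($ConfiguredProcesses | ForEach-Object {
        [Environment]::ExpandEnvironmentVariables($_) })
    $required = @($RequiredProcessTemplates | ForEach-Object {
        [Environment]::ExpandEnvironmentVariables($_.Replace('<Instance Name>', $InstanceName)) })

    # Missing exclusions: the performance and file-locking problems described above.
    foreach ($e in $RequiredExtensions) {
        if ($ext -notcontains $e) { New-Finding 'Performance' $e 'Listed SQL extension is not excluded' }
    }
    foreach ($p in $required) {
        if ($proc -notcontains $p) { New-Finding 'Performance' $p 'Listed SQL process is not excluded' }
    }
    # Over-broad exclusions: blind spots where infected EXEs and DLLs go unscanned.
    foreach ($e in $ext) {
        if ($RiskyExtensions -contains $e) { New-Finding 'Security' $e 'Executable file type excluded everywhere' }
    }
    foreach ($p in $proc) {
        if ($p -notmatch '\\') { New-Finding 'Security' $p 'Process excluded by name only, not by full path' }
    }
    foreach ($d in $ConfiguredPaths) {
        if ($d -match '^[A-Za-z]:\\?\*?$') { New-Finding 'Security' $d 'Whole drive excluded' }
    }
}

# Constructed input. With Windows Defender the real values could be read from
# (Get-MpPreference).ExclusionExtension, .ExclusionProcess and .ExclusionPath.
Test-AvExclusionCoverage `
    -ConfiguredExtensions '*.mdf', 'ldf', '.NDF', '.dll' `
    -ConfiguredProcesses 'sqlservr.exe' `
    -ConfiguredPaths 'D:\', 'E:\SQLBackups' |
    Format-Table -AutoSize
```

For a third-party product, export its exclusion policy and pass the values in the same three parameters.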

Prevention & Security

Many viruses may not only corrupt data but may also compromise the security of your environment and open back doors to unwanted visitors. Therefore, your SharePoint or company anti-virus strategy should include security protocols or a Security Governance Plan to ensure things like service accounts have strong passwords and use recommended naming conventions that are not easy for an attacker to guess or to break with brute-force dictionary methods, for example.

Ensure you have some sort of email filtering and protection as well, such as for MS Exchange Server. Many viruses come from email so this is almost an obvious spot to reduce the chances a virus will get to SharePoint.

Ensure web browser versions are as up to date as possible. Older versions of web browsers are often required to support some ‘legacy’ applications that do not function with newer browser versions. This can be fine if users only use this browser for the internal application; however, there are still some loopholes if using old versions of IE. In a perfect world, keep the web browsers of your end users up to date, as they have security patches that prevent many malicious attacks from web sites.

A firewall/gateway/proxy should be used. Although these are different types of network appliances, the idea is the same: filter and block unwanted traffic from easily entering your site, and block users from getting to certain web sites. Keep these appliances patched as well.

Hardening your SharePoint environment goes beyond the scope of this blog, but it is worth mentioning that even if you have anti-virus software protection, it is important to also take preventative measures to minimize damage from an infection, like using least privileged accounts, hardening SQL server(s), using SSL or even a reverse proxy server, and installing Windows and SharePoint security updates.

Here are some articles on SharePoint Security and Server Hardening: https://technet.microsoft.com/en-us/library/cc262849.aspx, http://sharepointpromag.com/sharepoint-2010/sharepoint-security-server-hardening, https://technet.microsoft.com/en-us/library/hh377941.aspx

Third Party Tools for SharePoint Antivirus

There are several SharePoint-specific antivirus solutions that integrate with the Microsoft VS API and support the latest version.

  • ESET Security – supports SP Server 2013 and includes remote management via ESET Remote Administrator. This is the closest in functionality to Forefront Protection that was discontinued by Microsoft and provides several features as per VS API recommendations.
  • McAfee – supports SP Server 2013 / SP Foundation Server 2013, SP Server 2010 / SP Foundation Server 2010, SP Server 2007 / Windows SP Services 3.0
  • Symantec – supports SP Server 2013, SP Server 2010, SP Server 2007, SP Server 2003, Windows SP Services v3.0 and v2.0
  • TrendMicro PortalProtect – supports SP Server 2013 Enterprise Edition, SP Server 2013 Standard Edition, SP Foundation 2013
  • BitDefender – It doesn’t yet support SP Server 2013 but can be used for earlier versions

While choosing a SharePoint-specific antivirus solution, users should look for features like centralized or remote management, real-time or on-demand scanning, reporting formats matching your requirements and quarantine features, administrator notification, cost and licensing options. (Ref: http://windowsitpro.com/security/sharepoint-antivirus-solutions)

SharePoint Essentials Toolkit

If interested, here is a tool that helps with Permissions and Security Reporting, and more. I put a direct download link below. No server install is needed; you can install it right on your machine to connect to your environment. It’s an awesome product!

Download a Trial Version of the SharePoint Essentials Toolkit


Conclusion

This is what I suggest you do to reduce the risk of virus attacks on your SharePoint Environment(s):

  1. Ensure service and farm SharePoint & SQL login ids and passwords are strong/complex, safely kept, and follow Microsoft recommendations for hardening accounts.
  2. Email / Exchange server(s) have filtering and virus scanning enabled and working correctly
  3. Web proxy server or similar to filter and prevent users from visiting certain web sites, disallowing certain traffic, filter by rules, etc
  4. (Applies to on-premise only) Ensure Windows Server and Office/SharePoint Security patches are as up to date as possible. As new viruses and vulnerabilities are found, attackers quickly develop viruses to exploit them (if they had not already), so getting Security Updates within a reasonable time frame of when they are announced is important to make sure new active virus threats are stopped.
  5. Similar to #4 above, client machines should be patched and have security fixes, as well as receiving AV updates in a timely fashion. Virus/infection reporting alerts & updates are just as important as installing the actual AV program.
  6. Implement End User Client AV, SharePoint Server AV and SQL AV, set up exclusions and ensure virus scanning is optimal for performance
  7. Firewall and farm topology is configured correctly and firewall/gateway appliances are patched as well.
  8. Have disaster recovery and backup/restore plans in case of infection on machines as well as on any or all servers.

Depending on your organization's requirements, you may need greater account security protocols and more aggressive patching timelines, but I have found the above points to be some minimal guidelines to help ensure you are not an easy target for intrusion/infection.

References:

http://www.mcafee.com/in/resources/data-sheets/ds-security-for-microsoft-sharepoint.pdf
http://sharepointsolutions.blogspot.in/2008/08/exactly-where-sharepoint-documents-are.html
http://www.go4sharepoint.com/Forum/files-stored-physically-5228.aspx
https://support.office.com/en-us/article/Add-content-to-sites-by-sending-e-mail-b989a9f3-14de-4e59-9faf-b843ec40cabb
http://www.harbar.net/archive/2013/02/22/Antivirus-and-SharePoint-2013.aspx
https://support.microsoft.com/en-us/kb/322941
https://support.microsoft.com/en-us/kb/320111
https://support.microsoft.com/en-in/kb/952167
https://support.microsoft.com/en-us/kb/822158
https://support.microsoft.com/en-us/kb/309422
http://serverfault.com/questions/137064/antivirus-configuration-for-dedicated-sql-and-dedicated-iis-servers
http://windowsitpro.com/security/sharepoint-antivirus-solutions


Chris Ang - CCNA, A+, MCPD, MCTS

Chris Ang (New York, NY USA) is a SharePoint Architect with 20 years experience in programming and network infrastructure.

Currently working at QIPoint (http://www.qipoint.com), he has helped architect and develop SharePoint Enterprise products for customers such as the U.S. Navy, U.S. Army, U.N. Security Council of Netherlands, Australian Government, U.S. Dept of Treasury, U.S. Dept of Justice, Canadian Dept of Defense, Scotiabank, JPMorgan CHASE Bank, Intel, Ford Motors, Microsoft, NASA, DARPA, SNC Lavalin, Penguin Books, and more.

He is a proud father of 2, and when he has any spare time, he loves to paint portraits of his kids.

2 thoughts on “SharePoint and Anti-Virus”

  1. I’m missing AVG – the file server edition. It has integration with sharepoint! A bit dirty, it flags the file as infected and the database will be locked or something, but the license is cheap. It is very cheap!
