Exclusion list for Windows Defender with SQL Server: necessary?

Andreas Kreuzberg 96 Reputation points
2022-07-28T06:52:14.337+00:00

Hi everyone,

we are planning to change to Windows Defender. With the last program, we had an exclusion list, which defined the files or directories the antivirus program should not scan.

Is this necessary if we use Windows Defender? Somebody said Microsoft knows what they do?

They won't scan mdf or ldf files?

Is there anybody with experience of this?

Thanks,

Kind regards,

Andreas


5 answers

  1. Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator
    2022-07-29T21:21:21.557+00:00

    It seems to me that Seeya now twice has failed to answer Andreas's question. He is asking about Windows Defender, that is the anti-virus solution that is built into Windows. He is not asking about any cloud service.

    I did a quick thing on Google, and I found this text, which may answer some of Andreas's questions.

    1 person found this answer helpful.

  2. Olaf Helper 47,436 Reputation points
    2022-07-28T07:45:18.727+00:00

    It doesn't matter which Anti-Virus software you are using, you should exclude several SQL Server files from scanning.
    See MS Support: How to choose antivirus software to run on computers that are running SQL Server => Directories and file name extensions to exclude from virus scanning

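    An added example, not code from this thread or from the Microsoft support article Olaf links, showing how such an exclusion list is applied to the built-in Microsoft Defender Antivirus with its PowerShell cmdlets (Add-MpPreference, Get-MpPreference) and then read back for verification. Every directory and process path in it is a constructed placeholder to be replaced with the locations of your own instance; the extension list follows the file categories the support article names (data, log, backup, trace/extended-event and audit files). The function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread (not from the thread or from Microsoft's support article).
# Applies SQL Server exclusions to Microsoft Defender Antivirus and reads them back.
# All directory and process paths below are constructed placeholders. Replace them with
# your instance's locations: SELECT DISTINCT physical_name FROM sys.master_files lists the
# data and log files; backup and error-log directories come from the instance settings.

$SqlDirectories = @(
    'D:\SQLData',      # .mdf / .ndf data files
    'E:\SQLLogs',      # .ldf transaction logs
    'F:\SQLBackups',   # .bak / .trn backups
    'C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Log'  # errorlog, .xel, .trc
)

# Process exclusion: files opened by sqlservr.exe are not scanned while it works on them.
$SqlProcesses = @(
    'C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe'
)

# Extension exclusions apply machine-wide, not just to the SQL directories, so keep this short.
$SqlExtensions = @('mdf', 'ndf', 'ldf', 'bak', 'trn', 'xel', 'xem', 'trc', 'sqlaudit')

function Add-SqlServerDefenderExclusions {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$Directory = $SqlDirectories,
        [string[]]$Process   = $SqlProcesses,
        [string[]]$Extension = $SqlExtensions
    )

    # Only exclude directories that actually exist: a stale exclusion is an unscanned
    # location that anything could later write into.
    $existing = @($Directory | Where-Object { Test-Path -LiteralPath $_ -PathType Container })
    $missing  = @($Directory | Where-Object { -not (Test-Path -LiteralPath $_ -PathType Container) })
    foreach ($m in $missing) { Write-Warning "Skipping non-existent directory: $m" }

    if ($PSCmdlet.ShouldProcess('Microsoft Defender Antivirus', 'add SQL Server exclusions')) {
        if ($existing.Count -gt 0) { Add-MpPreference -ExclusionPath $existing }
        if ($Process)              { Add-MpPreference -ExclusionProcess $Process }
        if ($Extension)            { Add-MpPreference -ExclusionExtension $Extension }
    }
}

function Test-SqlServerDefenderExclusions {
    param(
        [string[]]$Directory = $SqlDirectories,
        [string[]]$Process   = $SqlProcesses,
        [string[]]$Extension = $SqlExtensions
    )
    $pref = Get-MpPreference
    # Normalise stored extensions so 'mdf' and '.mdf' compare equal.
    $storedExt = @($pref.ExclusionExtension | ForEach-Object { $_.TrimStart('.') })

    $report = New-Object System.Collections.Generic.List[object]
    foreach ($d in $Directory) {
        $report.Add([pscustomobject]@{ Kind = 'Path'; Value = $d; Excluded = ($pref.ExclusionPath -contains $d) })
    }
    foreach ($p in $Process) {
        $report.Add([pscustomobject]@{ Kind = 'Process'; Value = $p; Excluded = ($pref.ExclusionProcess -contains $p) })
    }
    foreach ($e in $Extension) {
        $report.Add([pscustomobject]@{ Kind = 'Extension'; Value = $e; Excluded = ($storedExt -contains $e) })
    }
    return $report
}

# Usage: dry run first (-WhatIf), then apply and verify what Defender actually stored.
Add-SqlServerDefenderExclusions -WhatIf
Add-SqlServerDefenderExclusions
Test-SqlServerDefenderExclusions | Format-Table -AutoSize
```

    Path and process exclusions are the ones to rely on; the extension exclusions are included because the support article lists those file types, but they remove scanning for that extension everywhere on the machine, so in a hardened build you may prefer to drop them and keep only the directory and sqlservr.exe entries. Every exclusion is a deliberate scan gap, so the verification output is also what you would review periodically or feed into configuration-drift checks.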

  3. Seeya Xi-MSFT 16,586 Reputation points
    2022-07-29T07:01:27.92+00:00

    Hi @Andreas Kreuzberg ,

    Welcome to Microsoft Q&A!
    This Microsoft Defender plan detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.
    You'll see alerts when there are suspicious database activities, potential vulnerabilities, or SQL injection attacks, and anomalous database access and query patterns.
    Please refer to this document: Enable Microsoft Defender for SQL servers on machines
    Also, please read this article: https://goteleport.com/blog/secure-mssql/

    Best regards,
    Seeya


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  4. Andreas Kreuzberg 96 Reputation points
    2022-07-29T07:28:03.057+00:00

    Hello Seeya

    thanks for your answer, but I'd like to know if I have to create an exclusion list for Windows Defender if it runs on a virtual machine on-prem?

    Is there a recommendation from Microsoft to do so, or is Defender clever enough to recognize a SQL Server with databases? Or will Defender scan all database files, all extended event files and so on?

    This could slow down the performance of your sql server.

    Thanks,

    kind regards,

    Andreas


  5. Seeya Xi-MSFT 16,586 Reputation points
    2022-07-29T09:03:53.867+00:00

    Hi @Andreas Kreuzberg ,

    You can check the first link I posted, which is for Azure-native SQL servers.
    What is more, the navigation bar on the left side helps you to access more documents.
    If you find it too much trouble to read those documents, please read this: https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/defender-for-cloud/defender-for-sql-introduction.md

    Or will the defender scan all database files, all extended event files and so on?

    Threat intelligence enriched security alerts are triggered when there's:

    Potential SQL injection attacks
    • including vulnerabilities detected when applications generate a faulty SQL statement in the database

    Anomalous database access and query patterns
    • for example, an abnormally high number of failed sign-in attempts with different credentials (a brute force attempt)

    Suspicious database activity
    • for example, a legitimate user accessing an SQL Server from a breached computer which communicated with a crypto-mining C&C server

    An advanced threat protection service continuously monitors your SQL servers for threats such as SQL injection, brute-force attacks, and privilege abuse. This service provides action-oriented security alerts in Microsoft Defender for Cloud with details of the suspicious activity, guidance on how to mitigate to the threats, and options for continuing your investigations with Microsoft Sentinel. Learn more about advanced threat protection.

    Best regards,
    Seeya


