Using Antivirus software with Confluence
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Explanation
Although we cannot directly recommend specific antivirus software to use with Confluence, we would like to advise our customers that if you are experiencing slowness with Confluence, try running it with virus checking disabled. Whilst performing scanning and inspection of files, disk I/O and CPU usage can increase, thus slowing Confluence performance. In some cases, this reduction in performance can be dramatic and can even render Confluence impossible to use.
Best practices
Depending on the antivirus software, it may be possible to exclude certain files from scanning:
- Confluence installation directory
- Confluence home directory, in particular the index directory
- Any database-related directories
Some antivirus software may continue to impact Confluence even if these folders are excluded. If slowness is experienced, try running Confluence with antivirus services disabled. In some cases (like Symantec Endpoint Protection), stopping services may not be sufficient and removal of antivirus software should be considered when troubleshooting performance issues and other related problems. This can occur for many reasons, such as filter-level drivers on Windows and kernel modules for Linux security applications.
Excluding the above locations may prevent functionality problems with Confluence that are caused by interference with individual files and file handles (i.e. antivirus software locking files or quarantining them), but performance problems may still occur, especially if antivirus or security software is still actively generating I/O requests to the same underlying physical disk by scanning other non-Confluence directories.
Antivirus and security software can also impact network performance if any kind of traffic inspection is in use (see below for further details).
Specific issues and workarounds
Below is a short list of specific problems that we've observed in the field. It is by no means an exhaustive list, but provides insight into the possible issues that antivirus and security software can present when installed on Confluence servers.
1. Antivirus winsock issues on Windows
Run netsh winsock show catalog to see whether your AV is interfering with communication to the TCP stack on your Windows box.
Example:
C:\Users\Administrator>netsh winsock show catalog
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type: Base Service Provider
Description: MSAFD Tcpip [TCP/IP]
Provider ID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path: %SystemRoot%\system32\mswsock.dll
Catalog Entry ID: 1001
Version: 2
Address Family: 2
Max Address Length: 16
Min Address Length: 16
Socket Type: 1
Protocol: 6
Service Flags: 0x20066
Protocol Chain Length: 1
...
Note that sometimes the results are large, so it may need to be put into a file:
C:\>netsh winsock show catalog > c:\results.txt
To view the file:
C:\>notepad c:\results.txt
Ignore this part of the output:
Name Space Provider Entry
------------------------------------------------------
Description: Tcpip
Provider ID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Name Space: 12
Active: 1
Version: 0
What you need to do is look at each of the many Winsock Catalog Provider Entry blocks and confirm that the Entry Type is set to Base Service Provider.
If the Entry Type is set to Layered Service Provider for any Winsock Catalog Provider Entry, the antivirus is interfering.
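The check described above can be scripted instead of read by eye. The following PowerShell is an added example, not Atlassian's code: the function name Get-NonBaseWinsockEntry and the ExampleAV entry in the sample are made up for illustration, and it assumes English-language netsh output.

```powershell
# Added example: list Winsock catalog entries that are not Base Service Providers.
function Get-NonBaseWinsockEntry {
    param([string[]]$Lines)

    $entries = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(Winsock Catalog|Name Space) Provider Entry\b') {
            # A section header closes the block being collected.
            if ($null -ne $current) { $entries += [pscustomobject]$current }
            # Name Space Provider blocks are skipped, as the article instructs.
            if ($Matches[1] -eq 'Winsock Catalog') { $current = [ordered]@{} }
            else { $current = $null }
        }
        elseif ($null -ne $current -and $line -match '^\s*([^:]+?):\s*(.*?)\s*$') {
            $current[$Matches[1]] = $Matches[2]   # e.g. 'Entry Type' -> 'Base Service Provider'
        }
    }
    if ($null -ne $current) { $entries += [pscustomobject]$current }

    $entries | Where-Object { $_.'Entry Type' -ne 'Base Service Provider' } |
        Select-Object 'Entry Type', 'Description', 'Provider Path', 'Catalog Entry ID'
}

# Constructed sample input (not real output): one base entry, one layered
# entry with a made-up vendor DLL, and one Name Space block to be ignored.
$sample = @'
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:        Base Service Provider
Description:       MSAFD Tcpip [TCP/IP]
Provider Path:     %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:  1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:        Layered Service Provider
Description:       ExampleAV LSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:     C:\Program Files\ExampleAV\example_lsp.dll
Catalog Entry ID:  1015

Name Space Provider Entry
------------------------------------------------------
Description:       Tcpip
Active:            1
'@

Get-NonBaseWinsockEntry -Lines ($sample -split '\r?\n') | Format-List
# On the server itself: Get-NonBaseWinsockEntry -Lines (netsh winsock show catalog)
```

An empty result means every catalog entry is a Base Service Provider; any row returned names the DLL that has inserted itself into the stack.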
Resolution: To prevent the winsock issue, reconfigure the AV software to not scan the network, or manually reset the winsock catalog with netsh winsock reset catalog and reboot the server.
This page has a nice diagram on the Windows stack: https://msdn.microsoft.com/en-us/library/ms882974.aspx
From the Layered Service Provider wiki:
A Layered Service Provider is a DLL that uses Winsock APIs to attempt to insert itself into the TCP/IP protocol stack. Once in the stack, a Layered Service Provider can intercept and modify inbound and outbound Internet traffic. It allows processing of all the TCP/IP traffic taking place between the Internet and the applications that are accessing the Internet (such as a web browser, the email client, etc.).
Example describing these problems when using SQL Server with antivirus technology: https://support.microsoft.com/en-us/kb/2033448
2. Trend Micro 'Deep Security'
This can be configured to restrict HTTP requests longer than a certain URI length, which in turn causes certain internal URIs to return an HTTP 504 response code to the client. This can break certain page elements.
For further information, refer to Trend Micro's article "URI Path Length Too Long" IPS events appears in Deep Security Agent (DSA)
3. Antivirus software still scanning excluded directories
Older versions of McAfee's Netshield (such as 4.5) have options to exclude folders from scanning, though we have observed instances where this wasn't the case. Upgrading beyond 7.0.0 appeared to fix this.
4. Symantec Antivirus
This should be uninstalled on Confluence servers, especially on systems with slower I/O throughput, as our experiences with it have shown it to cause dramatic performance degradation even when the service is stopped.