6.1 Supported antivirus software
Refer to the Experion LX Software Change Notice on how to get more information on antivirus software supported for Experion LX.
6.2 Installing antivirus software on process control nodes
Install antivirus software on every node in the process control network must include:
•
In a Experion LX system:
−
Experion LX Stations
−
Experion LX Server, eServers;
•
Other nodes:
−
Process History Database (PHD) servers;
−
Advanced control nodes;
−
Honeywell and third party application nodes;
−
Non-Windows nodes;
−
Subsystem interface nodes (for example, tank gauging).
Honeywell recommends that you set up special servers for the controlled distribution of
antivirus signature files to the process control network (PCN) as outlined in "Distributing
Microsoft updates and virus definition files."
6. Virus Protection
6.3. Configuring active antivirus scanning
6.3 Configuring active antivirus scanning
Honeywell recommends that you adopt an active virus scanning strategy.
The recommended strategies include ensuring that:
•
Virus scan reports are regularly reviewed;
•
Antivirus software is configured to:
−
Scan the boot sectors of all floppy disks;
6. Virus Protection 6.4. Tuning the virus scanning for system performance
−
Move infected files to a quarantine directory and notify the user that an infected file was found. The user must be allowed to clean up the infection.
6.4 Tuning the virus scanning for system performance
In formulating your virus scanning strategy you may also need to take into account the potential impact on critical system resources.
For example, if your Experion LX is experiencing problems due to low system resources, you may need to:
•
Ensure that antivirus software (and other third party applications) is run only when system resources on the node are adequate to meet system needs.
•
Consider limiting the system resources that are used by antivirus software during scanning. Honeywell has tested anti-viral software successfully on extremely large systems by limiting the CPU utilization of anti-viral software to as low as 10%.
To find the proper balance between server performance and virus protection you may need to make configuration choices such as disabling scanning on reading of files and changing the default process-based scanning to per-process scanning.
For more information about virus scanning and system performance, refer to "About virus scanning and system performance.”
ATTENTION
Do not automatically schedule full system scans on any Experion LX node as this can result in severe degradation of performance, and could therefore:
• Impact the ability of operators to respond to a situation
6. Virus Protection
6.5. Ensuring frequent updates to antivirus signature files
Directories that can be excluded from scanning
Experion LX creates many files during normal operations and the system resource overhead of scanning each of these files for viruses is extremely high. Honeywell tests anti-viral software with the following directories excluded from scanning:
\ProgramData\Honeywell\
\Program Files\Honeywell\<ProductLegacy>\Engineering Tools\system\er
About virus scanning and system performance
The Experion LX system requires a certain amount of system resources (including CPU, memory, disk access), in order to perform reliably. Shortages of these resources may lead to decreased system performance.
When tuning antivirus software, consider balancing performance against risk. On some systems, the high performance of the server node is balanced against the performance of the scanning engine. Some antivirus scanners allow you to set maximum CPU usage. The default installation of antivirus software will generally meet the demands of most
customers. However, for systems with extremely high CPU usage and input/output demands, the default installation of antivirus software may impose system limitations.
Refer to your antivirus software documentation for specific procedures on how to limit CPU utilization.
If your system is experiencing continued resource-related performance problems, there are further steps that you can take to limit the resources consumed by antivirus software.
6.5 Ensuring frequent updates to antivirus signature files
Non-directed virus and worm attacks are common attacks on a control system. A virus that is deemed low risk for corporate systems may pose a high risk to a control system if it causes a denial of service. It is therefore essential to update antivirus signature files frequently by:
•
Subscribing to the updates of your antivirus software vendor(s);
•
Leveraging enterprise antivirus policies and practices.
Where it is not practical to do this daily, it is worth monitoring those websites which publish information about new virus attacks so that the system can be isolated if a specific threat appears.
For recommendations on distributing antivirus updates, refer to "Distributing Microsoft
updates and virus definition files.”
6. Virus Protection 6.6. Testing the deployment of antivirus signature files
6.6 Testing the deployment of antivirus signature files
It is important to test antivirus signature files offline before deploying them. This helps to ensure that the signature file does not break the antivirus software or cause problems on the computer. For example, you could first test the signature files on:
•
A staged test system
•
One or two nodes
In line with the best practice of minimizing communication between the business network and the process control network, Honeywell recommends that updates to antivirus signature files be distributed from a server located in a DMZ as outlined in
"Distributing Microsoft updates and virus definition files.”
When implementing the automatic deployment of signature files, it is also important to:
•
Stagger automatic deployment to eliminate the potential for common cause failure.
For example, deploy to no more than three or four nodes per hour;
•
Follow the recommendations of your antivirus software vendor for distribution server/services;
•
Stage the distribution on a test system.
6. Virus Protection
6.7. Prohibiting email clients on the process control network