Running antivirus software on the VM that hosts Retool can increase CPU usage and infrastructure costs. This usually happens because the antivirus aggressively scans files that change frequently in a container environment (e.g. container layers, logs, temporary files, and database data directories).
Most antivirus tools treat a changed file as a potential threat and rescan it on access. In containerised workloads, frequent file changes are normal and expected, so this heuristic fires constantly: scanning these paths adds overhead without providing much additional security.
For most Retool container deployments, the following paths can typically be excluded from real-time antivirus scanning. They are high-churn paths where on-access scanning adds overhead without meaningful detection value (note that container layers do contain executables; cover that content with image scanning at build or pull time rather than with on-access scans of the layer directories):
- Container runtime state directories - the runtime constantly pulls images, starts containers, and tracks their CPU, memory, and storage, and it stores that current state here
Typical paths:
- /var/lib/docker (Docker)
- /var/lib/containerd (Kubernetes)
- Overlay filesystems - the layered filesystems that back running containers, where files are constantly written, updated, copied, and deleted. This includes caches, temporary files, logs, and runtime metadata, not long-term application data
Typical paths:
- /var/lib/docker/overlay2/ (Docker)
- /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/ (Kubernetes)
- Log directories - log files are written continuously and are never executed by the operating system, so antivirus scanning cannot meaningfully block threats by inspecting them.
Typical paths:
- /var/lib/docker/containers//-json.log (Docker)
- /var/log/pods/ (Kubernetes)
- Database data directories - these contain binary database files and transaction logs
Typical paths:
- /var/lib/postgresql/
- /var/lib/postgresql/data/
- Temporary directories - hold short-lived, non-persistent runtime data
Typical paths:
- /tmp
- /var/tmp
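The following script, added here as an example and not code from Retool or any antivirus vendor, turns the path list above into exclusion rules. It detects which container runtime is present (Docker or containerd), emits only the paths that actually exist on the host, refuses over-broad paths such as `/var` that would blind the scanner to most of the system, and prints the result in two formats: `ExcludePath` directives for ClamAV's `clamd.conf` and `mdatp exclusion folder add` commands for Microsoft Defender for Endpoint on Linux. The `ROOT` prefix argument is an assumption added so the script can be run against a constructed directory tree; on a real host call the functions with no argument. The per-container JSON log files live under `/var/lib/docker/containers/`, so excluding that directory covers them.

```shell
#!/bin/sh
# Added example (not Retool's or any vendor's code): build antivirus path
# exclusions for the high-churn directories listed on this page.
# ExcludePath is ClamAV's clamd.conf directive (a regex); mdatp is the
# Defender for Endpoint on Linux CLI. ROOT is an assumed test prefix.

# Candidate paths from the page. Docker and containerd are kept separate so
# only the runtime that is actually present gets excluded.
DOCKER_PATHS="/var/lib/docker
/var/lib/docker/overlay2
/var/lib/docker/containers"
CONTAINERD_PATHS="/var/lib/containerd
/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs
/var/log/pods"
COMMON_PATHS="/var/lib/postgresql
/tmp
/var/tmp"

# is_too_broad PATH -> success if excluding PATH would remove most of the
# host from scanning (the caveat at the end of this page: exclude narrowly).
is_too_broad() {
  case "$1" in
    /|/var|/var/lib|/var/log|/usr|/usr/*|/etc|/etc/*|/bin|/sbin|/home|/root) return 0 ;;
    *) return 1 ;;
  esac
}

# detect_runtime ROOT -> prints "docker" and/or "containerd", one per line,
# depending on which runtime state directory exists under ROOT.
detect_runtime() {
  root="${1:-}"
  [ -d "$root/var/lib/docker" ] && printf '%s\n' docker
  [ -d "$root/var/lib/containerd" ] && printf '%s\n' containerd
  return 0
}

# candidate_paths ROOT -> the page's paths that apply to this host.
candidate_paths() {
  root="${1:-}"
  for rt in $(detect_runtime "$root"); do
    case "$rt" in
      docker) printf '%s\n' "$DOCKER_PATHS" ;;
      containerd) printf '%s\n' "$CONTAINERD_PATHS" ;;
    esac
  done
  printf '%s\n' "$COMMON_PATHS"
}

# clamd_exclusions ROOT -> clamd.conf ExcludePath lines for candidate paths
# that exist under ROOT and pass the breadth check. ExcludePath takes a
# regular expression, so the path is anchored and its dots are escaped.
clamd_exclusions() {
  root="${1:-}"
  candidate_paths "$root" | while IFS= read -r p; do
    [ -n "$p" ] && [ -d "$root$p" ] || continue
    if is_too_broad "$p"; then
      printf '# refused: %s is too broad to exclude\n' "$p" >&2
      continue
    fi
    escaped=$(printf '%s' "$p" | sed 's/[.]/\\./g')
    printf 'ExcludePath ^%s/\n' "$escaped"
  done
  return 0
}

# mdatp_exclusions ROOT -> equivalent Defender for Endpoint on Linux commands.
mdatp_exclusions() {
  root="${1:-}"
  candidate_paths "$root" | while IFS= read -r p; do
    [ -n "$p" ] && [ -d "$root$p" ] || continue
    is_too_broad "$p" && continue
    printf 'mdatp exclusion folder add --path %s\n' "$p"
  done
  return 0
}

# Usage on a real host: source this file, then run
#   clamd_exclusions >> /etc/clamav/clamd.conf   (review the output first)
# or pipe mdatp_exclusions into sh after review.
```

Review the generated lines before applying them: the script only proposes exclusions for directories it finds, and the breadth check is a guard against typos such as excluding `/var` instead of `/var/lib/docker`.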
You may also want to exclude Retool-specific directories from heavy antivirus scanning, as this causes the same performance degradation without adding much security.
Examples of antivirus products you may be running on your VM, with the clouds they support:
- Microsoft Defender for Endpoint: Azure (native), also supported on AWS and GCP
- CrowdStrike Falcon: Azure, AWS, GCP (cloud-agnostic)
- SentinelOne: Azure, AWS, GCP (cloud-agnostic)
- Trend Micro (Cloud One / Deep Security): Azure, AWS, GCP
- Sophos Intercept X: Azure, AWS, GCP
- McAfee / Trellix: Azure, AWS, GCP
- ClamAV: Azure, AWS, GCP (open-source, VM-level)
Before applying exclusions broadly, validate them with your security team and ensure they align with your organisation's security requirements and deployment configuration. Keep each exclusion as narrow as possible (the specific runtime, log, or data directory, never a parent such as /var) so the rest of the host stays covered.