DOCS-11914 BACKPORT (#3188)

Dave Cuthbert · web-flow · commit 6ba0f6637389 · 2023-05-19T11:06:03.000-07:00
diff --git a/source/administration/production-notes.txt b/source/administration/production-notes.txt
@@ -163,6 +163,8 @@ engine other than the one specified by :option:`--storageEngine <mongod --storag
 :binary:`~bin.mongod` must possess read and write permissions for the specified
 :setting:`~storage.dbPath`.
 
+.. include:: /includes/security/fact-antivirus-scan.rst
+
 .. _prod-notes-concurrency:
 
 Concurrency
diff --git a/source/administration/security-checklist.txt b/source/administration/security-checklist.txt
@@ -193,6 +193,10 @@ Pre-production Checklist/Considerations
   to learn more about how you can use MongoDB's key security
   capabilities to build compliant application infrastructure.
 
+Antivirus and Endpoint Detection and Response Scanning 
+------------------------------------------------------
+
+.. include:: /includes/security/fact-antivirus-scan.rst
 
 Periodic/Ongoing Production Checks
 ----------------------------------
diff --git a/source/includes/security/fact-antivirus-scan.rst b/source/includes/security/fact-antivirus-scan.rst
@@ -0,0 +1,15 @@
+If you use an antivirus (AV) scanner or an endpoint detection and
+response (EDR) scanner, configure your scanner to exclude the
+:setting:`database storage path <storage.dbPath>` and the
+:setting:`database log path <systemLog.path>` from the scan.
+
+The data files in the ``database storage path`` are compressed.
+Additionally, if you use the :ref:`encrypted storage engine
+<security-encryption-at-rest>`, the data files are also encrypted. The
+I/O and CPU costs to scan these files may significantly decrease
+performance without providing any security benefits.
+
+If you don't exclude the directories in your ``database storage path``
+and ``database log path``, the scanner could quarantine or delete
+important files. Missing or quarantined files can corrupt your database
+and crash your MongoDB instance.
