What are best practices for installing antivirus protection on servers?

What are best practices for installing antivirus protection on servers? Is there a certain type of server where that's just a bad idea (like an AD DC)? What about IIS web servers (a huge enterprise server, with over 200 Host Header sites, Perl, PHP, .NET, etc., ISAPIs, all going on it)? What are the best solutions for this?
r-k Commented:
I don't know about best practices, the following is just my personal opinion:

In most cases I would suggest not installing any AV software on a server.

This seems counter-intuitive, but most AV programs are geared towards the end-user desktop. They are most useful in protecting against a user clicking on email attachments, dubious freeware, web links etc. A server should not be used for any of these things (email, web surfing, games etc.) so the AV program won't have much to do.

On the down side, an AV program often installs low-level device drivers that scan every file as it is opened. If you're lucky it will only cause a minor slowdown. At worst I've seen it interfere severely with important functions, such as security updates, version updates, halting mail flow, mystery crashes, etc.

The real threat a server faces is from network-borne malware and hacks, so it would be better to focus on securing it in other ways, such as secure passwords, disable unnecessary services, firewall, security patches, etc.

There are two possible cases in which it may be tempting to install AV software on a server: if you're using it as a mail server with MS Exchange, or if you're using it as a file server. On closer examination I think even these are not necessary. In the case of Exchange server, the AV program must be "Exchange-aware", but in my view it is more useful, and more effective, to just install an anti-spam solution that can also block specific attachment types, such as .exe, .zip, .bat etc. In the case of the file server, install the AV where it belongs: on the user desktops. That way if they try to open an infected file from the file share it will be caught.

The one exception would be if your server is a terminal server. That is the only scenario in which AV on the server makes sense.

Just my .02. You should weigh the pros and cons for your situation, of course.
wfcraven12 Commented:
I have AV installed on all my servers (except Exchange since it has its own). I have no issues with SAV 10.1.6 at all. I recently tried Symantec's Endpoint Protection and it was a DISASTER. Anyway, on our phone and backup servers I did disable Auto-Protect, but that's pretty much it.
nizsmo (Developer) Commented:
I would suggest Trend Micro's Server Security Agent, it is quite efficient, and also is able to provide client computers (if required) protection as well.
wfcraven12 Commented:
As you can see you're going to get different answers because this really comes down to a matter of personal preference. r-k does make some good points, but in my personal view I put the AV software on the servers because I take the approach that the users generally don't know any better, and even though they have some sort of AV app, the "bad people" will always be a step ahead. So why take a chance? But like I said before, this all comes down to what you feel most comfortable with.
younghv Commented:
r-k and I have disagreed on this before - but that's OK - and one of the neat things about EE.

I put AV on every computing device in the Domain. If I could trust every user (Administrator or others) to always do the right thing, I might change my approach.

Unfortunately, we live in a world where you are better off safe than sorry.

One of the things they talk about extensively in Security seminars is that we must try to be prepared for 'future unknowns'. Even if it might be safe to not run AV on a server right now, we have no way of knowing what the Black Hats will turn loose on the world tomorrow.

AV everywhere and ABS (Anything But Symantec).

Karamurat Commented:
Installing antivirus software on Microsoft servers needs some attention.
It has always been a long argument how to install and configure different antivirus software on different Microsoft server platforms.
Some IT consultants do not even recommend installing antivirus software on critical servers.
Of course vendor documentation is very important and must be analyzed before installing any antivirus product on servers.
But Microsoft has its own recommendations and best practices to take into consideration.
Therefore it is better to take a closer look at the Microsoft articles below.
First of all I would like to start with the most important part of a Microsoft infrastructure: domain controllers.

1.      If your server holds the domain controller role and also runs DNS or DHCP services, review the Microsoft KB article http://support.microsoft.com/kb/822158 and exclude:
a.) %systemroot%\Sysvol folder (include all the sub-folders and files)
b.) %systemroot%\system32\dhcp folder (include all the sub-folders and files)
c.) %systemroot%\system32\dns folder (include all the sub-folders and files)
d.) %systemroot%\ntds

2.      If the File Replication Service (NTFRS) is running on your system, make sure your antivirus software is compatible: KB815263 - Antivirus, backup, and disk optimization programs that are compatible with the File Replication Service http://support.microsoft.com/kb/815263 And exclude:
a.) %systemroot%\ntfrs folder (include all the sub-folders and files)
b.) Files that have the .log and .dit extension

3.      If you have IIS installed, exclude:
a.) The IIS compression directory (default compression directory is %systemroot%\IIS Temporary Compressed Files)
b.) %systemroot%\system32\inetsrv folder
c.) Files that have the .log extension

Refer to the following knowledge base articles for reference:
KB817442 - IIS 6.0: Antivirus Scanning of IIS Compression Directory May Result in 0-Byte File

KB821749 - Antivirus software may cause IIS to stop unexpectedly

4.      If you have SQL installed, you may want to exclude the SQL folder and databases files (or database file types) from scanning for performance reasons:
KB309422 - Guidelines for choosing antivirus software to run on the computers that are running SQL Server

5.      If you have Exchange installed, perform the relevant file-based scanning exclusions listed in Knowledge Base articles:

KB328841 - Exchange and antivirus software

KB823166 - Overview of Exchange Server 2003 and antivirus software

KB245822 - Recommendations for troubleshooting an Exchange Server computer with antivirus software installed

6.      If you have Cluster services, make sure your antivirus software is compatible:

KB250355 - Antivirus Software May Cause Problems with Cluster Services
NOTE: If you have a SQL cluster, make sure that you exclude these locations from virus scanning:
a.) Q:\ (Quorum drive)
b.) %systemroot%\Cluster
c.) SQL Server data files that have the .mdf extension, the .ldf extension, and the .ndf extension

7.      If you have SharePoint installed, you should exclude:
a.) Drive:\Program Files\SharePoint Portal Server
b.) Drive:\Program Files\Common Files\Microsoft Shared\Web Storage System
c.) Drive:\MSDEDatabases (particularly on SBS) (where Drive: is the drive letter where you installed SharePoint Portal Server)

Refer to the following knowledge base articles for reference:
KB320111 - Random Errors May Occur When Antivirus Software Scans Microsoft Web Storage System

KB322941 - Microsoft's Position on Antivirus Solutions for Microsoft SharePoint Portal Server

8.      If you have a Systems Management Server (SMS), you should exclude these folders:
a.) SMS\Inboxes
b.) SMS_CCM\ServiceData

Refer to the following knowledge base articles for reference:
KB327453 - Antivirus programs may contribute to file backlogs in SMS 2.0 and in SMS 2003

NOTE: If you exclude the SMS\Inboxes directory from virus scanning or remove the antivirus software, you may make the site server and all clients vulnerable to potential virus risks. The client base component files reside in the SMS\Inboxes directory.

9.      If you have a MOM (Microsoft Operations Manager) server, you should consider excluding:
a.) Drive:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Operations Manager
b.) Drive:\Program Files\Microsoft Operations Manager 2005 (where Drive: is the drive letter where profiles are located)

10.     If you have an Internet Security and Acceleration (ISA) Server, you should exclude:
a.) The ISALogs folder. By default, the ISALogs folder is located in the folder where you installed ISA Server. Typically, this location is Drive:\Program Files\Microsoft ISA Server.
Refer to the following knowledge base articles for reference:
KB887311 - Event ID 5, event ID 14079, and event ID 14176 are logged in the Application log on your Internet Security and Acceleration Server 2000 computer
11.     If you have a Windows Software Update Services (WSUS) server role, you should consider excluding:
a.) Drive:\MSSQL$WSUS
b.) Drive:\WSUS
(where Drive: is the drive letter where you installed Windows Software Update Services)
Also refer to the following knowledge base article for reference:
KB900638 - Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file is copied

For more information, check the links below.

KB49500 - List of antivirus software vendors

KB129972 - Computer viruses: description, prevention, and recovery
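The exclusion lists above are per-role, so the practical job is to apply only the ones matching the roles a given server actually hosts, and then verify that the AV agent really took them. The script below is an added example, not part of Karamurat's post or of any vendor's documentation. It assumes Microsoft Defender Antivirus on a current Windows Server with the ServerManager module available; the products discussed in this thread (SAV, Trend Micro, McAfee) take their exclusions through their own consoles, and the role names and the IIS 7+ log directory are assumptions noted in the comments. It covers items 1 through 3 of the list (domain controller, DNS, DHCP, FRS, IIS); the other roles follow the same pattern.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): apply role-scoped AV exclusions from the
# KB articles cited above and confirm they were registered. Assumes Microsoft
# Defender Antivirus and the ServerManager module (Get-WindowsFeature).

$sysroot  = $env:SystemRoot
$sysdrive = $env:SystemDrive

# Role name (as reported by Get-WindowsFeature) -> exclusions for that role.
# Extension exclusions (.log, .dit) are scoped to the relevant folder with a
# wildcard rather than excluded globally; a global *.log exclusion would let an
# attacker hide a payload anywhere simply by naming it something.log.
$exclusionMap = @{
    'AD-Domain-Services' = @(
        "$sysroot\SYSVOL",              # KB822158
        "$sysroot\NTDS",                # KB822158 (ntds.dit, edb*.log live here)
        "$sysroot\ntfrs",               # KB815263
        "$sysroot\NTDS\*.dit",
        "$sysroot\NTDS\*.log",
        "$sysroot\ntfrs\*.log"
    )
    'DNS'        = @("$sysroot\System32\dns")           # KB822158
    'DHCP'       = @("$sysroot\System32\dhcp")          # KB822158
    'Web-Server' = @(
        "$sysroot\System32\inetsrv",                   # KB821749
        "$sysroot\IIS Temporary Compressed Files",     # KB817442
        "$sysdrive\inetpub\logs\LogFiles\*.log"        # assumption: IIS 7+ default log dir
    )
}

function Get-RoleExclusions {
    # Return the exclusion list for every role in $Map that is installed here.
    param([hashtable]$Map)
    $installed = Get-WindowsFeature | Where-Object Installed | Select-Object -ExpandProperty Name
    $result = foreach ($role in $Map.Keys) {
        if ($installed -contains $role) { $Map[$role] }
    }
    return @($result | Sort-Object -Unique)
}

function Test-ExclusionBaseExists {
    # Only exclude paths whose base directory exists. An exclusion for a
    # directory that does not exist yet is a pre-approved hiding place for
    # whoever creates it later.
    param([string]$Path)
    $base = $Path -replace '\\\*[^\\]*$', ''   # strip a trailing "\*.ext" element
    return (Test-Path -LiteralPath $base)
}

$wanted  = Get-RoleExclusions -Map $exclusionMap
$present = @($wanted | Where-Object { Test-ExclusionBaseExists $_ })
$skipped = @($wanted | Where-Object { $_ -notin $present })

if ($skipped) {
    Write-Warning ("Skipping exclusions whose base directory is missing:`n  " + ($skipped -join "`n  "))
}
if (-not $present) {
    Write-Host 'No matching roles installed on this host; nothing to exclude.'
    return
}

# Add-MpPreference accepts an array and is idempotent for existing entries.
Add-MpPreference -ExclusionPath $present

# Verify: read back what the engine actually registered.
$applied = @((Get-MpPreference).ExclusionPath)
$missing = @($present | Where-Object { $_ -notin $applied })
if ($missing) {
    Write-Error ("Exclusions not registered:`n  " + ($missing -join "`n  "))
} else {
    Write-Host "Registered $($present.Count) exclusion(s):"
    $present | ForEach-Object { Write-Host "  $_" }
}

# Flag anything excluded that this script did not ask for, so stale or
# unexpected exclusions (a common persistence trick) get reviewed.
$extra = @($applied | Where-Object { $_ -notin $present })
if ($extra) {
    Write-Warning ("Exclusions present that are not in the role map, review them:`n  " + ($extra -join "`n  "))
}
```

Two caveats a practitioner will want alongside the list: every excluded path is a blind spot, so the set should be the minimum the vendor actually documents for the installed roles (which is why the script keys off installed roles and checks that each base directory exists), and the final "unexpected exclusion" warning is worth wiring into whatever audits the server, because adding an AV exclusion is a cheap way for an intruder to keep a foothold quietly.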
ksuchy (Author) Commented:
Wow. Thanks very much Karamurat.

I have to disagree with you. Yes, you should not be surfing or checking email with one of your production servers, but if a worm should get inside your network, then your servers are surely compromised. I have SAV installed on all servers except for SQL and Exchange. In order to install on SQL and Exchange you would have to follow special installation methods so that there aren't any issues.
Administrator Contact Commented:
I totally agree with d-k... so many times an AV program on a server causes issues. Scan your servers, but certainly you don't want Real Time protection. This is from 30 years of experience.

Just last week McAfee on Exchange BLOCKED port 25 because a client had malware.
Administrator Contact Commented:
Oops, teguila and posts may be a bad combo... IT experience since 1991, and r-k, not dk. New topic: any non-drinking in-the-trenches IT people out there?!
r-k Commented:
Lol, thanks itc-mt. I've been away from this board for too long, but your vote of confidence serves as a reminder that maybe I should get back here once in a while. Go easy with the tequilla, it's only Thursday! All best.
Administrator Contact Commented:
Oh brother, didn't even spell tequila right! Still the point is valid and you are welcome r-k!