What are best practices for installing antivirus protection on servers?

Posted on 2007-11-29
Last Modified: 2013-11-22
What are best practices for installing antivirus protection on servers? Is there a certain type of server where that's just a bad idea (like an AD DC)? What about IIS web servers (a huge enterprise server, with over 200 Host Header sites, Perl, PHP, .NET, etc. ISAPIs, all going on it)? What are the best solutions for this?
Question by:ksuchy
 
LVL 8

Assisted Solution

by:wfcraven12
wfcraven12 earned 100 total points
ID: 20377394
I have AV installed on all my servers (except Exchange since it has its own). I have no issues with SAV 10.1.6 at all. I recently tried Symantec's Endpoint Protection & it was a DISASTER. Anyway, on our phone & backup servers I did disable Auto-Protect, but that's pretty much it.
 
LVL 21

Assisted Solution

by:nizsmo
nizsmo earned 50 total points
ID: 20377786
I would suggest Trend Micro's Server Security Agent, it is quite efficient, and also is able to provide client computers (if required) protection as well.
 
LVL 32

Accepted Solution

by:r-k
r-k earned 200 total points
ID: 20379128
I don't know about best practices, the following is just my personal opinion:

In most cases I would suggest not installing any AV software on a server.

This seems counter-intuitive, but most AV programs are geared towards the end-user desktop. They are most useful in protecting against a user clicking on email attachments, dubious freeware, web links etc. A server should not be used for any of these things (email, web surfing, games etc.) so the AV program won't have much to do.

On the down side, an AV program often installs low-level device drivers that scan every file as it is opened. If you're lucky it will only cause a minor slowdown. At worst I've seen it interfere severely with important functions, such as security updates, version updates, halting mail flow, mystery crashes, etc.

The real threat a server faces is from network-borne malware and hacks, so it would be better to focus on securing it in other ways, such as secure passwords, disable unnecessary services, firewall, security patches, etc.

There are two possible cases in which it may be tempting to install AV software on a server: if you're using it as a mail server with MS Exchange, or if you're using it as a file server. On closer examination I think even these are not necessary. In the case of an Exchange server, the AV program must be "Exchange-aware", but in my view it is more useful, and more effective, to just install an anti-spam solution that can also block specific attachment types, such as .exe, .zip, .bat etc. In the case of the file server, install the AV where it belongs: on the user desktops. That way if they try to open an infected file from the file share it will be caught.

The one exception would be if your server is a terminal server. That is the only scenario in which AV on the server makes sense.

Just my .02. You should weigh the pros and cons for your situation, of course.
 
LVL 8

Assisted Solution

by:wfcraven12
wfcraven12 earned 100 total points
ID: 20379695
As you can see, you're going to get different answers b/c this really comes down to a matter of personal preference. r-k does make some good points, but in my personal view I put the AV software on the servers b/c I take the approach that the users generally don't know any better & even though they have some sort of AV app, the "bad people" will always be a step ahead... so why take a chance? But like I said before, this all comes down to what you feel most comfortable with.
 
LVL 38

Assisted Solution

by:younghv
younghv earned 150 total points
ID: 20388104
r-k and I have disagreed on this before, but that's OK, and one of the neat things about EE.

I put AV on every computing device in the Domain. If I could trust every user (Administrator or others) to always do the right thing, I might change my approach.

Unfortunately, we live in a world where you are better off safe than sorry.

One of the things they talk about extensively in Security seminars is that we must try to be prepared for 'future unknowns'. Even if it might be safe to not run AV on a server right now, we have no way of knowing what the Black Hats will turn loose on the world tomorrow.

AV everywhere and ABS (Anything But Symantec).

Vic
 

Expert Comment

by:thekaramurat
ID: 20873309
Installing antivirus software on Microsoft servers needs some attention.
Therefore, it has always been a long argument how to install and configure different antivirus software on different Microsoft server platforms.
Some IT consultants do not even recommend installing antivirus software on critical servers.
Of course, vendor documentation is very important and must be analyzed before installing any antivirus product on servers.
But Microsoft has its own recommendations and best practices to take into consideration.
Therefore it is better to take a closer look at the Microsoft articles below.
First of all, I would like to start with the most important part of the Microsoft infrastructure: domain controllers.

1.      If your server holds the domain controller role and there are DNS and DHCP services, then we have to review the Microsoft KB article http://support.microsoft.com/kb/822158 and exclude:
a.) %systemroot%\Sysvol folder (include all the sub-folders and files)
b.) %systemroot%\system32\dhcp folder (include all the sub-folders and files)
c.) %systemroot%\system32\dns folder (include all the sub-folders and files)
d.) %systemroot%\ntds

2.      If the File Replication (NTFRS) service is running on your system, make sure your Anti-Virus software is compatible: KB815263 - Antivirus, backup, and disk optimization programs that are compatible with the File Replication Service http://support.microsoft.com/kb/815263 And exclude:
a.) %systemroot%\ntfrs folder (include all the sub-folders and files)
b.) Files that have the .log and .dit extension

3.      If you have IIS installed, exclude:
a.) The IIS compression directory (default compression directory is %systemroot%\IIS Temporary Compressed Files)
b.) %systemroot%\system32\inetsrv folder
c.) Files that have the .log extension

Refer to the following knowledge base articles for reference:
KB817442 - IIS 6.0: Antivirus Scanning of IIS Compression Directory May Result in 0-Byte File
http://support.microsoft.com/kb/817442

KB821749 - Antivirus software may cause IIS to stop unexpectedly
http://support.microsoft.com/kb/821749

4.      If you have SQL installed, you may want to exclude the SQL folder and databases files (or database file types) from scanning for performance reasons:
KB309422 - Guidelines for choosing antivirus software to run on the computers that are running SQL Server
http://support.microsoft.com/kb/309422

5.      If you have Exchange installed, perform the relevant file-based scanning exclusions listed in Knowledge Base articles:

KB328841 - Exchange and antivirus software
http://support.microsoft.com/kb/328841

KB823166 - Overview of Exchange Server 2003 and antivirus software
http://support.microsoft.com/kb/823166

KB245822 - Recommendations for troubleshooting an Exchange Server computer with antivirus software installed
http://support.microsoft.com/kb/245822

6.      If you have Cluster services, make sure your Anti-Virus software is compatible:

KB250355 - Antivirus Software May Cause Problems with Cluster Services
http://support.microsoft.com/kb/250355
NOTE: If you have a SQL cluster, make sure that you exclude these locations from virus scanning:
a.) Q:\ (Quorum drive)
b.) %systemroot%\Cluster
c.) SQL Server data files that have the .mdf extension, the .ldf extension, and the .ndf extension

7.      If you have Sharepoint installed, you should exclude:
a.) Drive:\Program Files\SharePoint Portal Server
b.) Drive:\Program Files\Common Files\Microsoft Shared\Web Storage System
c.) Drive:\MSDEDatabases (particularly on SBS) (where Drive: is the drive letter where you installed SharePoint Portal Server)

Refer to the following knowledge base articles for reference:
KB320111 - Random Errors May Occur When Antivirus Software Scans Microsoft Web Storage System
http://support.microsoft.com/kb/320111

KB322941 - Microsoft's Position on Antivirus Solutions for Microsoft SharePoint Portal Server
http://support.microsoft.com/kb/322941

8.       If you have a Systems Management Server (SMS), you should exclude folders:
a.) SMS\Inboxes
b.) SMS_CCM\ServiceData

Refer to the following knowledge base articles for reference:
KB327453 - Antivirus programs may contribute to file backlogs in SMS 2.0 and in SMS 2003
http://support.microsoft.com/kb/327453

NOTE: If you exclude the SMS\Inboxes directory from virus scanning or remove the antivirus software, you may make the site server and all clients vulnerable to potential virus risks. The client base component files reside in the SMS\Inboxes directory.

9.      If you have a MOM (Microsoft Operations Manager) server, you should consider excluding:
a.) Drive:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Operations Manager
b.) Drive:\Program Files\Microsoft Operations Manager 2005 (where Drive: is the drive letter where profiles are located)

10.      If you have an Internet Security and Acceleration Server (ISA) server, you should exclude:
a.) The ISALogs folder. By default, the ISALogs folder is located in the folder where you installed ISA Server. Typically, this location is Drive:\Program Files\Microsoft ISA Server.

Refer to the following knowledge base articles for reference:
KB887311 - Event ID 5, event ID 14079, and event ID 14176 are logged in the Application log on your Internet Security and Acceleration Server 2000 computer
http://support.microsoft.com/kb/887311

11.      If you have a Windows Software Update Services (WSUS) server role, you should consider excluding:
a.) Drive:\MSSQL$WSUS
b.) Drive:\WSUS
(where Drive: is the drive letter where you installed Windows Software Update Services)

Also refer to the following knowledge base articles for reference:
KB900638 - Multiple symptoms occur if an antivirus scan occurs while the Wsusscan.cab file is copied
http://support.microsoft.com/kb/900638

For more information you can check the links below.

KB49500 - List of antivirus software vendors
http://support.microsoft.com/kb/49500

KB129972 - Computer viruses: description, prevention, and recovery
http://support.microsoft.com/kb/129972
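The role-by-role exclusion lists in the comment above are easy to get wrong when typed into an AV console by hand. The following script is an added example (not from the thread or from Microsoft) that turns items 1 through 6 into a reviewable plan for the server it runs on. It assumes Windows PowerShell 3.0 or later, an elevated session on the server itself, and that roles can be detected from the Windows service names NTDS, DNS, DHCPServer, NtFrs, W3SVC, ClusSvc and MSSQL*; the Q: quorum drive is taken from the post and will not apply to every cluster.

```powershell
# Added example: build a per-role AV exclusion plan from the KB guidance
# quoted in the thread. Assumed: PowerShell 3.0+, run elevated on the server;
# role detection is by Windows service name, which is an assumption.
function Test-RoleService {
    param([Parameter(Mandatory = $true)][string]$Name)
    # Wildcards (MSSQL*) are allowed; a missing service returns $false.
    return [bool](Get-Service -Name $Name -ErrorAction SilentlyContinue)
}

function Get-AvExclusionPlan {
    $root  = $env:SystemRoot
    $paths = New-Object System.Collections.Generic.List[string]
    $exts  = New-Object System.Collections.Generic.List[string]

    if (Test-RoleService 'NTDS') {                  # domain controller (KB822158)
        $paths.AddRange([string[]]@("$root\Sysvol", "$root\NTDS"))
        $exts.Add('.dit')
    }
    if (Test-RoleService 'DNS')        { $paths.Add("$root\system32\dns") }
    if (Test-RoleService 'DHCPServer') { $paths.Add("$root\system32\dhcp") }
    if (Test-RoleService 'NtFrs') {                 # File Replication Service (KB815263)
        $paths.Add("$root\ntfrs")
        $exts.AddRange([string[]]@('.log', '.dit'))
    }
    if (Test-RoleService 'W3SVC') {                 # IIS (KB817442, KB821749)
        $paths.AddRange([string[]]@("$root\IIS Temporary Compressed Files",
                                    "$root\system32\inetsrv"))
        $exts.Add('.log')
    }
    if (Test-RoleService 'MSSQL*') {                # SQL Server (KB309422)
        $exts.AddRange([string[]]@('.mdf', '.ldf', '.ndf'))
    }
    if (Test-RoleService 'ClusSvc') {               # Cluster service (KB250355)
        # Q: is the quorum drive letter named in the post; verify it locally.
        $paths.AddRange([string[]]@('Q:\', "$root\Cluster"))
    }

    # Deduplicate: a DC running FRS would otherwise list .dit twice.
    [pscustomobject]@{
        Paths      = @($paths | Sort-Object -Unique)
        Extensions = @($exts  | Sort-Object -Unique)
    }
}

$plan = Get-AvExclusionPlan
# Flag paths that do not exist so nobody excludes a folder that was never there.
$plan.Paths | ForEach-Object {
    if (-not (Test-Path -LiteralPath $_)) { Write-Warning "Not found on this host: $_" }
}
$plan
```

Extension-wide entries such as .log apply to the whole server, not just the role that needs them, so review the plan before entering it in the AV console rather than applying it blindly.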

Author Comment

by:ksuchy
ID: 20875905
Wow. Thanks very much Karamurat.
 
LVL 1

Expert Comment

by:dhav79
ID: 23281263
r-k:

I have to disagree with you. Yes, you should not be surfing or checking email with one of your production servers, but if a worm should get inside your network, then your servers are surely compromised. I have SAV installed on all servers except for SQL and Exchange. In order to install on SQL and Exchange you would have to follow special installation methods so that there aren't any issues.
 

Expert Comment

by:Administrator Contact
ID: 35445656
I totally agree with d-k... so many times an AV program on a server causes issues. Scan your servers, but certainly you don't want Real Time protection. This is from 30 years of experience.

Just last week McAfee on Exchange BLOCKED port 25 because a client had malware.
 

Expert Comment

by:Administrator Contact
ID: 35445684
oops, teguila and posts may be a bad combo... IT experience since 1991 and r-k. not dk.   New topic, any non drinking in the trenches IT people out there?!
 
LVL 32

Expert Comment

by:r-k
ID: 35445996
Lol, thanks itc-mt. I've been away from this board for too long, but your vote of confidence serves as a reminder that maybe I should get back here once in a while. Go easy with the tequila, it's only Thursday! All best.
 

Expert Comment

by:Administrator Contact
ID: 35451619
Oh brother, didn't even spell tequila right! Still the point is valid and you are welcome r-k!