Asked by nftcadmins
Antivirus on Servers

I am hoping to get some discussion points on installing antivirus software on your servers. We are currently in the process of upgrading all our antivirus clients to the latest McAfee 8.7i with their ePO Agent 4.5.0 to manage the setup. We previously always installed antivirus on all our servers; however, I am curious now whether that is really necessary. I was looking at removing antivirus from all the servers with the exception of the file servers. Our environment consists of Windows 2003 R2 servers that host a variety of Domino, Oracle, SQL and Terminal Services for our environment. All our servers are protected under lock and key from any intruders and there is 24/7 security in the building.

Does it make sense to install antivirus on just the Windows file servers and leave the rest unprotected? Are there special considerations if you were to install antivirus on a Domino or Oracle server? Right now, the ePO policy is set to exclude NSF files in the Domino case, and the policy is also set to exclude the database files along with their directories.

Input and discussion on your opinions and setups is definitely welcome.
ckershner:

If the servers do not go on the internet (except for updates), I agree that you won't need the antivirus. The antivirus won't go into the SQL, Oracle and Domino databases anyway, so you just slow the servers down with the antivirus...
SOLUTION
notacomputergeek:

I think his point was that these servers don't have file shares. Also, workstations running the antivirus check the documents anyway. If you don't open an infected document on the server (i.e. no Word, PowerPoint etc.), your infection possibilities are very low. Hacking, however, can be done, so careful control of passwords, keeping Windows updates on both servers and workstations, and keeping workstations updated for their virus software are still very important.
SOLUTION
I had a root infection at a major university that got to the file server. No antivirus detected the rootkit. We can only identify the machines with the rootkit with a sniffer seeing spawning packets. The only way to have total security is to not plug the machines in. Everything is a tradeoff with security, speed and access. If a server is only accessed for updates and via databases, the antivirus is probably not adding much to the overall security of that server.

"The antivirus won't go into the SQL...."

Do you remember the SQL-Slammer Disaster? http://www.wired.com/wired/archive/11.07/slammer.html
SOLUTION
They hacked into SQL - Antivirus would not have detected it...
nftcadmins (asker):

Great info guys/gals. I am also leaning towards the better-safe-than-sorry aspect of it all. The major issue that I was getting at wrt databases and antivirus is that, in the past, I have had the antivirus on-access scanner lock a DB file, which causes the database engine to go completely crazy, which results in a whole lot of work on my part. Of course, the AV we were running was McAfee 8i and we are currently moving to 8.7i.

The point of the question was to get some of your expert experiences and comments (as you have provided) on whether the risk and time of upgrading all the servers to the new version of McAfee differed from the possible risk and time of the unknown future of viruses. Obviously, the better-safe-than-sorry story is valid, except that all the viruses I have ever had to deal with were always the ones that didn't have a fix/solution.

I agree that any server that has random data coming and going from it (such as a file server) wouldn't be hurt by doubling up the protection, antivirus on the client and on the server. We have a very good Windows update policy and utilize the McAfee ePO server to manage the antivirus aspect. All work very well IMHO.

Please continue with the opinions, as the more the merrier.
SOLUTION
Did you consider moving to servers that are more immune to viruses, e.g. Linux-based?

To the better-safe-than-sorry people: when does infection prevention become a disorder?  ;-)
ASKER CERTIFIED SOLUTION
We have client antivirus, server antivirus and transport-level antivirus in our network switch.

This way we get the same protection on client/server (with auto rollout of updates etc.); however, the switch A/V is different, so it fills the gaps of the client/server and vice versa.

Same here. I use Kerio firewall with McAfee and AVG both checking transport level. If someone trojans a WS and gets administrative access to the admin shares, I doubt the antivirus on the server will save you. A large customer of mine was attacked that way. The antivirus (Symantec) was disabled on the server, all tracks erased, rootkits put on over 100 workstations etc. We did a major rebuild, scrub and move of Oracle, SQL etc. Took a few months and lots of money. We had to look at all machines for possible credit card #'s, SSN's etc. and notify anybody that might have been compromised.

We let the department use their network without internet access. If we turned on internet access, it would take about 2 hours to use up all the connections on our firewall due to spawning processes, even though we couldn't detect any rootkits or viruses with multitudes of rootkit detection programs: Symantec, McAfee, Mandiant, Snort, Windows Defender, TDSS and many others.

We then created a new domain, set up 'scrubbers' to scrub all data before it went on the new domain, backed up all user data, UNPLUGGED all workstations, set up a temp domain on a switch with the old servers just in case, etc.

Lots of time and money: new servers, some new WS's, added a NAC. Now workstations have to have all Windows updates (that we have in the NAC; we check for compatibility first) and antivirus updates before they are authenticated to the domain...

nftcadmins (asker):

Again, I appreciate all the comments.

up_grayed_out: You make a very valid point and I forgot to look at it that way, wrt the admin shares.

ckershner: You definitely sound like you have lots of experience. I appreciate your involvement on this thread and stimulating the conversation.

sjef_bosman: LOL!

I think I have all the information that I need. Thank you all for your participation.

Thanks, lots of luck to you as well. Hope you never have to deal with major hackers. It's not fun.