Antivirus on Servers

I am hoping to get some discussion points on installing Antivirus software on your servers.  We are currently in the process of upgrading all our Antivirus clients to the latest McAffee 8.7i with their ePO Agent 4.5.0 to mange the setup.  We previously always installed antivirus on all our servers, however, I am curious now if that is really necessary.  I was looking at removing antivirus from all the servers with the exception of the file servers.  Our environment consists of Windows 2003 R2 servers, these servers host a variety of Domino, Oracle, SQL and Terminal services for our environment.  All our servers are protected under lock and key from any intruders and there is 24/7 security in the building.

Does it make sense to install Antivirus on just the Windows File servers and leave the rest unprotected?  Are there special considerations if you were to install antivirus on a Domino or Oracle server?  Right now, the ePO policy is set to exlude NSF files in the Domino case and the policy is also set to exclude the database files along with their directories.

Input and discussion on your opinions and setups is definitely welcome.
nftcadmins (Network System Administrator) asked:
If the servers do not go on the internet (except for updates), I agree that you won't need the antivirus. The antivirus won't go into the SQL, Oracle and Domino databases anyway, so you just slow the servers down with the antivirus...
If you have file shares going to any of these servers, an infected client could copy infected files or malicious files (such as an autorun.inf file and code) on the share, which could then cause infection to be spread to anyone else accessing the same share.

I still run A-V on servers with real-time scanning and daily scanning. You never know how a new strain of virus will be unleashed in the future - better to be safe.

I guess this is the paranoia in me.
I think his point was that these servers don't have file shares. Also, workstations running the anti-virus check the documents anyway. If you don't open an infected document on the server - i.e. no Word, PowerPoint etc. - your infection possibilities are very low. Hacking, however, can be done, so careful control of passwords, keeping Windows updates on both servers and workstations, and keeping WS updated for their virus software are still very important.
Nenad Rajsic commented:
Every server should have antivirus software installed.

Just imagine if one of your client machines ends up having a rootkit installed and then from that rootkit a keylogger is installed > your support staff logs on to that machine > hacker has your credentials > installs rootkit on your server > you have no protection to notify you of any suspicious activity > you continue working forever without knowing that your server is under someone else's control. Not trying to scare you - anything can happen, so it's better to be safe than sorry.
I had a root infection at a major university that got to the fileserver. No antivirus detected the rootkit. We could only identify the machines with the rootkit with a sniffer seeing spawning packets. The only way to have total security is to not plug the machines in. Everything is a tradeoff with security, speed and access. If a server is only accessed for updates and via databases, the antivirus is probably not adding much to the overall security of that server.
"The antivirus won't go into the SQL...."

Do you remember the SQL-Slammer Disaster?
Steve (IT Manager) commented:
We run Avast antivirus which is quite cost effective and has an Exchange module if required.

I have the antivirus configured for file scanning on all servers (excluding network paths) as well as scanning any internet traffic.

The thing with viruses is sometimes you never know - if the virus is new it could do damage whilst waiting for the fix/notification that the machine is infected; as for usage/performance impact and best practice, I have the above setup and the servers' antivirus is configured to scan the relevant areas, which I find provides "peace of mind" whilst sacrificing minimal resources.
They hacked into SQL - Antivirus would not have detected it...
nftcadmins (Network System Administrator, author) commented:
Great info guys/gals. I am also leaning towards the better-safe-than-sorry aspect of it all. The major issue that I was getting at wrt database and antivirus is that I have had, in the past, the antivirus on-access scanner lock a DB file, which causes the database engine to go completely crazy, which results in a whole lot of work on my part. Of course, the AV we were running was McAfee 8i and we are currently moving to 8.7i.

The point of the question was to get some of your expert experiences and comments (as you have provided) on whether the risk and time of upgrading all the servers to the new version of McAfee differed from the possible risk and time of the unknown future of viruses. Obviously, the better-safe-than-sorry story is valid, except that all the viruses I have ever had to deal with were always the ones that didn't have a fix/solution.

I agree that any server that has random data coming and going from it (such as a file server) wouldn't be hurt by doubling up the protection, antivirus on the client and on the server. We have a very good Windows update policy and utilize the McAfee ePO server to manage the antivirus aspect. All work very well IMHO.

Please continue with the opinions, as the more the merrier.
If you did get infected, it would be more defensible to have the virus protection regardless of the consequences. Good luck with your decision...
Sjef Bosman (Groupware Consultant) commented:
Did you consider moving to servers that are more immune to viruses, e.g. Linux-based?

To the better-safe-than-sorry people: when does infection prevention become a disorder?  ;-)
All Windows servers have file shares. It's called the admin share. Each drive is shared as
\\hostname\c$. The drive is only open to admins, but... If you're logged in as an administrative account, and you get a virus that spreads via file shares, guess what? Your servers are vulnerable. Conficker, btw, spreads via SMB shares.
Rule of thumb: always antivirus on servers, configured not to scan any DB files that will cause an application to lock up. Also, it's a good idea to use a different AV product for servers and workstations. That way one might catch what the other doesn't.
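As an added example (not from this thread or from any AV vendor), the two points above can be checked on a Windows server with a short PowerShell audit: list every share, mark the administrative ones (C$, ADMIN$ and friends), and flag any share whose path sits under an on-access exclusion, since a DB-directory exclusion that also covers a writable share leaves that share unscanned. The exclusion paths are a constructed sample standing in for an export of your ePO policy; `Get-WmiObject` and the WinNT/WMI share data are standard Windows PowerShell.

```powershell
# Added example: audit shares against AV on-access exclusions (defender check).
# Constructed sample exclusion list; replace with the paths from your ePO policy.
$Exclusions = @(
    'D:\Oracle\oradata\',
    'E:\MSSQL\Data\',
    'F:\Lotus\Domino\Data\'
)

function Get-ShareAudit {
    param([string[]]$ExcludedPaths = $Exclusions)

    # Win32_Share.Type has bit 0x80000000 set for administrative shares.
    $adminFlag = 2147483648

    Get-WmiObject -Class Win32_Share | ForEach-Object {
        $share = $_
        # Normalise the share path to a trailing backslash for prefix matching.
        $path = ''
        if ($share.Path) { $path = $share.Path.TrimEnd('\') + '\' }

        $covered = @()
        if ($path) {
            $covered = $ExcludedPaths | Where-Object {
                $path.StartsWith($_, 'OrdinalIgnoreCase')
            }
        }

        # New-Object is used instead of [pscustomobject] so this runs on PowerShell 2.0.
        New-Object PSObject -Property @{
            Share            = $share.Name
            Path             = $share.Path
            AdminShare       = (($share.Type -band $adminFlag) -ne 0)
            UnderAVExclusion = ($covered.Count -gt 0)
        }
    }
}

# Admin shares show which drives are reachable with administrative credentials;
# UnderAVExclusion = True means a share the on-access scanner will not inspect.
Get-ShareAudit |
    Sort-Object AdminShare, Share |
    Format-Table Share, Path, AdminShare, UnderAVExclusion -AutoSize
```

Run it as a local administrator on each server; a non-admin share that reports UnderAVExclusion as True is a candidate for narrowing the exclusion to the specific DB file types rather than the whole directory.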

Steve (IT Manager) commented:
We have client antivirus, server antivirus and transport level antivirus in our network switch

This way we get the same protection on client/server (with auto rollout of updates etc.); however, the switch A/V is different, so it fills the gaps of the client/server and vice versa.
Same here. I use Kerio firewall with McAfee and AVG both checking transport level. If someone trojans a WS and get administrative access to the admin shares, I doubt if the antivirus on the server will save you. A large customer of mine was attacked that way. The antivirus (symantec) was disabled on the server, all tracks erased, root kits put on over 100 workstations etc. We did a major rebuild, scrub and move of Oracle, SQL etc. Took a few months and lots of money. We had to look at all machines for possible credit card #'s, SSN's etc and notify anybody that might have been compromised.

We let the department use their network without internet access. If we turned on internet access, it would take about 2 hours to use up all the connections on our firewall due to spawning processes, even though we couldn't detect any rootkits or viruses with multitudes of rootkit detection programs - Symantec, McAfee, Mandiant, Snort, Windows Defender, TDSS and many others.

We then created a new domain, setup 'scrubbers' to scrub all data before it went on the new domain, backed up all user data, UNPLUGGED all workstations, setup a temp domain on a switch with the old servers just in case etc.

Lots of time and money - new servers - some new WS's - added a NAC. Now workstations have to have all Windows updates (that we have in the NAC - we check for compatibility first) and antivirus updates before they are authenticated to the domain...
nftcadmins (Network System Administrator, author) commented:
Again, I appreciate all the comments.  

up_grayed_out: You make a very valid point and I forgot to look at it that way, wrt the admin shares.

ckershner: You definitely sound like you have lots of experience, I appreciate your involvement on this thread and stimulating the conversation

sjef_bosman: LOL!

I think I have all the information that I need.  Thank you all for your participation.
Thanks, lots of luck to you as well. Hope you never have to deal with major hackers. It's not fun.