Antivirus and Antispam for SBS 2008

I'd like to have a single solution to handle antivirus and antispam on our SBS 2008 box which will be handling company email.

I realize there isn't a definitive answer to my questions but I'd love to at least have some opinions.

1. Would you recommend using a single, server-installed solution for this?
2. Does anyone have experience with MS Forefront for Server (not used for client workstations)? Would you recommend it?
3. If you recommend using MS Forefront, do you also have a recommendation of where to buy it?

Keith Alabaster (Enterprise Architect) commented:
Personally I use Forefront for Exchange 2010 on my SBS box but be aware it can eat memory if the box is under-specified in terms of resource. Handles SPAM, Malware and AV.

We buy it through Computacenter.

ebooyens commented:
I'd recommend Trend Worry-Free Business Security Premium for a couple of reasons:
1. Installation on the server is simple and wizard based and installation on clients is brainless - you can add a shortcut to a logon script or run \\servername\ofcscan\autopcc.exe from any machine and it will automatically uninstall any AV already on these and install itself without any intervention.  Or you could push it out from the management console, again without any intervention on the client.  Very slick.
2. It just works and hardly ever breaks down.
3. You need Premium for Exchange, but it comes with Trend's cloud anti-spam solution - i.e. it takes the load of anti-spam off the server, and it's the easiest cloud anti-spam to set up that I've worked with. Users just get an e-mail if there is an e-mail quarantined (without having to configure users), and the first time they need to log in they just register their account, all automated without administrative intervention.

I have to admit that I haven't worked with MS Forefront much, sorry, but I've worked with many others and Trend is great. You can always install the 30-day trial and move away if you're not happy.
HKComputer (Author) commented:
About 15 users on my box, and here are a few quick specs.
  • (4) 15K hard drives in RAID 5
  • 12 GB of RAM
  • Dual quad-core Xeon processors running at 2.4 GHz
Any reason to believe this system will get bogged down?

My biggest complaint with all security software is the massive amount of resources consumed, mostly RAM and HD reads/writes. I've done some unscientific tests on desktop systems using older versions of Symantec products or AVG and the results are simply mind-boggling when it comes to disk reads per second performed by security software. I'd actually like to go without security software on the server and try using a non-resident scanner on the server combined with a gateway solution. Problem is, we don't really have money in the budget right now for a gateway solution.
Lee W, MVP (Technology and Business Process Advisor) commented:
You can consider a bundle from GFI.  I find it works very well and provides a great deal of configuration options - you can choose how it deals with each category of spam.  HOWEVER, the configurability also means it can be a little time consuming to setup and require some continually tweaking early on.  Personally, I prefer having flexible control over many other solutions that just ask what to do with spam and not what to do with certain kinds of spam.

As for antivirus, I have been recommending and installing Sunbelt's VIPRE Enterprise (and Sunbelt was just acquired by GFI, so you are technically going with one company's products, though initially they won't look or feel much alike). VIPRE has a very competitive price, but it DOES require a minimum number of licenses. Frankly, whatever solution you are using on the desktops should be used on the server - that is EXPECTED by virtually all business-class antivirus products and is part of the reason finding a SERVER-ONLY AV product is VERY difficult.
Cliff Galiher commented:
1. Would you recommend using a single, server-installed solution for this?
Absolutely not. There are multiple points of entry for a virus infection and they should be protected. In short, client AV is important (I'd argue MORE important than server AV). That, inherently, is no longer a "single" installed solution.

2. Does anyone have experience with MS Forefront for Server (not used for client workstations)? Would you recommend it?

Forefront isn't a single product, but is a suite of products. Forefront Security for Exchange, for example, is a great email solution for AV and Spam, but does not scan files at all. So your file server, sharepoint server, and clients are still at risk. Again, best to pair solutions.
I use Forefront Security for Exchange, and Forefront Client Security where I can. I fall back to Symantec Endpoint Security (for clients/file scanning) and Symantec Mail Security (for Exchange) when clients are not looking for an MS solution.
Others will recommend other solutions, and mostly it is a religious argument, but since you asked about Forefront specifically, I thought I'd answer. But regardless of the solution, file protection and client protection is *ESSENTIAL* to a safe network.
3. If you recommend using MS Forefront, do you also have a recommendation of where to buy it?
For volume licensing, I have had very good experiences with, but again, this is going to be primarily a "religious" debate.
I agree with leew, VIPRE is fantastic - if I get a system with spyware or viruses on it I usually uninstall whatever's on there and install VIPRE; it is great for clients.

And GFI does give you great control but at the cost of server overhead and the possibility of messing things up if you're not careful.

If I had to recommend one solution for anti-spam, server and client AV, Trend is the way to go. I forgot to mention that Trend's server agent comes with built-in anti-spam, so you don't have to use the cloud solution; you could just configure it on the server, although it isn't quite as powerful as GFI. Personally I feel the cloud solution works great, is very secure, and it's just so easy it's hard to beat.
Lee W, MVP (Technology and Business Process Advisor) commented:
Thing is - you don't want to run two products that do the same thing on the same hardware. But that doesn't mean you don't want multiple products on the network. For example, a UTM device would be a great idea - but the asker has already stated there is no budget for that. (Though frankly, I think that's a poor excuse... what's the budget for cleaning up an infection or hacker break-in? Probably no budget for that either, but that will likely cost a lot more than $600-800 for a good UTM device.)
Lee W, MVP (Technology and Business Process Advisor) commented:
I have an older version of GFI Mail Essentials handling spam filtering... some stuff gets through... but probably only 5-10 messages of spam on most days and it blocks 90%+ of other spam.  The way I configure mine is to completely block (delete without even seeing) things from systems on a couple of blacklists, and then everything else questionable gets thrown into junkmail.  The only stuff in Junk mail that isn't junk 99% of the time is newsletters and the like I haven't gone in and whitelisted yet.

As for Mail Security, that is a resource hog... that said, I have it running on an 800 MHz box with 500 MB of RAM and it works great. Yes, the system is pegged... but imagine I wasn't doing something that insane and I had it on a modern system... the resource utilization would be minimal by comparison.
If you really only wanted gateway and client protection I'd say VIPRE on the clients and a SonicWall with comprehensive security as your firewall. But no AV on the server isn't a good idea. Get the costings of the different products recommended here and go from there. If I had a 15+ user network I'd want to have a SonicWall and then Trend WFB with the cloud doing the anti-spam. You'll need to push your management to fork out the money; as leew says, you just need to be hacked or spend 3 days removing malware from the manager's PC while he/she can't work to get them to spend the money after the fact.
HKComputer (Author) commented:
Concerning antivirus, I'll get my head chopped off (figuratively speaking) if I tell you how we have been running here. All the viruses that have occurred here were before I started even though I'm not taking credit for that, at least not directly. The primary change I made was implementing OpenDNS filtering across the network. Also, the fact that there is an IT administrator here that can get into any computer at any time seems to affect the way the users use their workstations.

I don't think I've ever met a "legitimate" technical person, one who works with Windows anyway, that would recommend going without AV. However, most of us know that some fairly basic precautions (such as OpenDNS filtering and installing the latest windows updates) combined with common sense can greatly minimize the chances of getting infected. You just can't rule out the possibility of a virus or intrusion if you don't use any AV. But the sad part is, you can't rule out the possibility of getting one even when you do have a solid AV solution in place.

Susan Bradley (SBS Diva) posted last year (I think) that she would also like to move away from running resident AV on the server. That's one of the only reasons I was considering it. There appears to be no follow up post saying if she has ever tried this. Also, I can't get her blog to load right now. Appears that site is having a problem.

One other little thing is that I never let anyone use the servers here. Even I do not browse the web or install trial software on our server. I learned at a previous company I worked at how important it is to not use your servers as workstations or test machines.

> You'll need to push your management to fork out the money; as leew says, you just need to be hacked or spend 3 days removing malware from the manager's PC while he/she can't work to get them to spend the money after the fact.

Yeah, the IT guy usually gets blamed for this kind of stuff. You get blamed for spending too much money but you get blamed when something happens as well.

HKComputer (Author) commented:
Here's what Susan Bradley said in her blog post. It's loading fine for me now.

"I'm beginning to think that the wisest thing may be to scan everything that comes in with perimeter devices, place a/v on the workstations, and set up a scripted scanner to scan the server but not to put the antivirus on the server itself."
Well, there are two issues here - minimising resource usage and minimising cost. On the resource side what she's saying makes sense (and in terms of conflicting with other software, I guess), but what scripted AV would you use, how would you update the pattern, and how would you report on it without having to read through logs? You can just install the AV agent, disable real-time scanning and enable scheduled scanning, which would be exactly what she's saying in effect. Except you have to pay for the AV agent on the server, but I don't think that's her concern.

The thing is, you've got a server that's clearly capable of handling the load for 15 users; because it's SBS, e-mail is flowing through it and people are storing files on it, so there's lots of potential for malware. Users can therefore access infected e-mails and files before the scan comes along, so you're relying on gateway and client AV. So I don't think you have reason to try and save the resources on that server and the cost of the server agent (Trend, for example, doesn't distinguish between servers and clients); it isn't worth buying one less license.

But yeah, in the end the people with the money will decide.  I'm not sure how for example a Sonicwall firewall and 15 Vipre licenses will stack up against 16 Trend Premium licenses (well if you add the Sonicwall, probably not well), but you'll need to explain to management what would be best and why and then say OK, we can go for the cheaper option but here's the risk.

Just to add on the Sonicwall, I've just found that where people don't have this bandwidth usage is much higher as it blocks a lot of garbage at the gateway and people pick up spyware if they don't have one (laptop users still pick up stuff at home though, but then they're accountable).  I guess you could just disable local admin rights but that usually isn't very practical.

Good luck!
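As an added example (not code from the thread or from any vendor mentioned in it), here is what the "scripted scanner" approach quoted above looks like as a PowerShell task body, answering the three questions raised: update the pattern, run the scan, and report without reading logs. The scanner path, its switches and the meaning of its exit codes are placeholders to replace with your vendor's documented values; the mail addresses and SMTP relay are assumptions.

```powershell
# Added example: non-resident scheduled server scan with signature update and e-mailed summary.
# Run from Task Scheduler (e.g. nightly) under an account that can execute the scanner.
$Scanner    = 'C:\Program Files\YourVendor\scancli.exe'   # PLACEHOLDER: vendor command-line scanner
$UpdateArgs = '/update'                                   # PLACEHOLDER: its signature-update switch
$ScanArgs   = '/scan C:\ /quiet'                          # PLACEHOLDER: its on-demand scan switch
$LogDir     = 'C:\ScanReports'
$MailTo     = 'admin@example.com'                         # placeholder addresses
$MailFrom   = 'sbs-scan@example.com'
$SmtpServer = 'localhost'   # assumes the local Exchange accepts relay from the server itself

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmm'
$logFile = Join-Path $LogDir "scan-$stamp.log"

# 1. Update signatures first; a scan with stale patterns proves little.
$update = Start-Process -FilePath $Scanner -ArgumentList $UpdateArgs `
              -Wait -PassThru -NoNewWindow

# 2. Run the on-demand scan, capturing its output so nobody has to read raw logs later.
$scan = Start-Process -FilePath $Scanner -ArgumentList $ScanArgs `
            -Wait -PassThru -NoNewWindow -RedirectStandardOutput $logFile

# 3. Reduce the run to one status line (exit-code meanings are an assumption; check your vendor).
if ($update.ExitCode -ne 0)   { $status = "UPDATE FAILED (exit $($update.ExitCode))" }
elseif ($scan.ExitCode -eq 0) { $status = 'CLEAN' }
else                          { $status = "ATTENTION (scan exit $($scan.ExitCode))" }

# Keep only the scanner lines that mention a detection for the e-mail body.
$hits = @(Get-Content $logFile | Select-String -Pattern 'infect|detect|quarantin')
$body = @"
Server scan on $env:COMPUTERNAME at $stamp
Status: $status
Signature update exit code: $($update.ExitCode)
Scanner lines mentioning a detection: $($hits.Count)

$(($hits | Select-Object -First 20 | ForEach-Object { $_.Line }) -join "`n")

Full log: $logFile
"@

# Subject carries the status so an "ATTENTION" run stands out in the admin inbox.
Send-MailMessage -To $MailTo -From $MailFrom -SmtpServer $SmtpServer `
    -Subject "[$status] SBS server scan $stamp" -Body $body
```

Note that this only covers the server's own disk; as the thread points out, users can reach infected mail and files between scheduled runs, so gateway and client AV still carry the real-time load.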
Cliff Galiher commented:
Keep in mind that Susan is an SBS-MVP and she is only talking about her own server, not a client's. That has several implications:
1) It is only her data at risk. Risk assessment and risk management is a big part of an IT Pro's job. If she loses data, she blames herself. If your server loses data, YOU get blamed by someone else. Chances are she's not going to fire
2) As the server is under her control, she can enforce best practices to keep risk to a minimum. If *anybody* has access to your server, you can't make the same claim. One bad browser window, one flash exploit, and your server is owned. Then, we are back to point #1. Who gets blamed?
3) As an MVP, specifically an SBS-MVP, and as someone who I happen to know is very knowledgeable in the security arena, she has the expertise to actually know what the best practices are for #2. And I'm talking *depth* of knowledge here, not casual knowledge. Again, that makes a difference in both taking the risk (#1) and judging the risk (#2).
4) Again, as an SBS-MVP, she has both the experience and access to resources that, if the worst should occur, she can get a server back up from backups and other methods *very* quickly. So, if you consider that risk management must also encompass recovery in the event of a business-continuity event, she is far better equipped to handle an unprotected server than most.
In short, in her shoes, I'd do the same (and, for the record, I do), but I wouldn't recommend it for any of my clients or for the community at large. If I didn't get access to technet, have free support incidents, have access to other SBS MVPs that I've had the privilege of meeting, or those other resources, I wouldn't even follow that practice myself. So this isn't a matter of "practice what you preach" but a matter of unique circumstances and all of that needs to be weighed.
digitap commented:
We employ GFI MailSecurity and GFI MailEssentials. Can't say that, with the newer version, we've ever had a virus come through via email. We've found a configuration between both Exchange and GFI that does a really good job of keeping spam out of the users' Inbox. We also employ SonicWall appliances with Security Services. I can't say that I've EVER seen the SonicWall block anything viral or whatever. It says it blocks spam and virus traffic, but I don't think it works. I'd focus on IPS on the firewall. Regarding Symantec, it's the worst product you can get right now. It's bloated and ineffective. Our clients are CONSTANTLY getting viruses with SEP installed. We end up downloading Malwarebytes and installing it on the workstations to clean it off. All the while, Symantec sits there doing nothing.

My two cents.
thanks for the points!