Security Basics mailing list archives
RE: Symantec/Norton Real-Time Antivirus Considered Harmful on Exchange Servers
From: Mike Fetherston <mike_sha () shaw ca>
Date: Mon, 07 Nov 2005 13:33:53 -0500
In fact SAV Corp 10 excludes these paths/drives by default.

Mike Fetherston
-----Original Message-----
From: Roger A. Grimes [mailto:roger () banneretcs com]
Sent: Friday, November 04, 2005 10:42 PM
To: josh () securityfocus com; security-basics () securityfocus com
Subject: RE: Symantec/Norton Real-Time Antivirus Considered Harmful on Exchange Servers

This is a well known and well documented issue on both Microsoft and AV vendor software web sites since Exchange 5.0. You should only run Exchange-aware antivirus products, or in light of that, exclude the many Exchange folders present on any Exchange server.

If you exclude the Exchange and temp folders (which Exchange will use), then the risk to the Exchange server is minimal. Most admins should run Exchange antivirus gateway software instead and not worry about the exclusions.

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Consultant
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, CHFI, TICSA
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
***************************************************************************

-----Original Message-----
From: josh () securityfocus com [mailto:josh () securityfocus com]
Sent: Thursday, November 03, 2005 6:23 PM
To: security-basics () securityfocus com
Subject: Symantec/Norton Real-Time Antivirus Considered Harmful on Exchange Servers

I've had to deal with Symantec/Norton antivirus before on Exchange servers. This is a nightmare waiting to happen and certainly more than a simple performance issue.

I have been through a case where our Exchange Server totally bombed and did not respond to requests for 8 hours because of the Symantec Corporate Agent running on the Exchange Server. I did not originally know what the problem was and finally had to call Microsoft. We managed to figure out and turn off the Symantec AV Agent.

Also, the issue did not manifest itself for a month or more and we never found out why it chose to happen then...

MS recommends against running any filesystem AV on an Exchange Server and it can even corrupt your Information Store. We had lingering permissions issues afterwards that it took a while to clean up.

And yes, the appropriate Exchange directories were in the exclusion list. It didn't matter.

I know that the alternative of not running local filesystem AV is not particularly attractive, but it's better than crashing your Exchange server.

Regards,
Josh