Security Basics mailing list archives
RE: Why NOT to disable Real Time Antivirus on Servers
From: "Dunigan, Michael" <mdunigan () umich edu>
Date: Thu, 3 Nov 2005 14:34:54 -0500
The flaw in your friend's argument is the assumption that the workstation connections are "the only way a virus can get in". It may be true, but it is easy to overlook attack vectors for malware.

- Maybe you become a victim of a "Zero-day attack" because you can not get a patch, test it, and apply it to all of your servers before malware makes your machines toast.
- Maybe you get a patch and find a problem with the patch, so you intentionally don't apply it at first.
- Are you running an SMTP service on the server that could allow malware on the server?
- SFTP/FTP/WebDAV?
- Open file shares that are accessible to partners/vendors/other departments/etc.?

The list can go on and on, but you have to make sure that there is NO way to get a file/virus/malware on the server that is not protected. And once your server is compromised, the only way to ensure you have it clean is to rebuild it.

I used to run with the mode that your friend supports, but we found that it was just too much risk, so we took a small performance hit and loaded up McAfee on the servers. The performance hit was noticeable, but not a show stopper. "Defense in Depth" is the mantra and loading anti-virus on the servers is a part of that.

Mike

-----Original Message-----
From: george.peek () gmx net [mailto:george.peek () gmx net]
Sent: Wednesday, November 02, 2005 12:34 PM
To: security-basics () securityfocus com
Subject: Why NOT to disable Real Time Antivirus on Servers

Greetings,

An Engineer and I are having an argument about keeping Real Time Antivirus disabled on servers.

His point is keeping Real Time Antivirus Enabled on servers such as the Exchange Server takes a huge performance hit on the server.

My argument is that keeping real time antivirus software disabled defeats the purpose of PREVENTING a server from being infected in the first place. Once it is infected, it is all too late already. The antivirus software is enabled on the workstations.

He argues that since all of the workstations have the antivirus enabled, then there is no way for the virus to get in.

My argument is that a virus can still get in through other means. I need examples and case studies to refer to.

I would like to find different case studies or scenarios where the real time antivirus was disabled on the servers, enabled on the PCs, and the company still got infected. Also, would like to find solutions to enabling real time scan and streamlining it so it does not affect the Exchange Server as bad.

Would someone point me in the right direction or post potential case studies. Please post or email me.

George.peek () gmx net

Thank You