Antivirus and servers

I am not a big believer in file level antivirus software running on servers, specially when they are holding domain controllers role or are running exchange services. In my experience they tend to cause more problems than do good. While these problems are often related to misconfiguration of antivirus products they can lead to big problems with infrastructure (e.g. corrupted Active Directory or Exchange database, slow server responses and even Blue Screen of Death (BSOD)). No, I am not naming any vendor names, but I should still have some dump files laying around to prove it ;-). Anyway, they all have their fair share of "issues" :-)

Note: this post talks about file level antivirus, not an antivirus that is installed on e-mail servers to check inbound and outbound e-mails. I would recommend that every e-mail server has an antivirus installed to check arriving e-mails for viruses and other malicious code.

Let's take this idea step-by-step:

Property of the virus is that it can only infect a computer with some user interaction (e.g. user runs an infected file)

Worms on the other hand can infect a computer without any user action. They use vulnerabilities on systems that have not been updated (patched) to infect it. At the same time you cannot really rely on antivirus to protect the computer if the computer has not been updated (patched).
If we take a look at Blaster worm it used DCOM RPC Interface Buffer Overrun Vulnerability to infect the computer. Even up-to-date antivirus did not protect the system from infection, because the operating system itself was vulnerable. Once the operating system was updated, this computer was safe from the worm even without antivirus.

Side note: you could protect yourself from Blaster worm by enabling personal firewall on the computer (e.g. Windows Firewall)

Most common ways of infection
One of most common way of infection is by e-mail. I am yet to see a good reason to read an e-mail on a domain controller or on Exchange server itself.
Downloading infected file from the internet is another common way of infection. Just like with reading an e-mail, I can’t really see a scenario where administrator would need to browse the internet from domain controller. Patches can among other ways be deployed to computers using WSUS server. This is why I usually prohibit access to the internet from servers on the firewall. If I can I go even one step further and prohibit access to the internet for any users that are members of certain groups such as Domain Administrators group in domain.
I usually accomplish this by using Microsoft ISA Server, where you can configure who (user account or group) has access to the internet and who doesn't. You can also easily configure which web sites server has access to and discard all others. This way you can grant the server access to certain Microsoft websites (e.g. Windows Update) and deny access to all others by using URL addresses. Even if IP address of the destination web server changes access to the site will always work as long as URL address stays the same.
Other patches (e.g. driver patches) that are not available through Windows Update site, can be downloaded on the client PC where antivirus should be installed. Once the package was verified it can be copied to the server using USB memory sticks or even over the network.

If you decide to run antivirus software on your servers, make sure it is configured properly. Here are few articles that can help you with this:

Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, or Windows XP

Overview of Exchange Server 2003 and antivirus software

The DHCP service does not start when you start a Windows Server 2003-based computer

Note: I have seen it few times now and this is the reason why I decided to post this. Certain antivirus product(s) forget the exclusions that you set under certain conditions which can cause unexpected problems. (as mentioned corrupted databases etc). If you are running antivirus software on your server, check on the exclusions every once in a while, specially if your server starts to behave oddly all of a sudden.

Add comment