1

Possible Duplicate:
Do you run antivirus on your Windows servers?

PRO:

  • Additional security never hurts

CON:

  • slows down performance
  • No way a virus can get on a server (unless you do web surfing there or install strange software)
  • Cost
  • another potential attack vector

Overall, I think it is not worth the effort. What is your take? Did I overlook something?

Note: I talk about Win 2008 web servers + firewall (not Win 2003, SQL, etc).

robinc
  • 1
    Another mistake ppl often make is assuming that firewalling a server from the public internet prevents any unauthorized access. I've seen corporate virus outbreaks (including infected servers) at sites that trusted everyone inside the firewall. Joe User takes their laptop home, gets infected, plugs into the corporate network, et voila. – jj33 Dec 14 '10 at 21:18

6 Answers

11

"No way a virus can get on a server (unless you do web surfing there or install strange software)"

Without addressing any other points of your argument, the one above is patently, provably, historically untrue.

jj33
  • Well, yes, BUT will normal anti-virus software detect such issues? And for Win 2008 + firewall I am not aware of any known worm attacks. – robinc Dec 14 '10 at 20:28
  • 4
    +1 for answering much more politely than I could. – Scott Pack Dec 14 '10 at 20:30
  • @robinc: Many compromises are accomplished by exploiting the applications running on your server to drop viruses/rootkits/etc. Your AV should (will hopefully?) prevent the drops from happening. – Scott Pack Dec 14 '10 at 20:32
  • But the only application running will be IIS. Any known issues of compromised IIS7 ? – robinc Dec 14 '10 at 20:39
  • 1
    IIS7 has 5 published vulnerabilities, all of which can be fixed with patches. How willing are you to roll the dice that there will not be another? [Source](http://secunia.com/advisories/product/17543/) – Chris S Dec 14 '10 at 20:42
  • Chris S beat me to it. And let's not forget whatever websites or webapps are being served up via IIS. – Scott Pack Dec 14 '10 at 20:45
  • 1
    Most of the issues tend to come from the web applications that you're running. Unless IIS is only going to be serving static html. – 3dinfluence Dec 14 '10 at 20:46
  • 1
    It sounds like you've already made up your mind that it's not needed and now you're trying to get us to agree with you. I remember a virus earlier this decade that had something like 5 separate attack vectors, at least two of which were exploits in flaws in Windows (file sharing I think) – jj33 Dec 14 '10 at 20:53
  • Actually he is right. There were a lot of very public IIS exploits in the past - ALL PATCHED 12+ months before hell broke loose, so it was more a Darwin test for stupid admins. – TomTom Dec 14 '10 at 21:03
  • Well, I had made up my mind that it is not needed... but I will now seriously reconsider. I am glad I asked! – robinc Dec 14 '10 at 21:06
  • "No way a virus can get on a server (unless you do web surfing there or install strange software)" - depends whether you're incorrectly using the term 'virus' to cover trojans, worms and other sorts of malware. – Alan B Aug 15 '11 at 08:28
7

File-level AV is needed on Servers, it's just the attack vector that's different. If that server allows users to upload any kind of data at all to it (such as all web servers doing anything except serving static pages) it needs AV software. That malware may not be infecting the server but it can infect other clients. An AV alarm on a server can be a very good indication that something bad happened that needs expert review.

Firewalls don't protect against a badly designed application that can get past the firewall.


For example, let's take a hypothetical cross-site scripting vulnerability. There is a script, http://example.com/calendar/addAttachment.asp that drops attachments in a certain directory so they can be appended to calendar events. Since the only way to drop files is to be a logged in user, the writer of the asp page decided to rely on file-level rights to permit people to upload data. Very secure, they thought. The firewall passes TCP/443 and TCP/80 because that's needed for this application.

Nefarious Person (the NP) learns that the exact ASP-page can be called from a guest context. And after a lot of poking around, has found out how to:

  • Drop files in arbitrary locations
  • Where anonymous-user can drop files where they'll then be served

The NP then proceeds to upload some evil software to those locations and through Other Means direct traffic at those links (SEO hijacking, Evil Popups, other drive-by-downloaders) where http://example.com/ becomes a source of malware.


If that server had AV, it would have raised a big red flag the moment the NP tried to upload the evil software. You'd be alerted to this vulnerable application, and your site wouldn't end up on various blacklists of 'untrustworthy sites'.

There is more to Windows security than worm-resistance.

sysadmin1138
  • Well, that convinced me. Now checking budget and my options. That might be another question in the near future. – robinc Dec 14 '10 at 21:17
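
A defender-side check for the scenario in the answer above, as an added example that is not part of the original post: it scans an IIS W3C log for POSTs to the upload handler that were accepted without an authenticated user. The log lines and the field selection are constructed for illustration; the handler path is the one the answer uses.

```python
"""Flag accepted anonymous POSTs to an upload handler in IIS W3C logs."""

# Constructed sample log (not from the page); client addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2010-12-14 20:01:10 POST /calendar/addAttachment.asp alice 192.0.2.10 200
2010-12-14 20:05:42 POST /calendar/addAttachment.asp - 203.0.113.7 200
2010-12-14 20:05:50 POST /calendar/addAttachment.asp - 203.0.113.7 401
2010-12-14 20:06:03 GET /calendar/view.asp - 198.51.100.4 200
2010-12-14 20:07:15 POST /Calendar/AddAttachment.asp - 203.0.113.7 302
"""

UPLOAD_STEM = "/calendar/addAttachment.asp"  # handler named in the answer


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # the directive may change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or torn lines
                yield dict(zip(fields, values))


def anonymous_uploads(text, stem=UPLOAD_STEM):
    """Return requests where a guest POST to the upload handler was accepted."""
    hits = []
    for row in parse_w3c(text):
        if (row.get("cs-method") == "POST"
                # IIS serves paths case-insensitively, so compare lowercased
                and row.get("cs-uri-stem", "").lower() == stem.lower()
                # "-" in cs-username means no authenticated user
                and row.get("cs-username") == "-"
                # 2xx/3xx: the request was accepted rather than refused (401/403)
                and row.get("sc-status", "")[:1] in ("2", "3")):
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in anonymous_uploads(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"], hit["sc-status"])
```

A hit here complements the AV alarm the answer describes: the alarm says something bad was written, the log line says which handler accepted it and from where.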
1

PRO: Additional security never hurts

I agree

CON:

slows down performance

No way a virus can get on a server (unless you do web surfing there or install strange software)

Cost

another potential attack vector

I disagree on almost every one of these:

Slows down performance: Who says? Do you have any study data that proves this?

No way a virus can get on a server: See jj33's answer.

Cost: True enough. You'll have to pay for any reputable anti-virus software for your server.

Another potential attack vector: Possibly, but I'd argue that anti-virus software reduces the number of attack vectors more than it creates additional attack vectors.

joeqwerty
  • 1
    Actually, I hate to say anything that might keep AV off of any machine, but I have run across setups in the past where AV did slow things down. I can't remember all of the details, but if memory serves it was on an IVR system that did call recording (as in "your call may be recorded for quality purposes"). If we put AV on the machine in a standard config, it dropped performance on the server to the point where the server was unusable - The vendor wanted AV off, we settled on excluding the recordings directory. – jj33 Dec 14 '10 at 21:16
1

I think this also depends on whether you mean full antivirus (on access) vs. non on access.

If it's the on-access part that is slowing down the server, you should be able to turn off the read aspect and keep the write aspect, I would think, as long as you do regular scans.

Adam Fox
1

AV on a server. It can be fun when the AV detects the RAID driver as a virus and chucks it in quarantine or even thinks the backup job is suspect and stops it.

ax25
0

This depends on the server functionality — some kinds of servers are much more vulnerable than others:

  • File servers without an anti-virus might spread the infection even though the malware is not running on the server itself.
  • Terminal servers can be vulnerable to infections due to careless users.
Sergey Vlasov
  • He specifically stated this is an IIS Web server with all other functionality firewalled off. – Chris S Dec 14 '10 at 20:43
  • @Chris: It's hard to give a good answer if the question is changing :) Also, the point about file servers equally applies to a web server with uploads enabled (as sysadmin1138 noted). – Sergey Vlasov Dec 14 '10 at 21:03
  • Sergey, yes I clarified the question. Thanks for your answer. – robinc Dec 14 '10 at 21:16