9

Should I run a server-specific antivirus, regular antivirus, or no antivirus at all on my servers, particularly my Domain Controllers?

Here's some background about why I'm asking this question:

I've never questioned that antivirus software should be running on all Windows machines, period. Lately I've had some obscure Active Directory related issues that I have tracked down to antivirus software running on our domain controllers.

The specific issue was that Symantec Endpoint Protection was running on all domain controllers. Occasionally, our Exchange server triggered a false-positive in Symantec's "Network Threat Protection" on each DC in sequence. After exhausting access to all DCs, Exchange began refusing requests, presumably because it could not communicate with any Global Catalog servers or perform any authentication.

Outages would last about ten minutes at a time, and would occur once every few days. It took a long time to isolate the problem because it was not easily reproducible and generally investigation was done after the issue resolved itself.

mhud
  • Sounds like a nasty Symantec Endpoint Protection infection to me. I'd get that removed ASAP. Seriously, though, the product caused us major problems with Customers losing access to their servers, etc. It was horrible when it was released and the "maintenance releases" have only made it incrementally better. We're ditching them for Trend Micro everywhere it's feasible. – Evan Anderson Jul 29 '09 at 23:20
  • Agreed, Symantec products really make you WISH you caught some nasty virus instead of them. – Massimo Jul 29 '09 at 23:32
  • 1
    That's funny, we went from Trend Micro to Symantec. I guess it's all various shades of crap. – mhud Jul 30 '09 at 03:27
  • "Symantec" and "antivirus" should never be used in the same sentence, as there is no discernible relationship between them. – John Gardeniers Sep 18 '12 at 04:03

9 Answers

11

Anti-virus software should definitely be running on all machines in a properly-managed network, even if other threat prevention measures are in place. It should run on servers too, for two reasons: 1) they're the most critical computers in your environment, much more than client systems, and 2) they're no less at risk only because nobody actively uses (or at least should not be actively using) them for surfing the web: there's plenty of malware which can automatically spread across your network if it can get hold of even a single host.

That said, your problem is more related to properly configuring your anti-virus software.

The product you're using comes with built-in firewalling: that's something that should be taken into account when running it on server systems, and configured accordingly (or turned off altogether).

Some years ago, anti-virus software was (in)famous for randomly deleting Exchange databases if by chance it came across a viral signature inside some e-mail message stored in the physical data file; every anti-virus vendor warned about this in the product manual, but some people still failed to grasp it and got their stores nuked.

There's no software you can "just install and run" without thinking twice about what you're doing.

Massimo
  • Great point about taking the time to properly configure any AV software. AV software is probably the most important class of software to not "rush out." I have seen cases where Exchange has had its data files 'repaired' from underneath it, to much fanfare from people trying to use their e-mail. – mhud Jul 30 '09 at 03:33
2

I'm going to offer a counter point to the prevailing answers to this thread.

I don't think you should be running anti-virus software on most of your servers, with file servers being the exception. All it takes is one bad definition update and your anti-virus software could easily break an important application or stop authentication in your domain entirely. And, while AV software has made substantial progress in its performance impact over the years, certain types of scans can have a negative effect on I/O or memory sensitive applications.

I think there are pretty well documented downsides to running anti-virus software on servers, so what's the upside? Ostensibly, you have protected your servers from whatever nastiness filters in through your edge firewalls or is introduced into your network. But really are you protected? It's not entirely clear and here's why.

It seems like most successful malware has attack vectors that fall into three categories: a) relying on an ignorant end user to accidentally download it, b) relying on a vulnerability that exists in the operating system, application or service or c) it's a zero day exploit. None of these should be realistic or relevant attack vectors for servers in a well run organization.

a) Thou Shalt Not Surf the Internet on Thy Server. Done and done. Seriously, just don't do it.

b) Remember NIMDA? Code Red? Most of their propagation strategies relied on either social engineering (the end user clicking yes) or on known vulnerabilities that patches were already released for. You can significantly mitigate this attack vector by making sure you stay current with security updates.

c) Zero day exploits are hard to deal with. If it's zero day, by definition your anti-virus vendor will not have definitions out for it yet. Exercising defense in depth, the principle of least privilege and having the smallest attack surface possible really helps. In short, there's not much AV can do for these types of vulnerabilities.

You have to do the risk analysis yourself, but in my environment I think the benefits of AV are not significant enough to make up for the risk.

2

All of our servers (including file/sql/exchange) run Symantec Antivirus with realtime scanning and weekly scheduled scans. The software increases the load on the machines by ~2% for average workloads (average 10% CPU usage during the day w/o realtime scanning, 11.5-12.5% with realtime scanning on our file server).

Those cores weren't doing anything anyways.

YMMV.

SirStan
2

I have always had AV software with on-access scanning enabled on all Windows servers and have been grateful for it more than once. You need software that is both effective and well behaved. While I know there are a few who will disagree I have to tell you that Symantec is about as bad a choice as you could make.

"All in one" type packages are rarely as effective as well chosen individual components (as in, I've never seen a decent example yet). Select what you need for protection and then choose each component separately for best protection and performance.

One thing to be aware of is that there's probably no AV product that has decent default settings. Most these days go for scanning both read and write. While that would be nice it often leads to performance problems. Bad enough at any time but very bad when your DC has problems because a file it needs to access has been locked while the AV scanner is checking it. Most scanners also scan a very large number of file types that can't even be infected because they cannot contain active code. Check your settings and adjust with discretion.

John Gardeniers
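
One way to check the point above about a DC stalling when the scanner locks a file it needs, as an added example that is not part of the original answer: it reads the Active Directory database, log and working paths from the registry and reports any that the scanner's path exclusions do not cover. It assumes Microsoft Defender's `Get-MpPreference` as the source of exclusions (the products discussed in this thread expose their settings differently); the function names and sample paths are constructed for illustration.

```powershell
# Added example: report DC-critical paths that the AV path exclusions do not cover.
# Assumption: Microsoft Defender is the scanner; it only reports, it changes nothing.

function Get-DcCriticalPath {
    # AD DS records where its database, logs and working directory live here.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $p = Get-ItemProperty -Path $key
    @(
        $p.'DSA Database file'        # ntds.dit
        $p.'Database log files path'  # transaction logs
        $p.'DSA Working Directory'    # checkpoint and temp files
    ) | Where-Object { $_ }
}

function Test-PathExcluded {
    param([string]$Path, [string[]]$Exclusions)
    # Covered if the path equals an exclusion or sits under an excluded folder.
    $full = $Path.TrimEnd('\')
    foreach ($e in $Exclusions) {
        if (-not $e) { continue }
        # Exclusions may be stored with environment variables such as %windir%.
        $ex = [Environment]::ExpandEnvironmentVariables($e).TrimEnd('\')
        $under = $full.StartsWith("$ex\", [StringComparison]::OrdinalIgnoreCase)
        if ($full -ieq $ex -or $under) { return $true }
    }
    return $false
}

function Get-MissingExclusion {
    param([string[]]$Critical, [string[]]$Exclusions)
    $Critical | Where-Object { -not (Test-PathExcluded -Path $_ -Exclusions $Exclusions) }
}

# Constructed sample values so the logic can be followed without a DC:
$sampleCritical = 'D:\NTDS\ntds.dit', 'E:\NTDSLogs', 'D:\NTDS'
$sampleExcluded = 'D:\NTDS\'
Get-MissingExclusion -Critical $sampleCritical -Exclusions $sampleExcluded

# On a real domain controller (run elevated):
# Get-MissingExclusion -Critical (Get-DcCriticalPath) -Exclusions (Get-MpPreference).ExclusionPath
```

With the constructed sample, the log directory on `E:` is the one path reported, which is the common case where the database folder was excluded but the logs were moved to another volume.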
0

We generally set up AV on a schedule and don't use Real-Time scanning (i.e., files aren't scanned as they are created).

That seems to avoid most issues that come up with having AV on a server. Since no one (ideally) is actually running anything on the server, the need for real time protection is diminished, especially considering the clients have AV with Real Time.

Adam Brand
0

We run Vexira's server product on our servers, but it may be more a function of discounted pricing than effectiveness. We've had several workstations using their desktop product that will refuse to update unless we uninstall and reinstall with the latest version.

Bart Silverstrim
0

I get the feeling that a lot of these problems are caused by people configuring AV on servers as if they were home PCs. This may be down to shortsighted management, tightwad beancounters, rigid adherence to corporate policies that don't take proper account of different needs for different users/machines, or a former admin who wasn't quite up to scratch, but the end result is the same: havoc.

In an ideal world I would say "use a different AV product for your servers as is on your PCs, ensure before you buy it that it's a proper server AV product, and grab anything with the word 'Symantec' on it by the ears and throw it out the door".

Maximus Minimus
0

On the other side of the coin in 20 years with dozens of clients I have never seen a domain controller that did not have shared drives infected. Even then the only infections were files left on the drive and not actual OS infections. The malware we see most that even affects shares is cryptolocker and that does not actually infect servers. It simply encrypts the shared files. If the workstation is properly secured then the server will not get encrypted.

What I do see is the AV software causing problems. I have spent hours trying to figure out what changed only to find an AV update caused the issue. Even when properly configured I have seen issues. I know people will tell me best practices and all are to run AV. I know someone will point out that someday this will bite me for not having AV on every server. Up until just a year ago or so we never saw a cryptolocker and now we see variants pretty often (all of which fail to be stopped by several different brands of AV properly installed on the workstation, by the way). Maybe some day there will be another worm type virus that infects servers but until that time I am happy to not have to deal with AV issues on my SQL, print, and DC servers.

  • 2
    I'd argue this is essentially the same as [KCE's answer](http://serverfault.com/a/435411/7709), as this is actually unrelated to the domain controller being a domain controller, and more to do with it being a file server. If you choose to combine your file server and DC roles, then you are going to have to treat the server as both. – Mark Henderson Jun 02 '16 at 13:42
  • DC should never ever run together with databases, or mail servers or file servers ... one of the first things that happens when a server is a DC is that file caching on that server is TURNED OFF. – Rostol Jun 18 '16 at 23:54
-2

I realize that this thread is quite old, but I felt that the topic wasn't discussed completely, as the only mention was in regards to Anti-Virus aka, 'AV' software protection on the DC server.

1.) In my opinion software AV's have come a long way in effectiveness, yet there are pitfalls. Not only is the AV potentially buggy, AV's have a tendency to consume memory and not release it, not good, in a production environment, can you really afford that? Ouch.

2.) Think about it... If your first line of defense starts on your DC and on other servers, you are already more than halfway defeated. Why should anyone want to begin their defense scheme on the inside of their servers???? To begin the effort of putting up active resistance against threats at the core of the network universe is insane. Putting up an active defense at this layer of your security model should mean that your network has been obliterated by hackers and you are trying to save your network in a last ditch attempt (yes, your network is no longer connected to anything on the outside and you are actively fighting the infection internally), that is how bad this should be in order to begin your defense on the DC and other servers. Filter out and actively defend against threats long before the threat is on your servers. How so? Item 3.

3.) This is why some CCIE/CCNP's make the big bucks. Any organization worth their salt will buy some type of hardware from Cisco / Barracuda / Juniper, or otherwise to get a hardware solution in place (because software AV doesn't come close to cutting the mustard). Most software AV's (even the often touted as Enterprise versions of Symantec, McAfee, Norton, etc, etc, etc...) simply do not come close to providing you the same protection as an IronPorts setup from Cisco, or other similar products from any major vendor. For a paltry $10k out of your IT Dept budget, you can have very respectable protection that software AV's simply won't provide you.

4.) I've chopped software AV's down to size, so allow me to build them back up. Software AV's, for me, are a must on any 'User' Workstations/PC's, no exceptions. They prevent the unknowing or malicious from hurting/destroying your networks from outside sources, for instance they brought in their flash drive from home and attempted to copy some work they did at home the previous night onto their Workstation. This area is the single biggest reason for having a good software AV. This is why software AV was invented (Vienna virus), for no other reason, woops.... almost forgot the real reason... to heist your money ok ok, nm.

5.) Anyways... Your DC is not really going to benefit or be hindered from having software AV on it. Your DB Servers, Web Servers are going to suffer, no software AV on them unless you really are under a known and sustained attack (you'll know of this firsthand because of IronPorts, etc,... mentioned in point 3).

6.) Last but not least, if you cannot afford a nice setup from Cisco or Juniper, go Linux! If you've got a spare machine or two laying around, check out your options with some of the OpenSource solutions available for your network... They are powerful... and as the chosen answer above highlighted, they must be configured correctly. Remember that CCIE/CCNP guy I was talking about..? Yep.

  • 5
    One does not simply put up an edge firewall and AV on the user workstations. There are other threats. There is evil out there that does not sleep. It will find some way through your edge firewall and have the run of your network. Or a disgruntled employee will bring it in. Not having defense in depth is folly. – Michael Hampton Sep 18 '12 at 02:03
  • One does not simply comment without reading the entire post. =) I suggest far more than what you have interpreted. I suggest AV on clients and a hardware based solution for Spam and in particular Virus Blocking. I do not mention Firewalls as the question was not about firewalls, but AV's. My smallish section of the network uses: IronPort C670 for our email servers, IronPort S670 for our webservers and an IronPort M670 for most everything else related to taking care of managing the whole mess, in addition to those, we have security routers and.. firewalls and client side av's as you suggested. – Channard Sep 18 '12 at 20:13
  • Also, in my original post, I talk about users bringing in viruses (virii). item: #4 – Channard Sep 18 '12 at 20:18
  • No, @MichaelHampton is right, this is an awful answer. – HopelessN00b Sep 24 '12 at 20:20
  • @HopelessNoob: Have you even looked at the Cisco IronPorts offering and Security Operations Center Controls? So many DataCenters rely on this integrated set of Anti-Virus, Spam, Intrusion Detection, etc, etc, etc. Please recommend something else, I am eager to hear your response and possible replacements you may suggest. – Channard Nov 25 '12 at 08:20
  • @HopelessNoob: You probably already know, but IronPorts was bought by Cisco and is now called Cisco Email Security and Cisco Web Security. A CCIE Security will configure this correctly. A simple All in One IronPorts answers the original question about putting an AV on the DC controllers which was triggering a false positive. There are many ways to go around the problem, but the IronPorts aka Cisco Email Security and Cisco Web Security stacks will certainly do the trick. – Channard Nov 25 '12 at 08:32