Here's an argument that I've had at over a dozen companies:
Obviously, you should not install AV on your SQL Server. I think there is also a general consensus that it doesn't belong on your web server.
But what about all of the other servers in an enterprise?
Do you think it's appropriate to run AV on those machines?
Yes, although for the most part they are configured to scan for viruses overnight with real-time file protection disabled, the exceptions are:
Definitely yes on file servers; you can then scan the files people store on the server without having to rely on desktop AV (which can fail)
Exchange, I'd advise installing a proper exchange product (Sybari AntiGen was the original; that's now MS ForeFront for Exchange but there's lots of competition now) that will scan the content of the emails; there's little point scanning the file system on an exchange server.
AD, I wouldn't bother
OCS, get the Forefront plug-in if you're connecting to the outside world.
Basically, I don't think there's a one-size-fits-all answer to that question; you need to work out where the risks are. Generally, apart from a file server, I wouldn't suggest generic file AV on servers; you want something more specific to the role of the server.
We run AV on everything that has Windows. With basic configuration (excluding databases, scan on write only, etc) the overhead is so minimal that the cost is virtually zero. The one exception in my organization is Hyper-V Servers; which are very carefully isolated from the rest of the network.
Some would argue that the potential benefit is also almost zero; but seeing as the cost is similar they still balance. Security should be applied in layers, not held up by a single point like Atlas.
A couple arguments in favor of running AV on Windows servers:
Generally I'd say you do want some sort of AV on many servers, yes, but, and this is a big one, you need to be careful with the exceptions.
First of all, Anti-Virus products can have a very significant impact on performance, especially with certain workloads. Make sure you are selecting the correct AV product for the machine, and make sure it's configured correctly.
Special note, be really careful with Exchange, and never install client-type AV software on it. We had a guy who brought our Exchange server to its knees at my previous job after he installed an AV client (intended for desktops) on it that was trying to scan every e-mail going in or out and operated very slowly.
Many times it's not up to you. If you're bound by certain policies, it may be required. I'm not current on PCI standards, but back when they first came out, it required us to put AV software on all our servers.
I think the real argument for having AV on windows servers is Worms or other viruses that can spread without the need for a incompetent (or unlucky) admin. It has been a long time since I have seen a good worm that exploited a MS bug and could freely move from computer to computer. This requires no user or admin intervention to spread. Servers are especially dangerous as they are usually on 24x7 and many of them don't get logged onto on a regular basis (i.e. you may not see the problem(s) right away.
You then have to compare that against the risk of having your data stolen, servers potentially damaged, reputation hurt, time spent fixing, paranoia that you didn't clean it all up, etc...
My policy is that ALL windows boxes get AV installed on them (linux is different story). Tweaked to offer protection with minimal performance impact. Also boxes that run functions such as email will need AV that is specifically tailored to that environment. Nothing is worse than AV trying to dig into mail databases and grab viruses...
My two cents. Better be safe than sorry.
For SharePoint, I'd add ForeFront Security for SharePoint. You certainly want AV for documents uploaded to SharePoint.
I have clamwin and do a weekly scan on my file server which doesn't see much activity. I had Symantec AV previously and the scan on file access was killing performance.
Yes. I use Trend Micro for most of my clients. The Worry Free Business Security 5.1 standard for boxes without Exchange and WFBS Advanced for those with.
The client gets installed automatically for the first server, and is an easy install for any others.
The Real Time will hopefully not be needed very often, but the sweeps I select for weekly or daily, after hours, can find things that might have been missed previously (i.e. virus was not part of the previous definitions).
The performance hit is rare, and the alternative is a nightmare, especially for a shared resource like a server.
Although, I have met a few admins who think nothing of re-mastering a box from a backup image... But I'd rather spend my time doing other things. :)
Antivirus is necessary only if "dumb" clients have execution/administrator rights on computers. So if your server admin is "dumb" then you DO need antivirus. If you have a REAL server admin - then he will never run any file on the server that does not come from trusted source. Admin can always scan a file on his own machine.
If a server is set up correctly - then it can NOT be affected by virus, even if there is a virus on it's fileshare. So for me it does not make any sense having antivirus on the server. For exchange - executable files should be forbiden. Have not seen virus in my email for last 6 years.
It is always better to have proper security set up on the client side, than slowing down the server just for the sake of pretending that it will be any safer.
