3

Possible Duplicate:
Do you run antivirus on your Windows servers?

I see a couple of existing questions on this with opposing viewpoints:

For a virtualized Windows 2008 Server R2 running as a public web server with IIS, should AV be installed?

The site does not allow file uploads at this time, but I can see in the future I may let select users upload documents, PDFs, maybe Word and Excel. If I cannot scale out to a second server for file serving, should the main web server get AV at that point?

If I should install AV, what products have you had success with and why? Things like performance and footprint as compared to cost.

Thank you.

blu
  • 3
    If you have already found the same question already asked, do we really need to ask it again? – Sam Cogan Oct 08 '09 at 13:36
  • 1
    because there wasn't a general consensus on what was to be done. – blu Oct 08 '09 at 13:43
  • 1
    and again there is a discrepancy in these answers with no upvotes validating any of it. – blu Oct 08 '09 at 13:44
  • so, you asked a dupe because there wasn't a consensus? – warren Oct 08 '09 at 13:45
  • I asked a more specific question tailored to a refined scenario in an attempt to solicit input – blu Oct 08 '09 at 13:47
  • 4
    You are never going to get a consensus on this subject. The reason is that I am right, and everyone who disagrees with me is wrong. You should always, under (almost) every circumstance, have AV installed on a Windows server, regardless of role (yes, including SQL). There are few exceptions, one being totally isolated labs etc – Izzy Oct 08 '09 at 13:47
  • http://serverfault.com/questions/64883/install-an-antivirus-on-a-web-server-is-this-a-good-idea – warren Oct 08 '09 at 13:48
  • 1
    +1, @Izzy :) ..Windows is targeted - it needs to be protected. All servers are targeted and should be protected in some fashion, but viruses hit Windows heavily, and it's not just from files - unpatched components can leave open doors for attacks, too – warren Oct 08 '09 at 13:50
  • what is "shoftware" – amdfan Oct 10 '09 at 17:53

6 Answers

5

Yes.

Yes yes.

Yes yes yes.

Yes yes yes yes.

Yes yes yes yes yes.

Yes

We use Microsoft Forefront for our 1000+ Windows servers.

You should ALWAYS have AV installed on a Windows server, for ALL roles (yes, including SQL and Web). There are very few exceptions, one being isolated (physically or logically) labs.

The fools people that say you don't need AV usually cite performance issues. Then get a faster machine, but you better have AV on it. It's as simple as that.

Izzy
  • 4
    I like how your answer relates to your Gravatar. – Dennis Williamson Oct 08 '09 at 13:41
  • Heh - if only there was a Comment of the Day award, you'd win it today :) – Izzy Oct 08 '09 at 13:42
  • 1
    AV can cause performance problems even on high spec machines depending on your usage. A good compromise if realtime scanning is a problem is to disable that and at least have a daily routine scan (out of hours) – JamesRyan Oct 08 '09 at 14:14
  • Except of course that in order to install this magical antivirus software, you will have to create an exception list to prevent it from screwing up the software that you have currently running. As Jesper points out, the antivirus software is unlikely to actually find any viruses on your server whereas a firewall/HIDS will actually stop and prevent viruses – Jim B Oct 08 '09 at 19:50
  • Heuristic detection. – Izzy Oct 08 '09 at 19:53
  • a. Heuristic detection means nothing since you have to exclude all the files that have the potential to infect your system. Not only is it going to be useless at detecting viruses, you'll also have to somehow magically scan the files at upload time and communicate the status back to the user that uploaded them if it failed to pass the test (mind you even if it has a virus it's not possible for an uploaded file to infect the webserver- just the dope that downloads it later). This is like saying installing antivirus is going to protect you from a sql injection attack. – Jim B Oct 09 '09 at 02:23
  • b. Antivirus is for USERS not servers since servers (hopefully by default) should be protected by firewalls and domain and server isolation. The only servers that need to have antivirus on them are ones that are fileservers in your environment or store files for your users- and that's only for a belt and suspenders approach. Now if AV is free for the servers and they don't have performance constraints (eg forefront) there is no harm in installing it. Conficker (as an example) will not be caught by AV software until you have it but a proper HIDS will block it. – Jim B Oct 09 '09 at 02:30
3

NO, you should not install antivirus software on a web server, at least not as your first choice. You should install a Host Intrusion Detection System (HIDS) like Samhain, Tripwire or the like.

The question is a duplicate of this older question, please see my answer there. The gist of it is that HIDS has a better detection rate against hacks than antivirus (AV) software.

If you enable uploads of Office types of documents, i.e. PDFs, Word docs and other documents that can embed active content, then a normal antivirus package would make sense IMHO, to scan for macro viruses in the uploaded content.

This answer assumes that your web server is completely separated from your internal office network -- which should be an obvious security practice under all circumstances.

Edit: To clarify, AV follows a 'blacklist' approach, i.e. it has signatures for a known list of 'bad' programs, and alerts you (and optionally takes action itself) when it sees one of these 'bad' programs on your server.

HIDS follows a 'whitelist' approach, i.e. it has a list of all the programs on your server that should be there, and alerts you whenever executable code is added or changed without your approval. This approach will have a better detection rate against one-of-a-kind hacks and zero-day exploits, at the expense of (many) more alerts being given, especially if you don't take the time to configure the HIDS optimally.
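The blacklist/whitelist distinction described in this answer, as an added example that is not part of the original post: a signature lookup and a baseline comparison are run over the same tampered web root. The file names, the `KNOWN_BAD` set and all file contents are constructed for illustration; real HIDS tools such as Samhain or Tripwire do considerably more than hash comparison.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed "signature database": hashes of known-bad files (the blacklist).
KNOWN_BAD = {hashlib.sha256(b"constructed known-malware sample").hexdigest()}


def snapshot(root: Path) -> dict:
    """Map each file's relative path to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def blacklist_scan(root: Path) -> list:
    """AV-style check: report only files whose hash matches a known signature."""
    return [name for name, digest in snapshot(root).items() if digest in KNOWN_BAD]


def whitelist_scan(root: Path, baseline: dict) -> dict:
    """HIDS-style check: report every deviation from the approved baseline."""
    current = snapshot(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(n for n in current.keys() & baseline.keys()
                          if current[n] != baseline[n]),
    }


def demo() -> tuple:
    """Build a constructed web root, tamper with it, and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "default.aspx").write_bytes(b"<%-- original page --%>")
        (root / "bin").mkdir()
        (root / "bin" / "site.dll").write_bytes(b"approved build 1.0")
        baseline = snapshot(root)  # taken while the server is known-good

        # One-of-a-kind changes: no signature exists for either file.
        (root / "bin" / "site.dll").write_bytes(b"modified build")
        (root / "uploads.aspx").write_bytes(b"<%-- unapproved new page --%>")
        return blacklist_scan(root), whitelist_scan(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The signature scan returns nothing for the tampered tree, while the baseline comparison flags both the modified DLL and the new page; the cost is that every legitimate deployment also has to refresh the baseline.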

2

If you have any Windows machine online, you need a firewall, and (I think) a good non-invasive antivirus. I prefer ESET's range of products - they have a low memory footprint, and are very reasonably priced for personal and business use.

1

To quote my answer from here from another duplicate of this question, which was also asked on superuser..


Yes, always. Quoting my answer from superuser:

If it's connected to any machines that may be connected to the Internet, then absolutely yes.

There're many options available. While I personally don't like McAfee or Norton, they are out there. There's also AVG, F-Secure, ClamAV (though the win32 port is no longer active), and I'm sure hundreds more :)

Microsoft has even been working on one - I don't know if it's available yet outside of beta, but it does exist.

ClamWin, mentioned by @J Pablo.

warren
1

It depends on if it's connected to other systems directly. If your server connects to a hardware-based firewall (e.g. a separate router) and no other (Windows) systems can access it, then you can take a risk and not install a virus scanner. The firewall should block all traffic to this server except port 80, thus your system would be reasonably safe from any worm attacks. And even though users can upload files to your server, as long as you don't execute their contents, your system will be reasonably safe.

However, it's very likely that you will connect this server with other computers in a local network, thus this server can be attacked by worms. Of course, if all other computers in your network are Linux or Apple computers, risks will be very small again. If those other computers are using good virus scanners then the chance of your server being infected by them would be very limited. If another system would still be infected then that virus scanner wouldn't protect your server either...

But in the end, my answer is still "YES" simply because there is a risk. I would even install a virus scanner on a stand-alone computer with no network access, simply because I can't predict what will happen to it in the future. Sooner or later, someone might infect it by a virus on a USB stick or because someone did connect it to the network and then Hell will break loose...

I am a fan of the McAfee scanner, and scanner only, since it keeps itself up-to-date very well, it doesn't give too many false positives and it doesn't slow down your system too much. It is a bit memory-hungry compared to other scanners but we're talking about tens of megabytes in memory footprint differences.

Wim ten Brink
-5

No. You should not need Antivirus software on a web server to protect the webserver. File uploads will not give your web server viruses, however you might want to protect users that download those files, in which case you might want to protect them from other users. That being said you shouldn't be opening these files on your web server, and it should be configured so that you cannot execute things from that directory.

Jim B
  • 3
    -1 Internal worm outbreak? How do you plan to save your server and corporate data/intellectual property? – Izzy Oct 08 '09 at 13:44
  • Internal worm outbreak? that's possible with a firewalled webserver? Not in this reality. – Jim B Oct 08 '09 at 19:31
  • 2
    No sorry - you cannot put all of your faith in a firewall, especially with zero-day exploits. Having an AV *with* a firewall, on the other hand, is better practice. You are assuming that there is only a narrow attack vector (the file uploads), but the box is running Windows. –  Oct 08 '09 at 19:40
  • you're advocating installing an antivirus solution (that cannot protect against 0-day exploits) and then saying that you also need a firewall (that can in fact protect against 0-day exploits and virus vectors) but the only way to be safe against 0-day exploits is to have both. Sorry but reality doesn't lie. I've run over 150 windows 2003 and up webservers hosting thousands of sites with a (roughly) combined total of 150 million hits a week with nothing but firewalls/ids and never a virus in the past 5 years. (now code exploits that's a whole nother issue). – Jim B Oct 09 '09 at 02:18