
Anti-virus on file servers?

By EdLockett
This is an interesting concept that has been bugging me recently. In doing work for our clients we frequently notice that certain anti-virus products cause problems with server performance. The clients can sometimes suffer from 1-2 minute delays just to open a file as the AV is grinding away wasting 50%+ CPU time.

The real question here is, if there is a file server, which serves files to local network clients, why does it even need AV? I can't think of any particularly good reasons why it is worth the performance sacrifice of a perfectly good server to make it thrash about scanning documents for viruses. Particularly when all of the clients have their own AV.

So does a file server, which only allows access by clients to certain shared folders, and no access to any of its system files, never executes any programs interactively and cannot be made to execute a program or change system files remotely, really need to AV scan every file that is opened by the system, to send over the network to a client who is also going to scan it (usually with the same engine and same definitions)? I would be very interested in a general discussion of this.

Consider also the fact that the vast majority of data files cannot contain malware as they are not executable. The only exceptions to this are Office documents which could contain macros. However, the server probably doesn't even have Office installed and wouldn't be trying to execute anything from its shared folders of its own accord. The clients do need AV and would be scanning all files opened themselves anyway.

Extend this idea to servers that have multiple roles. For example, in many small businesses a single server provides all services for network users. It might be a domain controller, file server, Exchange server, proxy server, host a couple of databases. Provided that incoming email is sanitised somehow to protect user mailboxes, does the server in this scenario really need to scan its files for viruses? There is still no real threat of the server operating system itself becoming infected.
Even if a hacker were able to gain access to a theoretical limited user account with permission to log on to the server it would still not be possible for them to infect any sensitive part of the system with any sort of malware.

If a hacker gains access to your admin account, you've had it anyway - no amount of AV will help you then. But viruses, generally, come in executable files. If a server doesn't ever execute any files from the outside world, why is it a good idea for them to have AV? Is it just a gimmick so that vendors make more money through scare tactics?

Please do express your thoughts and opinions on this. If I am missing something glaring in this area I would be pleased to be able to set my mind at rest!

Thanks
Ed


2 reasons

by Jaqui In reply to Anti-virus on file server ...

1) It's a better policy to "trust nothing" and run the file server av to avoid infesting your network.

2) Staff who can save files to the server may have an infected file they do not know about, bringing reason 1 into play.

Edit to add:

All the AV software I have seen for enterprise use [file server] has the problem of being a resource hog. Lower the priority of the AV in its own config settings, turn off the on-access scan, and use a nightly full scan and on-save scanning instead.


Thanks

by EdLockett In reply to 2 reasons

Hey Jaqui... Thanks for your input.
Although the two points I was trying to play on are:
1. The server can't get infected since it never runs any (foreign) executables.
2. The clients can't put infected items on the server, nor become infected if there are such items that they access - because they all have their own anti-virus.
So what I really want to talk about is what circumstances would make a convincing argument to put AV on a file server?

Any further comments/suggestions/discussion from all those bright minds out there?


Any more?

by EdLockett In reply to Anti-virus on file server ...

Any more comments forthcoming on this topic? Thought I would elicit at least a fair response on this... Anyone feeling enthusiastic?


Depends on the server's role.

by 1bn0 In reply to Anti-virus on file server ...

Some applications require interaction on the server itself.

Including having Excel available to read the exported data and log files.

Once you are working in that mode, it is often easier to perform all related tasks from the same session on the same server.

As this is also usually done with an administrative account (you wouldn't get logged on to the server otherwise), it is a good idea to have AV installed.


That's interesting

by EdLockett In reply to Depends on the server's ro ...

So the scenario you are covering really is the possibility that an admin who was performing some tasks on the server might accidentally execute some malicious code...
It's a fair point, but one I would say is fairly unlikely. Of course, log files and such produced by Windows services or trusted applications are not going to contain any malicious code. I think usually the admin would either copy or share these files and then access them from his/her workstation rather than paying for another copy of Office to sit on the server.
Really, as long as the server isn't a Terminal Server, the only people using it would be the IT admins. As they are kind of expected to be IT savvy, and they don't really have any need to access the Web or their e-mail whilst logged on at the server, the risks of becoming infected are low?
Maybe there would be some scenarios where the admins would be susceptible to sophisticated social engineering?


By installing a different AV product

by Dumphrey In reply to Anti-virus on file server ...

than what is on the end user computers, you add depth to scanning without the problems of doubling up on the workstation. Not all AV programs catch everything; it's hedging your bets.


Good point...

by EdLockett In reply to By installing a different ...

Using a different AV engine on server and on workstation would indeed offer this advantage.
However, most businesses choose to buy one site license, to cover all computers. It would be more expensive and difficult to administer if there were several different vendors' products.
One should be able to trust the labs of their chosen anti-virus vendor. That is the main reason why paid-for AV is better than free AV - there are more resources to investigate and release definitions for new viruses quickly. However, the major players generally all release definitions for new viruses within a short timeframe.
Does anybody else use different products on server / workstation for this reason?


Trust is a bell curve based on experience, reputation, and

by Dumphrey In reply to Good point...

research. You should be able to trust your AV, in much the same way you should trust your seatbelt. But are you to cheep to pay for the airbag in your car? Is the seat belt really enough?
It comes down to how important is your data. Optimally, a gateway appliance is scanning all data streams with product A. Client machines scan the new file with product B, and the file is scanned again on the server with product C.
The mail queue scanner should be different from the spam appliance scanner and from the end client scanner.
It all comes down to risk. And even the most trusted names in AV can let you down, hard.
http://www.itp.net/index.php?Itemid=1&id=486507&option=com_content&view=article
http://news.cnet.com/Symantec-patches-antivirus-worm-hole/2100-1002_3-6078160.html
http://www.fastcursor.com/lib/symantec-flaw-patch.asp


Good input

by EdLockett In reply to Trust is a bell curve base ...

I'm not sure exactly why you think "trust is a bell curve". I find that bit a little confusing.

You do indeed have a good point about defence in depth.

Headline: "Budgies to cheep to pay for the airbags in your car!"
I kind of like that idea. Nice one.


IT Consultants

by The 'G-Man.' In reply to Anti-virus on file server ...

who do not know that a virus can spread through network shares are a poor excuse for a professional.

Worse still, the applied understanding shown to what a virus can do through such a small attack vector frankly boggles the mind.

That and the total lack of paragraphing in the OP tops the lot.
