Anti-virus on file servers?

By EdLockett
This is an interesting concept that has been bugging me recently. In doing work for our clients we frequently notice that certain anti-virus products cause problems with server performance. The clients can sometimes suffer from 1-2 minute delays just to open a file as the AV is grinding away wasting 50%+ CPU time.

The real question here is, if there is a file server, which serves files to local network clients, why does it even need AV? I can't think of any particularly good reasons why it is worth the performance sacrifice of a perfectly good server to make it thrash about scanning documents for viruses. Particularly when all of the clients have their own AV.

So does a file server, which only allows access by clients to certain shared folders, and no access to any of its system files, never executes any programs interactively and cannot be made to execute a program or change system files remotely, really need to AV scan every file that is opened by the system, to send over the network to a client who is also going to scan it (usually with the same engine and same definitions)? I would be very interested in a general discussion of this.

Consider also the fact that the vast majority of data files cannot contain malware as they are not executable. The only exceptions to this are Office documents which could contain macros. However, the server probably doesn't even have Office installed and wouldn't be trying to execute anything from its shared folders of its own accord. The clients do need AV and would be scanning all files opened themselves anyway.

Extend this idea to servers that have multiple roles. For example, in many small businesses a single server provides all services for network users. It might be a domain controller, file server, Exchange server, proxy server, host a couple of databases. Provided that incoming email is sanitised somehow to protect user mailboxes, does the server in this scenario really need to scan its files for viruses? There is still no real threat of the server operating system itself becoming infected.
Even if a hacker were able to gain access to a theoretical limited user account with permission to log on to the server it would still not be possible for them to infect any sensitive part of the system with any sort of malware.

If a hacker gains access to your admin account, you've had it anyway - no amount of AV will help you then. But viruses, generally, come in executable files. If a server doesn't ever execute any files from the outside world, why is it a good idea for them to have AV? Is it just a gimmick so that vendors make more money through scare tactics?

Please do express your thoughts and opinions on this. If I am missing something glaring in this area I would be pleased to be able to set my mind at rest!

Thanks
Ed

All Comments

Thanks, but rather

by EdLockett In reply to IT Consultants

Rather than put down the topic of the discussion, why don't you contribute to it? Discussion is, after all, the purpose of the forum and the intended result of the exercise of posting.
I would be interested to discuss with you the reasons behind the statements you make. Please, explain how you think a file server might become infected with a virus through a file share.
Many others and I would be most enlightened, and would be grateful for the new knowledge.
Or maybe, if you were prepared to discuss, you might learn something new yourself!
I look forward to the elaboration of your points, if you are in fact not just a bridge-dwelling troll creature.

PS. In Britain at least, widely-accepted writing style dictates that a new paragraph consists of a new line and an indentation. As one cannot use <tab> in a textarea, I did indeed just use line breaks. Looking at it now, it would probably have looked better with double line breaks between paragraphs. Oh, and I would have liked to justify it as well, but the world is not perfect.

Great

by EdLockett In reply to What like this guy...

Hmm yes, I feel that all reading this discussion can come away benefitting from your insight. Good effort.

I think the point made in the quoted post is perfectly valid. Do you disagree? Please discuss...

On a different note, I did take your advice about the layout. Happy Mr. Troll now?

Equal Opportunities Commission.

It's late, I know

by alexisgarcia72 In reply to Thanks, but rather

This post is some time old now, but I found it because I'm investigating performance issues where the culprit is the AV (McAfee) on a powerful file server. As a troubleshooting step, I removed the AV for some minutes. Disk busy messages from one specific app I have now drop to 0 ~20%... so the AV is the culprit, no doubt.

I'm looking at other ways to lock down the server (Cisco CSA, for example) instead of the AV.

But it is true, the virus risk is not only present when users run an exe file or something; a single share on a server can expose the system to full infection.

More ideas, please...

by EdLockett In reply to Anti-virus on file server ...

Does anybody have any good explanations of what kinds of risks would be opened up by not having anti-virus on file servers?
I'm really trying to get some good discussion going on this 'what if' scenario...

Well

by The 'G-Man.' In reply to More ideas, please...

What do viruses infect?
What do file servers hold?
Where do these files come from?

Are all the upload vectors covered by another scanner or scanners?

What if someone was working directly on the server and downloaded a file?

What if an install on the server had a virus contained within (this has happened)?

What if a TSR virus was run on the server that did not write to disk?

Wait....

Virus scanners scan more than just files!

Now that is put to bed the thread can die.

Example...

by EdLockett In reply to Well

For the purposes of this discussion, we are working with a simplified theoretical example. I am trying to get people to visualise a concept so that we can exchange ideas.

To go back to the original scenario, a file server is accessed only by local client computers that all have AV.

So, to clarify...

Are all the upload vectors covered by another scanner or scanners?
Yes, in this example, for the sake of the discussion. Clients on the local network only place files in the shares.

What if someone was working directly on the server and downloaded a file?
Only the administrator is permitted to log on to a server interactively. It is not best practice to use servers for day-to-day activity such as browsing or downloading untrusted software.

What if an install on the server had a virus contained within (this has happened)?
It's a file server. Windows was installed from official media. There is no other software. For the sake of the example, to base a discussion upon.

What if a TSR virus was run on the server that did not write to disk?
Not sure what you mean by this one. How does something get into memory without being read from some medium first? TSR was a technique that stood in for multitasking in DOS - it's no longer really useful.

I'm sorry that you have such a problem with this discussion, G-Man. It was meant to stimulate some intelligent conversation about a theoretical concept. You seem unable to overcome the reaction of putting people down and stifling an exchange of information and thoughts because something strikes you as being different to what you perceive to be the norm.

Please, if you have something constructive to contribute to the discussion, I would be glad to hear it. Otherwise, you don't have the right to call other people or to dictate what happens in a public forum. I would advise you don't bother - it won't make you popular like it might have done at school.

I did have something useful to say...but

by The 'G-Man.' In reply to Example...

your strange assumptions just stifle the conversation. Besides if one had said nothing (as you put it) then your response would not exist :-)

Besides in my opinion you are just fishing for information to take to the boss for a "look what I can do" moment.

Your history on this very site makes it a dead giveaway.

Meh

by EdLockett In reply to I did have something usef ...

Thanks for wasting my time.

You missed the EDIT

by The 'G-Man.' In reply to Meh

as you posted when I was editing.
