Anti-virus on file servers?

By EdLockett
This is an interesting concept that has been bugging me recently. In doing work for our clients we frequently notice that certain anti-virus products cause problems with server performance. The clients can sometimes suffer from 1-2 minute delays just to open a file as the AV is grinding away wasting 50%+ CPU time.

The real question here is, if there is a file server, which serves files to local network clients, why does it even need AV? I can't think of any particularly good reasons why it is worth the performance sacrifice of a perfectly good server to make it thrash about scanning documents for viruses. Particularly when all of the clients have their own AV.

So does a file server, which only allows access by clients to certain shared folders, and no access to any of its system files, never executes any programs interactively and cannot be made to execute a program or change system files remotely, really need to AV scan every file that is opened by the system, to send over the network to a client who is also going to scan it (usually with the same engine and same definitions)? I would be very interested in a general discussion of this.

Consider also the fact that the vast majority of data files cannot contain malware as they are not executable. The only exceptions to this are Office documents which could contain macros. However, the server probably doesn't even have Office installed and wouldn't be trying to execute anything from its shared folders of its own accord. The clients do need AV and would be scanning all files opened themselves anyway.

Extend this idea to servers that have multiple roles. For example, in many small businesses a single server provides all services for network users. It might be a domain controller, file server, Exchange server, proxy server, host a couple of databases. Provided that incoming email is sanitised somehow to protect user mailboxes, does the server in this scenario really need to scan its files for viruses? There is still no real threat of the server operating system itself becoming infected.
Even if a hacker were able to gain access to a theoretical limited user account with permission to log on to the server it would still not be possible for them to infect any sensitive part of the system with any sort of malware.

If a hacker gains access to your admin account, you've had it anyway - no amount of AV will help you then. But viruses, generally, come in executable files. If a server doesn't ever execute any files from the outside world, why is it a good idea for them to have AV? Is it just a gimmick so that vendors make more money through scare tactics?

Please do express your thoughts and opinions on this. If I am missing something glaring in this area I would be pleased to be able to set my mind at rest!

Thanks
Ed

Oh dear.

by EdLockett In reply to You missed the EDIT

Risk

by alexisgarcia72 In reply to More ideas, please...

There is a risk. If the server has shares, you have a risk. I see servers infected even with a lot of permission restrictions (and AV installed).


post

by alexisgarcia72 In reply to More ideas, please...

This is a really good post. In the past, a lot of IT admins refused to use AV on servers. Performance hits are big when your files are scanned all the time by the AV software.

I see very powerful file servers (also running other roles) with real performance problems because of the AV. I'm even now troubleshooting a real deal where users complain and complain because opening files takes some time on powerful equipment because of the AV.

So, I'm investigating if I really need AV in this server and how I can remove the AV and lock the server to avoid infections.

Security in MS OSs is a big problem. You need to keep in mind a lot of steps: Windows updates, service packs, critical updates, removing unnecessary services, limiting permissions, and some people add AV and antimalware/antispyware software.

I see some companies that do not use AV software on file servers; instead, they use CSA locking systems.

You need to understand one single thing (important). A Windows file server with a single share without AV is at risk of infection. A lot of viruses out there look for shares on the network and replicate. I see a lot of servers and infrastructures infected in such a way.


Did you remove AV software from server?

by wes In reply to Anti-virus on file server ...

I am new to IT, and I read the threads because I have the same question. My office has only 5 users that have the same AV protection, and the file server had PC AV software that expired soon after I arrived. I installed a 30-day trial, which expires soon. I'm leaning toward purchasing AV software for the server and 5 PCs just for peace of mind.


thoughts on an old topic

by cwheeler33 In reply to Anti-virus on file server ...

What happens if we run a nightly AV scan and use a whitelist app instead? As an example product, BIT9... Would that sufficiently reduce the risk to the file server while saving on performance?

Although this is an old thread, I think it's still a valid discussion.

I do believe in Defence in Depth (provided we can afford it)
I do believe File Servers are at risk
Part of the solution is best practice before you even go shopping. As such I like to follow NSA guidelines for locking down...
The name of the game is risk management... I don't believe anyone can protect themselves 100% of the time. We can only do our best to get as close as possible.


The weak point in the original poster's position

by CharlieSpencer In reply to thoughts on an old topic

"2. The clients can't put infected items on the server, nor become infected if there are such items that they access - because they all have their own anti-virus."

That's a lot of trust in both the local AV app and in the inability of unprotected systems to connect to the network. All it takes is one well-intentioned employee connecting a vendor or customer's contaminated laptop, or a 'drive-by' wireless poacher, or a flash drive full of cooties stuck in the server's USB port.

For small shops, I agree with those who say run one app on the clients and a different one on the servers. Larger outfits should invest in the appropriate corporate-grade products designed to minimize the performance penalty on servers.
