Anti-virus on file servers? - TechRepublic
General discussion
September 15, 2008 at 02:48 AM
edlockett


This is an interesting concept that has been bugging me recently. In doing work for our clients we frequently notice that certain anti-virus products cause problems with server performance. The clients can sometimes suffer from 1-2 minute delays just to open a file as the AV is grinding away wasting 50%+ CPU time.

The real question here is, if there is a file server, which serves files to local network clients, why does it even need AV? I can’t think of any particularly good reasons why it is worth the performance sacrifice of a perfectly good server to make it thrash about scanning documents for viruses. Particularly when all of the clients have their own AV.

So does a file server, which only allows access by clients to certain shared folders, and no access to any of its system files, never executes any programs interactively and cannot be made to execute a program or change system files remotely, really need to AV scan every file that is opened by the system, to send over the network to a client who is also going to scan it (usually with the same engine and same definitions)? I would be very interested in a general discussion of this.

Consider also the fact that the vast majority of data files cannot contain malware as they are not executable. The only exceptions to this are Office documents which could contain macros. However, the server probably doesn’t even have Office installed and wouldn’t be trying to execute anything from its shared folders of its own accord. The clients do need AV and would be scanning all files opened themselves anyway.

Extend this idea to servers that have multiple roles. For example, in many small businesses a single server provides all services for network users. It might be a domain controller, file server, Exchange server and proxy server, and host a couple of databases. Provided that incoming email is sanitised somehow to protect user mailboxes, does the server in this scenario really need to scan its files for viruses? There is still no real threat of the server operating system itself becoming infected.
Even if a hacker were able to gain access to a theoretical limited user account with permission to log on to the server it would still not be possible for them to infect any sensitive part of the system with any sort of malware.

If a hacker gains access to your admin account, you’ve had it anyway - no amount of AV will help you then. But viruses, generally, come in executable files. If a server doesn’t ever execute any files from the outside world, why is it a good idea for them to have AV? Is it just a gimmick so that vendors make more money through scare tactics?

Please do express your thoughts and opinions on this. If I am missing something glaring in this area I would be pleased to be able to set my mind at rest!

Thanks
Ed
