Security Basics mailing list archives

AW: Why NOT to disable Real Time Antivirus on Servers


From: holger.reichert () holysword de
Date: Thu, 03 Nov 2005 12:37:11 +0100

Dear George,

I will not supply a whole list of scenarios, but my few thoughts may help you a bit.

First of all, antivirus products are always too late to protect you against the newest viruses. The antivirus companies 
have to update their pattern files, have to publish them, and you have to deploy them.
Question 1:
How many clients do you have at this moment with pattern files older than the newest one?
2-10% ?
Question 2:
How much time do you need to deploy the newest pattern file? (Start point is date and time of publishing)

Every day we have between 20 and 50 new virus variants. This means 1 virus every 30 minutes, 7*24*365.

One client in your network is enough to spread a worm to all your servers within, say, 10 minutes.

The propagation ways of viruses are getting more complex every day.
So you only have to read some virus descriptions to have the scenarios you need.

e.g. Sasser and Blaster have been carried into networks via notebooks.

The best way we have until now is to defend against viruses with a layered security approach. This means having 
antivirus on every server, every client, and as a gateway solution at your Internet entrance point.

Last but not least:
An infected server causes much more damage to your organisation than an infected client, because during the 
disinfection/repair time much more personnel is affected. The server is/(should be) offline.

Not having virus protection on servers because of performance issues is a sign of bad performance or server 
architecture planning.
You should upgrade your servers and you must not risk their functionality.

With kind regards
H. Reichert
Owner Manager
Holysword GbR
IT-Security Consulting
Germany


Greetings,

An Engineer and I are having an argument about keeping Real Time Antivirus 
disabled on servers.

His point is keeping Real Time Antivirus Enabled on servers such as the 
Exchange Server takes a huge performance hit on the server.

My argument is that keeping real time antivirus software disabled defeats the 
purpose of PREVENTING a server from being infected in the first place. Once it 
is infected, it is all too late already. The antivirus software is enabled on 
the workstations.

He argues that since all of the workstations have the antivirus enabled, then 
there is no way for the virus to get in.

My argument is that a virus can still get in through other means. I need 
examples and case studies to refer to.

I would like to find different case studies or scenarios where the real time 
antivirus was disabled on the servers, enabled on the PCs, and the company 
still got infected. Also, I would like to find solutions for enabling real time 
scanning and streamlining it so it does not affect the Exchange Server as badly.

Would someone point me in the right direction or post potential case studies.

Please post or email me.

George.peek () gmx net

Thank You

