RE: Why NOT to disable Real Time Antivirus on Servers

["Dunigan, Michael" <mdunigan () umich edu>]

        The flaw in your friend's argument is the assumption that the
workstation connections are "the only way a virus can get in".  It may
be true, but it is easy to overlook attack vectors for malware.  

- Maybe you become a victim of a "Zero-day attack" because you can not
get a patch, test it, and apply it to all of your servers before malware
makes your machines toast.
- Maybe you get a patch and find a problem with the patch, so you
intentionally don't apply it at first.
- Are you running an SMTP service on the server that could allow malware
on the server?
- SFTP/FTP/WebDAV?
- Open file shares that are accessible to partners/vendors/other
departments/etc.?

        The list can go on and on, but you have to make sure that there
is NO way to get a file/virus/malware on the server that is not
protected.   And once your server is compromised, the only way to ensure
you have it clean is to rebuild it.

        I used to run with the mode that your friend supports, but we
found that it was just too much risk, so we took a small performance hit
and loaded up McAfee on the servers.  The performance hit was
noticeable, but not a show stopper.  "Defense in Depth" is the mantra
and loading anti-virus on the servers is a part of that.

                        Mike


> -----Original Message-----
> From: george.peek () gmx net [mailto:george.peek () gmx net]
> Sent: Wednesday, November 02, 2005 12:34 PM
> To: security-basics () securityfocus com
> Subject: Why NOT to disable Real Time Antivirus on Servers
>
> Greetings,
>
> An Engineer and I are having an argument about keeping Real Time
Antivirus
> disabled on servers.
>
> His point is keeping Real Time Antivirus Enabled on servers such as
the
> Exchange Server takes a huge performance hit on the server.
>
> My argument is that keeping real time antivirus software disabled
defeats
> the purpose of PREVENTING a server from being infected in the first
place.
> Once it is infected, it is all too late already. The antivirus
software is
> enabled on the workstations.
>
> He argues that since all of the workstations have the antivirus
enabled,
> then there is no way for the virus to get in.
>
> Mine argument that a virus can still get in through other means. I
need
> examples and case studies to refer to.
>
> I would like to find different case studies or scenarios where the
real
> time antivirus was disabled on the servers, enabled on the PCs, and
the
> company still got infected. Also, would like to find solutions to
enabling
> real time scan and stream lining it so it does not affect the Exchange
> Server as bad.
>
> Would someone point me in the right direction or post potential case
> studies.
>
> Please post or email me.
>
> George.peek () gmx net
>
> Thank You