RE: Why NOT to disable Real Time Antivirus on Servers

["Kirk Brady" <Kirk.Brady () TeachersHealth com au>]

Hi george

We exclude drives (eg m:), directories and list low risk processes from the a/v loaded ON the server - we then use a 
specific mail a/v scanner for mail virus scanning. this means the server can run almost unhindered as the server 
specific a/v doesnt actually interfere with the mail server software - we let the mail a/v do that.

i hope this makes sense
kirk

-----Original Message-----
From: george.peek () gmx net [mailto:george.peek () gmx net]
Sent: Thursday, 3 November 2005 4:34 AM
To: security-basics () securityfocus com
Subject: Why NOT to disable Real Time Antivirus on Servers


Greetings,

An Engineer and I are having an argument about keeping Real Time Antivirus disabled on servers.

His point is keeping Real Time Antivirus Enabled on servers such as the Exchange Server takes a huge performance hit on 
the server.

My argument is that keeping real time antivirus software disabled defeats the purpose of PREVENTING a server from being 
infected in the first place. Once it is infected, it is all too late already. The antivirus software is enabled on the 
workstations.

He argues that since all of the workstations have the antivirus enabled, then there is no way for the virus to get in.

Mine argument that a virus can still get in through other means. I need examples and case studies to refer to.

I would like to find different case studies or scenarios where the real time antivirus was disabled on the servers, 
enabled on the PCs, and the company still got infected. Also, would like to find solutions to enabling real time scan 
and stream lining it so it does not affect the Exchange Server as bad.

Would someone point me in the right direction or post potential case studies.

Please post or email me.

George.peek () gmx net

Thank You