Security Basics mailing list archives

Re: Why NOT to disable Real Time Antivirus on Servers


From: "THAVEEWAT VASAVAKUL" <THAVEEWAT () mail kvsinter com>
Date: Thu, 03 Nov 2005 12:31:25 +0700

Dear GP,
 
There are two parts of AV on the server (let's say Exchange):
 
1. AV to protect the WINOS itself. Even if your server is behind a good
firewall with all ports closed except 25/110/or IMAP, please do not
trust the roaming users with notebooks, i.e. the sales department. This is
the backdoor that may (may- sorry no attitude problem) bring in the
viruses. If you do not have roaming users, that would be another
scenario.
 
2. AV to protect inbound and outbound emails
 
On an Exchange server, at least, you need #2. At my site, we do both #1
and #2 (different AV software manufacturers). However, we have enabled
realtime scan on #1 for some specific winnt or windows folders only. #2
is a must to keep your email fully protected.
 
This format can be applied to some servers with DB engines running on
them or shared file servers.
 
Some other ways to take the load off the server (mail server only) are:
 
1. to have a gateway with AV engine installed. For example, Linux box
with AV engine installed on it. All incoming and outgoing mails are
scanned on the Linux box. (Not just Linux, it can be any other SMTP
gateway virus scanners)
 
2. Proper AV engine settings on the mail server. (For example,  Level
of attachment scanning). This helps but not much. It is like lowering
your intensity of scanning.
 
The performance degradation is unavoidable, but you gain some and
lose some.
 
 
I hope this helps.
 
 
Best regards,
 
 
Thaveewat Vasavakul
CNE, MCNE, MCP, RHCT, RHCE
Compaq Service Engineer
AMP Netconnect Installation Contractor

<george.peek () gmx net> 11/3/05 12:34:12 >>>

Greetings,

An Engineer and I are having an argument about keeping Real Time
Antivirus disabled on servers.

His point is keeping Real Time Antivirus Enabled on servers such as the
Exchange Server takes a huge performance hit on the server.

My argument is that keeping real time antivirus software disabled
defeats the purpose of PREVENTING a server from being infected in the
first place. Once it is infected, it is all too late already. The
antivirus software is enabled on the workstations.

He argues that since all of the workstations have the antivirus
enabled, then there is no way for the virus to get in.

My argument is that a virus can still get in through other means. I need
examples and case studies to refer to.

I would like to find different case studies or scenarios where the real
time antivirus was disabled on the servers, enabled on the PCs, and the
company still got infected. Also, I would like to find solutions for
enabling real time scan and streamlining it so it does not affect the
Exchange Server as badly.

Would someone point me in the right direction or post potential case
studies?

Please post or email me.

George.peek () gmx net 

Thank You

