Hi Neowinians!

I have run into a bit of a situation - i am a semi-admin for a small family business (of about 5 people or so). We have recently gotten someone in to design some software for us, and for "security reasons" he suggests installing an Antivirus on the server (specifically SBS 2008).

Currently the server is used as a file server (network shares) and will be used with Exchange (2007). It hosts no externally visible web pages (only the local intranet page) and its only externally visible service is a (fully updated) RDP server for admin tasks only (that is, it's not running RDP for general use). I perform no tasks on it, and someone would log onto it every few months - tops. Only people who are 'tech savvy' have access to the server - and it has UAC on it. As i said, we're a small company, so we're not going to get any directed 'hate attacks', we have no published IP/DNS record. Windows firewall is configured, a hardware firewall (NAT/SPI) is in place, and all clients connecting (via VPN) have AV.

General consensus on the net seems to be to install an AV for the server - however it all seems to be knee-jerk justifications "install AV for securitieeez", without providing an actual reason. I mean i understand it WILL be more secure as it can't make it worse...but i mean, what is the actual attack vector for a virus to a server? It seems like a big overhead for our server, which will already struggle with Exchange (8GB of DDR2 RAM and a 2.66GHz Core 2 Quad).

What do people think?

Thanks for any advice =)

Regards,

UL

Definitely a knee jerk reaction. If you're happy with how it is keep it that way.

I imagine you're behind a firewall so the only way a virus will make it onto your server is by someone using remote desktop and going to dodgy sites \ using warez.

The main thing is to keep the box up to date with all windows \ exchange updates.

if users cannot save to any network shares on the SBS box (including home drives & inc admin$ shares), that reduces the localised risk.

id recc something filtering your exchange services for malware/spam though.

Av serves two purposes in the "admin" role, not only gives realtime protection, it also mitigates risk.

TBH Id run av on the server regardless you could always only have on access scanning on writing to the server and most SBS packages will have an smtp or exchange plugin/agent.

You could do a file scan every night.

I can understand the concern if you are using it as a file server for your business.

If the desktop experience role is added, it should bring Microsoft Windows Defender with it, which is better than nothing and is non-intrusive and shouldn't cause any noticeable performance issues. The only drawback will be if you are monitoring Windows Updates as you will regularly get definition updates.

The main issue with the server has to be how exposed it is to the user network. If it is in its own subnet/broadcast domain and is well firewalled with only specific and explicit ports being allowed in to it (and better yet IPSec for file share access) then the attack vector is lower.

If however you have a user network where all of your users insist on living in administrator accounts on the same LAN segment with the same AD user account that has full access to the server, then you have identified the weak point and are wholly reliant on the AV solution on workstations to protect the server. The next time Sophos, McAfee or Symantec (etc) put out a bad DAT and wreck the AV scanning engine on the workstation, you may be left with nothing between it and the next Java exploit.

The real answer is to cost benefit of it to YOUR business (not mine or anyone else's)

Worst Case: What is the cost of AV + more RAM + may be (if possible) second CPU + potentially reduced response time

vs.

Worst Case: That server going down for x hours, requiring a reinstall / restore from backup and potentially data loss

If the answer is "this server cannot be down, period" then I think you've come to your own answer. If you can afford the server to be out for 4 - 24 hours to do a repair with no tangible damage to the viability of the business (apart from your time) then equally so.

If you have an answer to that question that works for your business, then anyone else's "gut feeling" doesn't matter. As the IT manager YOU have to make the call, not people on a web forum; simply because you are the one whose neck is on the line. You do however have to justify it at the point where it all goes wrong i.e. "why didn't we have anti-virus, the expensive recovery consultant just told me we didn't have any?" vs. "why did we just spend all that money on anti-virus and the server was down for 16 hours due to a security breach?" :p

Good luck!

Thanks for the quick replies people =)

That was my thought - a can have, but not a must have. If no one actually DOES anything on the server, there is no need for it (i don't think i have actually opened an external website on the server before lol)

Regards,

UL

Edit:

Sorry, didn't see the replies from Mando, Aergen and C:Amie.

None of the users have admin rights to the server, and i don't believe we actually have AD set up (default SBS install, basically). There aren't any domain computers on the network. Even if someone dumps an infected file onto a server share...that won't actually DO anything to the server, will it? i mean yes, it will be on the server...but it can't spontaneously insert itself into any processes.

With regard to exploits, the server doesn't actually run Java as a side note, but all software is up to date...and an AV won't actually protect from exploits, will it? In my experience i rarely see an AV actually DO anything - UAC is what really saves. (On a desktop computer i would say turn on UAC and go no AV, rather than have an AV with UAC off)

If i could throw in more RAM, i would...but the server only has 4 slots, and i can't find any 4GB DDR2 sticks =(

I won't "do what I'm told", but it would be naive not to seek advice from people (likely) more experienced - I am far from an experienced network admin =P

Thanks again! =)

Actually yes, it can do something to the server if you are not signed on to it. There are ways for the server to get infected even if you are not logged onto it.

The Morto worm is just one that would do so using an exploit in RDP.

http://www.infosecur...com/view/27277/

There was a SQL worm virus in 2003 that exploited holes in SQL (again don't have to be logged on into the server to get the virus).

While most viruses and malware require you to be logged onto the server to be able to get infected, there are quite a few where just having a server on the network could get the server infected. I have only listed examples of malware that have previously infected servers in the past without logging into them; this could happen again, and if your system is not protected it could happen to you. It is better to have something on the server than not to protect it, esp if opening it up to the internet...the only way to be 100% and not get it infected is if you unplug the network cable and do not have it attached to any wireless network, but then what is the point of central storage when you can't attach to it some way?
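A defender-side check for the one externally reachable service in this setup, the admin RDP endpoint: an added example (not from any poster in this thread) that scans an exported Windows Security log for bursts of failed RemoteInteractive logons (event 4625, logon type 10) per source address, which is the trace that RDP password guessing leaves before any foothold. The CSV export layout and the sample lines are constructed assumptions, not a real capture.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (hypothetical, not real data), one event per line:
# timestamp,event_id,logon_type,account,source_ip
SAMPLE_LOG = """\
2011-09-01T02:00:01,4625,10,administrator,203.0.113.7
2011-09-01T02:00:02,4625,10,admin,203.0.113.7
2011-09-01T02:00:03,4625,10,Administrator,203.0.113.7
2011-09-01T02:00:04,4625,10,Admin,203.0.113.7
2011-09-01T02:00:05,4625,10,root,203.0.113.7
2011-09-01T02:00:06,4625,10,server,203.0.113.7
2011-09-01T09:15:00,4625,10,ul,198.51.100.20
2011-09-01T09:15:30,4624,10,ul,198.51.100.20
2011-09-02T02:00:01,4625,3,guest,192.0.2.9
"""

def parse_events(text):
    """Parse the CSV-style export into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, event_id, logon_type, account, src = parts
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "account": account, "src": src})
    return events

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: peak_failures_in_window} for every source whose RDP logon
    failures (4625 with logon type 10) reach `threshold` inside any sliding `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            failures[e["src"]].append(e["ts"])
    alerts = {}
    for src, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[src] = peak
    return alerts

if __name__ == "__main__":
    for src, n in find_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"possible RDP password guessing from {src}: {n} failures within 5 minutes")
```

A single failure from a legitimate admin address, or a network (type 3) logon failure, does not trip the threshold; only the burst of distinct account names from one source does.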

[First of all, a disclaimer: I happen to work for a company that develop anti-malware software, so please keep that bias in mind when reading my reply. AG]

Hello,

It's not clear to me from reading the message thread as to whether the network containing the server has Internet access or not. If this is an isolated (non-Internet connected) network, then installing and updating security software on it is probably going to be more for compliance or insurance reasons than anything else (e.g., install the virus signature database at the same time OS and application patches are brought in on disc).

If the server is connected to the Internet, or other devices attached to the same network it's on are connected to the Internet, then one needs to start thinking about the way in which those systems could be compromised, and what that might lead to for the business if those hosts, or the server, were compromised. Securing a network is about managing risk, and as C:Amie noted, that is a cost measurement you have to make.

For the most part, how a server is used at a business is not that relevant to the attacker: There may be data of value on it (financial or customer records, business plans and so forth), but targeted attacks like that are rare. Usually they serve as a springboard from which to attack other hosts, either on that network or other Internet-connected hosts. For that matter, an infection could occur from something like the Conficker worm, which is still spreading, even though it seems the operators of that particular piece of malware gave up on it years ago.

Does that mean that your network is bound to be infected? No, it does not. But, perhaps it does mean that some basic level of protection isn't a bad idea. While most anti-malware products for servers are commercial products, there's Clam AV, which is free. It does not have a real-time component, but you could schedule it to run at times when it won't impact the business.

Regards,

Aryeh Goretsky
