Thursday, February 3, 2011

Does anyone have references/metrics on the value of installing antivirus software - especially on servers?

I strongly dislike antivirus software. In my opinion, the AV software behaves much like a virus. The recent Symantec incident (actually causing server crashes), resource use, software interference, and user safety bias are each very problematic.

If I have locked-down servers behind a firewall, with admins following security protocol (no surfing, no downloads, etc.), what benefit would I have from installing antivirus software on these machines? I must install something for insurance purposes...

When I researched AV products a few years ago, the coverage was 95% at best, and that is for known security issues. That means that the best AV protection is vulnerable to thousands of known viruses and worms.

Every single infection I have encountered has been on a machine with AV software on it. The user always says, "But I have antivirus software..."

Can anyone provide metrics on the utility of av software on servers that will make me feel better about having to do it?

  • Plenty of data is provided by the companies selling their antivirus software.

    Best practices and regulatory practices in certain industries require its installation. For example, the PCI DSS requires it.

    If you have a workstation that gets compromised by a self-propagating worm, it's likely that any Windows servers on the same subnet will be compromised as well. Unless the servers are storing restricted data, the only risk is to availability.

    If you are able to justify the potential risk, go for it. I believe the argument you provide is technically legitimate. You also risk the perception of those who can influence your success within your career, as most people believe it to be absolutely necessary for Windows.

    Of course, if you want to take this risk, you should enforce certain practices including but not limited to:

    • Outbound traffic filtering to limit potential exposure in case of compromise.
    • Policies preventing accessing the Internet from servers.
    • Strictly enforced update policies.
    • Strictly enforced workstation policies, which prevent the potential installation of malware.

    Ultimately, good antivirus software will potentially reduce the technical risk. However, it's unlikely to be much if you have good security policies. Usually the most risk will be introduced by unrestricted users who are not very technical.

    Servers on more restricted subnets with specialized purpose and software will often not have antivirus software installed. At one point, it was recommended not to install it on certain server roles. I believe this is less common these days.

    joeqwerty : In my opinion, running any computer (At least those running Windows operating systems) without any type of AV or anti-malware software is like running across a busy highway. You may get away with it a hundred times but eventually you're going to get hit by a bus.
    Warner : You know, it's funny you say that-- I've never personally had an issue when not running AV software, which I typically won't on my personal workstations. In contrast, I had an issue with some newer type of malware a few weeks ago on a work laptop running Symantec corporate. Go figure.
    Miles Erickson : Symantec AV is a cruel joke: cruel because it uses server resources excessively even when exceptions *are* defined, and a joke because it offers very little protection even when exceptions *aren't* defined. If you have been led to believe that all enterprise AV software is this bad, you may be pleasantly surprised when you [explore the alternatives](http://serverfault.com/questions/73023/enterprise-level-anti-virus-software-with-these-requirements).
    Warner : I used to like AVG before it turned into adware. When we assessed multiple enterprise-grade AV software recently, my colleagues picked Symantec and I trust their judgment. I argued against it but when they tested it, my arguments were proven false. If I recall correctly, NOD32 could not meet our central management and auditing requirements but I have heard good things about it.
    Miles Erickson : Just one example: we had a busy quad-core server that went from 100% CPU usage with Symantec AV (25% directly attributable to realtime scanning) to 50% CPU usage with our current AV product. Symantec had exclusions defined for entire drives and directory trees that had frequent reads/writes; service process names also were excluded from scanning. The replacement AV product uses very little CPU on the same server, and it didn't require anything to be excluded from protection. Don't know your specific requirements, but the ESET management console is very powerful.
    From Warner
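A concrete form of the first three controls in Warner's list (default-deny outbound filtering, no general Internet access from the server, updates still allowed), as an added example that is not part of the original answer or comments: a PowerShell script for a domain-joined Windows Server using the built-in NetSecurity cmdlets (Windows Server 2012 or later, so newer than the page itself). The resolver, domain-controller and WSUS addresses, the rule-name prefix and the external test address are placeholders assumed for this example, not values from the page.

```powershell
# Added example: default-deny outbound policy for a locked-down Windows member server.
# Assumed placeholders (not from the original page): internal DNS at 10.0.0.10/.11,
# domain controllers in 10.0.0.0/24, internal WSUS at 10.0.0.20 on 8530/8531.
$Dns      = @('10.0.0.10', '10.0.0.11')
$DcSubnet = '10.0.0.0/24'
$Wsus     = '10.0.0.20'
$Tag      = 'Locked-down server'   # rule-name prefix so our rules are easy to audit or remove

# 1. Enable every profile, drop outbound traffic by default, and log the drops so a
#    compromised process that tries to beacon out leaves a trace in the firewall log.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# 2. Remove any earlier copy of our rules so re-running the script is idempotent.
Get-NetFirewallRule -DisplayName "$Tag*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 3. Allow-list only what a member server needs, pinned to internal addresses.
# DNS to the internal resolvers only (UDP, plus TCP for large responses)
New-NetFirewallRule -DisplayName "$Tag - DNS UDP" -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort '53' -RemoteAddress $Dns | Out-Null
New-NetFirewallRule -DisplayName "$Tag - DNS TCP" -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort '53' -RemoteAddress $Dns | Out-Null

# Active Directory: Kerberos, RPC endpoint mapper, LDAP/LDAPS, SMB, global catalog,
# dynamic RPC range, and NTP/Kerberos/LDAP over UDP, all restricted to the DC subnet
New-NetFirewallRule -DisplayName "$Tag - AD TCP" -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort @('88','135','389','445','636','3268','3269','49152-65535') `
    -RemoteAddress $DcSubnet | Out-Null
New-NetFirewallRule -DisplayName "$Tag - AD UDP" -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort @('88','123','389') -RemoteAddress $DcSubnet | Out-Null

# Windows Update only via the internal WSUS, and only from the update service itself,
# so a browser or dropped binary on the server cannot reuse this hole.
New-NetFirewallRule -DisplayName "$Tag - WSUS" -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort @('8530','8531') -RemoteAddress $Wsus -Service wuauserv | Out-Null

# 4. Verify the policy took effect: every profile must show DefaultOutboundAction = Block.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction

# 5. Audit step: list every enabled outbound allow rule that is NOT ours. Windows ships
#    its own (the Core Networking group among them, some allowing DNS to any address),
#    and a default-deny policy is only as tight as the rules left enabled.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -notlike "$Tag*" } |
    Select-Object DisplayName, Profile, Group |
    Sort-Object DisplayName

# 6. Spot check: a direct connection to an external address (TEST-NET placeholder)
#    should now fail, i.e. TcpTestSucceeded should be False.
(Test-NetConnection -ComputerName '203.0.113.10' -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
```

Run it in an elevated session on a non-production server first: an outbound policy that is too tight breaks Kerberos, Group Policy and time sync in ways that look like an unrelated server fault, and the built-in rules listed in step 5 are where most of the leftover exposure hides (disable the ones the server role does not need). Binding the WSUS rule to the `wuauserv` service rather than to an address alone is the detail that keeps the update path from becoming a general egress channel, which is the exposure Warner's first bullet is meant to limit.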
