Free Antivirus For Server 2012 R2


Margit Szermer

Aug 4, 2024, 9:49:16 PM8/4/24
to smearinyner
Exchange: I'd advise installing a proper Exchange product (Sybari AntiGen was the original; that's now MS ForeFront for Exchange but there's lots of competition now) that will scan the content of the emails; there's little point scanning the file system on an Exchange server.

Basically, I don't think there's a one-size-fits-all answer to that question; you need to work out where the risks are. Generally, apart from a file server, I wouldn't suggest generic file AV on servers; you want something more specific to the role of the server.


We run AV on everything that has Windows. With basic configuration (excluding databases, scan on write only, etc.) the overhead is so minimal that the cost is virtually zero. The one exception in my organization is Hyper-V servers, which are very carefully isolated from the rest of the network.


First of all, Anti-Virus products can have a very significant impact on performance, especially with certain workloads. Make sure you are selecting the correct AV product for the machine, and make sure it's configured correctly.


Special note, be really careful with Exchange, and never install client-type AV software on it. We had a guy who brought our Exchange server to its knees at my previous job after he installed an AV client (intended for desktops) on it that was trying to scan every e-mail going in or out and operated very slowly.


Many times it's not up to you. If you're bound by certain policies, it may be required. I'm not current on PCI standards, but back when they first came out, it required us to put AV software on all our servers.


I think the real argument for having AV on Windows servers is worms or other viruses that can spread without the need for an incompetent (or unlucky) admin. It has been a long time since I have seen a good worm that exploited an MS bug and could freely move from computer to computer. This requires no user or admin intervention to spread. Servers are especially dangerous as they are usually on 24x7 and many of them don't get logged onto on a regular basis (i.e. you may not see the problem(s) right away).


My policy is that ALL Windows boxes get AV installed on them (Linux is a different story), tweaked to offer protection with minimal performance impact. Also, boxes that run functions such as email will need AV that is specifically tailored to that environment. Nothing is worse than AV trying to dig into mail databases and grab viruses...


The Real Time will hopefully not be needed very often, but the sweeps I select for weekly or daily, after hours, can find things that might have been missed previously (i.e. virus was not part of the previous definitions).


Antivirus is necessary only if "dumb" clients have execution/administrator rights on computers. So if your server admin is "dumb", then you DO need antivirus. If you have a REAL server admin, then he will never run any file on the server that does not come from a trusted source. An admin can always scan a file on his own machine.


If a server is set up correctly, then it can NOT be affected by a virus, even if there is a virus on its file share. So for me it does not make any sense having antivirus on the server. For Exchange, executable files should be forbidden. I have not seen a virus in my email for the last 6 years.


Was wondering, is it a good idea to install an antivirus on the web server? In the app, users can't upload any files except images (and they are checked for being images in the app code before being saved on the server). I'm encouraged not to install an antivirus in order not to affect performance or cause any troubles with the app; will I miss anything by doing this?


A well run webserver should IMHO not have a commercial anti-virus (AV) package installed. The kind of Office macro viruses and mass-market trojans that AV packages are optimized for are a poor match to the problems of a web server.


A host intrusion detection system takes some configuration, since it can give a lot of false errors if not set up properly. But once it's up and running, it will catch more intrusions than AV packages. Especially H-IDS should detect a one-of-a-kind hacker backdoor, which a commercial AV package probably will not detect.


If it's Windows based, which you said it is, I would. I would also try finding some form of host intrusion detection (a program that monitors/audits files that are changing on the server and alerts you to the changes).


When there's a vulnerability, the fact that there's an exploit is usually known within a window of time between discovery and the fix being distributed; then there's a window of time until you get the fix and apply it. In that time there's usually some form of automated exploit available and script kiddies are running it to expand their bot networks.


Note that this also affects AVs, since: new malware created, malware distributed, sample goes to your AV company, AV company analyzes, AV company releases new signature, you update signature, you're supposedly "safe", repeat cycle. There's still a window where it's spreading automatically before you're "inoculated".


Ideally you could just run something that checks for file changes and alerts you, like TripWire or similar functionality, and keep logs on another machine that is kind of isolated from use so if the system is compromised the logs aren't altered. The trouble is that once the file is detected as new or altered you are already infected and once you're infected or an intruder is in it's too late to trust that the machine hasn't had other changes. If someone has cracked the system they could have altered other binaries.


Then it becomes a question of do you trust the checksums and host intrusion logs and your own skills that you cleaned up everything, including rootkits and Alternate Data Stream files that are possibly in there? Or do you do the "best practices" and wipe and restore from backup, since the intrusion logs should at least tell you when it happened?


Any system connected to the Internet running a service can be exploited potentially. If you have a system connected to the Internet but not actually running with any services I'd say you're most likely safe. Web servers do not fall under this category :-)


A slight variation is upload of files. They are harmless for your server - if I upload a manipulated image or trojan-infested .exe, nothing will happen (unless you execute it). However, if other people then download those infected files (or if the manipulated image is used on the page), then their PCs might become infected.


If your site allows users to upload anything that is shown or downloadable for other users, then you might want to either install a Virus Scanner on the Web Server or have some sort of "Virus Scanning Server" in your Network that scans every file.


And to completely turn this answer 180 around: It's usually better to be safe than sorry. If you work on the web server, it's easy to accidentally click a bad file and wreak havoc. Sure, you can connect to it a thousand times to do something over RDP without touching any file, but the 1001st time you will accidentally execute that exe and regret it, because you cannot even know for sure what a virus does (nowadays they download new code from the internet as well) and would have to perform some intensive forensics on your whole network.


There are many options available. While I personally don't like McAfee or Norton, they are out there. There's also AVG, F-Secure, ClamAV (though the win32 port is no longer active), and I'm sure hundreds more :)


I'm implementing a server side event client in JavaScript, using EventSource. Messages sent by the backend never reached the frontend until I realized that my antivirus blocks them. As soon as I turned it off, the events started to work as expected and the messages arrived.


Of course I can disable this obnoxious busybody of a bugware on my own computer, but I can't ask my users to do the same. Also, it seems that Windows Security is blocking EventSource traffic too.


Can someone tell me the difference between the 2? Is it like server-based antivirus updates itself on the server so other clients connected to it just download the update locally, whereas in client-based each would have to update via the web?


That is one of the differences. The other is that some anti-virus programs (I know that Trend can do this) can offload the actual scanning of the files to the server so that the client doesn't have to do the work. This is good if you have a really high-powered anti-virus server and a lot of older, slow workstations, so that they aren't affected by the CPU resources needed to scan the files.


Servers that download updates on behalf of clients which connect to it are usually called management servers. They let an administrator use a single central point of control for all the connected clients, configuring scanning and exception policies, running reports, and checking client status in one place. All the popular "enterprise" AV vendors offer something like this, often called endpoint suites. It's usually cost effective if you have more than 20 clients.


If your environment is as stated in the quote above, it might not be necessary to run AV on your servers. But even then, it is recommendable to run AV software in the context of a global security approach. You might want to configure an AV solution on your servers differently from those on your endpoints though, depending on your security concept. And even if your servers are separated from the Internet via serverless proxies, this will not protect them against a ransomware attack or some kind of worm attack which infected an endpoint within your organisation. But as my questions above raised, there are doubts that you assessed your situation correctly. It seems to be an unusual configuration if none of the servers have Internet connections in an SME.
