Should I install an AV product on my domain controllers?


Solution 1

Anti-virus software should definitely be running on all machines in a properly-managed network, even if other threat prevention measures are in place. It should run on servers too, for two reasons: 1) they're the most critical computers in your environment, much more than client systems, and 2) they're no less at risk just because nobody actively uses (or at least should not be actively using) them for surfing the web: there's plenty of malware which can automatically spread across your network if it can get hold of even a single host.

That said, your problem is more related to properly configuring your anti-virus software.

The product you're using comes with built-in firewalling: that's something that should be taken into account when running it on server systems, and configured accordingly (or turned off altogether).

Some years ago, anti-virus software was (in)famous for randomly deleting Exchange databases if by chance it came across a viral signature inside some e-mail message stored in the physical data file; every anti-virus vendor warned about this in the product manual, but some people still failed to grasp it and got their stores nuked.

There's no software you can "just install and run" without thinking twice about what you're doing.

Solution 2

All of our servers (including file/sql/exchange) run Symantec Antivirus with realtime scanning and weekly scheduled scans. The software increases the load on the machines by ~2% for average workloads (average 10% cpu usage during the day w/o realtime scanning, 11.5-12.5% with realtime scanning on our file server).

Those cores weren't doing anything anyways.

YMMV.

Solution 3

I'm going to offer a counter point to the prevailing answers to this thread.

I don't think you should be running anti-virus software on most of your servers, with file servers being the exception. All it takes is one bad definition update and your anti-virus software could easily break an important application or stop authentication in your domain entirely. And, while AV software has made substantial progress in its performance impact over the years, certain types of scans can have a negative effect on I/O or memory sensitive applications.

I think there are pretty well documented downsides to running anti-virus software on servers, so what's the upside? Ostensibly, you have protected your servers from whatever nastiness filters in through your edge firewalls or is introduced into your network. But really, are you protected? It's not entirely clear, and here's why.

It seems like most successful malware has attack vectors that fall into three categories: a) relying on an ignorant end user to accidentally download it, b) relying on a vulnerability that exists in the operating system, application or service, or c) it's a zero day exploit. None of these should be realistic or relevant attack vectors for servers in a well run organization.

a) Thou Shalt Not Surf the Internet on Thy Server. Done and done. Seriously, just don't do it.

b) Remember NIMDA? Code Red? Most of their propagation strategies relied on either social engineering (the end user clicking yes) or on known vulnerabilities that patches were already released for. You can significantly mitigate this attack vector by making sure you stay current with security updates.

c) Zero day exploits are hard to deal with. If it's zero day, by definition your anti-virus vendor will not have definitions out for it yet. Exercising defense in depth, the principle of least privilege and having the smallest attack surface possible really helps. In short, there's not much AV can do for these types of vulnerabilities.

You have to do the risk analysis yourself, but in my environment I think the benefits of AV are not significant enough to make up for the risk.

Solution 4

I have always had AV software with on-access scanning enabled on all Windows servers and have been grateful for it more than once. You need software that is both effective and well behaved. While I know there are a few who will disagree I have to tell you that Symantec is about as bad a choice as you could make.

"All in one" type packages are rarely as effective as well chosen individual components (as in, I've never seen a decent example yet). Select what you need for protection and then choose each component separately for best protection and performance.

One thing to be aware of is that there's probably no AV product that has decent default settings. Most, these days, go for scanning on both read and write. While that would be nice, it often leads to performance problems. Bad enough at any time, but very bad when your DC has problems because a file it needs to access has been locked while the AV scanner is checking it. Most scanners also scan a very large number of file types that can't even be infected because they cannot contain active code. Check your settings and adjust with discretion.
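As an added example (not code from the thread or any of its posters), here is how an administrator can take the "check your settings" advice above literally on a DC: read the paths the AD DS role actually uses from the registry instead of hard-coding them, then report whether the resident scanner is set to scan on both read and write and whether those paths are excluded. The Defender cmdlets in the second half are an assumption about the product in use (the thread discusses Symantec); substitute your vendor's equivalent.

```powershell
# Added example: audit AV scan settings against the files a domain controller must
# be able to open. Assumes it is run elevated on the DC itself.

$ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Locations the DC reads and writes constantly; a scan-time lock here shows up as
# replication or authentication trouble rather than as an obvious AV error.
$criticalPaths = @(
    $ntds.'DSA Database file'          # ntds.dit
    $ntds.'Database log files path'    # edb*.log, edb.chk
    $ntds.'DSA Working Directory'      # temp.edb and other working files
    $netlogon.SysVol                   # SYSVOL replica (GPOs, logon scripts)
) | Where-Object { $_ } | Select-Object -Unique

Write-Host 'AD DS paths on this DC:'
$criticalPaths | ForEach-Object { Write-Host "  $_" }

# Product-specific part. Assumption: Microsoft Defender Antivirus is installed.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $pref = Get-MpPreference

    # RealTimeScanDirection: 0 = both read and write, 1 = incoming (writes) only,
    # 2 = outgoing (reads) only. The default of 0 is the "scan both" behaviour
    # the answer above warns about.
    $direction = @{ 0 = 'both read and write'; 1 = 'incoming (writes) only'; 2 = 'outgoing (reads) only' }
    Write-Host "Real-time scan direction: $($direction[[int]$pref.RealTimeScanDirection])"

    # Which critical paths are not yet covered by a path exclusion?
    $missing = $criticalPaths | Where-Object {
        $p = $_
        -not ($pref.ExclusionPath | Where-Object { $p -like "$_*" })
    }

    if ($missing) {
        Write-Host 'AD DS paths NOT excluded from real-time scanning:'
        $missing | ForEach-Object { Write-Host "  $_" }
        # Review the list first, then apply with:
        #   Add-MpPreference -ExclusionPath $missing
    } else {
        Write-Host 'All AD DS paths are already excluded.'
    }
}
```

The script only reports; the commented-out `Add-MpPreference` line is the change to make once the list has been reviewed, and the same paths can be fed to any other product's exclusion list.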

Author: mhud

Updated on September 17, 2022
Comments

  • mhud almost 2 years

    Should I run a server-specific antivirus, regular antivirus, or no antivirus at all on my servers, particularly my Domain Controllers?

    Here's some background about why I'm asking this question:

    I've never questioned that antivirus software should be running on all Windows machines, period. Lately I've had some obscure Active Directory related issues that I have tracked down to antivirus software running on our domain controllers.

    The specific issue was that Symantec Endpoint Protection was running on all domain controllers. Occasionally, our Exchange server triggered a false-positive in Symantec's "Network Threat Protection" on each DC in sequence. After exhausting access to all DCs, Exchange began refusing requests, presumably because it could not communicate with any Global Catalog servers or perform any authentication.

    Outages would last about ten minutes at a time, and would occur once every few days. It took a long time to isolate the problem because it was not easily reproducible and generally investigation was done after the issue resolved itself.

    • Spence almost 15 years
      Sounds like a nasty Symantec Endpoint Protection infection to me. I'd get that removed ASAP. Seriously, though, the product caused us major problems with customers losing access to their servers, etc. It was horrible when it was released and the "maintenance releases" have only made it incrementally better. We're ditching them for Trend Micro everywhere it's feasible.
    • Massimo almost 15 years
      Agreed, Symantec products really make you WISH you caught some nasty virus instead of them.
    • mhud almost 15 years
      That's funny, we went from Trend Micro to Symantec. I guess it's all various shades of crap.
    • John Gardeniers almost 12 years
      "Symantec" and "antivirus" should never be used in the same sentence, as there is no discernible relationship between them.
  • mhud almost 15 years
    Great point about taking the time to properly configure any AV software. AV software is probably the most important class of software to not "rush out." I have seen cases where Exchange has had its data files 'repaired' from underneath it, to much fanfare from people trying to use their e-mail.
  • Michael Hampton almost 12 years
    One does not simply put up an edge firewall and AV on the user workstations. There are other threats. There is evil out there that does not sleep. It will find some way through your edge firewall and have the run of your network. Or a disgruntled employee will bring it in. Not having defense in depth is folly.
  • Channard almost 12 years
    One does not simply comment without reading the entire post. =) I suggest far more than what you have interpreted. I suggest AV on clients and a hardware based solution for spam and in particular virus blocking. I do not mention firewalls as the question was not about firewalls, but AVs. My smallish section of the network uses: IronPort C670 for our email servers, IronPort S670 for our webservers and an IronPort M670 for most everything else related to taking care of managing the whole mess; in addition to those, we have security routers and firewalls and client side AVs as you suggested.
  • Channard almost 12 years
    Also, in my original post, I talk about users bringing in viruses (virii). item: #4
  • HopelessN00b almost 12 years
    No, @MichaelHampton is right, this is an awful answer.
  • Channard over 11 years
    @HopelessNoob: Have you even looked at the Cisco IronPorts offering and Security Operations Center Controls? So many datacenters rely on this integrated set of anti-virus, spam, intrusion detection, etc, etc, etc. Please recommend something else, I am eager to hear your response and possible replacements you may suggest.
  • Channard over 11 years
    @HopelessNoob: You probably already know, but IronPorts was bought by Cisco and is now called Cisco Email Security and Cisco Web Security. A CCIE Security will configure this correctly. A simple all-in-one IronPorts answers the original question about putting an AV on the DC controllers which was triggering a false positive. There are many ways to go around the problem, but the IronPorts aka Cisco Email Security and Cisco Web Security stacks will certainly do the trick.
  • MrGigu about 8 years
    I'd argue this is essentially the same as KCE's answer, as this is actually unrelated to the domain controller being a domain controller, and more to do with it being a file server. If you choose to combine your file server and DC roles, then you are going to have to treat the server as both.
  • Rostol about 8 years
    A DC should never ever run together with databases, or mail servers or file servers ... one of the first things that happens when a server is a DC is that file caching on that server is TURNED OFF.