Should I install an AV product on my domain controllers?

Solution 1:

Anti-virus software should definitely be running on all machines in a properly-managed network, even if other threat prevention measures are in place. It should run on servers too, for two reasons: 1) they're the most critical computers in your environment, much more than client systems, and 2) they're no less at risk only because nobody actively uses (or at least should not be actively using) them for surfing the web: there's plenty of malware which can automatically spread across your network if it can get hold of even a single host.

That said, your problem is more related to properly configuring your anti-virus software.

The product you're using comes with built-in firewalling: that's something that should be taken into account when running it on server systems, and configured accordingly (or turned off altogether).

Some years ago, anti-virus software was (in)famous for randomly deleting Exchange databases if by chance it came across a viral signature inside some e-mail message stored in the physical data file; every anti-virus vendor warned about this in the product manual, but some people still failed to grasp it and got their stores nuked.

There's no software you can "just install and run" without thinking twice about what you're doing.

Solution 2:

All of our servers (including file/sql/exchange) run Symantec Antivirus with realtime scanning and weekly scheduled scans. The software increases the load on the machines by ~2% for average workloads (average 10% cpu usage during the day w/o realtime scanning, 11.5-12.5% with realtime scanning on our file server).

Those cores weren't doing anything anyways.

YMMV.

Solution 3:

I have always had AV software with on-access scanning enabled on all Windows servers and have been grateful for it more than once. You need software that is both effective and well behaved. While I know there are a few who will disagree I have to tell you that Symantec is about as bad a choice as you could make.

"All in one" type packages are rarely as effective as well chosen individual components (as in, I've never seen a decent example yet). Select what you need for protection and then choose each component separately for best protection and performance.

One thing to be aware of is that there's probably no AV product that has decent default settings. Most these days go for scanning both read and write. While that would be nice it often leads to performance problems. Bad enough at any time but very bad when your DC has problems because a file it needs to access has been locked while the AV scanner is checking it. Most scanners also scan a very large number of file types that can't even be infected because they cannot contain active code. Check your settings and adjust with discretion.
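The answer above says to adjust the scanner's settings so it does not lock files the domain controller needs; the concrete form of that on a DC is an exclusion list covering the AD database, its transaction logs and the SYSVOL replica. The script below is an added example, not code from any poster in this thread, and it assumes Microsoft Defender Antivirus is the installed engine (the posters use Symantec, whose exclusions are configured in its own console but cover the same paths). Rather than hard-coding paths, it reads them from the registry values the NTDS and Netlogon services write at promotion time (`DSA Database file`, `Database log files path`, `DSA Working Directory` under the NTDS Parameters key, and `SysVol` under the Netlogon Parameters key), so it picks up non-default install locations. It then prints the resulting exclusion list so you can check what on-access scanning will now skip.

```powershell
# Added example (not from the thread): add Defender exclusions for the paths
# and processes a domain controller relies on, then show the resulting list.
# Run in an elevated PowerShell session on the DC itself.
# Assumption: Microsoft Defender Antivirus is the engine, so Add-MpPreference
# and Get-MpPreference are available.

$ntds     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Directory database, its logs/working directory, and the SYSVOL replica root.
# Each value is read from the registry, so a DC installed to D:\ is handled too.
$paths = @(
    $ntds.'DSA Database file'         # e.g. C:\Windows\NTDS\ntds.dit
    $ntds.'Database log files path'   # NTDS transaction logs (edb*.log)
    $ntds.'DSA Working Directory'     # temp.edb, edb.chk
    $netlogon.SysVol                  # SYSVOL replica (group policy, scripts)
) | Where-Object { $_ } | Select-Object -Unique

# Processes whose file I/O should not be intercepted by on-access scanning.
# ntfrs.exe only exists in domains still replicating SYSVOL with FRS.
$processes = @(
    "$env:SystemRoot\System32\lsass.exe"   # hosts the directory service
    "$env:SystemRoot\System32\ntfrs.exe"   # FRS replication (older domains)
    "$env:SystemRoot\System32\dfsrs.exe"   # DFS-R replication of SYSVOL
)

$before = Get-MpPreference
foreach ($p in $paths) {
    if ($before.ExclusionPath -notcontains $p) {
        Add-MpPreference -ExclusionPath $p
    }
}
foreach ($p in $processes) {
    if ((Test-Path $p) -and ($before.ExclusionProcess -notcontains $p)) {
        Add-MpPreference -ExclusionProcess $p
    }
}

# Verify: this is the list the engine will skip during on-access scanning.
$after = Get-MpPreference
'Excluded paths:'
$after.ExclusionPath | Sort-Object
'Excluded processes:'
$after.ExclusionProcess | Sort-Object
```

Keep the list as short as this: every exclusion is a place malware can sit unscanned, so exclude the database, log and replication paths that the DC actually locks, and leave the rest of the system under normal on-access scanning. Re-run the verification step after definition or product upgrades, since some products reset exclusions on a major version change.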

Solution 4:

I'm going to offer a counterpoint to the prevailing answers to this thread.

I don't think you should be running anti-virus software on most of your servers, with file servers being the exception. All it takes is one bad definition update and your anti-virus software could easily break an important application or stop authentication in your domain entirely. And, while AV software has made substantial progress in its performance impact over the years, certain types of scans can have a negative effect on I/O or memory sensitive applications.

I think there are pretty well documented downsides to running anti-virus software on servers, so what's the upside? Ostensibly, you have protected your servers from whatever nastiness filters in through your edge firewalls or is introduced into your network. But really, are you protected? It's not entirely clear and here's why.

It seems like most successful malware has attack vectors that fall into three categories: a) relying on an ignorant end user to accidentally download it, b) relying on a vulnerability that exists in the operating system, application or service or c) it's a zero day exploit. None of these should be realistic or relevant attack vectors for servers in a well run organization.

a) Thou Shalt Not Surf the Internet on Thy Server. Done and done. Seriously, just don't do it.

b) Remember NIMDA? Code Red? Most of their propagation strategies relied on either social engineering (the end user clicking yes) or on known vulnerabilities that patches were already released for. You can significantly mitigate this attack vector by making sure you stay current with security updates.

c) Zero day exploits are hard to deal with. If it's zero day, by definition your anti-virus vendor will not have definitions out for it yet. Exercising defense in depth, the principle of least privilege and having the smallest attack surface possible really helps. In short, there's not much AV can do for these types of vulnerabilities.

You have to do the risk analysis yourself, but in my environment I think the benefits of AV are not significant enough to make up for the risk.