Antivirus software should always be the first piece of software installed on any computer. It acts as the policeman at the gate of the system, overseeing all operations and stopping harm from coming to your machine while you use it. It may seem crazy to advise against installing antivirus on any particular machine, but when it comes to servers you may not actually need it. If one of your servers does not connect to the outside world directly and has no direct user interaction, there may be no reason to install AV software on it.
In many cases installing AV software on servers may actually hurt the performance and stability of your server. Antivirus software’s main role is to scan files coming into and going out of a system. The extra overhead of real-time scanning, and the risk that AV software quarantines files critical to line-of-business operations, can result in performance issues. If AV is installed on a server, its disk scans should always be scheduled out of hours to make sure there is no impact on performance. Antivirus can sometimes make you more vulnerable, because hackers can exploit vulnerabilities in the antivirus as well as vulnerabilities in the operating system in order to access your server. More vulnerabilities mean more opportunities for hackers. If you set up the server properly, patch it regularly to close any possible Microsoft vulnerabilities, and maintain good security practices, you usually don’t need antivirus.
Now, please note, there are some instances when you will need antivirus. So which servers should have antivirus and which servers shouldn’t? Here’s a simple breakdown:
Types of Servers:
- Exchange: YES – Use Exchange-specific antivirus solution.
- SharePoint: If you trust that the downloader and uploader workstations are secure, you don’t really need AV at the SharePoint level. If you aren’t sure or you just want to be extra careful, we recommend (and so does Microsoft) that you use a SharePoint VS API-based solution.
- AD/DC: No – Antivirus not necessary unless users interact with the server (if there are multiple roles on the same server).
- DHCP/DNS: No – Antivirus not necessary unless users interact with the servers (if there are multiple roles on the same server).
- File Server: Yes – Set antivirus to scan on write only. This server is only going to get a virus if a user accidentally uploads a file they shouldn’t.
- Utility Servers: These servers connect to file stores or other web stores so scanning on write is advised.
- SQL/Database: Don’t worry about antivirus unless non-admin users are interacting with the server (they shouldn’t be, btw).
- Web Server: Web servers always need antivirus because users are going to be uploading files and/or linking to other sites.
If you’re setting up a new server, make sure to wait until you’ve done all your configuration and have installed all the software or server roles before adding any antivirus, so that it doesn’t block any registry or system file changes (and trust me, it will block stuff).
If you need an AV solution, it is important that you don’t use a generic one-size-fits-all antivirus solution on your servers. If there’s antivirus made specifically for the software on your server, use that. It may cost more, but it’s worth it because that generic stuff isn’t going to offer you much protection. For some of the servers above, it’s actually better to have no antivirus at all than to have a generic solution.
If you are unsure, then I would always recommend that you play it safe and install AV on everything if possible, although sometimes that is not possible because of performance. I highly recommend at the very least running AV on servers that touch the net and ones that clients touch, like RDS and Citrix app servers. I also recommend splitting out the AV policies so that client machines and groups of servers each get their own policy, which keeps things flexible. This is just one layer of the security model as well.
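The breakdown and the closing advice above can be turned into an audit over a server inventory. The following is an added example, not part of the original article. It assumes that when a server holds several roles the strictest requirement wins, that "AV required" ranks above "scan on write only", and that roles missing from the breakdown are treated as "required" per the play-it-safe advice; the role keys, `Server` fields and inventory are constructed for illustration.

```python
from dataclasses import dataclass

NONE, ON_WRITE, REQUIRED = 0, 1, 2   # assumed ordering: higher means more scanning
LABEL = {NONE: "none", ON_WRITE: "on-write", REQUIRED: "required"}

POLICY = {  # role -> (baseline level, level once the role's exception applies)
    "exchange":   (REQUIRED, REQUIRED),  # use an Exchange-specific product
    "sharepoint": (NONE, REQUIRED),      # exception: client workstations not trusted
    "ad-dc":      (NONE, REQUIRED),      # exception: users interact with the server
    "dhcp-dns":   (NONE, REQUIRED),
    "file":       (ON_WRITE, ON_WRITE),
    "utility":    (ON_WRITE, ON_WRITE),
    "sql":        (NONE, REQUIRED),      # exception: non-admin users interact
    "web":        (REQUIRED, REQUIRED),
    "rds": (REQUIRED, REQUIRED), "citrix": (REQUIRED, REQUIRED),  # client-facing
}

@dataclass
class Server:
    name: str
    roles: tuple
    deployed: int = NONE            # what is actually installed today
    users_interact: bool = False
    untrusted_clients: bool = False
    internet_facing: bool = False

def required_level(s):
    level = REQUIRED if s.internet_facing else NONE
    for role in s.roles:
        base, escalated = POLICY.get(role, (REQUIRED, REQUIRED))  # unknown: play it safe
        hit = s.untrusted_clients if role == "sharepoint" else s.users_interact
        level = max(level, escalated if hit else base)  # multi-role: strictest wins
    return level

def audit(inventory):
    out = []
    for s in inventory:
        need = required_level(s)
        status = "gap" if s.deployed < need else "review" if s.deployed > need else "ok"
        out.append((s.name, LABEL[need], status))
    return out

INVENTORY = [  # constructed sample data
    Server("dc01", ("ad-dc", "dhcp-dns")),
    Server("dc02", ("ad-dc", "file")),
    Server("sql01", ("sql",), users_interact=True),
    Server("fs01", ("file",), deployed=REQUIRED),
    Server("app09", ("legacy-erp",)),
]
```

A "gap" means less scanning is deployed than the breakdown calls for; "review" means more is deployed than it calls for, which is where the performance concerns above apply.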