4

Possible Duplicate:
Do you run antivirus on your Windows servers?

I see a couple of existing questions on this with opposing viewpoints:

For a virtualized Windows 2008 Server R2 running as a public web server with IIS, should AV be installed?

The site does not allow file uploads at this time, but I can see in the future I may let select users upload documents, PDFs, maybe Word and Excel. If I cannot scale out to a second server for file serving, should the main web server get AV at that point?

If I should install AV, what products have you had success with and why? Things like performance and footprint as compared to cost.

Thank you.

blu
  • 239

7 Answers

5

Yes.

Yes yes.

Yes yes yes.

Yes yes yes yes.

Yes yes yes yes yes.

Yes

We use Microsoft Forefront for our 1000+ Windows servers.

You should ALWAYS have AV installed on a Windows server, for ALL roles (yes, including SQL and Web). There are very few exceptions, one being isolated (physically or logically) labs.

The fools people that say you don't need AV usually cite performance issues. Then get a faster machine, but you better have AV on it. It's as simple as that.

Izzy
  • 8,253
3

NO, you should not install antivirus software on a web server, at least not as your first choice. You should install a Host Intrusion Detection System (HIDS) like Samhain, Tripwire or the like.

The question is a duplicate of this older question, please see my answer there. The gist of it is that HIDS has a better detection rate against hacks than antivirus (AV) software.

If you enable uploads of Office types of documents, i.e. PDFs, Word docs and other documents that can embed active content, then a normal antivirus package would make sense IMHO, to scan for macro viruses in the uploaded content.

This answer assumes that your web server is completely separated from your internal office network -- which should be an obvious security practice under all circumstances.

Edit: To clarify, AV follows a 'blacklist' approach, i.e. it has signatures for a known list of 'bad' programs, and alerts you (and optionally takes action itself) when it sees one of these 'bad' programs on your server.

HIDS follows a 'whitelist' approach, i.e. it has a list of all the programs on your server that should be there, and alerts you whenever executable code is added or changed without your approval. This approach will have a better detection rate against one-of-a-kind hacks and zero-day exploits, at the expense of (many) more alerts being given, especially if you don't take the time to configure the HIDS optimally.
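The blacklist/whitelist contrast in the answer above, as an added example (not part of the original answer, and not how Samhain or Tripwire are implemented): a set of known-bad hashes stands in for AV signatures and a SHA-256 baseline stands in for the HIDS. The file names, contents and the known-bad sample are constructed.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = sha256_file(full)
    return snap

def blacklist_scan(root, known_bad):
    """AV-style check: report only files whose hash is on the known-bad list."""
    return sorted(p for p, h in snapshot(root).items() if h in known_bad)

def integrity_check(root, baseline):
    """HIDS-style check: report everything that differs from the approved baseline."""
    now = snapshot(root)
    return {
        "added": sorted(set(now) - set(baseline)),
        "removed": sorted(set(baseline) - set(now)),
        "changed": sorted(p for p in now if p in baseline and now[p] != baseline[p]),
    }

def demo():
    """Constructed web root: one approved state, then two unapproved changes."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        write("default.aspx", b"<html>approved page</html>")
        write("site.css", b"body{}")
        baseline = snapshot(root)  # taken while the server is known-good
        known_bad = {hashlib.sha256(b"constructed known-bad sample").hexdigest()}
        write("default.aspx", b"<html>modified page</html>")  # existing file changed
        write("new.aspx", b"constructed one-of-a-kind file")  # no signature exists for it
        return blacklist_scan(root, known_bad), integrity_check(root, baseline)

if __name__ == "__main__":
    print(demo())
```

The blacklist scan returns nothing for either change, while the baseline comparison reports both; the cost is that every legitimate deployment also shows up until the baseline is re-approved.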

2

If you have any Windows machine online, you need a firewall, and (I think) a good non-invasive antivirus. I prefer ESET's range of products - they have a low memory footprint, and are very reasonably priced for personal and business use.

1

To quote my answer from here, from another duplicate of this question, which was also asked on superuser:


Yes, always. Quoting my answer from superuser:

If it's connected to any machines that may be connected to the Internet, then absolutely yes.

There're many options available. While I personally don't like McAfee or Norton, they are out there. There's also AVG, F-Secure, ClamAV (though the win32 port is no longer active), and I'm sure hundreds more :)

Microsoft has even been working on one - I don't know if it's available yet outside of beta, but it does exist.

ClamWin, mentioned by @J Pablo.

warren
  • 19,297
1

It depends on if it's connected to other systems directly. If your server connects to a hardware-based firewall (e.g. a separate router) and no other (Windows) systems can access it, then you can take a risk and not install a virus scanner. The firewall should block all traffic to this server except port 80, thus your system would be reasonably safe from any worm attacks. And even though users can upload files to your server, as long as you don't execute their contents, your system will be reasonably safe.

However, it's very likely that you will connect this server with other computers in a local network, thus this server can be attacked by worms. Of course, if all other computers in your network are Linux or Apple computers, risks will be very small again. If those other computers are using good virus scanners then the chance of your server being infected by them would be very limited. If another system would still be infected then that virus scanner wouldn't protect your server either...

But in the end, my answer is still "YES" simply because there is a risk. I would even install a virus scanner on a stand-alone computer with no network access, simply because I can't predict what will happen to it in the future. Sooner or later, someone might infect it by a virus on a USB stick or because someone did connect it to the network and then Hell will break loose...

I am a fan of the McAfee scanner, and scanner only, since it keeps itself up-to-date very well, it doesn't give too many false positives and it doesn't slow down your system too much. It is a bit memory-hungry compared to other scanners but we're talking about tens of megabytes in memory footprint differences.

0

Maybe only need AV to scan writes in this case, so 99% of time you are not incurring the performance suckage i.e. on reads.

JamesR
  • 1,107
-5

No. You should not need antivirus software on a web server to protect the web server. File uploads will not give your web server viruses; however, you might want to protect users that download those files, in which case you might want to protect them from other users. That being said, you shouldn't be opening these files on your web server, and it should be configured so that you cannot execute things from that directory.

Jim B
  • 24,276