[ActiveDir] MS weigh's in on AD and Network Core Services & Anti-Virus

[Myrick, Todd (NIH/CIT)]

Title: Message

First I want to thank all of you for responding to my initial query and say that it has been very helpful.  Now I want to offer MS perspective on the matter and see how it fair's with you all for one final review.   I spoke to a MS Premier Rapid Response Engineer and a Technical account manager.  The account manager says that MS position on infrastructure boxes is not to run AV on them (File servers do have virus scanning, and E-mail servers have scanning dedicated to the data stores and IMS), but to block at the firewalls and the desktops.  The PRRE says that he recommends that if you implement Virus scanning on infrastructure boxes, to block scanning of the directories that hold the associated files for the services, and the SYSVOl.   Many of you already concluded this through the discussion.  So it appears MS believes that if you can block at the entry points, you are better off leaving Infrastructure boxes clean and optimized.  If you can't then take necessary procedures to protect the infrastructure.    Does anyone have anything different to add?   Todd -----Original Message----- From: Lynch, Peter [mailto:[EMAIL PROTECTED]] Sent: Tuesday, November 19, 2002 3:52 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] AD and Network Core Services & Anti-Virus Allan,   How would upgrading to XP help you "push virus updates to the desktop remotely"?   Peter ----- Original Message ----- From: Al Garrett To: '[EMAIL PROTECTED]' Sent: Thursday, November 14, 2002 11:26 PM Subject: RE: [ActiveDir] AD and Network Core Services & Anti-Virus We run McAfee on everything.....Netshield on every server, Virusscan on every workstation and Groupshield on the Exchange 5.5 Servers. We have had zero performance issues and 100% Melissa/Nimda/Code Red/Klez protection. The only time we have virus issues is when some putz (excuse me) some USER goes to their Internet e-mail (Yahoo, Hotmail, etc) and checks their mail and brings in a virus with it. The other issue is when the same USER insists they have to have every screensaver/background/dancing bear/flying flag all running at the same time and one or more of them interferes with McAfee. When we run into this we remove the offending programs at will. These computers are for work, not play. Our next big push will be to get all our workstations up to XP so we can lock out most of this nonsense and push virus updates to the desktop remotely after hours. Never have out of date DAT files again.   Allan Garrett A small SOCAL college -----Original Message----- From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 14, 2002 12:54 PM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] AD and Network Core Services & Anti-Virus I have a quick question, Our operating procedures for Core Network Service (AD DCs, WINS, DDNS, CA, Exchange (Antigen), DHCP) servers has been not to run with Anti-Virus protection on them. We feel that the potential for scanner code to conflict with the network service is higher if we do, and since we don't execute man applications from the server unless they are scanned we don't feel we are at much risk. What I would like to know is, what does everyone on this list feel an is a good strategy when it comes to these types of services and anti-virus product? Thanks in Advance, Todd