Title: Message
We don't run any unnecessary services on our DCs. The software is there, just disabled, so if we for some reason think we need to scan a DC, we can. Also, our chosen AV vendor for our company is McAfee and, in my opinion, that software is often many times worse than the viruses running around. Additionally, the folks who manage the AV update server can make mistakes and knock down machines pulling the updates. We had one spectacular morning where a good portion of the servers in our primary data center and actually around the world all blew up because of an unexpected mod on the AV update server.
 
Again, if we let normal people or even a large number of admins have access to the file system to write things, we would tackle it differently. Fortunately there are only 4 people in the world capable of getting any level of real access to our machines, and I think a lot of our admin methods help reduce chances of infections from those three even further, such as not logging on interactively to our workstations with our admin IDs, etc.
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Marcus Oh
Sent: Tuesday, September 02, 2003 9:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anti-Virus Software and AD

Any particular reason, Joe?

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe
Sent: Tuesday, September 02, 2003 7:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Anti-Virus Software and AD

 

Good info, Todd. Actually I avoid AV on DCs, but then we don't do file and print from them. If we did, it would be a different story.

  joe

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Tuesday, September 02, 2003 2:47 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Anti-Virus Software and AD

A few months back I started a thread about installing AV software on Domain Controllers. There were a lot of good comments generated as part of the discussion, with the recommendation to avoid software that triggered FRS replication, and recommendations to also exclude certain file types. Another trend that was reported was that some people were getting recommendations from Microsoft that they don't run AV software on DCs because their firewalls and such protect them.

 

Recently I have discovered two new KBs that seem to offer some definitive recommendations from Microsoft.

  • Virus Scanning Recommendations on a Windows 2000 Domain Controller
  • Antivirus, Backup, and Disk Optimization Programs That Are Compatible with the File Replication Service

Below is a summary of the MS recommendations:

Programs That Do Not Trigger FRS Replication

The following programs do not modify files in a way that triggers FRS replication.

Antivirus

  • eTrust Antivirus build 96 or later with the "NTFS incremental scan" feature disabled
  • McAfee/NAI NetShield 4.50 with the NetShield Hotfix Rollup
  • Norton AntiVirus 7.6 or later

File and System State Backup

  • Legato Octopus/Replistor 5.2.1

Disk Optimization

  • None currently reported

Toddler 
