I have never been a proponent of AV on servers because like others have mentioned it causes way more problems than it fixes. That said, can recent AV detect ransomware encrypted files? I would think not because it isn't really an infected file per se, just encrypted. But if it had logic to determine huge amounts of file renames/changes to encrypted formats that could definitely be very useful in stopping an infected workstation from doing too much damage to its shared files.
2016-11-09 19:09 GMT-06:00 Michael B. Smith <[email protected]>:
> Yes, Windows Defender is part of Server 2016. Yes, you can (effectively)
> disable it (by creating a global exemption for all files and all processes
> and disabling real-time scanning).
>
> Can't speak to your Tivoli experience. Probably should complain on twitter
> for more attention.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Klaus Hartnegg
> Sent: Wednesday, November 9, 2016 4:35 PM
> To: [email protected]
> Subject: Re: [NTSysADM] Managed Anti-Malware for Servers
>
> On 09.11.2016 at 07:29, Kish N Kepi wrote:
> > I'm looking for recommendations for Anti-Malware software to install
> > specifically on Windows Servers (2008R2, 2012R2, 2016)
>
> NONE.
>
> On a normal workstation with dumb users one may hope that the pros
> outweigh the cons, but how should they manage to do this on a server with
> only admin users, with no web surfing and no email?
>
> All anti-virus/malware products have pros and cons. One of the cons is that
> they create false positives, which sometimes break Windows. You don't want
> this to happen on your servers. On all at once.
>
> Another con is that they (and their updaters) have several times been
> shown to be very buggy; they could be tricked into running arbitrary code
> with system rights. Consider how many different file formats such software
> must be able to interpret, and that code often can only be judged by
> letting parts of it actually run (in a sandbox, but still).
> Antivirus software is maybe the easiest way an attacker can trick an
> otherwise secure server into running his code. Just by copying a crafted
> file to a shared directory.
>
> On most servers nobody should be surfing the web or reading emails.
> Except on terminal servers. And maybe except in Server 2016, if it acts
> like Win10, where many links in the UI trigger Edge, even though they do not
> look any different than the other options around them. Bad design.
> But if you disable Explorer and Edge, and do not install any other browser
> or email software, the server should be pretty safe. Probably safer without
> anti-something software than with it.
>
> Btw does anybody know if Defender is part of Server 2016? If so can it be
> disabled?
>
> We just get lots of false positives from Defender in Win10. On my own PC
> such a false positive recently killed the backup process (Tivoli) several
> days in sequence, even though the affected file was already in the
> whitelist. The data on this machine would definitely have been
> safer without Defender than with it. Finally had to delete that file to
> make backup work again.
>
> How can it be that we have 2016, and there is still backup software
> around that aborts when one file is blocked by antivirus software?
> Please somebody wake up IBM, and make them fix this.
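The detection idea from the top of this thread (flag a burst of renames or rewrites to encrypted-looking content on a file share, rather than scanning for a signature) worked through as an added example; it is not code from anyone in this thread, and the thresholds, the change-event format and the sample data are constructed assumptions for illustration:

```python
import math
import random
from collections import Counter
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions, not values from the thread).
ENTROPY_THRESHOLD = 7.0   # bits/byte; documents and source text sit well below this
BURST_THRESHOLD = 20      # suspicious writes inside one window before alerting
WINDOW = timedelta(seconds=60)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniform random data, roughly 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_suspicious(old_name: str, new_name: str, content: bytes) -> bool:
    """A write looks like encryption when the extension changed or the new
    content is close to random; either alone is enough to count it."""
    old_ext = old_name.rsplit(".", 1)[-1] if "." in old_name else ""
    new_ext = new_name.rsplit(".", 1)[-1] if "." in new_name else ""
    return old_ext != new_ext or shannon_entropy(content) >= ENTROPY_THRESHOLD

def analyse(events, window=WINDOW, burst=BURST_THRESHOLD):
    """events: (timestamp, old_name, new_name, new_content) tuples, the shape a
    file server's change log would give you (assumed format). Returns how many
    writes looked suspicious, the most of them seen inside any sliding window,
    and whether that peak crosses the burst threshold."""
    hits = sorted(ts for ts, old, new, data in events if is_suspicious(old, new, data))
    peak, start = 0, 0
    for end, ts in enumerate(hits):
        while ts - hits[start] > window:   # slide the window start forward
            start += 1
        peak = max(peak, end - start + 1)
    return {"suspicious_writes": len(hits), "peak_in_window": peak, "alert": peak >= burst}

# Constructed sample: a few normal edits over an hour, then 25 files rewritten
# with random-looking bytes and renamed to .locked within half a minute.
rng = random.Random(1)
T0 = datetime(2016, 11, 10, 9, 0, 0)
benign = [(T0 + timedelta(minutes=10 * i), f"report{i}.docx", f"report{i}.docx",
           b"Quarterly report text, revision " + str(i).encode()) for i in range(5)]
ransom = [(T0 + timedelta(seconds=i), f"file{i}.docx", f"file{i}.docx.locked",
           rng.randbytes(4096)) for i in range(25)]

if __name__ == "__main__":
    print("benign edits only:", analyse(benign))
    print("with rewrite burst:", analyse(benign + ransom))
```

A real deployment would feed this from the file server's audit or change journal and would tune the window and burst count to the share's normal write rate, since a legitimate bulk conversion job can look the same.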

