My users can't execute any files that aren't on a whitelist, they can't run executables from their home drives or FAPs, so I have noticed a drastic drop in virus detection. However I still install the Symantec (AV and ASW only option) on all the servers. I feel better with a belt and braces option, in case anything slips under my radar. You can never be totally sure of anything...
2008/8/29 Jon Harris <[EMAIL PROTECTED]>

> What about DC's, should there or should there not be AV on them? They are only DC's, no shares other than those associated with their base job.
>
> Jon
>
> On Thu, Aug 28, 2008 at 3:42 PM, Sherry Abercrombie <[EMAIL PROTECTED]> wrote:
>
>> Hmmm, well, no concrete decisions, but some options to present to the manager. We will almost certainly be removing the internet access on almost all servers, most likely using ISA rules to block or allow access. This will give the DBA's the ability when needed to do web-ex support calls with Oracle, Siebel, etc, but not have the servers carte blanche internet access. We're also looking at using ClamAV along with McAfee, letting McAfee handle on access/write scanning but have ClamAV do the full on-demand scans, and making on-demand scans a weekly event rather than a daily event on most servers (file servers would stay daily because users save files to them, it would be foolish to open that hole).
>>
>> This seems to be a reasonable solution in my opinion but of course, final decision rests with our manager.
>>
>> On 8/28/08, David Lum <[EMAIL PROTECTED]> wrote:
>>>
>>> "True, but, how did that virus get inside the domain in the first place?" They had no clue. One conceivable method would be a compromised laptop that was outside the LAN for a while and not updated until hitting the LAN again – DOH! Hit the LAN, infect some servers, then find out the laptop was infected…. We have plenty of laptops that float around (and yes I know with SCCM I can adopt a desired config to keep things off my LAN until they meet x requirements, but we are nowhere near that yet).
>>>
>>> Good points and yes, I for one am interested in what you guys decide.
>>>
>>> Dave
>>>
>>> PS I agree ePO is a major pain in the arse….
>>>
>>> *From:* Sherry Abercrombie [mailto:[EMAIL PROTECTED]]
>>> *Sent:* Thursday, August 28, 2008 10:12 AM
>>> *To:* NT System Admin Issues
>>> *Subject:* Re: AV on *all* servers...or no?
>>>
>>> True, but, how did that virus get inside the domain in the first place? We scan email in multiple places (gateway, Exchange) with multiple virus scanning engines, workstations have virus scan that scans on access, on read, on write etc, then it shouldn't ever get in.
>>>
>>> I'm not necessarily advocating removing virus scan from all servers all the time, I just think that this idea (I'm talking about my local setup) of every server having the same setup/configuration needs to be re-evaluated.
>>>
>>> I'll let y'all know what we decide in our meeting this afternoon.
>>>
>>> On 8/28/08, *David Lum* <[EMAIL PROTECTED]> wrote:
>>>
>>> What about viruses (viruii?) that spread via network share? Taking the gateway out won't stop those kind (W32/Sircam, etc). Textron had an issue when as soon as they'd bring up a new server it would get infected as soon as it joined the domain because some other had the virus…
>>>
>>> Dave
>>>
>>> *From:* Sherry Abercrombie [mailto:[EMAIL PROTECTED]]
>>> *Sent:* Thursday, August 28, 2008 9:27 AM
>>> *To:* NT System Admin Issues
>>> *Subject:* Re: AV on *all* servers...or no?
>>>
>>> Ok, this is something that I've been dealing with/battling the powers that be for the last several weeks. Unfortunately, I'm stuck with McAfee Virus Scan Enterprise using EPO to manage it. Over the last several weeks I've had a problem with my backups to various servers failing (Backup Exec v11d) with an error that it cannot connect to the remote agent on the specified server. Then the next day or a day or so later, it's fine for several days, so I KNOW it's not a failure of Backup Exec or the remote agent.
>>> In researching the problem, I can pinpoint when it is failing in the BE job log, and pinpoint that McAfee on-demand scan is happening at the same time on the server. Problem goes away when I finally manage to get EPO to stop the on demand scan on the server (don't get me started on EPO, it's a royal pain in the ocola). My argument is that not all servers need to have virus scan on them, and that they can be further secured by removing their gateway. I firmly believe that servers such as file and print that users can write data to absolutely must have a virus scan application on them, regardless of performance hit. Users just can't be trusted. But most servers that are not directly touched by users saving files to it, not surfing the internet (IMNSHO, no servers should ever be used to surf the internet from), have their gateway removed and no or minimal virus scanning on them should be a reasonable approach. BTW, we are having a group meeting this afternoon at 1PM to discuss this subject. I guess I've been a squeaky wheel ;)
>>>
>>> On 8/28/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>>>
>>> IMHO, it isn't needed on all servers, or even the majority of them, *IF* your clients are up to date with AV software. I sometimes don't want the extra overhead on my servers of having AV installed, management of the software, patching of software, the all-too-often conflict of AV with other software, etc.
>>>
>>> But, OTOH, I don't necessarily think it's a bad thing to have AV installed on all servers in certain circumstances when done right. Just not NEEDED.... (IMHO).
>>>
>>> JR
>>>
>>> Original Message:
>>> -----------------
>>> From: David Lum [EMAIL PROTECTED]
>>> Date: Thu, 28 Aug 2008 08:53:12 -0700
>>> To: [email protected]
>>> Subject: AV on *all* servers...or no?
>>>
>>> [Cross posted here and on the Vipre Enterprise list]
>>>
>>> There is some debate among my fellow IS staff here whether AV should be on all 200+ of our servers. From my standpoint my question would be "Why not?" - put it on all servers and exclude what's necessary. We are "SQL heavy" and I'm sure performance is the primary concern, but is there any compelling reason to completely leave it off of some servers?
>>>
>>> Dave Lum - Systems Engineer
>>> 971-222-1025
>>> Northwest Evaluation Association - www.nwea.org
>>>
>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>>>
>>> --------------------------------------------------------------------
>>> mail2web LIVE – Free email based on Microsoft(R) Exchange technology -
>>> http://link.mail2web.com/LIVE
>>>
>>> --
>>> Sherry Abercrombie
>>>
>>> "Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke
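Sherry's backup failures were pinned down by lining up the Backup Exec job log against the times McAfee on-demand scans ran on the same server. As an added example (not from the thread or from either vendor), the Python script below does that correlation over constructed log lines in an assumed layout, reporting which failed jobs fell inside a scan window on their server and which did not.

```python
# Added example (not from the thread): correlate Backup Exec failures with AV
# on-demand scan windows. The log lines below are constructed for this example in an
# assumed "YYYY-MM-DD HH:MM:SS SERVER message" layout; real BE/ePO logs differ.
from datetime import datetime

BACKUP_LOG = """\
2008-08-20 22:05:14 SRV-SQL01 ERROR Unable to connect to the remote agent
2008-08-21 22:04:51 SRV-SQL01 OK Job completed
2008-08-23 23:17:02 SRV-FILE02 ERROR Unable to connect to the remote agent
2008-08-24 22:03:10 SRV-SQL01 OK Job completed
"""
SCAN_LOG = """\
2008-08-20 21:30:00 SRV-SQL01 OnDemandScan started
2008-08-20 23:45:00 SRV-SQL01 OnDemandScan finished
2008-08-23 21:30:00 SRV-FILE02 OnDemandScan started
2008-08-24 00:10:00 SRV-FILE02 OnDemandScan finished
2008-08-24 21:30:00 SRV-SQL01 OnDemandScan started
2008-08-24 21:50:00 SRV-SQL01 OnDemandScan finished
"""

def _parse(line):
    """Split one constructed log line into (timestamp, server, message)."""
    date, clock, server, message = line.split(" ", 3)
    return datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), server, message

def backup_events(text):
    """Return (time, server, failed) for every backup job line."""
    return [(when, srv, msg.startswith("ERROR"))
            for when, srv, msg in map(_parse, text.splitlines())]

def scan_windows(text):
    """Pair 'started'/'finished' lines per server into (server, start, end)."""
    open_scans, windows = {}, []
    for when, srv, msg in map(_parse, text.splitlines()):
        if msg.endswith("started"):
            open_scans[srv] = when
        elif msg.endswith("finished") and srv in open_scans:
            windows.append((srv, open_scans.pop(srv), when))
    return windows

def correlate(backups, scans):
    """Bucket each job by outcome and whether a scan was running on that server."""
    report = {"failed_during_scan": [], "failed_outside_scan": [], "ok": []}
    for when, srv, failed in backups:
        in_scan = any(s == srv and start <= when <= end for s, start, end in scans)
        key = "ok" if not failed else ("failed_during_scan" if in_scan else "failed_outside_scan")
        report[key].append(f"{srv} {when:%Y-%m-%d %H:%M}")
    return report
```

Run `correlate(backup_events(BACKUP_LOG), scan_windows(SCAN_LOG))`; a non-empty `failed_outside_scan` bucket is the signal that the scan schedule is not the whole story.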
