Is this whitelist maintained via GPO? Dave
From: James Rankin [mailto:[EMAIL PROTECTED] Sent: Friday, August 29, 2008 5:22 AM To: NT System Admin Issues Subject: Re: AV on *all* servers...or no? My users can't execute any files that aren't on a whitelist, they can't run executables from their home drives or FAPs, so I have noticed a drastic drop in virus detection. However I still install the Symantec (AV and ASW only option) on all the servers. I feel better with a belt and braces option, in case anything slips under my radar. You can never be totally sure of anything... 2008/8/29 Jon Harris <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>> What about DC's should there or should there not be AV on them? They are only DC's no shares other than those associated with their base job. Jon On Thu, Aug 28, 2008 at 3:42 PM, Sherry Abercrombie <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>> wrote: Hmmm, well, no concrete decisions, but some options to present to the manager. We will be almost certainly be removing the internet access on almost all servers most likely using ISA rules to block or allow access. This will give the DBA's the ability when needed to do web-ex support calls with Oracle, Siebel, etc, but not have the servers carte blanche internet access. We're also looking at using ClamAV along with McAfee, letting McAfee handle on access/write scanning but have ClamAV do the full on-demand scans, and making on-demand scans a weekly event rather than a daily event on most servers, (file servers would stay daily because users save files to them, it would be foolish to open that hole). This seems to be a reasonable solution in my opinion but of course, final decision rests with our manager. On 8/28/08, David Lum <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>> wrote: "True, but, how did that virus get inside the domain in the first place? " They had no clue. One conceivable method would be a compromised laptop that was outside the LAN for a while and not updated until hitting the LAN again - DOH! Hit the LAN, infect some servers, then find out the laptop was infected.... We have plenty of laptops that float around (and yes I know with SCCM I can adopt a desired config to keep things off my LAN until they meet x requirements, but we are nowhere near that yet). Good points and yes, I for one am interested in what you guys decide. Dave PS I agree ePO is a major pain in the arse.... From: Sherry Abercrombie [mailto:[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>] Sent: Thursday, August 28, 2008 10:12 AM To: NT System Admin Issues Subject: Re: AV on *all* servers...or no? True, but, how did that virus get inside the domain in the first place? We scan email in multiple places (gateway, Exchange) with mutliple virus scanning engines, workstations have virus scan that scan's on access, on read, on write etc, then it shouldn't ever get in. I'm not necessarily advocating removing virus scan from all servers all the time, I just think that this idea (I'm talking about my local setup) of every server having the same setup/configuration needs to be re-evaluated. I'll let ya'll know what we decide in our meeting this afternoon. On 8/28/08, David Lum <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>> wrote: What about viruses (viruii?) that spread via network share? Taking the gateway out won't stop those kind (W32/Sircam, etc). Textron had an issue when as soon as they'd bring up a new server it would get infected as soon as it joined the domain because some other had the virus... Dave From: Sherry Abercrombie [mailto:[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>] Sent: Thursday, August 28, 2008 9:27 AM To: NT System Admin Issues Subject: Re: AV on *all* servers...or no? Ok, this is something that I've been dealing with/battling the powers that be for the last several weeks. Unfortunately, I'm stuck with McAfee Virus Scan Enterprise using EPO to manage it. Over the last several weeks I've had a problem with my backups to various servers failing (Backup Exec v11d) with an error that it cannot connect to the remote agent on the specified server. Then the next day or a day or so later, it's fine for several days, so I KNOW it's not a failure of Backup Exec or the remote agent. In researching the problem, I can pinpoint when it is failing in the BE job log, and pinpoint that McAfee on-demand scan is happening at the same time on the server. Problem goes away when I finally manage to get EPO to stop the on demand scan on the server (don't get me started on EPO, it's a royal pain in the ocola). My argument is that not all servers need to have virus scan on them, and that they can be further secured by removing their gateway. I firmly believe that servers such as file and print that users can write data to absolutely must have a virus scan application on them, regardless of performance hit. Users just can't be trusted. But most servers that are not directly touched by users saving files to it, not surfing the internet (IMNSHO, no servers should ever be used to surf the internet from), have their gateway removed and no or minimal virus scanning on them should be a reasonable approach. BTW, we are having a group meeting this afternoon at 1PM to discuss this subject. I guess I've been a squeaky wheel ;) On 8/28/08, [EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]> <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>> wrote: IMHO, it isn't needed on all servers, or even the majority of them, *IF* your clients are up to date with AV software. I sometimes don't want the extra overhead on my servers of having AV installed, management of the software, patching of software, the all-too-often conflict of AV with other software, etc. But, OTOH, I don't necessarily think it's a bad thing to have AV installed on all servers in certain circumstances when done right. Just not NEEDED.... (IMHO). JR Original Message: ----------------- From: David Lum [EMAIL PROTECTED] Date: Thu, 28 Aug 2008 08:53:12 -0700 To: [email protected]<mailto:[email protected]> Subject: AV on *all* servers...or no? [Cross posted here and on the Vipre Enterprise list] There is some debate among my fellow IS staff here weather AV should be on all 200+ of our servers. From my standpoint my question would be "Why not?" - put it on all servers and exclude what's necessary We are "SQL heavy" and I'm sure performance is the primary concern , but is there any compelling reason to completely leave it off of some servers? Dave Lum - Systems Engineer 971-222-1025 Northwest Evaluation Association - www.nwea.org<http://www.nwea.org/> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ -------------------------------------------------------------------- mail2web LIVE - Free email based on Microsoft(r) Exchange technology - http://link.mail2web.com/LIVE ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ -- Sherry Abercrombie "Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke -- Sherry Abercrombie "Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke -- Sherry Abercrombie "Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
