
Yes, malware scanners on your servers too!

I recently posted my "6-point list of security minimums" for the enterprise. That is, 6 things that may have been "would be nice" in the past but are now absolutely required as far as I'm concerned. Most sites do not do all 6, and I think it is time such sites got with the program, because they are making the rest of us look bad.

I got a number of comments asking if I was serious about malware scanners on all computers... did I really mean servers too?

Yes.

If the machine is a file server then the files being stored should be scanned. It prevents this server from being the unintentional transmitter of infected files. [As a bonus it is an interesting way to detect which users are not protecting themselves. Notice that a large fraction of the infected files are in a certain person's network home directory? Yeah, better check to see if they've disabled their malware detector.]

Web servers, email servers, and "shell servers" all have the same issue. One of my personal servers is a FreeBSD box on which I let friends have shell accounts. I recently ran a popular commercial virus scanner on all the files. I found 3 files with viruses: one in my home directory (I had done a backup of a laptop to the server ages ago), and two in the home directories of users who were just as shocked as I was. Fixing those infected files prevented those users from passing the malware along.
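The two paragraphs above describe the same workflow: scan the files a server holds for other people, then look at where the hits cluster, because a pile of infected files under one home directory usually means one user's own scanner is off. Here is that aggregation step as an added example (not code from the original post). It assumes the scanner is ClamAV's clamscan run as `clamscan -r -i /home`, whose `--infected` output is one line per hit of the form `/path/to/file: Signature-Name FOUND` followed by a summary block; the post names neither ClamAV nor a home-directory layout, so both, and the sample report, are constructed for the example.

```python
"""Aggregate a malware scanner's per-file report by home-directory owner.

Added example, not from the original post. Assumes ClamAV's clamscan,
run as `clamscan -r -i /home`, whose --infected output is one
`<path>: <signature> FOUND` line per hit plus a summary block. The
/home/<user>/... layout is an assumption as well.
"""
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Constructed sample output, not a real scan.
SAMPLE_REPORT = """\
/home/alice/old-laptop-backup/Downloads/setup.exe: Win.Trojan.Agent-12345 FOUND
/home/bob/mail/attach/invoice.doc.js: Js.Downloader.Generic-1 FOUND
/home/bob/tmp/crack.exe: Win.Trojan.Generic-6 FOUND
/home/bob/tmp/crack2.exe: Win.Trojan.Generic-6 FOUND
/home/carol/bin/notes.txt: OK

----------- SCAN SUMMARY -----------
Known viruses: 8000000
Infected files: 4
"""


def parse_found(lines):
    """Yield (path, signature) for each '<path>: <sig> FOUND' line.

    'OK' lines and the summary block are skipped. Splitting on the
    last ': ' keeps paths that themselves contain ': ' intact.
    """
    for line in lines:
        line = line.rstrip("\n")
        if not line.endswith(" FOUND"):
            continue
        path, _, signature = line[: -len(" FOUND")].rpartition(": ")
        if path:
            yield path, signature


def owner_of(path, home_root="/home"):
    """Map /home/<user>/... to <user>; anything outside goes to '<other>'."""
    parts = PurePosixPath(path).parts
    root_parts = PurePosixPath(home_root).parts
    if parts[: len(root_parts)] == root_parts and len(parts) > len(root_parts):
        return parts[len(root_parts)]
    return "<other>"


def infections_by_user(report_lines, home_root="/home"):
    """Return {user: Counter(signature -> number of infected files)}."""
    by_user = defaultdict(Counter)
    for path, signature in parse_found(report_lines):
        by_user[owner_of(path, home_root)][signature] += 1
    return dict(by_user)


def outliers(by_user, share=0.5):
    """Users holding at least `share` of all hits: the people whose own
    scanner is worth checking, as the post suggests."""
    total = sum(sum(c.values()) for c in by_user.values())
    if total == 0:
        return []
    return sorted(u for u, c in by_user.items()
                  if sum(c.values()) / total >= share)


if __name__ == "__main__":
    report = infections_by_user(SAMPLE_REPORT.splitlines())
    for user, sigs in sorted(report.items()):
        print(f"{user}: {sum(sigs.values())} infected file(s) {dict(sigs)}")
    print("outliers:", outliers(report))
```

In practice you would feed it `clamscan -r -i /home --log=/var/log/clamscan.log` output (or pipe stdout straight in) from a nightly cron job; the aggregation is what turns a long list of paths into "three of the four hits are in bob's home directory", which is the conversation-starter the post has in mind.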

Server performance won't suffer very much. Modern malware scanners are much better behaved. Operating systems have more efficient hooks to let them do their work. Plus, the better vendors are trying to be the lightest burden on system resources. Competition will help that.

I also run a malware scanner on my personal Mac even though Macs are known to not have a lot of virus problems... at this time. Most of the infected files it has detected are Windows viruses that wouldn't harm me, but it is still worth it because it means I haven't propagated those files to my Windows-using friends.

The problem, however, is that in this era of APT it has become very common to find malware written specifically to seek out a particular person or company. The anti-malware vendors are less likely to discover such junk, and if they do there isn't as much financial incentive for them to publish signatures for such things. However, doing this kind of scanning is still important just like people with strong teeth should still brush their teeth. It is good hygiene.

There are still threats from XSS, weak passwords, social engineering and so on and so on. However not doing these 6 basic things is irresponsible bordering on professional negligence.

Posted by Tom Limoncelli in Security

3 Comments

Having recently spent a lot of time removing a virus that propagated through a windows network drive, I'm all for running anti-virus on servers! (I just wish our IT department felt the same way)

Which malware scanner do you run on your Mac?

You say I should scan my file server, because a client may leave infected files on it.

If my client's AV doesn't pick up the virus, what are the odds of the AV on the server picking it up?

The virus will propagate to all the clients until your AV is updated; at that point it's stopped at the clients and the server.

Unless you're running multiple AV solutions, or have poor update policies (so the server would update, but not the client), I don't see very much advantage.

Now if you're public (giving shell to friends; have no control over clients; etc), then I might agree.

I'm not saying it's a bad idea, but I'm certainly saying it's not "now absolutely required".

That said, at the moment I run AV on all my windows servers, but none of my linux servers (except for mail servers).
