I’m going naked

On December 2, 2009, in Security, by

… on my server when it comes to antivirus. Yes, you read that right. Why? Because at this point in time I really feel that my antivirus vendors are putting me more at risk with the software on than off.

Why do I say this? Because I don’t trust antivirus anymore. At least not on my servers these days. Sure, the fix for the tdi.sys issue is now included in SP2, but I am really questioning why we knee-jerk install antivirus on the servers these days. For sure not on Hyper-V boxes, which should run only the Hyper-V role and nothing else.

But even for SBS boxes… I’m going naked.

If we have mail hygiene in the front…

If we have antivirus on the workstations….

If we have a firewall that is a business class that is used to block sites appropriately….

If we use Opendns to additionally filter….

If we move our workstations to not have local administrator rights (I mean, you have to go out of your way in SBS 2008 to get local admin)…

I know you’ll say … but Susan it’s belts and suspenders.

But I don’t TRUST that belt and I sure don’t TRUST that suspender. I don’t want a firewall driver on my server that ALREADY has a firewall that works. I don’t want software that doesn’t stop the rogue antivirus. I’m using other defensive means.

So when you build your SBS 2008 boxes, make sure SP2 is on there first and foremost. It will only come down via MU/WU when all other “Important” patches are hidden or installed. Manually download it if you must. Get it on the box… THEN… sit back and decide if the risk of that antivirus software is really and truly worth it. Don’t knee-jerk install it just because… because it quite frankly doesn’t make as much sense anymore.
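If you are going to lean on the compensating controls listed above instead of server antivirus, it is worth checking that they are actually in place before you commit. The script below is an added example, not something from the original post: it audits a Windows Server 2008 / SBS 2008 box (or an SBS 2008 workstation, for the local-admin check) for the service pack level, the state of the built-in Windows Firewall, the members of the local Administrators group, and any updates Windows Update still considers outstanding. It assumes PowerShell 2.0 and an elevated console on the machine being checked; it uses only built-in WMI, netsh, ADSI and the Windows Update Agent COM object.

```powershell
# Added example (not from the original post): audit the preconditions the post
# relies on before a server runs without third-party antivirus.
# Assumes Windows Server 2008 / SBS 2008 with PowerShell 2.0, run elevated on the box itself.

# 1. Service pack level: SP2 must be present (the tdi.sys fix ships in SP2).
$os = Get-WmiObject -Class Win32_OperatingSystem
$spOk = $os.ServicePackMajorVersion -ge 2
"{0} - Service Pack {1} (SP2 present: {2})" -f $os.Caption, $os.ServicePackMajorVersion, $spOk

# 2. Built-in Windows Firewall: every profile should report State ON before you
#    decide to rely on it instead of a third-party firewall driver.
$fwState = netsh advfirewall show allprofiles state
$profilesOff = @($fwState | Select-String -Pattern 'State\s+OFF')
if ($profilesOff.Count -gt 0) {
    "WARNING: at least one Windows Firewall profile is OFF"
} else {
    "Windows Firewall: all profiles ON"
}

# 3. Local Administrators membership: lists who holds local admin rights on this
#    machine, so the 'no local admin on workstations' control can be verified per box.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
"Local Administrators: " + ($members -join ', ')

# 4. Outstanding updates: SP2 only offers itself once the other Important updates
#    are installed or hidden, so show what Windows Update still has pending.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
"Pending software updates: " + $pending.Count
$pending | ForEach-Object { " - " + $_.Title }
```

Run it on each workstation as well as the server: on the server the Administrators group will legitimately hold the domain administrators, while on a workstation anything beyond the built-in Administrator and Domain Admins is exactly the local-admin exposure the post is trying to remove.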


9 Responses to I’m going naked

  1. Bill V says:

    What AV are you using on the workstations?

  2. Vlad Mazek says:

    Borrowing headline writing style from Vladville.com I see 🙂

    -Vlad

  3. I’ve been bouncing around between AV vendors for a couple years now myself. They all stink.

    If you handle financial information about Massachusetts residents you need to be concerned with 201 CMR 17.00, which covers in-state and out-of-state entities. Fines from $5k to $50k per violation…surprisingly, though, the rules are based on best practices.

    http://www.mass.gov/?pageID=ocaterminal&L=4&L0=Home&L1=Consumer&L2=Privacy&L3=Identity+Theft&sid=Eoca&b=terminalcontent&f=reg201cmr17&csid=Eoca

    From the law, which goes into effect 1 March 2010:
    “shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, shall have the following elements:
    ….
    (7) The most current version of system security agent software which must include antispyware and antivirus software, including up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and which includes security software that is set to receive the most current security updates on a regular basis.”

    I have been told that it can be permissible to do something outside the letter of the law (with appropriate documentation in the WISP that the risks have been considered), but most businesses will find it much easier to comply to a strict interpretation.

    There’s another risk for ya 🙂

    -Greg C

  4. Mike says:

I have a few SBS2008 that I have gone Naked on, and I do cringe a bit at it. The problem I find comes not with the AV itself, but the proactive defenses in some of the more well known AVs. Symantec’s corporate has gone to the dogs as far as this goes, to the point that you can lose connectivity because of the proactive defense thinking normal connections are attacks.

    I find just installing a bare minimum AV a little safer, although I’ve been slowly switching over to installing MSE on the server thanks to low overhead and it works. Then again I tend to be a bit paranoid about security.

  5. Chris says:

Thanks for the update, agree completely. In the last post you were considering MS Forefront Client Security running “unmanaged” without the console. What made you decide against that? I’m very impressed with the small footprint of client security, not to mention that it’s cheap, and am considering it for other SBS clients for basic file system protection.

  6. Joe Raby says:

    “I find just installing a bare minimum AV a little safer, although I’ve been slowly switching over to installing MSE on the server thanks to low overhead and it works.”

    MSE isn’t licensed for business use, unless it’s a home-based business. Definitely NOT OK to be using it with your customers. MSE isn’t to be installed on servers in any case anyway. Use FCS if you want the same quality protection. It’ll cost you $12.72US/system/year though, but that’s chump change compared to some of the other commercial offerings.

    @Chris:

I use FCS in unmanaged mode on my server as well. I exclude Exchange and Sharepoint stores though. As far as protection goes, I try to restrict it to mostly just network shares where shared files might be placed, just in case *something* has managed to get around local workstation security and tries to store a file on a remote network folder, where it can’t easily get access to that system’s security software (like on the server). In that event, the server security software will block it before it has a chance to replicate, in the event that the workstation was compromised by a local user privilege escalation workaround (which I’m assuming are going to be prevalent when malware coders figure out how to fake user privileges with Windows 7’s default UAC setting). The server would block such software before it gets copied over the network.

    FCS doesn’t have its own firewall, so it’s friendly with SBS’s built in firewall.

  7. Rosewood says:

    Welcome to the dark side. Soon you will come to the same realization about workstations.

    You scoff? Probably as you scoffed when I said SBS2003 didn’t need AV.

  8. Tony says:

Well, my webserver hasn’t had an antivirus program on it for years. Windows 2003 Server fully patched. We’re using Windows firewall. No firewall device between it and the Internet. We did change the name of the administrator account. We only use loooong passwords. I RDP into it every few days or weeks. Especially on patch Tuesday.

    And we’ve been doing this since 2003. We’ve been attacked according to the event log but never compromised. I do inspect the task list on a regular basis. I never surf the web from it other than for the essentials.

    Tony Toews, Microsoft Access MVP

  9. Joe Raby says:

    All I have to say is, one wrong search result link or website with a malware-linked Google ad that refreshes the browser automatically, and your workstation is toast.

    That happened to me when I went on to ICANHASCHEEZBURGER.COM (typed-in URL in a new window) for my daily LOLcat fix one day and the Google ad refreshed and took me to one of those “you’re infected” pages that looks like Windows Explorer and tried to install one of those WinFixer fake antivirus clones.

    Luckily, Forefront Client Security caught the JavaScript exploit and trojan downloader that tried to install the fake AV dead in its tracks. I didn’t have time to respond. FCS did. Microsoft’s active AV scanners detect fake AV software, while many vendors like Symantec, McAfee, and Grisoft (AVG) don’t.

    And that was a legitimate website. It could’ve happened on any site that uses a third-party ad network that doesn’t block who pays for ad space (Google was the culprit in this case). The site owners weren’t too pleased that Google was spreading banners that used auto-redirects to malware.

    Plus, I was logged in as a local admin account with restrictive network access – on a fully patched Windows Vista box with UAC at the default. This only happened a couple of months ago.

    What is the cost in having to back up local files under quarantine, scan them, flatten the box, and get the user back up and running? I reckon it costs more than the minimal $12.72US/year for that PC’s AV software.

    I’m sure that Sue would say that WHS local system backup would help, but it’s still downtime where the user isn’t working. What happens if that’s at a customer site where they don’t have onsite IT? It’ll certainly cost them more than ~$13 for you to come down and do that work.

    FCS is pretty simple. They don’t update the software unless necessary to avoid compatibility issues. Definitions get updated daily though, and engine updates are updated when necessary to scan for new types of threats. Software updates haven’t been put out for the FCS agent since Windows 7 shipped (the update was for Win7 compatibility), and have rarely rolled out since Vista shipped prior to that. It’s one of those programs where the update cycle is both short and long. The short cycle for definitions is easily managed by WSUS and doesn’t cause compatibility problems. The long cycle for software updates is mostly for OS compatibility – either it works or it doesn’t. I have never run a workstation without FCS since it was released to partners, and I’ve been running a copy of the agent on SBS since Microsoft discontinued OneCare for Server (which was short-lived). I’m glad I didn’t choose to renew my copy of Trend Micro SBS Security from 2003.