Symantec/Norton Real-Time Antivirus Considered Harmful on Exchange Servers

From: at (josh_at_securityfocus.com)
Date: 11/04/05

    Date: 3 Nov 2005 23:22:41 -0000
    To: security-basics@securityfocus.com
    
    
    I've had to deal with Symantec/Norton antivirus before on Exchange servers. This is a nightmare waiting to happen and certainly more than a simple performance issue.

    I have been through a case where our Exchange Server totally bombed and did not respond to requests for 8 hours because of the Symantec Corporate Agent running on the Exchange Server. I did not originally know what the problem was and finally had to call Microsoft. We managed to figure out and turn off the Symantec AV Agent. Also, the issue did not manifest itself for a month or more and we never found out why it chose to happen then...

    MS recommends against running any filesystem AV on an Exchange Server and it can even corrupt your Information Store. We had lingering permissions issues afterwards that it took a while to clean up. And yes, the appropriate Exchange directories were in the exclusion list. It didn't matter.

    I know that the alternative of not running local filesystem AV is not particularly attractive, but it's better than crashing your Exchange server.

    Regards,

    Josh

