Re: Why NOT to disable Real Time Antivirus on Servers

From: Abe Getchell (mailing.list.spooler_at_gmail.com)
Date: 11/07/05

    Date: Mon, 07 Nov 2005 11:13:39 -0500
    To: security-basics@securityfocus.com
    
    

    I'll chime in - five days late! In my experience, it doesn't matter what
    AV software you're using or on what kind of hardware you're running your
    mail server. You're going to experience an immediately noticeable
    performance hit when enabling "real time protection" (or whatever your
    AV software chooses to call it). Focus, instead, on scanning all mail
    entering and leaving the mail server (regardless of transport) and
    providing adequate client-side protection. Since most virus infections
    I've run across (besides the major worm outbreaks) have generally come
    from a user downloading a piece of code from somewhere and executing it
    on their workstation, you should be pretty safe. You're not downloading
    and executing stuff from the Internet on your mail server, are you?

    --
    Abe Getchell
    abegetchell@gmail.com
    http://abegetchell.com/

    Micheal Espinola Jr wrote:
    > Based on real-world testing and application - I agree with your
    > colleague.  The performance hit is not worth it.  Even on powerful
    > servers on high-speed networks, myself and my users (when testing got
    > to that point) noticed a significant performance difference.
    > 
    > Sorry, no case study.  Just undocumented testing with Symantec
    > products.  I'd be interested to hear about anyone's testing with other
    > AV apps.
    
