Defender, Windows Servers and ISA

[Raybo58]

When you read the documentation for Small Buisness Server, or anything
running with Exchange or ISA, there is always a warning that the admin should
make sure that certain folders should be excluded from real-time virus
monitoring.

Since Defender is an MS product, is it clever enough to follow MS's own
guidelines? Or do I have to go and exclude all these folders manually?

Another question that doesn't seem to be answered in the WD docs is: when
you exclude a folder, are all of the sub-folders excluded as well? Some AV
programs will only exclude the root of any folder you specify, such as Avira.

In Particular, I'm using Small Business Server 2003 with Exchange and ISA
running.

Some articles I've read suggest that you not run real-time virus gards at
all on your servers. Opinions?

 

[Stu]

I think MS Forefront might be a better option for your business needs. Try
taking a look here:

http://www.microsoft.com/forefront/en/us/product-information.aspx

Hope this helps

Stu

 

[Bill Sanderson]

I don’t know the answer as to the scan exclusion, but I have run Defender on
the same software set you have there with no observed issues, fwiw.
I have also run servers without antivirus. Currently, I have antivirus
running on my SBS 2003 server, and what it catches is always email
attachments. It caught those during full-text indexing overnight, mostly,
and I've now turned off full-text indexing...

I wouldn't say that antivirus on the server is redundant--if you get a
network infection that touches the server, you'll be very glad that the
server was looking at it.

In general, I like packages that include antivirus for the server, the
clients, and an admin monitoring app to track what's caught and whether
everybody is up to date. So far, Microsoft has not produced a package that
does this cost effectively for SBS customers.

Anyway--I've run Defender on SBS 2003 premium servers without issues, but
I'm not at all sure that it does those exclusions. Maybe it just works
well, or maybe I was lucky!

 

[Stu]

I think you were lucky. When are these guys going to really reveal those
parts of our systems they scan other than a fleeting glimpse (of a registry
entry or folder) as it whizzes by in real time? They call me ` Noddy` at
work as I try to comprehend the scan. We hear, essential areas but to the
average user means nothing! Igorance is bliss? Seems to me the AU and
developers are not talking to one another. On the one hand you have `whizz
kids` totally engrossed in developing and AS/AV application designed to
combat the latest threats. On the other, an end user (most of which are not
IT literate) trying to interpret the scan while playing `catch up`. That
would seem to imply. No need to know about these things. Just be aware and do
as we tell you. How condescending? Call in a professional?

Stu

 

[Bill Sanderson]

http://blogs.technet.com/mmpc/archive/2009/02/17/we-read-their-forums-too.aspx

To an extent, what is scanned probably comes under the heading of
"proprietary information" as mentioned in the article above. If you make it
crystal clear exactly where you look, the bad guys will figure out how to
keep that area looking innocent, and hide the real payload elsewhere.

 

[Raybo58]

Well, since all it requires is a simple process monitor to see what's going
on then persistance will defeat any obtuse interface. And we all know
they've got persistance in spades.

Since this server is mission critical, I'm more afraid of Microsoft
oversight than I am of getting thugged by one of the clients.

So I think I'm going I think I'm going to run her unfettered for awhile and
just keep a close eye.

Thanks for the input.

Raymond.

 

[Bill Sanderson]

I was going to see if I could say that Microsoft's own server-oriented
malware protection apps use the same "engine" as Windows Defender, but I'm
not quite certain that I can--mostly out of lack of experience with their
server-oriented apps.

Defender is built in to Server 2008 in a similar way as it is to Vista.

And, Windows Server 2003 is an explicitly supported OS platform for Windows
Defender:

http://www.microsoft.com/windows/products/winfamily/defender/sysreq.mspx

That's different from saying that it is safe to run on an Exchange 2003
server, however.

There's always a risk of a false positive with anti-malware of any kind,
Windows Defender included.

Well, since all it requires is a simple process monitor to see what's
going
on then persistance will defeat any obtuse interface. And we all know
they've got persistance in spades.

Since this server is mission critical, I'm more afraid of Microsoft
oversight than I am of getting thugged by one of the clients.

So I think I'm going I think I'm going to run her unfettered for awhile
and
just keep a close eye.

Thanks for the input.

Raymond.

--