When Best Practice Really Isn’t: No AV on Mail Servers
A conversation with a McAfee engineer last week reminded me of something I have occasionally encountered over the years: Windows mail server admins who insist that file system AV isn’t necessary on their server. The logic for this has always escaped me, and no mail server admin I have discussed this with can provide me with a reasonably sound argument for why AV shouldn’t be installed.
The arguments usually are something along the lines of “performance,” “it conflicts with x MTA” or “the vendor won’t support it.” Let’s look at each of these:
- Performance: There’s no question that having AV running on your system can affect performance. It can affect performance on any system if the proper exclusions aren’t made. To use the argument that it shouldn’t be installed at all because of performance reasons is to argue that it shouldn’t be installed on any system. After all, everybody is concerned about performance.
- It conflicts with my MTA: That’s what vendor-recommended exclusions are for. Of course, you don’t want your AV scanning your 500GB mail data file. Exclude it. But don’t go crazy and exclude entire partitions. Have justifications for your exclusions and use a scalpel, not a sledgehammer.
- The vendor won’t support it: If the MTA vendor says that file system AV cannot be installed, find a different vendor. Seriously. They are taking the easy way out and putting your users at risk. Kick them to the curb and let them know why. Bad security choices by vendors need to have consequences for them to realize that they need to do better.
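As an added example (not from the post), here is a PowerShell check that reviews a server’s file system AV exclusions and flags the sledgehammer ones: whole partitions, shallow wildcards, extension-wide exclusions, and anything without a recorded justification. It assumes Microsoft Defender’s Get-MpPreference for the live run (the post names no product), and the sample exclusion list and justification table are constructed.

```powershell
# Added example, not from the post: audit file-system AV exclusions on a Windows mail server.
# Live data is assumed to come from Microsoft Defender's Get-MpPreference; the function
# itself only takes lists, so it can be run against a constructed sample as shown below.

function Test-AvExclusions {
    param(
        [string[]]$Paths,
        [string[]]$Extensions = @(),
        # Documented justification per exclusion, keyed by exact path (assumed format)
        [hashtable]$Justified = @{}
    )
    $findings = @()
    foreach ($p in $Paths) {
        $reasons = @()
        # A bare drive root or "X:\*" excludes an entire partition from scanning
        if ($p -match '^[A-Za-z]:\\(\*)?$') { $reasons += 'entire partition excluded' }
        # A shallow wildcard such as C:\Program Files\* hides far more than one data store
        elseif ($p -match '^[A-Za-z]:\\[^\\]+\\\*$') { $reasons += 'shallow wildcard' }
        if (-not $Justified.ContainsKey($p)) { $reasons += 'no recorded justification' }
        if ($reasons) {
            $findings += [pscustomobject]@{ Exclusion = $p; Type = 'Path'; Issue = ($reasons -join '; ') }
        }
    }
    foreach ($e in $Extensions) {
        # Extension exclusions apply to every directory on disk, so they are never a scalpel
        $findings += [pscustomobject]@{ Exclusion = $e; Type = 'Extension'; Issue = 'applies to every path on disk' }
    }
    return $findings
}

# Constructed sample: one justified mail data file, two sledgehammer entries, one extension
$justified = @{ 'D:\MailData\store.edb' = 'vendor KB: mail database, covered by MTA-level AV' }
$sample = @('D:\MailData\store.edb', 'D:\', 'C:\Program Files\*')
Test-AvExclusions -Paths $sample -Extensions @('.log') -Justified $justified | Format-Table -AutoSize

# Live run against the current Defender configuration (requires the Defender module):
# $pref = Get-MpPreference
# Test-AvExclusions -Paths $pref.ExclusionPath -Extensions $pref.ExclusionExtension -Justified $justified
```

Only the exclusions that come back with an Issue need attention; the justified data-file exclusion produces no finding.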
A worm spreading through administrative shares will be just as happy to devour your mail server as it will any other vulnerable Windows system. Mail servers generally need both file system and MTA-level AV for full protection. Anything less on a Windows system is risky behavior and may lead to very unhappy users.