The core issues you need to consider when considering deploying McAfee VirusScan on servers are:
If you have high load file servers (a lot of files being downloaded, uploaded and saved) then it may make more sense not to have VirusScan on the server constantly scanning those files and shares on the server if you have active virus scaning being done by your clients.
VirusScans On-Access Scanner can consume considerable system resources on very busy servers, which in turn will of course affect server performance and user experience. If you have active virus scaning on the client which are also scanning network shares there may be little reason to run an on access scanner for your file shares on the server unless you do not trust the clients. Conversely if you run active scanning on your file servers there may be little need to have your clients check the network shares all the time as well.
Many server based applications and services will require specific configuiration options to be applied. Typically these are to excude certain folders and file types from VirusScan scanning. For example if you want to run Groupshield and VirusScan on your Exchange servers for maximum protection you must apply the folder and file exlusions recomended by McAfee (See reccomendations below). You should also look at the reccomendations for VirusScan on Domain Controllers as well. (See reccomendations below).
Some of the more restrictive settings in VirusScan, particularly the Anti-Virus Protection and the Common Maximum Protection in the Access Protection settings of VirusScan can be so draconian that they will prevent you installing additional Windows componets and applications without disabling VirusScan first. These are not necessarily suitable for a server deployment unless you do not trust someone who has access to the server.
Reccomendations, Specific Application and Server Role Advice
Windows-Support advise that caution should be employed when running VirusScan on servers and that you research compatibility with any applications, services and server roles you are hosting. Clearly one set of recommendations for settings would not cover every server or situation.
Our list of General, Application and Role information:
- Use ePolicy Orchestrator
- For File Servers
- For Domain Controllers
- For Exchange servers
- For SQL server
- General software guidelines
For larger managed environments you should use ePolicy Orchestrator to deploy and manage VirusScan. This gives you the best method of managing and controlling your VirusScan deployment. Once you have created a policy which runs on a server type you simply allocate any servers which need the same policy to the container where the policy is applied. This can greatly reduce your workload.
Windows Support runs a free Managed ePolicy Orchestrator service, email email@example.com for more information.
Dealing With Servers Under Heavy Load
If you have a file server which is struggling resource wise (processor and or memory) and you have active scanning on all clients as well as on the server then one relatively safe and low impact way of lessening the resources used is by configuring VirusScan on the server to exclude file shares from the on access scanner. Instead you can set up a scheduled task to run nightly to check files as well as the clients running active access scanning. You can increase the scanning level on the clients and make them check network access as well. You should definately avoid running scheduled scans at the same time as a backup process where possible.
When a virus is found you have a choice what to do. You should always aim to make files inaccessable and send them to the quarantine rather than delete. The main reason for this is that quite often files which contain macros and other useful functionality can be detected as being malware. If you delete them then recovery is not easy. Also false positives are possible so there is a small chance that a detected virus could be a false positive, again its a lot easier to recover a file from quarantine that to un-delete.
Review Microsoft Knowledge base article 822158 which has general recommendations about files to exclude on enterprise servers (most particularily domain controllers).
This article should be checked carefully. As Microsoft say in this article, "Your system may be safer if you do not exclude any files or folders from scans." But you do of course increase the risk of system performance issues and instability if you do not exclude them.
Currently all email gets scanned by PPSW before it is delivered. If malware is detected users will get a notice of attachment removal. Exchange 2007 and onwards also have comprehensive spam and antimalware filtering available, you may well not need any additional cover on the server.
Groupshield on it's own does not provide system protection, it is for email/exchange only. To fully protect your systems you need to run VirusScan as well. In order to do this successfully you must follow the instructions in the McAfee knowledge base article 51471 or you will have serious problems.
Microsofts guidelines on which directories to exclude when running SQL Server.
Software vendors may offer advice on how to run VirusScan or general antivirus software with their product. You will need to check with any software or services that you run on a server to see if there are any issues. Advice will vary from product to product.
An example is the information CISCO provide for Using McAfee VirusScan Enterprise 8.0i with CISCO Call Manager. The advice is relevant for all versions of VirusScan. In this particular case CISCO believe that running On-Access Scan ("OAS") in the background is the best way to deploy McAfee but you need to disable the script-scan option and exclude the trace files directory.
It is always worth checking the support database or FAQ for the product you wish to run McAfee with for specific instructions or problems, if any. It is also good practice to test your McAfee server settings before you move the server into production.
Specific advice in the case of problems with particular products or configuration can be sought as usual from firstname.lastname@example.org