Flash3200 Guest
Posted: Tue Jun 26, 2007 6:01 am Post subject: Run a Virus Scan on DCs?
Should I run a dedicated Virus Scan on my Domain Controllers? We have
McAfee Enterprise VirusScan loaded on them and they are enabled to pick
up something as it runs live on the server, but I run a dedicated scan
once a week on all my other servers and I've heard both ways when it
comes to DCs... "no you shouldn't run a scan cause it slows them down
too much (regardless of memory???)" and also "Sure why not.. what's it
going to hurt". So I'd like to get everyone else's opinions!!!!
Thanks
Florian Frommherz Guest
Posted: Tue Jun 26, 2007 6:01 am Post subject: Re: Run a Virus Scan on DCs?
Howdie Flash!
Flash3200 wrote:
Quote:
Should I run a dedicated Virus Scan on my Domain Controllers? We have
McAfee Enterprise VirusScan loaded on them and they are enabled to pick
up something as it runs live on the server, but I run a dedicated scan
once a week on all my other servers and I've heard both ways when it
comes to DCs... "no you shouldn't run a scan cause it slows them down
too much (regardless of memory???)" and also "Sure why not.. what's it
going to hurt". So I'd like to get everyone else's opinions!!!!

I'll tell you my opinion on this - maybe you're interested in that as
well ;-)
I'm no big fan of antivir applications on Domain Controllers. The reason
is: why should I scan? See, the Domain Controller is THE part of your
domain. I really mean THE part. What will happen if those controllers
break? Your business is pretty much likely to go down - all the way with
your productivity and the big bucks. Not more, not less. I have the
philosophy that I lock them down as much as possible - physically as
well as technically.
I also think that there shouldn't be any services running other than Active
Directory and the DNS service. The question then is: how can any viruses
or malware nest there, if there are no users logging in to that
machine (other than you and your admin-buddies), no services/shares with
write-access for people?
From the "what's it going to hurt"-perspective, I've seen environments
where the antivir did block access to the SYSVOL share and broke Group
Policy application down. People needed to exclude the SYSVOL folder from
scanning in order to have those services run again. This can actually be
a time-consuming search if you're not immediately thinking of your
antivir while troubleshooting.
If you really consider using an antivir on your domain controllers, be
careful when installing and ask the vendor if there are any issues with
Active Directory. A loss of a domain controller (a loss may also mean a
downtime of a few minutes/hours) can cause your whole network to be
unstable (it shouldn't if you have multiple domain controllers - but how
frequently do you try that out?).
- Be careful, that's what I'm sayin' ;-)
cheers,
Florian
--
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Ryan Hanisco Guest
Posted: Tue Jun 26, 2007 6:01 am Post subject: RE: Run a Virus Scan on DCs?
Flash,
There are generally few problems with this. Depending on the AV program and
the size of your domain, some people will exclude parts of the sysvol so that
the DC doesn't take a penalty hit from frequent directory updates.
In a small domain, the "what's it gonna hurt" take on it is often used. In
something truly large, it can be more of a big deal, but the AV vendors do
publish their own guidelines for this -- Symantec does as does McAfee ePO.
(I have had very bad experiences with TrendMicro in the last 2 years, so it's
not something I would be comfortable running in an enterprise at this point
though they ebb and flow as to which are good every few years.)
Hope this helps.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
Chicago, IL
Remember: Marking helpful answers helps everyone find the info they need
quickly.
"Flash3200" wrote:
Quote:
Should I run a dedicated Virus Scan on my Domain Controllers? We have
McAfee Enterprise VirusScan loaded on them and they are enabled to pick
up something as it runs live on the server, but I run a dedicated scan
once a week on all my other servers and I've heard both ways when it
comes to DCs... "no you shouldn't run a scan cause it slows them down
too much (regardless of memory???)" and also "Sure why not.. what's it
going to hurt". So I'd like to get everyone else's opinions!!!!
Thanks
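
The failure mode both replies describe, antivirus blocking SYSVOL and breaking Group Policy, can be checked directly by reading each GPO's gpt.ini over the SYSVOL share. The script below is an added example, not part of the original posts; the function name Test-SysvolGpoAccess is hypothetical, and it assumes a domain-joined machine and the default SYSVOL layout.

```powershell
# Added example, not from the thread. Assumes the default SYSVOL layout:
#   \\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\gpt.ini
# Run as a domain user on a member server or DC; it only reads files.
param(
    [string]$Domain = $env:USERDNSDOMAIN   # assumption: the machine is domain-joined
)

function Test-SysvolGpoAccess {
    param([Parameter(Mandatory = $true)][string]$PoliciesPath)

    if (-not (Test-Path -LiteralPath $PoliciesPath)) {
        throw "Policies folder not reachable: $PoliciesPath"
    }

    Get-ChildItem -LiteralPath $PoliciesPath -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $row = [pscustomobject]@{
                Gpo = $_.Name; Readable = $false; Version = $null; Millis = $null; Error = $null
            }
            $timer = [System.Diagnostics.Stopwatch]::StartNew()
            try {
                # An unreadable gpt.ini is the visible symptom: a client that cannot
                # read the GPO version from SYSVOL cannot process that policy.
                $lines = Get-Content -LiteralPath (Join-Path $_.FullName 'gpt.ini') -ErrorAction Stop
                $row.Readable = $true
                $versionLine = $lines | Where-Object { $_ -match '^\s*Version\s*=\s*\d+' } | Select-Object -First 1
                if ($versionLine -match '=\s*(\d+)') { $row.Version = [long]$Matches[1] }
            } catch {
                $row.Error = $_.Exception.Message
            } finally {
                $timer.Stop()
                $row.Millis = $timer.ElapsedMilliseconds   # slow reads hint at on-access scanning cost
            }
            $row
        }
}

$results = Test-SysvolGpoAccess -PoliciesPath "\\$Domain\SYSVOL\$Domain\Policies"
$results | Sort-Object Readable, Gpo | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Readable })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) GPO folder(s) unreadable; check scanner exclusions and logs for SYSVOL."
    exit 1
}
```

Running it before and after a change to the scanner's policy shows whether the change affected SYSVOL reads.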