Admins: AV on Mail server. Yes or No?

typhoon43 (2[H]4U, joined Apr 5, 2001, 3,930 messages)
I'm starting to see more and more posts on lists about Antivirus solutions. More and more people are saying they DO NOT run AV packages on the actual Exchange server, just the External Relay Box, since in their mind if it gets past the relay then it will get past the Exchange box with the same AV definitions.

Our Exchange box uses a lot of CPU running McAfee GroupShield (constant on-access scans), and I was wondering what are the pros/cons?

All I can think of is that if an INTERNAL employee somehow got a virus and sent it to another internal address, the relay box wouldn't see it. Am I correct in thinking this?

I need more speed, but at the expense of security.
 
Yes. Definitely run it on the internal server. What if someone hits Hotmail and gets one that way that doesn't go through your mail relay? Also, block all outbound port 25 except the mail server. Most new viruses have their own internal SMTP server for sending out.
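An added example, not from the thread, of checking the egress rule this reply recommends: given constructed firewall log lines, it flags any internal host other than the designated mail server that opens outbound connections to port 25, which is the pattern a worm with its own SMTP engine produces. The log format, addresses and the ALLOWED_SMTP_SENDERS set are assumptions for illustration.

```python
"""Flag internal hosts sending SMTP (port 25) outbound without going through
the mail server.  Added example; log format, IPs and the allowed set are
constructed assumptions, not taken from any real deployment."""
import re
from collections import Counter

# Hypothetical policy: only the Exchange server may talk SMTP outbound.
ALLOWED_SMTP_SENDERS = {"10.0.0.25"}
INTERNAL_PREFIX = "10.0."

# Constructed log format: "<time> ACTION src=<ip>:<port> dst=<ip>:<port> proto=tcp"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: 10.0.1.77 is a workstation spraying SMTP at three hosts.
SAMPLE_LOG = """\
08:00:01 ALLOW src=10.0.0.25:4123 dst=203.0.113.10:25 proto=tcp
08:00:02 ALLOW src=10.0.1.77:3344 dst=198.51.100.5:25 proto=tcp
08:00:02 ALLOW src=10.0.1.77:3345 dst=198.51.100.6:25 proto=tcp
08:00:03 ALLOW src=10.0.1.77:3346 dst=198.51.100.7:25 proto=tcp
08:00:04 ALLOW src=10.0.1.12:5120 dst=203.0.113.50:443 proto=tcp
08:00:05 DENY src=10.0.2.9:6001 dst=192.0.2.8:25 proto=tcp
"""

def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def rogue_smtp_senders(log_text, allowed=ALLOWED_SMTP_SENDERS, threshold=1):
    """Return {src_ip: count} of ALLOWED outbound :25 connections from internal
    hosts not in `allowed`.  DENY lines were already stopped by the firewall,
    so they are not counted; a rising count per host suggests a mass-mailer."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["action"] != "ALLOW" or rec["dport"] != 25:
            continue
        if rec["src"].startswith(INTERNAL_PREFIX) and rec["src"] not in allowed:
            counts[rec["src"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Any host returned is one the egress rule should have blocked, so a non-empty result means either the firewall rule is incomplete or a machine is bypassing the mail server.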
 
Personally I would do both. It is a really good idea, to have an external mail server that sits in your DMZ scanning your messages for spam and viruses, then passing it along to the Exchange server. Also don't let anything other than that external mail server talk to your internal one. This is just good security.

Have an AV program on the Exchange server, also scanning for viruses. Also have it scan all outgoing mail for viruses too. We're using NAV Corp Ed. So each client desktop also scans outgoing mail, plus the Exchange server does too.

This takes some load off the Exchange server.

Our solution looks something like:

spamassassin/greylist/clamAV -----------> Exchange2K/NAV Exchange ------> Client.

It works really well. The Exchange server is very quick, and we generally don't have any problems.
 
Well we already have this setup implemented, and our security is NUTS (financial institution)
We have
Relay Box with SurfControl/McAfee AV---> EXCH2K Server w/ McAfee GroupShield--> Clients with McAfee AV

I just know how bogged the poor box gets when we do statements at the end of the month to mail to our members.
 
typhoon43 said:
Well we already have this setup implemented, and our security is NUTS (financial institution)
We have
Relay Box with SurfControl/McAfee AV---> EXCH2K Server w/ McAfee GroupShield--> Clients with McAfee AV

I just know how bogged the poor box gets when we do statements at the end of the month to mail to our members.

In that type of setup I probably would remove the AV from the Exchange server. If it gets past your relay, it'll get past your Exchange scanner as well. What I would do is set up a relay with a different AV program so that you have 2 engines with 2 sets of definitions scanning all your e-mail.
 
Party2go9820 said:
In that type of setup I probably would remove the AV from the Exchange server. If it gets past your relay, it'll get past your Exchange scanner as well. What I would do is set up a relay with a different AV program so that you have 2 engines with 2 sets of definitions scanning all your e-mail.

This is the right idea. You should have a relay scanning with one engine and the Exchange server scanning with another. Running the same scanner on both boxes is pointless. With this premise I'd go with 2 scanners on the 2 different systems. As I understand it, those Barracuda spam firewall systems actually utilize 2 different scan engines in series to filter out viruses. Even with that in front of your email server I'd still keep something on your Exchange box.
 
2 different engines in the mail path is a good idea. Always one on the Exchange server. Don't forget about the OS level scanning of the Exchange box as well. Build and size your hardware to user ratio with those requirements in mind.
 
I always recommend Sybari for these reasons you guys mentioned. You can run up to 5 different AV engines in one package. We run 3. We've had things get by one that the others caught and sometimes people release definitions late.
 
typhoon43 said:
Our Exchange box uses a lot of CPU running McAfee GroupShield (constant on-access scans), and I was wondering what are the pros/cons?

All I can think of is that if an INTERNAL employee somehow got a virus and sent it to another internal address, the relay box wouldn't see it. Am I correct in thinking this?

I need more speed, but at the expense of security.

Don't forget that if an internal employee somehow contracts an email worm, then the worm could start sending infected messages to all other internal employees, which in turn spew out their own barrage of messages. Imagine the resultant email DoS if you didn't have AV on the server. IMHO AV is a necessity on both the relay box and internal systems.

If your current system is already heavily utilized on a regular basis, then it's time to start either upgrading hardware or determine exactly what seems to be causing the monthly "bottleneck".
 
I run AV on my exchange server. I currently use:
My relay box runs XWall/Norton Corp/McAfee---->Exchange 2003/Panda--->client/Panda
3 different AVs running to check as much as possible. Once you've been burned by one, you won't let it happen again. XWall pretty much blocks the majority of it but the rest pick up a few each. McAfee I feel has the worst defs and Panda the best.
 
Yes it should be on the mail server as well, if for no other reason than to protect internal communications.

Some speed can usually be sacrificed for security. However, if speed starts to affect usability then you're going to have problems. If it just takes an email 5 more seconds to get from point A to point B, then that probably isn't that big of a deal. That's just my opinion.
 
Thanks for all the great replies fellas. As for keeping the box from bogging down, I just got my boss to let me have one of the Dell 2650's we just ordered for a new 2003 box.
Current EXCH2K box: Dual PIII-500's, 1.5GB RAM, 36G RAID-5
New EXCH2K3 box: Dual 2.8Xeons, 4Gigs DDR, (5) 72Gig Cheetah XL's in RAID-5

So I guess I don't need to worry about the bog anymore :D I'll forward your ideas to my CIO and see if we can get another engine running on the relay box.

Thanks!
 
How do you guys set up your machines when you are running multiple AV applications on one machine so that they don't both try to delete or quarantine files and then freak out on each other?

Back in the day, I tried using Norton and McAfee on one machine, and not only did it rape the hell out of the machine, whenever a virus was found, the machine would crash because both wanted to delete or quarantine the files and it wasn't good :eek:

Anyways, I guess I have always just stuck with one AV app (usually McAfee) on the mail server, and usually Clam Antivirus on the mail frontend....and I have never had a problem yet :confused:
 
typhoon43 said:
Thanks for all the great replies fellas. As for keeping the box from bogging down, I just got my boss to let me have one of the Dell 2650's we just ordered for a new 2003 box.
Current EXCH2K box: Dual PIII-500's, 1.5GB RAM, 36G RAID-5
New EXCH2K3 box: Dual 2.8Xeons, 4Gigs DDR, (5) 72Gig Cheetah XL's in RAID-5

So I guess I don't need to worry about the bog anymore :D I'll forward your ideas to my CIO and see if we can get another engine running on the relay box.

Thanks!

Sounds almost like the box I built back in September for our Exchange 2k3 box, minus the Dell part. Hand built ours. :D

I would highly recommend moving the OS to a RAID 1 array if at all possible. I'm running the OS on two 36GB Raptors (in an Enlight hotswap cage with 3 WDJB2500's) and it purrs like a kitten. The Exchange database has enough to do so you might as well dedicate a 4-disk array to the RAID5 and leave one for the hotspare.

Just some friendly tips. :) Oh, and make sure your exclusions are absolutely correct when setting up the box, or just get an Exchange aware version of whatever you're using. We have Sophos PureMessage (MailMonitor up until a few months ago) and it works great!
 
[Thread Crap]

If any of you email gurus have a spare moment, PM me!! I need some guidance regarding getting a small email server up and running. Thanks!

[/Thread Crap]
 
draconius said:
How do you guys set up your machines when you are running multiple AV applications on one machine so that they don't both try to delete or quarantine files and then freak out on each other?

Products like GFI MailSecurity incorporate the AV scanners into their software and take care of ensuring the email is scanned by each engine appropriately.
 