Anti-Virus Policies for Servers

As with desktop computers, policies can be established for servers; these may or may not match the policies for workstations.

The policies that are established for servers fall into two main categories:

  1. Anti-Virus Scan Time Policies -- You can determine what time the scan runs and what actually gets scanned when you choose the Full Anti-Virus Management model for servers.  At this time, servers are scanned one to three times a week at the following times (assuming the system is left running at the time the anti-virus scan is initiated).  This is not to say there can't be more policies to accommodate other times or days.  It's just that to this point in time, no one has requested scans at any other times or days than those listed below:
    • 12:00 AM midnight (Tues., Thurs., Sat.)
    • 1:00 AM (Tues., Thurs., Sat.) 
    • 2:00 AM (Tues., Thurs., Sat.)
    • 3:00 AM (Tues., Thurs., Sat.)
    • 4:00 AM (Tues., Thurs., Sat.)
    • 5:00 AM (Tues., Thurs., Sat.)
    • 6:00 AM (Tues., Thurs., Sat.)
    • 7:00 PM (Fridays)
    • 7:00 PM (Thursdays)
    • 9:00 PM (Mon., Wed., Fri.)
    • 10:00 PM (Mon., Wed., Fri.)
    • 11:00 PM (Mon., Wed., Fri.)
    • 11:00 PM (Tues., Thurs.)
  2. Anti-Virus and Host Intrusion Prevention System Policies -- These characteristics for the Sophos product help to form the "policy" by which the anti-virus scanning, management and malware remediation take place.  By adjusting these components for groups of computers or servers, variations in how the product performs for that particular group can be achieved.  For example, you might want "On-access scanning" for workstations and laptops, but you wouldn't want it for servers as it may dramatically reduce the performance of a server.
    • Authorization -- Authorization or denial of applications to run on a system is based upon a number of criteria
    • Messaging -- Messages to Sophos administrators can be set to go out (or not) through email. 
      • Desktop Messaging -- In order to minimize the need for user involvement, desktop messaging has been turned off
      • Email Alerting -- This has been enabled, so Desktop Support personnel and Sophos Administrators can be notified of virus problems early in the detection process
      • SNMP Messaging -- Not in use at this time
      • Event Log -- We make extensive use of virus event logs so that follow-up can occur as to what happens during a virus outbreak on campus
    • Sophos Live Protection -- "Live Protection" provides the most up-to-date threat protection through an online lookup service at Sophos.com in real time. We have this enabled and automatically send sample files to Sophos for further forensic analysis.
    • Suspicious Behavior (HIPS) -- The "Host Intrusion Prevention System" is set up on the Enterprise Console to detect suspicious behavior and buffer overflows.  There is an option to "Alert Only" if it finds a file that is acting in a suspicious manner, but this has been turned off, so the system will try to deal with the suspicious file.
    • On-Access Scanning -- On-access scanning is disabled for servers for performance reasons
    • Web Protection -- When users inadvertently or intentionally attempt to go to specific websites, we choose to block access to any malicious websites and, in a similar fashion, provide on-access scanning of content downloaded from a website.  Websites are usually not accessed from servers, but if they are, protection has been turned on in order to protect the system
    • Scanning Schedule -- The Scanning Schedule allows us to choose what to scan (and what not to scan), and schedule the scan to occur on specific days and at specific times
    • Extensions and Exclusions -- Just like "On-Access Scanning", scheduled scans can be set to exclude or include specific file extensions and file types