My last UPDATE column, in which I argued against the need for comprehensive antivirus protection on Microsoft Exchange servers, generated quite a bit of reader reaction. I wanted to revisit the topic because I think it's worth discussing further.
Several readers wrote to point out that having file-level antivirus on every server is an important precaution to protect against viruses and worms that spread by exploiting vulnerabilities in Windows itself. That's a good point, one which I failed to consider in my original column. It is very important to ensure that none of your servers, Exchange included, are compromised by fast-spreading malware. Those of you who worked in the IT industry around the time of the Blaster, Nimda, or SQL Slammer worms know exactly what I'm talking about.
Microsoft has made great strides in making Windows more secure against these kinds of infestations; unfortunately, many other companies in the industry (Adobe, Oracle, and Apple: I'm looking at you!) still have a long way to go in terms of embracing the security development lifecycle that Microsoft has adopted. The Adobe Flash Player, in particular, seems to be a fertile ground for attackers. No matter how you try, I suspect you would have a hard time eradicating Flash from every server in your organization. It's too pervasive, so it's better to have protection.
A couple of readers wrote to point out that antivirus software on Mailbox servers is still desirable for a couple of different reasons. The reason I find most convincing is that a zero-day exploit can sneak in and take up residence on your Mailbox servers before a signature or filtering rule for it exists at the network perimeter or in your transport infrastructure. In that case, having protection on the Mailbox servers in your organization, despite the small additional performance penalty, would be very worthwhile.
Another consideration mentioned by readers is the fact that current antivirus software is typically managed through policies. If you get the policy wrong, or apply it in the wrong place, you can easily screw up multiple servers with the click of a mouse. Imagine accidentally changing a policy so that suddenly transaction logs on all of your database availability group (DAG) servers are subject to antivirus scanning and cleaning. That's the recipe for a major problem: a scanner that quarantines or deletes a log file leaves the database copy unable to replay it, which is exactly why Microsoft's guidance for file-level scanners on Exchange servers is to exclude the database and transaction log directories. Making this argument stick essentially revolves around a discussion of relative risks: Is the risk of a misconfigured, buggy, or poorly implemented antivirus program greater, or less, than the risk of a malware attack? I suspect that the answer to this question in any given environment depends on how much experience people in that environment have had with different antivirus programs. There's a wide quality gap in antivirus software—not so much in their effectiveness at catching malware, but in their stability, documentation, integration with Exchange, and other non-security-related areas.
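The misconfiguration scenario above has a cheap check. The following script is an added example, not code from the original column: it asks Exchange where each database copy on the local server keeps its .edb file and its transaction logs, then compares those directories against the file-level scanner's exclusion list. It assumes you run it in the Exchange Management Shell on a Mailbox server and that the file-level scanner is Microsoft Defender Antivirus (Get-MpPreference and Add-MpPreference); for another vendor's product, swap those two calls for its own exclusion cmdlets. The function names are my own.

```powershell
# Added example (not from the original column). Audit whether the directories
# Exchange actually uses for databases and transaction logs are excluded from
# file-level scanning, and optionally add the missing exclusions.
# Assumptions: Exchange Management Shell on a Mailbox server; Microsoft Defender
# Antivirus is the file-level scanner (Get-MpPreference / Add-MpPreference).

function Get-ExchangeScanExclusionPath {
    # Derive the paths from the databases that have a copy on this server (this
    # covers every DAG copy) rather than hard-coding paths a policy might not match.
    $paths = foreach ($db in Get-MailboxDatabase -Server $env:COMPUTERNAME) {
        Split-Path -Path $db.EdbFilePath.PathName -Parent   # database directory
        $db.LogFolderPath.PathName                           # transaction log directory
    }
    $paths | Sort-Object -Unique
}

function Test-ExchangeScanExclusion {
    param([string[]]$RequiredPath)
    # A path counts as excluded if it is, or sits under, a configured exclusion.
    $existing = (Get-MpPreference).ExclusionPath
    foreach ($p in $RequiredPath) {
        [pscustomobject]@{
            Path     = $p
            Excluded = [bool]($existing | Where-Object { $p -like "$_*" })
        }
    }
}

$required = Get-ExchangeScanExclusionPath
$report   = Test-ExchangeScanExclusion -RequiredPath $required
$report | Format-Table -AutoSize

$missing = $report | Where-Object { -not $_.Excluded } | Select-Object -ExpandProperty Path
if ($missing) {
    Write-Warning "Subject to file-level scanning: $($missing -join ', ')"
    # Uncomment to remediate on this server. Run the audit on every DAG member,
    # because a policy applied to the wrong group leaves some copies unprotected.
    # Add-MpPreference -ExclusionPath $missing
}
```

Run the audit on every member of the DAG rather than a representative server: the whole point of the scenario is that a policy scoped to the wrong container changes some servers and not others, so a clean report from one node proves nothing about the rest.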
Interestingly, I didn't hear anything from security software vendors. I was a little disappointed that none of them wrote to take me to task for suggesting eliminating their products. That's too bad, because I love a good argument.
One reader wrote in with some real-world experience from the medical industry. His organization uses a hosted antispam/antivirus service, a conventional antivirus product with four different scan engines at their network perimeter, and a different multi-engine product on their Exchange servers. The perimeter product typically catches several viruses each week that the cloud-based service misses, and the Exchange-hosted antivirus product catches one or two viruses per month that both other products fail to catch. Now, you could certainly argue that a different combination of products might have a better catch rate. But I suspect you would find that it's equally likely that a different combination would do worse. This is the best argument I've seen in favor of continuing to use multiple tiers of protection: If you're careful to choose different vendors, with different engines, the net catch rate can be a big improvement over a smaller number of tiers.
What I'd really like to see is a comprehensive study, or even an attempt at one, that shows the difference in catch rate for different combinations of antivirus protection at different tiers. It might not be practical to gather that data, especially given that no one vendor is likely to come off as the conqueror in such a study. However, I would like to see some hard data one way or another.
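The reader's anecdote and the study I am asking for both come down to the same measurement: not how much each tier catches, but how much each tier catches that nothing else does. The script below is an added example, not part of the original column or any vendor's tooling. It takes one verdict record per malicious sample, listing which tiers flagged it, and reports each tier's catch rate, its unique catches (samples no other tier caught), and the combined rate. The verdict data is constructed for illustration and does not reflect the reader's numbers; to use it for real, feed it records built from your gateway, perimeter and Exchange scanner logs keyed on a message or attachment hash.

```powershell
# Added example (not from the original column). Measure the marginal value of
# each antivirus tier from per-sample verdicts. The $verdicts data is constructed
# for illustration only; real input would come from the three products' logs.

$tiers = 'HostedService', 'PerimeterGateway', 'ExchangeScanner'

# Constructed sample set: sample id plus the set of tiers that flagged it.
$verdicts = @(
    [pscustomobject]@{ Sample = 's01'; CaughtBy = @('HostedService', 'PerimeterGateway', 'ExchangeScanner') },
    [pscustomobject]@{ Sample = 's02'; CaughtBy = @('HostedService', 'PerimeterGateway') },
    [pscustomobject]@{ Sample = 's03'; CaughtBy = @('HostedService', 'PerimeterGateway') },
    [pscustomobject]@{ Sample = 's04'; CaughtBy = @('PerimeterGateway') },
    [pscustomobject]@{ Sample = 's05'; CaughtBy = @('PerimeterGateway', 'ExchangeScanner') },
    [pscustomobject]@{ Sample = 's06'; CaughtBy = @('ExchangeScanner') },
    [pscustomobject]@{ Sample = 's07'; CaughtBy = @('HostedService') },
    [pscustomobject]@{ Sample = 's08'; CaughtBy = @() }   # missed by every tier
)

function Get-TierCatchReport {
    param([string[]]$Tier, [object[]]$Verdict)
    $total = $Verdict.Count
    foreach ($t in $Tier) {
        $caught = @($Verdict | Where-Object { $_.CaughtBy -contains $t })
        # Unique catches: samples where this tier was the only one to fire.
        $unique = @($caught | Where-Object { $_.CaughtBy.Count -eq 1 })
        [pscustomobject]@{
            Tier          = $t
            CatchRate     = [math]::Round($caught.Count / $total, 3)
            UniqueCatches = $unique.Count
        }
    }
}

function Get-CombinedCatchRate {
    param([object[]]$Verdict)
    $caughtByAny = @($Verdict | Where-Object { $_.CaughtBy.Count -gt 0 })
    [math]::Round($caughtByAny.Count / $Verdict.Count, 3)
}

Get-TierCatchReport -Tier $tiers -Verdict $verdicts | Format-Table -AutoSize
"Combined catch rate across all tiers: $(Get-CombinedCatchRate -Verdict $verdicts)"
"Missed by every tier: $(@($verdicts | Where-Object { $_.CaughtBy.Count -eq 0 }).Count)"
```

The number to argue about is UniqueCatches, not CatchRate. A tier that catches 80 percent of samples but has no unique catches is redundant with the tiers in front of it, while a tier with a modest catch rate and a steady trickle of unique catches, which is what the reader describes for the Exchange-hosted product, is earning its keep. Two products built on the same engine will show this as a high catch rate and near-zero unique catches, which is the quantitative form of the advice to pick different engines.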
Speaking of data: I should mention that Exchange Connections in Las Vegas runs next week. I will be there, presenting on cloud-based services, Microsoft advanced certifications, and how to make IT decisions that are good for your business without putting yourself out of a job. (This last topic was originally the idea of my friend Jim McBee, with whom I have the honor to co-present.) If you're in Vegas for Connections, please stop by and say hello!