For a long time, it's been a truism that you need to run antivirus software on all tiers of your network. Countless dollars and hours have been spent on deploying antivirus solutions on user desktops, various file and application servers, and the network perimeter. Of course, as brokerage-firm commercials everywhere love to remind us, past performance is no guarantee of future results. Do we still need multi-tiered antivirus? In particular, is it still important to have antivirus protection on your Microsoft Exchange servers?
Of course, antivirus vendors would answer that question with an emphatic yes. They'd point out that the level of sophistication found in malware is increasing rapidly. Attackers are getting better at finding and exploiting vulnerabilities in both operating systems and applications, and they have the advantage: If you're attacked 1,000 times, you have to block all 1,000 attacks, but the attacker has to get lucky only once. Multi-tiered protection, the vendors claim, is an important part of any reasonable security strategy.
The contrary view, though, is that many Exchange antivirus products have a somewhat checkered reliability record. As Microsoft has improved the APIs used to allow antivirus products to access and scan messages, the negative impact of these products on store reliability and performance has lessened, but some products still have a bit of trouble (not to name names!). In addition, it's still common to see customers who run file-level antivirus products on Exchange servers and then wonder why their transaction logs and stores are occasionally corrupted.
It's one thing to suffer these problems if the products are providing needed protection, but the terms of the argument have shifted focus toward better detection and prevention at the network edge so that malware doesn't make it to the server in the first place. Of course, the antivirus industry will counterargue that a properly written and configured antivirus program won't suffer any of these negatives, and that it's still important to have scanning on Exchange servers to ensure that infected messages that originate within the network (say, from a compromised corporate laptop) are caught in a timely manner.
The counterargument to that argument is that antivirus vendors have released a steady stream of increasingly complex products that do all sorts of things, including spam filtering, phishing protection, and integration with other security and management tools. If you examine the complexity of any vendor's Exchange antivirus product and compare it to the same product from a couple of years ago, you'll see an explosion in its complexity and feature set. Whether this situation is good or bad is a topic for a separate debate, but the added complexity puts a higher burden both on the developers who need to build a stable product and the administrators who deploy and manage it.
These are all reasonable arguments, but arguments without resolution aren't particularly interesting. My position is that antimalware protection is mandatory at the perimeter and on the desktop, desirable on Hub Transport servers, and optional on the Mailbox server. This combination gives the best mix of protection, ease of administration, and stability. However, I'm open to argument—drop me a note to tell me if you think you should be doing something different.