With the recent Panda Antivirus signature problem still fresh in my mind, and as a fair few of our support calls continue to be antivirus related, I thought you might find it useful if I share some of the antivirus issues we see regularly tripping customers up.
Of course every software vendor professes their product incorporates the latest and greatest protection technology. When you’re working out what to use as a Systems Administrator however, it’s also important to think beyond that and specifically about how your proposed solution will interact with other applications in your network environment.
These are a handful of the areas we find usually end up resulting in a support call.
1. Businesses using home products
All of the software products we’re distributors for (BackupAssist, MDaemon, MailStore and SecurityGateway) will quite happily work on desktop operating systems – so now that’s Windows 7 upwards really.
Handy for our small business customers who don’t need a server platform, but it does mean we frequently come across low cost, and often free, antivirus software that’s been designed to work with your average home PC.
The problem here is the lack of flexibility. They tend to be quite basic, with minimal configuration options. That’s fine if you’re web browsing or using Outlook linked to a Gmail account for example, but they were never designed to run alongside Windows services reading and writing a lot to a disk in the background.
So, if you’re using Windows 7 or 8 as your server operating system, we strongly recommend you either opt for a business product or find a solution that’s flexible enough to cater for excluding those components you know you can trust.
2. Conflicts with real-time scanning
Real-time scanning is fairly standard in antivirus solutions these days, and is something that can trip a lot of customers up.
It usually works by monitoring disk access – looking for downloaded files, USB pen drives and incoming email that ‘could’ contain a threat. When the software suspects an issue, users are displayed a pop-up alert to take action. However, if you use something like MDaemon Messaging Server, there’s a lot more activity than if it was your typical desktop machine.
MDaemon by design will be reading and writing a large number of .msg text message files to the disk continually as email is being sent and received. When message files are being created, we’ll often find the antivirus software jumping in trying to decide if each one is safe.
This slows the disk access but on an unmanned ‘server’ there’s also nobody there to see those pop-up alerts which means files can simply vanish without anyone being aware. Not ideal!
In the case of MDaemon, we suggest you leave the security to its own antivirus plugin, because it’ll scan the files at the right point in the message flow. Should a threat be detected it will simply alert whoever it needs to via email.
3. Excessive scheduled scans
A scheduled scan works in a similar way to real-time scanning, but instead of watching for new files being written to the disk it runs at set times of the day and simply scans a range of files (often whole drives) looking for threats.
This too adds load on the disk I/O during the scan, so these really should be kept to a minimum. They make sense in a desktop environment, but for servers, where you can hopefully be reasonably confident you have adequate protection on the traditional threat entry points, it’s overkill in my opinion.
4. Antivirus add-ins for Outlook
So far I’ve been talking about server protection but a lot of the issues we encounter are with desktop machines too, particularly with Outlook add-ins.
Just like lots of other business applications, MailStore and MDaemon have their own Outlook add-ins which integrate certain features. The issues we see tend to arise when the antivirus software installed also has a plug-in of some kind and the two are butting heads.
Generally speaking, we recommend not using Outlook antivirus plug-ins unless you really need to; instead, I suggest scanning email for viruses at the server.
5. Email scanning on client machines
As well as providing an Outlook add-in, some antivirus software also tries to scan email traffic travelling over SMTP, IMAP or POP3 sessions. This low-level scanning can happen on both servers and clients.
MDaemon’s Outlook Connector is one example of a product that uses IMAP for both standard email traffic, as well as for calendar entries, contacts and other stuff. This extended use of the IMAP protocol and message structure can cause some antivirus software to get confused, and even when not detecting threats, these sessions can get disrupted, causing data loss, blank emails etc.
For this reason you should be aware of email scanning and whether it might cause you problems. Because we deal with MDaemon a lot, we always recommend disabling this feature.
6. Applications being blocked on servers
If you’re anything like me, it’s quite possible at some point you’ve found yourself staring vacantly at the screen, scratching your head as to why an application’s not working as it should be, only to find out Windows Firewall has been blocking it all along.
Well, some antivirus solutions also include a firewall of their own which means there’s double the likelihood of that happening!
Again, in a desktop environment, the chances are that you’d spot the alert indicating a ‘new’ application wants to access the Internet, so it’s less of an issue. For servers however, not only is there more activity in terms of the services running, but there’s less chance of seeing the alert too. Services also tend to update frequently, and when they restart, that alone is enough to cause a firewall prompt.
Consider whether you need a secondary firewall and, if you do, always keep an eye on those exclusions. Also make it your first port of call in the event of an issue!
7. Competing antivirus tools
Antivirus software will often flag valid components as threats simply because they contain signature files. In effect, what you can end up with is one antivirus tool seeing another as a threat.
For this reason you almost always have to exclude particular folders from antivirus scanning, or you can find that the engine itself will get corrupted and be more prone to crashes.
8. Settings changing with updates
Finally, even when you have everything set up as you’d like it, and you’ve excluded and disabled all the features you don’t need, the problems may yet return.
We’ve seen on more than one occasion the antivirus solution auto update and reset some feature settings back to a default, re-blocking components and causing both new issues and the return of old ones.
Yes, the classic user comment ‘I haven’t changed anything’ may be true on this occasion; actually ‘everything has changed’, but it’s happened automatically!
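Because the exclusions from sections 2 and 7, the firewall rules from section 6 and the update resets from section 8 all boil down to ‘is the configuration still what I set it to?’, a small check you can run on a schedule makes those silent changes visible. The script below is an added example written for this post; it is not MDaemon, BackupAssist or any vendor’s own tooling. It assumes Windows Defender is the antivirus (the Get-MpPreference and NetSecurity cmdlets shipped with Windows 8 / Server 2012 and later), an elevated PowerShell prompt, and placeholder paths and service names that you would replace with your own.

```powershell
# Added example, not from the original post: a drift check that reports whether
# the antivirus exclusions and firewall allow rules a mail server depends on are
# still in place. Assumes Windows Defender and the built-in Defender / NetSecurity
# cmdlets (Windows 8 / Server 2012 or later), run from an elevated prompt.
# Every path, executable and service name below is a placeholder; replace them
# with the real install locations from your own environment.

$ExpectedExclusions = @(
    'C:\Example\MailServer\Queues',   # placeholder: message queue folders
    'C:\Example\MailServer\Users',    # placeholder: user mailbox folders
    'C:\Example\MailServer\Plugins'   # placeholder: the server's own AV plugin files
)
$ExpectedFirewallPrograms = @(
    'C:\Example\MailServer\MailServer.exe'   # placeholder: service executable
)
$ExpectedServices = @('ExampleMailServer')   # placeholder: Windows service name

# Returns the expected exclusion paths that Defender no longer lists
# (for example after an update has reset the preferences to defaults).
function Get-MissingAvExclusions {
    param([string[]]$Expected)
    $current = @((Get-MpPreference).ExclusionPath)
    $missing = foreach ($path in $Expected) {
        $wanted = $path.TrimEnd('\')
        $found  = $current | Where-Object { $_.TrimEnd('\') -ieq $wanted }
        if (-not $found) { $path }
    }
    return @($missing)
}

# Returns the programs that have no enabled inbound 'Allow' firewall rule.
# Rules are matched on the exact program path stored in the rule.
function Get-ProgramsWithoutAllowRule {
    param([string[]]$Programs)
    $unmatched = foreach ($program in $Programs) {
        $rules = Get-NetFirewallApplicationFilter -Program $program -ErrorAction SilentlyContinue |
                 Get-NetFirewallRule -ErrorAction SilentlyContinue |
                 Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' -and $_.Direction -eq 'Inbound' }
        if (-not $rules) { $program }
    }
    return @($unmatched)
}

# Returns the expected services that are missing or not running.
function Get-StoppedServices {
    param([string[]]$Names)
    $stopped = foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Running') { $name }
    }
    return @($stopped)
}

# Summarises the scanning settings discussed in the post so a reset stands out.
function Get-ScanSettingSummary {
    $pref = Get-MpPreference
    [pscustomobject]@{
        RealtimeMonitoringDisabled = $pref.DisableRealtimeMonitoring
        EmailScanningDisabled      = $pref.DisableEmailScanning
        ScanScheduleDay            = $pref.ScanScheduleDay
        ScanScheduleTime           = $pref.ScanScheduleTime
        ExclusionCount             = @($pref.ExclusionPath).Count
    }
}

function Invoke-AvDriftCheck {
    $missing = Get-MissingAvExclusions -Expected $ExpectedExclusions
    $noRule  = Get-ProgramsWithoutAllowRule -Programs $ExpectedFirewallPrograms
    $stopped = Get-StoppedServices -Names $ExpectedServices

    Get-ScanSettingSummary | Format-List
    if ($missing) { Write-Warning ('Exclusions missing: ' + ($missing -join ', ')) }
    if ($noRule)  { Write-Warning ('No enabled inbound allow rule for: ' + ($noRule -join ', ')) }
    if ($stopped) { Write-Warning ('Services not running: ' + ($stopped -join ', ')) }

    # Non-zero exit code so a scheduled task or monitoring tool can flag the drift.
    if ($missing -or $noRule -or $stopped) { exit 1 }
    Write-Output 'No antivirus or firewall drift detected.'
}

Invoke-AvDriftCheck
```

Run it once by hand to confirm the placeholders match your real paths, then register it as a daily scheduled task so the exit code and warnings reach whoever reads the logs. Two caveats: a firewall rule written with an environment variable such as %ProgramFiles% stores that form rather than the expanded path, so compare against what the rule actually contains; and if you run a third-party product instead of Defender, the firewall and service checks still apply but the exclusion check needs that vendor’s own query mechanism in place of Get-MpPreference.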
I hope you’ve found that useful – it’s not an exhaustive list, and it’s limited by virtue of the fact that it’s only indicative of the problems we see here at Zen. Hopefully though, it’ll give you some food for thought and highlight the need to consider and understand how the software services work and communicate.
My general rule of thumb is to keep things simple! If you have any suspicions that it’s antivirus causing an issue, remove it temporarily, reboot, and see if that resolves the issue. If it does, re-install it and then run through the above to help you pinpoint which component is being over-sensitive.