How many of you run anti-virus on your sole-purpose Windows IIS Webserver (no Web surfing from the machine, does handle some file uploads)? Why or why not?
For purpose of discussion, let's say a small .NET forms/database application with a SQL Express backend running on the same box; moderate load, say a couple hundred concurrent users at any time. The Web application does process image uploads for user galleries.
Few things that come to mind… if you do run AV:
- do you exclude all directories with the exception of the directory into which the uploads are placed?
- Do you have real-time scanning enabled or just a scheduled scan?
- How do you have the AV set to respond to threats, automatic or require user-input?
- what about the performance penalty?
Best Answer
We run real-time AV on all Windows boxes, no matter their function. Just another layer of defense-in-depth, and I've always regarded it as part of the cost of running on Windows. I wouldn't only limit to the upload directory, either -- if something malicious did get through or your box was otherwise compromised, often the first thing that happens immediately is that more malware is downloaded, and probably to somewhere that isn't the upload directory. There's definitely a performance penalty, and while it's worth it to us, we don't have a huge number of users/visitors to scale for, so take that for what it's worth.