Author Topic: Performance, risk vs reward choices for servers  (Read 2169 times)


Offline dmahalko

  • Newbie
  • Posts: 5
Performance, risk vs reward choices for servers
« on: February 20, 2015, 05:48:59 AM »
I am in the process of a new free-for-education Avast deployment.

There are several sections of the Avast client which appear to be either "Not Applicable" or "Not a Good Idea to Use" on Windows servers.


The servers I run are mainly Server 2008 R2 with Windows Update automatically installing daily, and that right there is the biggest issue for system protection.

Is it a best practice to turn off functions in the package configuration if I'm not going to use them, to reduce server CPU load for unnecessary components that won't do anything?


Probably the most important function for servers is ONLY the File System shield on file servers, to scan user home directories and protect the network users from themselves.

What exactly is the specific advantage of the Avast firewall vs the Windows Server firewall? The Windows firewall seems to work fine, and on a server I have to worry about Avast's firewall possibly blocking some critical role by default that could bring down a "production" school network. I do not have a "test server environment". So it seems better to just avoid Avast's firewall and stay with the default Windows server firewall.

The Behavior shield is another that has me worried for a server. Don't make random guesses about what the server is doing and get your nose in there and potentially screw things up. This seems a function more suited for the desktop clients, than a domain controller, database server, or main file server.

That is similarly a concern for the Script Shield and the Network Shield when running extremely complex district administration database software. Imagine Avast getting its nose in a payroll script or student grading function and saying "nope, that looks suspicious" and corrupting transactions. Such induced errors might never be discoverable.

We don't use Sharepoint or Exchange or any other local mail server, and it is simply dumb for an administrator to be using IM or P2P software on a server.

Disabled Components:
 - Sandbox
 - SafeZone
 - Cisco NAC
Disabled client shields:
 - Mail Shield
 - IM Shield
 - P2P Shield
 - Network Shield
 - Script Shield
 - Antispam Shield
 - Firewall Shield
Disabled server shields:
 - Sharepoint Shield (32 bit) 
 - Sharepoint Shield (64 bit)
 - Exchange Shield (32 bit)
 - Exchange Shield (64 bit)
 - Antispam Shield for Exchange
Boot time scan:
 - No

Enabled components:
 - Browser protection
Client Shields:
 - File System Shield
 - Web Shield

I will probably go further and exclude any database folders from protection scanning, as it is typically impossible to scan inside enterprise database files for viruses or do anything about them, and which just drags down the server.


What have other people been doing with district server protection with Avast, and what have your experiences with it been like?
« Last Edit: February 20, 2015, 06:34:22 AM by dmahalko »

Offline Chad-bisd

  • Hopeful, yet discontent
  • Jr. Member
  • Posts: 49
    • Beckville ISD
Re: Performance, risk vs reward choices for servers
« Reply #1 on: March 02, 2015, 04:37:17 PM »
I think your question is a bit too in-depth for this forum right now. Not a lot of people come here and even fewer actually respond. You may have better luck asking your question in a server admin type forum rather than specific to this AV. Maybe on Spiceworks or similar forums.

Offline HAtech

  • Newbie
  • Posts: 3
Re: Performance, risk vs reward choices for servers
« Reply #2 on: March 04, 2015, 05:41:33 PM »
I think your decisions are exactly right. On a typical server the File System shield would be the only thing I'd install. I try very hard to not browse the web on any server and then only to known good sites (MS, Dell, etc.), so I probably wouldn't even install Web Shield or Browser Protection.

Che Johnson wrote in the Installation Guide https://forum.avast.com/index.php?topic=110470.0
Quote
For servers, I will recommend to modify the components of the deployment package (create a light installation package for servers OS’s) which consists of the File System Shield only. This is usually the only real protection required for file servers and this is an industry standard best practice. This assumes that the File Server is not being used as a workstation. NOTE: DO NOT use the Network Shield on servers. SharePoint servers should add the SharePoint shield in addition to the File System Shield. If servers are to be managed (see below), then each server type will require its own group, separate from the managed client group. If servers are NOT to be managed, then use the custom install feature to select the correct shield/shields for that server type.
That sounds like good advice to me!
I don't know if the File System shield automatically excludes any files/directories, but it would be good practice to exclude things like Exchange mail stores, SQL database locations, etc. and it could help performance.