7

Considering a normal e-mail volume (I don't know how I can define that) of 10000 users on a mail server, does it make sense to scan emails for viruses?

I guess it should affect the server load, but to what extent?

Desired answer should include pros/cons of a given approach.

HopelessN00b
pl1nk
  • 1
    This is why you can outsource it to organisations like [Postini](http://www.google.com/postini/) – Steve-o Aug 28 '12 at 13:49
  • @Steve-o - oh well another google tm – pl1nk Aug 28 '12 at 14:09
  • @Steve-o NO, you cannot. You can have them scan inbound and outbound emails for malware, but that does no good if the server itself gets infected or wiped by a virus. – HopelessN00b Aug 28 '12 at 14:58
  • @HopelessN00b that is illogical, you have a firewall in front of the mail server that only permits forwarding to your anti-virus SMTP relay. – Steve-o Aug 28 '12 at 16:57
  • @Steve-o because your users can directly connect to Postini through Outlook, and never have to connect to your mailserver (for example)? I think you need to reconsider the threat profile for a mailserver. – HopelessN00b Aug 28 '12 at 17:00
  • @HopelessN00b that's what a firewall is for, limit the source IP to the mail server. – Steve-o Aug 28 '12 at 20:50
  • 1
    @HopelessN00b If your mail server can itself get infected from a message attachment, something is wrong with your mail server. Attachments are just payloads. The server shouldn't be doing anything other than moving bytes from one location to another. – Joel Coel Aug 31 '12 at 13:43

3 Answers

9

You should be scanning incoming messages before they reach your end users, and you should be scanning outgoing messages before they pass from your control... but you don't necessarily need to do it at the e-mail server.

A lot of companies have a gateway appliance, separate from the e-mail server, that sits at the edge of the network and supports scanning e-mails as they pass through the appliance. Or a company could redirect their MX records through an outside service (cloud-based) such that all mail is scanned for viruses and spam, and possibly archived for compliance purposes.

Joel Coel
  • I would argue that this practice doesn't make your mail server immune from requiring virus protection. Maybe you could exclude the mail store to reduce load. (Such as suggested below.) But, this seems to be inviting some bonehead SA to use IE on the mailserver to download a patch/update and get caught with a XSS/trojan dropper. – Aaron Copley Aug 31 '12 at 15:07
8

You should certainly have anti-virus protection for your mail server. In fact, you should not be asking if you should get anti-virus software but asking what you need and how you need to configure it.

I am assuming you are using Exchange Server; given this, there are specific solutions out for Exchange, which typically are not CPU intensive. It will give you features such as filtering by extension type, such as .exe, vs. checking all e-mail attachments via signatures; this will be much less CPU intensive. You can then run scans overnight but exclude the datastores. You will not see much of a performance hit, and if you choose not to use it then you are only asking for trouble.

You can also use a mail relay server that accepts incoming mail and it will scan for viruses and spam. Larger companies such as yours with a lot of users will sometimes take this approach.

xkcd - Network

(comic via xkcd)

MDMarra
JMeterX
  • I'm not using Exchange Server, my question is general if using a virus scanner in a mail server is ok favorably along with the pros/cons. – pl1nk Aug 28 '12 at 13:41
  • @pl1nk understood, but the overall aspects remain the same. It is always a good idea to use antivirus software and you will not see much of a performance hit if properly configured. As Joel Coel mentioned as well, many large companies use appliances on the edge of the network. – JMeterX Aug 28 '12 at 13:46
  • You win 10 internets for the inclusion of the XKCD cartoon. – gWaldo Aug 28 '12 at 17:02
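
The answer above contrasts filtering attachments by extension type with signature scanning of every attachment. As an added illustration (not code from the answer or from any mail product), this sketch shows what an extension check does on a parsed MIME message; the blocklist, function names and sample message are assumptions constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist for illustration; a real policy is site-specific.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".vbs", ".js"}

def final_extension(filename):
    """Lower-cased last extension after dropping path parts and trailing dots/spaces."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    base = base.strip().rstrip(". ")
    _, dot, ext = base.rpartition(".")
    return "." + ext.lower() if dot else ""

def blocked_attachments(raw_bytes):
    """Return the filenames of MIME parts whose final extension is blocked."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    # walk() visits every part, including parts of forwarded (message/rfc822) mail.
    for part in msg.walk():
        name = part.get_filename()
        if name and final_extension(name) in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits

def build_sample(filenames):
    """Constructed test message carrying one dummy attachment per filename."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for fn in filenames:
        msg.add_attachment(b"constructed payload", maintype="application",
                           subtype="octet-stream", filename=fn)
    return msg.as_bytes()

if __name__ == "__main__":
    sample = build_sample(["report.pdf", "Invoice.PDF.EXE"])
    print(blocked_attachments(sample))
```

The check only reads MIME headers, which is why it is cheap; it never inspects attachment content, so a renamed or archived file passes and content scanning is still needed for those.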
1

Yes, you need antivirus on your mail server. You can outsource scanning inbound and outbound mail for viruses and other malware (as well as spam) to a number of other companies, and I recommend this approach, but even if you do, your mail server is still exposed to the threat of becoming infected by all the internal clients that you have connecting to it.

At a minimum, you need AV on your mail server to protect your mail server, and hosted solutions don't protect it from your users and client machines. Whether you use the AV to scan messages, and for what, depends on whether you have a hosted company or appliance at the gateway doing it for you. If you've got something else doing it, you may be able to skip this step, or use a less intensive scan; if you don't, you definitely need to scan emails thoroughly.

And yes, there will be a performance hit, but it's generally pretty minimal, so unless your mail server is already being crushed, adding AV shouldn't cause performance problems. However, this is (one of the reasons) why you'll want to trial different solutions from different vendors before settling on one, and one of the reasons AV vendors offer demos and trial versions for enterprise customers.

HopelessN00b