Considerations when using antivirus software on ISA Server

Published: July 2008

Authors

Jim Harrison – Program Manager, ISA SE

Yuri Diogenes – Security Support Engineer

Contributors and Tech Reviewers

Mohit Saxena – Security Tech Lead (ISA & IAG)

Masoud Hoghooghi – Security Escalation Engineer

Vic Singh Shahid – Security Escalation Engineer

In a protected environment, protecting each computer against threats is an important security element, and Microsoft Internet Security and Acceleration (ISA) Server is a key link in that chain. Regardless of how ISA Server is deployed (as an edge firewall or as a Web proxy/cache server), protecting the server itself is vital. In daily operations, security administrators are always trying to improve the security of the environment, and one recurring question is whether antivirus software should be installed on the ISA Server computer.

Before going further, we strongly recommend that you read the white paper “The Antivirus Defense-in-Depth Guide”, available from the Microsoft Download Center. It gives an overview of antivirus technology, general recommendations, and best practices.

The types of antivirus usually used on ISA Server

There are two main types of antivirus software that we see customers using on ISA Server:

  • File scanners: this type of antivirus scans files residing on disk and checks that they are virus-free. This category has three main sub-types:

    • Memory-resident file-level scanning refers to a part of file-level antivirus software that is loaded in memory at all times. It checks all the files that are used on the hard disk and in computer memory.

    • Process-level scanning refers to a part of the antivirus software that performs scanning of in-memory processes, such as applications, services, etc.

    • On-demand file-level scanning refers to a part of file-level antivirus software that you can configure to scan files on the hard disk manually or on a schedule. Some versions of antivirus software start the on-demand scan automatically, after virus signatures are updated, to make sure that all files are scanned with the latest signatures.

  • HTTP-aware scanners: because the ISA Server Web proxy supports the Web filter extensibility model, third-party vendors can build antivirus products that examine and modify the HTTP request and response flow by developing their own Web filters.

Note:
The definitions of Memory-resident file-level scanning and On-demand file-level scanning are from the article “File-Level Antivirus Scanning on Exchange 2007” that you can find at Microsoft TechNet.

Besides the two main types described above, some vendors offer “combo” products that integrate both a file scanner and an HTTP-aware Web filter.

Depending on the type of antivirus software you use on ISA Server, the recommendations differ, both for day-to-day operations and for troubleshooting.

Recommendations

File scan antivirus, described in the previous section, usually brings little benefit when installed on a computer running ISA Server. The main reason is that ISA Server is generally not used as a file share or in any role other than firewall and Web proxy/cache, so a file scanner has little to scan and its potential goes largely unused. However, we understand that some companies need this type of antivirus for compliance reasons, for example when the company’s security policy and procedures make it a mandatory requirement.

If you must have this type of antivirus installed on a computer running ISA Server, make sure that the following folders, files, and processes are excluded from antivirus scanning (both real-time and scheduled scans):

  • Exclude the ISA Server program files directory - This prevents file access contention when the ISA Server services are starting, when they need to access data files such as error or logon pages, or when they need to access other components such as RAS logon mechanisms. By default, this directory is %ProgramFiles%\Microsoft ISA Server.

  • Exclude the MSDE folder (when using ISA Server advanced logging) - Scanning the files used by the SQL processes may lead to logging failure, and as a result ISA Server may go into lockdown mode. By default, this is located in %ProgramFiles%\Microsoft SQL Server\MSSQL$MSFW.

  • Exclude the Active Directory Application Mode (ADAM) folder (ISA Server Enterprise Edition only) - Running antivirus software against these files can cause problems with the Extensible Storage Engine (ESE), which might require you to restart the ADAM service.

    • By default, the ADAM database and log files are installed at %ProgramFiles%\ISA Server\Adam Data\

    • The following files should not be scanned:

      • Adamntds.dit

      • the ADAM .log files

      • Temp.edb

      • Edb.chk

  • Exclude the ISA Server cache files - Antivirus software can corrupt the cache files if it locks a file for scanning while ISA Server is trying to access it. The Web cache is kept in a urlcache folder on each drive that has a cache configured, so make sure to exclude Drive:\urlcache\*.* from the scan job. For more information on the issues that can occur, review KB887311.

  • Exclude the ISA Server log files - Exclude the folder where ISA Server writes its logs. By default, this folder is %ProgramFiles%\ISA Server\ISA logs. This is especially important if you are using MSDE logging, because the log database files are held open by SQL. For more information on the exclusion list for SQL-related files, check KB309422.

  • Exclude the ISA Server processes (where your antivirus product supports process exclusions):

    • dsamain.exe (ADAM service – Enterprise Edition only)

    • wspsrv.exe (Microsoft Firewall service)

    • mspadmin.exe (Microsoft ISA Server Control service)

    • isastg.exe (Microsoft ISA Server Storage service)

    • w3prefch.exe (Microsoft ISA Server Job Scheduler service)

    • sqlservr.exe (MSSQL$MSFW service – only if using MSDE logging)

  • General Windows folders: Review the section “Virus scanning for computers that are running Windows Server 2003, Windows 2000, or Windows XP” in KB822158 and apply those recommendations.
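An exclusion list is only effective if its paths and process names match the host it is applied to: an exclusion for a default install path does nothing on a server where ISA was installed elsewhere, and an MSDE or ADAM exclusion is noise on a Standard Edition box without MSDE logging. The script below is an added example, not part of the original article or of ISA Server, that audits the exclusions listed above against the local computer. It assumes Windows PowerShell 2.0 or later is installed on the ISA Server computer, that ISA Server is installed under the default %ProgramFiles%\Microsoft ISA Server (override with -IsaRoot), and that the MSDE instance is named MSFW as above. The function names (Get-IsaExclusionAudit, New-Exclusion) are the example’s own. It only reports; entering the exclusions into the antivirus console remains a vendor-specific step.

```powershell
# Added example (not from the TechNet article): audit the file-scan antivirus
# exclusions recommended above against this ISA Server host.
# Assumptions: PowerShell 2.0+, default install root (override with -IsaRoot),
# MSDE instance named MSFW. Process names are the executables listed above.

function New-Exclusion([string]$Type, [string]$Target, [bool]$Found, [string]$Reason) {
    # One row of the audit: Found = $false means the item is not on this host
    # right now, so the exclusion is either unnecessary or its path is wrong.
    New-Object PSObject -Property @{ Type = $Type; Target = $Target; Found = $Found; Reason = $Reason }
}

function Get-IsaExclusionAudit {
    param(
        [string]$IsaRoot  = [Environment]::ExpandEnvironmentVariables('%ProgramFiles%\Microsoft ISA Server'),
        [string]$MsdeRoot = [Environment]::ExpandEnvironmentVariables('%ProgramFiles%\Microsoft SQL Server\MSSQL$MSFW')
    )
    $list = @()

    # 1. ISA Server program files directory.
    $isaInstalled = Test-Path -LiteralPath $IsaRoot
    $list += New-Exclusion 'Folder' $IsaRoot $isaInstalled $(if ($isaInstalled) { 'ISA Server install root' } else { 'Not found: ISA installed elsewhere? Fix -IsaRoot' })

    # 2. ADAM database (Enterprise Edition): locate Adamntds.dit under the root
    #    instead of trusting a hard-coded folder name.
    $dit = $null
    if ($isaInstalled) {
        $dit = Get-ChildItem -Path $IsaRoot -Recurse -Filter 'Adamntds.dit' -ErrorAction SilentlyContinue | Select-Object -First 1
    }
    if ($dit) {
        foreach ($f in 'Adamntds.dit', '*.log', 'Temp.edb', 'Edb.chk') {
            $list += New-Exclusion 'File' (Join-Path $dit.DirectoryName $f) $true 'ADAM/ESE database file (Enterprise Edition)'
        }
    } else {
        $list += New-Exclusion 'File' 'Adamntds.dit' $false 'No ADAM database found: Standard Edition, or ADAM data stored elsewhere'
    }

    # 3. Log folder: first directory under the root whose name looks like the ISA log folder.
    $logDir = $null
    if ($isaInstalled) {
        $logDir = Get-ChildItem -Path $IsaRoot -ErrorAction SilentlyContinue |
                  Where-Object { $_.PSIsContainer -and $_.Name -like 'ISA*Log*' } | Select-Object -First 1
    }
    if ($logDir) { $list += New-Exclusion 'Folder' $logDir.FullName $true 'ISA Server log folder' }
    else         { $list += New-Exclusion 'Folder' (Join-Path $IsaRoot 'ISALogs') $false 'Log folder not found under install root; check the logging configuration' }

    # 4. MSDE logging: only relevant when the MSFW instance service exists.
    $msfw = Get-Service -Name 'MSSQL$MSFW' -ErrorAction SilentlyContinue
    $list += New-Exclusion 'Folder' $MsdeRoot ($msfw -ne $null) $(if ($msfw) { "MSDE instance MSFW present (status: $($msfw.Status))" } else { 'MSDE logging not installed; exclusion not needed' })

    # 5. Web cache: a urlcache folder on every fixed drive that has a cache configured.
    $foundCache = $false
    foreach ($d in (Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3')) {
        $cache = Join-Path $d.DeviceID 'urlcache'
        if (Test-Path -LiteralPath $cache) {
            $foundCache = $true
            $list += New-Exclusion 'Folder' (Join-Path $cache '*.*') $true 'ISA Web cache container on this drive'
        }
    }
    if (-not $foundCache) { $list += New-Exclusion 'Folder' 'Drive:\urlcache\*.*' $false 'No urlcache folder on any fixed drive: caching disabled or not yet initialised' }

    # 6. Processes: report which of the listed executables are actually running.
    $processes = @{
        'wspsrv'   = 'Microsoft Firewall service'
        'mspadmin' = 'Microsoft ISA Server Control'
        'isastg'   = 'Microsoft ISA Server Storage'
        'w3prefch' = 'Microsoft ISA Server Job Scheduler'
        'dsamain'  = 'ADAM service (Enterprise Edition only)'
        'sqlservr' = 'MSSQL$MSFW (MSDE logging only)'
    }
    foreach ($name in $processes.Keys) {
        $running = Get-Process -Name $name -ErrorAction SilentlyContinue
        $list += New-Exclusion 'Process' "$name.exe" ($running -ne $null) $(if ($running) { "$($processes[$name]) running (PID $(@($running)[0].Id))" } else { "$($processes[$name]) not running" })
    }
    return $list
}

# Usage on the ISA Server computer:
Get-IsaExclusionAudit | Select-Object Type, Target, Found, Reason | Sort-Object Type, Target | Format-Table -AutoSize
```

Keep the exclusions as narrow as the report allows: exclude the exact folders and files it resolves rather than whole drives or the entire Program Files tree, and re-run the audit after moving the cache, the log folder, or the MSDE instance, since a stale exclusion silently reintroduces the contention the list is meant to prevent.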

HTTP-aware antivirus plays a large role in traffic handling, as explained in the previous section. Because these products work as Web filters and do not necessarily scan files on disk, the recommendations above do not apply to them. However, check with the vendor whether there are special procedures for configuring the filter, both for good filtering practice and from a performance standpoint. Note that for integrated solutions (file scan plus HTTP filtering), it may still be necessary to apply the folder exclusion list above.

Additional recommendations

Customers who contact Microsoft Product Support Services may be asked to disable or remove the antivirus program to help identify an issue. If the root cause turns out not to be the antivirus application, customers are free to re-enable the software after the issue has been correctly diagnosed. Other Microsoft product teams that sometimes need antivirus disabled for troubleshooting take the same position. Here are some references:

XGEN: Microsoft's Position on Antivirus Solutions for Exchange 2000

http://support.microsoft.com/kb/306105

Microsoft's Position on Antivirus Solutions for Microsoft SharePoint Portal Server

http://support.microsoft.com/kb/322941
