applications have numerous configuration options that allow granular control of
what data is scanned, and how the data is scanned on a server.
With any antivirus product, configuration is a balance of scanning versus the performance of the
server. The more you choose to scan, the greater the potential performance
overhead. The role of the system administrator is to determine what the optimal
configuration requirements are for installing an antivirus application within a
particular environment. Refer to your particular antivirus product
documentation for more detailed configuration information.
unpredictable and Cisco cannot assume responsibility for the consequences of
virus attacks on mission-critical applications. Take particular care for
systems that use Microsoft Internet Information Server (IIS).
software scanning engines and definition files regularly, following your
organization's current policies.
Upgrade to the latest supported version of the third-party antivirus application. Newer
versions improve scanning speed over previous versions, resulting in lower
overhead on servers.
of any files accessed from remote drives (such as network mappings or UNC
connections). Where possible, ensure that each of these remote machines has its
own antivirus software installed, thus keeping all scanning local. With a
multitiered antivirus strategy, scanning across the network and adding to the
network load is not required.
scans of systems by AV software during scheduled maintenance windows, and when
the AV scan cannot interrupt other Unified ICM maintenance activities.
Do not set AV software to run in an automatic or background mode for which all
incoming data or modified files are scanned in real time.
Heuristics scanning has higher overhead than traditional antivirus scanning.
Use this advanced scanning option only at key points of data entry
from untrusted networks (such as email and internet gateways).
on-access scanning can be enabled, but only on incoming files (when writing to
disk). This approach is the default setting for most antivirus applications.
Implementing on-access scanning on file reads yields a higher impact on system
resources than necessary in a high-performance application environment.
and real-time scanning of all files gives optimum protection. However, this
configuration has the overhead of scanning files that cannot
support malicious code (for example, ASCII text files). Exclude files or
directories of files, in all scanning modes, that you know present no risk
to the system.
disk scans only during low-usage times and at times when application activity
email scanner if the server does not use email.
set the AV software to block port 25 to block any outgoing email.
Block IRC ports.
If your AV software has spyware detection and removal, then enable this feature.
Clean infected files, or delete them (if these files cannot be cleaned).
in your AV application. Limit the log size to 2 MB.
Set your AV software to scan compressed files.
Set your AV software to not use more than 20% CPU utilization at any time.
When a virus is found, the first action is to clean the file, the second to
delete or quarantine the file.
If it is available in your AV software, enable buffer overflow protection.
Set your AV software to start on system startup.
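
The guidelines above can be checked mechanically against a settings export. The following is an added example, not Cisco or vendor code: the key names, the sample values and the 01:00-04:00 maintenance window are all assumptions made for illustration, and a real product's export has to be mapped onto them.

```python
from datetime import time

# Constructed sample of a hypothetical, product-neutral settings export.
# Every key name is an assumption, not a vendor schema.
SAMPLE = {
    "on_access_scan": "read_write",   # also scans on file reads
    "heuristics": True, "is_gateway": False,
    "scan_remote_drives": True,
    "scan_compressed": False,
    "email_scanner": True, "server_uses_email": False,
    "blocked_ports": [],
    "cpu_limit_percent": 50,
    "log_enabled": True, "log_max_mb": 10,
    "actions": ["quarantine", "clean"],
    "start_on_boot": True,
    "full_scan_start": time(14, 0),
}

def in_window(t, start, end):
    """True if t is in [start, end); supports windows that cross midnight."""
    return start <= t < end if start <= end else (t >= start or t < end)

def audit(cfg, window=(time(1, 0), time(4, 0))):  # assumed maintenance window
    """Return the guideline deviations found in cfg, as readable strings."""
    checks = [
        (cfg["on_access_scan"] == "write_only",
         "on-access scanning should cover incoming files (writes) only"),
        (cfg["is_gateway"] or not cfg["heuristics"],
         "heuristics scanning belongs at gateways facing untrusted networks"),
        (not cfg["scan_remote_drives"], "remote drives and UNC paths are being scanned"),
        (cfg["scan_compressed"], "compressed files are not scanned"),
        (cfg["server_uses_email"] or not cfg["email_scanner"],
         "email scanner is enabled on a server that does not use email"),
        (25 in cfg["blocked_ports"], "port 25 is not blocked"),
        (cfg["cpu_limit_percent"] <= 20, "CPU limit is above 20%"),
        (cfg["log_enabled"] and cfg["log_max_mb"] <= 2,
         "logging must be enabled with the log capped at 2 MB"),
        (tuple(cfg["actions"][:2]) in {("clean", "delete"), ("clean", "quarantine")},
         "first action must be clean, second delete or quarantine"),
        (cfg["start_on_boot"], "AV software does not start on system startup"),
        (in_window(cfg["full_scan_start"], *window),
         "full scan starts outside the maintenance window"),
    ]
    return [msg for ok, msg in checks if not ok]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FAIL:", finding)
```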