Do Not Install a Host AV Program on the ISA Firewall!
Someone posted on the ISAserver.org Web boards today about some troubles he was having with his ISA Firewall’s stability. One of the issues was that the ISA Firewall had an antivirus program installed on it. This AV program was not designed to stop viruses from being downloaded to computers protected by the ISA Firewall. Instead, it was a typical host-based AV program designed to provide AV protection for “servers”.
I strongly recommend against installing this kind of host-based AV scanning program on the ISA Firewall. There are three primary reasons for this:
- There are no host-based AV programs designed to work with the ISA Firewall. They are designed to work with “servers”, but the ISA Firewall is not actually a server. It does not participate in any client/server transactions and therefore is not liable to compromise in the same way that servers may be compromised.
- Since there are no host-based AV programs designed to be installed on the ISA Firewall, the AV program actually increases the attack surface on the ISA Firewall. We’ve seen plenty of examples of how AV programs can actually be used to launch an attack against the system. One thing you don’t want to do is help attackers by increasing the attack surface.
- If you operate your ISA Firewall correctly, there are no vectors of attack. What is a proper configuration? First, never allow connections to the ISA Firewall itself. Check the System Policy to make sure of this, and never create rules that allow connections to the Local Host Network (except for RDP for management). Second, never make the ISA Firewall a workstation; do not run the browser, email clients, or BitTorrent on your ISA Firewall. Third, never install server applications on the ISA Firewall, such as the IIS WWW service or the FTP service (the DNS and SMTP services are exceptions). Last, if you need to install files on the ISA Firewall, make sure you scan them at a management station and then use an out-of-band method to install them on the ISA Firewall.
Conclusion: The only reason to run host-based AV on the ISA Firewall is if you want to reduce the stability and security of the ISA Firewall. And who wants that?
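The first and third checks in the list above can be run as an audit over a rule and service inventory. This is an added example, not code from the original post or from ISA Server: the rule dictionaries, the `Mgmt Station` source name and the idea of a named set of management sources are assumptions, and the sample data is constructed.

```python
RDP = ("TCP", 3389)
# Windows service names for the server roles the post rules out.
# DNS and SMTPSVC are the post's stated exceptions, so they are not listed.
FORBIDDEN_SERVICES = {"W3SVC": "IIS WWW service", "MSFTPSVC": "FTP service"}

def audit_rules(rules, mgmt_sources):
    """Flag allow rules that reach Local Host with anything but management RDP."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or "Local Host" not in rule["to"]:
            continue
        bad_protocols = [p for p in rule["protocols"] if p != RDP]
        bad_sources = [s for s in rule["from"] if s not in mgmt_sources]
        if bad_protocols:
            findings.append((rule["name"], "protocol", bad_protocols))
        if bad_sources:
            findings.append((rule["name"], "source", bad_sources))
    return findings

def audit_services(running):
    """Return the forbidden server services found in a list of service names."""
    return sorted(s.upper() for s in running if s.upper() in FORBIDDEN_SERVICES)

# Constructed sample inventory (hypothetical format, not an ISA export).
# Protocols are (protocol, port-or-ICMP-type) tuples.
SAMPLE_RULES = [
    {"name": "RDP from mgmt", "action": "allow", "from": ["Mgmt Station"],
     "to": ["Local Host"], "protocols": [RDP]},
    {"name": "Ping from Internal", "action": "allow", "from": ["Internal"],
     "to": ["Local Host"], "protocols": [("ICMP", 8)]},
    {"name": "Web access", "action": "allow", "from": ["Internal"],
     "to": ["External"], "protocols": [("TCP", 80), ("TCP", 443)]},
    {"name": "Block all to firewall", "action": "deny", "from": ["External"],
     "to": ["Local Host"], "protocols": [("TCP", 445)]},
]
SAMPLE_SERVICES = ["DNS", "SMTPSVC", "W3SVC", "TermService"]

if __name__ == "__main__":
    for name, kind, detail in audit_rules(SAMPLE_RULES, {"Mgmt Station"}):
        print(f"RULE  {name}: unexpected {kind} {detail}")
    for svc in audit_services(SAMPLE_SERVICES):
        print(f"SVC   {svc}: {FORBIDDEN_SERVICES[svc]} should not run here")
```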
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: tshinder@isaserver.org
MVP — Microsoft Firewalls (ISA)

Jeremy Says:
October 27th, 2008 at 6:56 pm
Thanks for the information and suggestions. I’ll definitely keep this in mind.
Top Troubleshooting Tips to Try Before Calling Support for ISA/TMG - keithab - Site Home - TechNet Blogs Says:
February 15th, 2012 at 2:47 pm
[…] 1.) Antivirus. Disable (and preferably remove) any Antivirus from your ISA/TMG server machines. I can’t begin to count how many times that one of our products was blamed for something and it actually turned out to be the 3rd party antivirus software on the machine. Whether it was memory leaks that lead to performance issues or some other bizarre behavior being exhibited. It’s my personal opinion that if you take the proper steps to insure that no one is using ISA/TMG as their personal workstation, then you do not need antivirus on the server. My colleague Tom Shinder is of the same opinion and has an excellent blog about this very subject here. […]
Hank Bustad Says:
March 5th, 2012 at 3:34 am
Thanks Man, you are great. I was searching for this from last week.
Franchesca Egle Says:
May 14th, 2012 at 9:46 pm
Outstanding guide. Numerous thanks! GZIP truly is crucial.