Here's an argument that I've had at over a dozen companies:
Should you install an antivirus client on your Windows servers?
Obviously, you should not install AV on your SQL Server. I think there is also a general consensus that it doesn't belong on your web server.
But what about all of the other servers in an enterprise?
- Exchange
- Active Directory
- File server
- OCS
- Utility servers
- etc
Do you think it's appropriate to run AV on those machines?
Yes, although for the most part they are configured to scan for viruses overnight with real-time file protection disabled, the exceptions are:
This sums up my opinion.
Definitely yes on file servers; you can then scan the files people store on the server without having to rely on desktop AV (which can fail)
Exchange, I'd advise installing a proper Exchange product (Sybari Antigen was the original; that's now MS Forefront for Exchange but there's lots of competition now) that will scan the content of the emails; there's little point scanning the file system on an Exchange server.
AD, I wouldn't bother
OCS, get the Forefront plug-in if you're connecting to the outside world.
Basically, I don't think there's a one-size-fits-all answer to that question; you need to work out where the risks are. Generally, apart from a file server, I wouldn't suggest generic file AV on servers; you want something more specific to the role of the server.
We run AV on everything that has Windows. With basic configuration (excluding databases, scan on write only, etc.) the overhead is so minimal that the cost is virtually zero. The one exception in my organization is Hyper-V servers, which are very carefully isolated from the rest of the network.
Some would argue that the potential benefit is also almost zero; but seeing as the cost is similar they still balance. Security should be applied in layers, not held up by a single point like Atlas.
Generally I'd say you do want some sort of AV on many servers, yes, but, and this is a big one, you need to be careful with the exceptions.
First of all, Anti-Virus products can have a very significant impact on performance, especially with certain workloads. Make sure you are selecting the correct AV product for the machine, and make sure it's configured correctly.
Special note, be really careful with Exchange, and never install client-type AV software on it. We had a guy who brought our Exchange server to its knees at my previous job after he installed an AV client (intended for desktops) on it that was trying to scan every e-mail going in or out and operated very slowly.
A couple arguments in favor of running AV on Windows servers:
Many times it's not up to you. If you're bound by certain policies, it may be required. I'm not current on PCI standards, but back when they first came out, it required us to put AV software on all our servers.
For SharePoint, I'd add Forefront Security for SharePoint. You certainly want AV for documents uploaded to SharePoint.
I think the real argument for having AV on Windows servers is worms or other viruses that can spread without the need for an incompetent (or unlucky) admin. It has been a long time since I have seen a good worm that exploited an MS bug and could freely move from computer to computer. This requires no user or admin intervention to spread. Servers are especially dangerous as they are usually on 24x7 and many of them don't get logged onto on a regular basis (i.e. you may not see the problem(s) right away).
You then have to compare that against the risk of having your data stolen, servers potentially damaged, reputation hurt, time spent fixing, paranoia that you didn't clean it all up, etc...
My policy is that ALL Windows boxes get AV installed on them (Linux is a different story), tweaked to offer protection with minimal performance impact. Also, boxes that run functions such as email will need AV that is specifically tailored to that environment. Nothing is worse than AV trying to dig into mail databases and grab viruses...
My two cents. Better be safe than sorry.
I have ClamWin and do a weekly scan on my file server, which doesn't see much activity. I had Symantec AV previously and the scan on file access was killing performance.