Server security software: A shopper's guide

Computerworld - Thinking about malware lately? If you are, consider the fact that your servers may be part of the problem. Search giant Google Inc.'s anti-malware team in June discovered that servers running Microsoft's Internet Information Services (IIS) represented 49% of all machines hosting or distributing malware or other types of "bad code."

Whether you run IIS, Apache or another Web server system, its important to know that even if you have deployed anti-malware protection on the desktop, your job is not complete.

On the contrary. Googles data and other evidence points to the importance of having an anti-malware system on your servers -- particularly as Web-based software becomes more popular and more data is stored "in the cloud."

If youre shopping for an anti-malware product for your servers, consider the following advice:

Choose a product specifically designed for the services running on your machine. If you take a few moments to run a search on the words antivirus and Exchange Server, youll be rewarded with many horror stories of unaware mail administrators installing a generic antivirus product on their Exchange Servers and then discovering that such products simply break Exchange with their real-time analysis and heuristic discovery techniques. Similarly, if you're running a set of database servers that often have heavy disk access, you need products that are specially constructed to work within the constraints and activities that normally happen on your servers. General anti-malware products should be deployed only on the simplest of file and print servers. Decisions about running such tools on your other server applications should be made on a case-by-case basis. Ask your key software vendors what anti-malware tools other customers of theirs are running; that gets you a start in your research.

Examine the type of protection the product offers. Is the product you are selecting based on real-time scans of disk activity? Does it reside in the background, eating up resources, or does it awaken itself at preset times (which you determine) to perform scans? What is the method of detection, or is there more than one? Are there virus-detection signatures that require an update and, if so, how often? (Signatures are bits of sample code that are used by the antivirus software to match against potentially malicious code, like a DNA virus check.) Is there a heuristics-based analysis of items on the server to determine if the items are suspicious? How does the product quarantine items it suspects to be malware, particularly if those items are in use by other users? Is there scanning of inbound and outbound traffic to the server, or just one or the other? If so, what sort of overhead does that require? Can the product be tuned with performance considerations in mind?