Servers that are not used interactively are at less risk of being infected with malware, but that doesn’t mean that they should be left unprotected.
While servers are less likely to be infected with malware than end user systems, the ability to detect malicious files on File and Print Servers, or infected attachments on Exchange Servers, can limit the damage or even stop an outbreak before a malicious file reaches users’ PCs.
Most malware requires some kind of interaction for a successful attack, often relying on social engineering to trick users into taking actions that could infect their PC. But depending on the vulnerability being exploited, servers can also become infected without any human interaction, so it’s worth making sure that servers are also protected by AV.
Antivirus is sometimes left off servers because of performance issues caused by real-time scanning, or the risk that AV software may quarantine files critical for line-of-business operations. To improve performance, servers should have sufficient memory so that they are able to serve commonly used files from memory, rather than having to access hard disks. AV disk scans can be scheduled out-of-hours to make sure there is no impact on performance.
OS and application updates can be complicated by the presence of antivirus. Anybody who has worked in desktop support will likely be familiar with antivirus occasionally blocking genuine application or system files after an update, or preventing an upgrade from installing. As with any server application, changes to critical systems or applications must be tested in a lab environment to ensure there are no conflicts with antivirus.
Nevertheless, AV definition updates can still cause problems on production servers, and they usually can’t be tested before being applied. You can reduce the risk of potential problems by excluding some carefully chosen folders from AV scans. Microsoft provides some information about exclusions that should be made for different versions of Windows Server. You might also consider excluding some application directories, with advice from vendors.
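Choosing exclusions carefully also means checking that none of them is broader than intended. The following PowerShell sketch is an added example, not code from the original article or from Microsoft's guidance; the function name `Test-AvExclusion`, the rules and the sample paths are all constructed for illustration, and reading the live list assumes Microsoft Defender is the AV product in use.

```powershell
# Added example: flag AV scan exclusions that are broader than they need to be.
# The rules and sample paths below are constructed for illustration.

function Test-AvExclusion {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $p = $Path.TrimEnd('\')

    # A whole drive (C: or C:\) removes scanning from everything on the volume.
    if ($p -match '^[A-Za-z]:$') { $findings += 'entire drive excluded' }

    # Wildcards can match far more than the folder that was intended.
    if ($p -match '[\*\?]') { $findings += 'contains wildcard' }

    # Locations any user or service can write to are where dropped files land.
    if ($p -match '(?i)\\(Temp|Tmp|Downloads|Users\\Public)(\\|$)') {
        $findings += 'user-writable location'
    }

    # Excluding the OS or program roots hides far more than one application.
    if ($p -match '(?i)^[A-Z]:\\(Windows|Program Files( \(x86\))?)$') {
        $findings += 'system or program root excluded'
    }

    [pscustomobject]@{
        Path     = $Path
        Risky    = ($findings.Count -gt 0)
        Findings = ($findings -join '; ')
    }
}

# Constructed sample exclusion list. On a server running Microsoft Defender
# (an assumption; the article names no product) the real list is
# (Get-MpPreference).ExclusionPath.
$exclusions = @(
    'D:\SQLData',
    'C:\',
    'C:\Windows\Temp',
    'E:\App\*\logs',
    'C:\Program Files'
)

$exclusions | ForEach-Object { Test-AvExclusion -Path $_ } | Format-Table -AutoSize
```

In the sample list only `D:\SQLData` comes back without findings; the other four entries are each flagged for one of the reasons in the comments.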
If you are using a traditional AV solution, it should be installed in the virtualization host partition and in each virtual machine (VM). However, you might consider a specialist product, such as McAfee Management for Optimized Virtual Environments (MOVE) AntiVirus, that can be installed on the host server and provide real-time scanning without individual agents installed on each VM. MOVE also provides considerably reduced disk I/O over traditional AV, which can be crucial for virtualized workloads.