Cloud Client and Domain Controllers

Question

Lot of questions today. :)

Interaction of Sophos AV and Domain Controllers. How safe is it to run the cloud endpoint on an Active Directory DC that also hosts file shares?

Didn't have a choice to keep the DC seperate from the fileserver as it's a branch office and licensing predates Microsoft's dual VM license scheme they now offer. Microsoft best practices suggests that running AV on a DC is certainly doable but with certain caveats around how scanning can cause excess replication traffic if certain API's are not used because the AV scanner makes windows think the files were recently updated and triggers constant replication attempts.

This thread was automatically locked due to age.

jak · Accepted Answer

HI,

Should be totally fine. MS do provide guidance on exclusions for various server roles:

http://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list.aspx

I'm not convinced all of them are required but a few could be considered at least.

One thing to bare in mind is that Sophos Cloud is currently using a user based policy model so in order to maintain exclusions set in policy, you would either hav to:

1. Assign a policy to the user account you always use to manage the server.

2. Assign the exclusions to the base policy bearing in mind all computers will get the exclusions. Not really an issue if the paths don't exist but you may end up excluding more than you expected so I'd perhaps favour 1 if that's not too much of a burden when managing the server.

I gather device based exclusions are coming in the not too distant future to make it easier to enforce device based policies.

Regards,

Jak