
Antivirus Scanning Approaches for Linux Servers: Comparing & Contrasting Available Options

The CloudAccess.net Server Admin Team is always looking for new and innovative ways to improve every aspect of our servers. We perform continual monitoring and routine maintenance to ensure our Linux servers are optimized for the best performance possible. Part of this routine maintenance includes antivirus scanning. This blog describes three different types of antivirus scanning approaches: on-access scanning, on-demand scanning and gateway scanning. We've also included a list of pros and cons to consider and our team's conclusion about the best antivirus scanning option.

On-access Antivirus Scanning

An on-access antivirus scanner scans a file when it's read from or written to disk. This requires a kernel driver to intercept I/O at the file system layer. The kernel driver then passes the requested file(s) to an antivirus daemon for the scan. When an infection is detected, I/O to that file is refused. This is an automated process that can take additional actions like deleting, healing or alerting the server administrator about the issue.

On-demand Antivirus Scanning

An on-demand antivirus scanner is a program you can run to scan specific files or entire folders. The scan is usually initiated by a server admin, but a cron scheduler can be used to automate the process. When used on its own, an on-demand scan yields immediate information about the files or folders that were scanned. If a cron job is implemented instead, reports can be received via email.
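As an added example (not CloudAccess.net's own script), here is a small wrapper that turns the cron-driven on-demand scan just described into an e-mailed report. It is written around ClamAV's clamscan, relying on its documented exit codes (0 clean, 1 infections found, 2 error) and the `FOUND` lines and `SCAN SUMMARY` block it prints; the scan root, log directory, recipient address and the use of a local `mail` command are assumptions you would adjust for your server.

```shell
#!/bin/sh
# Added example: cron-driven on-demand scan with an e-mailed digest.
# Assumes ClamAV's clamscan and a working local "mail" command
# (both assumptions; not CloudAccess.net's tooling).

SCAN_ROOT="${SCAN_ROOT:-/home}"                 # assumed path to user data
REPORT_TO="${REPORT_TO:-admin@example.com}"     # constructed address
LOG_DIR="${LOG_DIR:-/var/log/avscan}"           # assumed log location

# Reduce a clamscan log (stdin) to what an admin needs: the files flagged
# as infected and the summary block at the end. Lines ending in "OK",
# printed when clamscan runs without -i, are ignored.
digest_report() {
    awk '
        / FOUND$/               { found[++n] = $0 }
        /^-+ SCAN SUMMARY -+$/  { insum = 1 }
        insum                   { summary = summary $0 "\n" }
        END {
            printf "Infected files (%d):\n", n
            for (i = 1; i <= n; i++) print "  " found[i]
            printf "\n%s", summary
        }'
}

# Count the FOUND lines in a clamscan log read from stdin.
# grep -c exits 1 when the count is zero, so "|| true" keeps the
# function's own status clean while "0" is still printed.
count_infected() {
    grep -c ' FOUND$' || true
}

# Map clamscan's exit status to a word for the mail subject.
status_word() {
    case "$1" in
        0) echo CLEAN ;;
        1) echo INFECTED ;;
        *) echo ERROR ;;
    esac
}

# Entry point for cron: run the scan, keep the full log, mail the digest.
# -r recurses into directories, -i prints only infected files.
run_scheduled_scan() {
    mkdir -p "$LOG_DIR"
    log="$LOG_DIR/scan-$(date +%Y%m%d-%H%M).log"
    rc=0
    clamscan -r -i "$SCAN_ROOT" > "$log" 2>&1 || rc=$?
    subject="[avscan] $(hostname) $(status_word "$rc")"
    digest_report < "$log" | mail -s "$subject" "$REPORT_TO"
    return "$rc"
}

# Only run the scan when invoked as the installed script, e.g. from cron:
#   0 3 * * * /usr/local/sbin/avscan.sh
case "$0" in
    *avscan.sh) run_scheduled_scan ;;
esac
```

The script keeps the complete clamscan log on disk and mails only the digest, so a nightly run on a clean server produces a short "CLEAN" message while an infected run lists the flagged paths up front. Because the scan's exit status is passed back out of `run_scheduled_scan`, cron itself will also notice a failing scanner rather than silently mailing an empty report.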

Gateway Antivirus Scanning

A gateway antivirus scanning solution is a standalone appliance that scans traffic coming through a network. It typically works on a protocol basis (i.e. FTP, HTTP, SMTP, POP3, etc.). Some solutions support HTTPS and other encrypted protocols. An antivirus gateway is a proxy for those services - it catches malicious data when it's uploaded to or downloaded from a network. Gateways can block access to infected content and send automated messages to admins via email.

Pros & Cons

There are pros and cons to each antivirus scanning option. Most antivirus vendors bundle some of these options together. For instance, the on-access scanner is usually coupled with the on-demand scanner, but the user may have to purchase two licenses to use them both. Gateway scanning may not be the best choice depending on the application it's protecting: some web or mail applications may not work as expected because of the proxy settings needed for gateway scanning. Also be wary of on-access scanners, because a false positive detection can block access to an important file, which could crash the application. When you choose a hosting company, ask about the types of antivirus scanning methods they use and about the additional steps they take to ensure their servers are safe.

Our Team's Conclusion

For a while we were using one vendor that was supplying us with an on-access and on-demand scanner, but we had to purchase separate licenses for them and we weren't exactly happy with the results. Over time we discovered that the on-access scanner from this particular vendor was locking up easily, resulting in the server hanging.

On-access scanners are generally discouraged for Linux servers. In our case, use of an on-access scanner became complicated because we use advanced backup systems with a block layer plugin to intercept changes to the disk, so it didn't always work with the scanner.

Most of the major vendors like Sophos, ESET, Norton, Kaspersky, and F-Secure provide on-demand scanners for Linux servers. These on-demand scanners must be initiated manually or by a process like a cron job, or through an FTP server, HTTP server, or SMTP server. For instance, antivirus scanning on Apache servers can be triggered with mod_ext_filter for files requested by browsers and by mod_security for files uploaded with POST requests.

If you want to disable access to infected content hosted on a server, an Apache module and an on-demand antivirus scanner is the way to go. This type of scanner definitely won't prevent PHP scripts from downloading and saving malicious content - it can only block HTTP access to the files. On-demand scanners can be used to perform periodic scans of all user files. When picking the right type of antivirus scanner for your server, it really comes down to what type of application you're wanting to protect and how automatic or manual you'd like the process to be.
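To show how the Apache module plus on-demand scanner combination from the two paragraphs above fits together, here is an added example (not code from CloudAccess.net or the Apache project) of the external command that mod_ext_filter would run as an output filter: Apache hands it the response body on stdin and sends whatever it writes to stdout back to the browser. The scanner command, the script path and the directory in the configuration comment are assumptions, and the scanner is assumed to behave like ClamAV's clamdscan (exit 0 clean, 1 infected, anything else an error). It goes one step beyond the text by adding a fail-closed switch, so a scanner outage blocks delivery instead of quietly passing unscanned files.

```shell
#!/bin/sh
# Added example: mod_ext_filter output filter that scans each response body
# before Apache delivers it. Assumed wiring in httpd.conf:
#   ExtFilterDefine avscan mode=output cmd="/usr/local/bin/av-filter.sh"
#   <Directory /var/www/html/downloads>
#       SetOutputFilter avscan
#   </Directory>
# Not CloudAccess.net's code; paths and scanner command are assumptions.

# Scanner invoked as: $SCANNER <file>. Default assumes clamdscan; --fdpass
# lets the daemon read a file the web server user created.
SCANNER="${AV_SCANNER:-clamdscan --no-summary --fdpass}"
FAIL_CLOSED="${AV_FAIL_CLOSED:-1}"   # 1: block on scanner error, 0: pass through

# Scan one file and print a verdict word: clean, infected or error.
verdict_for() {
    rc=0
    $SCANNER "$1" > /dev/null 2>&1 || rc=$?
    case "$rc" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Return 0 if a body with this verdict may be delivered, 1 to block it.
# Infected content is always blocked; scanner errors follow FAIL_CLOSED.
allow_delivery() {
    case "$1" in
        clean)    return 0 ;;
        infected) return 1 ;;
        *)        [ "$FAIL_CLOSED" = "0" ] ;;
    esac
}

# Filter entry point: response body on stdin, body or block notice on stdout.
# The body is spooled to a temporary file because the scanner needs a path.
filter_body() {
    tmp=$(mktemp) || exit 2
    trap 'rm -f "$tmp"' EXIT
    cat > "$tmp"
    v=$(verdict_for "$tmp")
    if allow_delivery "$v"; then
        cat "$tmp"
    else
        printf 'Content blocked: this file did not pass antivirus scanning (%s).\n' "$v"
        logger -t av-filter "blocked response: verdict=$v" 2>/dev/null || true
    fi
}

# Only act as the filter when Apache runs the installed script.
case "$0" in
    *av-filter.sh) filter_body ;;
esac
```

Applying the filter only to the download directory keeps the cost off dynamic pages, and the `logger` call gives the admin a syslog trail of what was blocked. As the text notes, this protects only what Apache serves over HTTP; a file written to disk by a PHP script is still caught only by the periodic on-demand scan.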

We wish you the best of luck in your search for the best server solution. We are experts in the cloud hosting industry and if you're in search of advanced hosting environments, we'll gladly help you build the server that suits your needs. Contact our sales team today to learn about application hosting, development and dedicated servers.
