Do Not Install a Host AV Program on the ISA Firewall!
Someone posted on the ISAserver.org Web boards today about some troubles he was having with his ISA Firewall's stability. One of the issues was that the ISA Firewall had an Antivirus program installed on it. This AV program was not designed to protect from downloading viruses to ISA Firewall protected computers. Instead, this was a typical host based AV program designed for AV protection for "servers".
I strongly recommend against installing this kind of host based AV scanning program on the ISA Firewall. There are three primary reasons for this:
- There are no host-based AV programs designed to work with the ISA Firewall. They are designed to work with "servers", but the ISA Firewall is not actually a server. It does not participate in any client/server transactions and therefore is not liable to compromise in the same way that servers may be compromised
- Since there are no host-based AV programs designed to be installed on the ISA Firewall, the AV program actually increases the attack surface on the ISA Firewall. We've seen plenty of examples of how AV programs can actually be used to launch an attack against the system. One thing you don't want to do is help attackers by increasing the attack surface.
- If you operate your ISA Firewall correctly, there are no vectors of attack. What is a proper configuration? First, never allow connections to the ISA Firewall itself. Check the System Policy to make sure of this, and never create rules that allow connections to the Local Host Network (except for RDP for management). Second, never make the ISA Firewall a workstation; do not run the browser, email clients, or Bitorrent on your ISA Firewall. Third, never install server applications on the ISA Firewall, such as IIS WWW service or the FTP service (the DNS and SMTP services are exceptions). Last, if you need to install files on the ISA Firewall, make sure you scan them at a management station and then use an out of band method to install them on the ISA Firewall.
Conclusion: The only reasons to run host-based AV on the ISA Firewall is if you want to reduce the stability and security of the ISA Firewall. And who wants that?