Do Transient, Volatile Servers Require Antivirus Scanners?

You are asking yourselves the right questions but asking us the wrong one.

Security controls, like AV, are meant to address threats in order to reduce the impact to an acceptable level. You have identified the threats and the likely impact of those threats. Great! Now you need to see if signature-based AV addresses those threats and reduces impact to an acceptable level (or if the impact levels are already acceptable).

Can you address the propagation issue by changing the firewall/networking to block connections initiating from the front-facing servers? If so, then AV might not be necessary.

Could you gain the threat intel ("allowing staff to know about the presence of malware") by logging the non-transient servers? What does the data from the transient servers give you that your permanent servers do not? What's the likelihood that the transient servers will get infected uniquely? If you can get the data from other sources, then you might not need AV.

How do you update the AV database? Will you have to launch the server, update the database, then run a scheduled scan? Is this delay acceptable for the level of service you require? If the delay does not make sense for you, then you might want to use other mitigations.

But the underlying question is about the type of AV that you are assuming. You are assuming locally installed, signature-based AV, but there are other, more dynamic types that do not require database updates and only scan new or incoming data. Network-based, in-line AV is possible, as well as IDS.

So the question you need to ask is if this one implementation meets your needs or if the risks can be met by other means.
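As an added illustration of the "change the firewall/networking" alternative raised above (not part of either answer), here is an nftables egress policy for a front-facing transient server: the host may answer client sessions but may not initiate connections except to a short allow-list, and every denied attempt is logged, which also gives the operations staff the "something is trying to spread" signal they wanted from AV. The addresses and ports (10.0.1.53 resolver, 10.0.2.0/24 backend subnet, 10.0.3.10 log collector) are assumed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original answers. Assumed topology:
#   10.0.1.53     - DNS resolver
#   10.0.2.0/24   - backend subnet (database, cache)
#   10.0.3.10     - central log collector (syslog/UDP)
# Everything the server tries to start on its own is dropped and logged,
# so a compromised front-end cannot move laterally or phone home.

flush ruleset

table inet egress {
    chain output {
        # Default deny for locally originated traffic.
        type filter hook output priority 0; policy drop;

        # Replies inside client sessions the server already accepted
        # (the web service itself) are not new connections.
        ct state established,related accept
        ct state invalid drop

        # Loopback is local to the host.
        oif "lo" accept

        # Allow-list of outbound destinations the service genuinely needs.
        ip daddr 10.0.1.53 udp dport 53 accept
        ip daddr 10.0.1.53 tcp dport 53 accept
        ip daddr 10.0.2.0/24 tcp dport { 5432, 6379 } accept
        ip daddr 10.0.3.10 udp dport 514 accept

        # Anything else this host initiates: count and log (rate-limited
        # so a worm cannot flood the log), then fall through to the drop policy.
        ct state new counter limit rate 10/minute log prefix "egress-denied: " level warn
    }
}
```

The `egress-denied:` kernel log lines can be shipped to the collector like any other syslog, so the detection value is available from the permanent logging pipeline rather than from a per-instance scanner.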


I would not run antivirus on my servers, for a couple reasons:

  1. They are massive pieces of software

    The whole idea of a server is to execute one task, and only one, in the fastest way possible. There are some accessory tasks that you need to run, but the idea is the same. AV engines slow down your service.

  2. They usually run with root permissions

    Your webserver probably does not run as root. Neither does your email server, or database, or whatever else. But the antivirus runs as root.

  3. The attack surface of an AV is huge

    They have countless decoders, interpreters, decompressors, parsers, emulators... The list of moving parts is endless. One buggy decoder and you have code execution as root. Allow the AV to scan incoming packets, and you have remote code execution as root.

There are exceptions: file servers. I would install AV on a file server, because users will upload bad things. The ingress point is a good place to put an AV too, though it would be a better place to put an IDS/IPS.

Other than that, server hardening and compartmentalization will be much better for security than installing a resource-hungry, hole-filled antivirus engine.