How do I avoid hackers from breaking into my Windows 2003 server?
Please advise best practices and also recommend firewalls, etc.
What about the built-in firewall in Windows 2003 server, is it good?
Please also point to threads on this topic.
Why would you need an anti virus on your server?
1) to protect against momentary stupidity
2) to protect against new viruses which target using means other than email such as Welchia and Blaster. These viruses simply find vulnerable machines ... no one needs to even be logged in or on the desktop or anything. REMEMBER TODAY MANY VIRUSES HAVE NOTHING TO DO WITH EMAIL OR BROWSING. Code Red and Nimda did not require any user initiation of the virus.
Anyone on a Windows machine who does not have an up-to-date anti-virus product on every single machine is having the equivalent of anonymous unprotected sex at the local neighborhood gas station. In other words, he or she deserves whatever happens to them. The "it has never happened to me" mindset will lead to disaster.
doesn't mean software firewalls should be discounted as a 'marketing ploy'
Software firewalls are worse than useless as they give people a false sense of security. They increase the instability of machines, harass users with too much data (often leading to them being disabled entirely) and don't do a particularly good job in the first place.
Code Red and Nimda did not require any user initiation of the virus.
This is a half-truth; you're leading people in the wrong direction.
If you had anti-virus installed, you'd still get hit with Code Red or Nimda. These (and Welchia, and Blaster) result from not having patched machines. Anti-Virus is the wrong solution here.
Running anti-virus to protect a machine is like running a car with an engine on fire, and having a fire extinguisher always spraying your engine. The engine shouldn't be on fire in the first place!
This is a half-truth; you're leading people in the wrong direction.
It is not a half-truth and I am not leading people in the wrong direction. These viruses are worms and did not require intervention by users. Anti-virus software is one layer in a multi-layered security system which includes patching, firewalls, honeypots, intelligent management and so forth. Anti-virus software WILL protect a system which is not up-to-patch from Welchia and similar viruses. Not well but it does provide some level of protection.
I will reiterate. Not running anti-virus software on ALL Windows machines is asking for trouble. It does not matter how many fancy analogies you use, it is still asking for trouble. It doesn't matter how "cool" you think it is to say you don't have it and have never been infected, it's still not intelligent to be without.
Anti-virus software WILL protect a system which is not up-to-patch
Your server should never be in this state. Period. And your statement is still incorrect. Aberdeen Research just did a piece on this:
[aberdeen.com...]
The Internet worms of 2003 - W32/Blaster, MS/SQL, and Sobig (Welchia) - took advantage of common network channels and system vulnerabilities to deposit executable payloads on unprotected PCs and PC servers. These worms were able to gain access to resources on the local corporate network to subsequently infect other PCs and PC servers throughout the network. None of these worms were initially stopped with antivirus software.
I agree with you that a well balanced plan includes multiple levels of security, including network security (I'm 100% with you on this).
But I can't agree with you about anti-virus on a production-class machine. Let's agree to disagree. This topic's been beaten to death.