VMware Cloud Community
vmkillies
Contributor

Antivirus for ESX 3.5

Do we have any kind of antivirus available for the ESX server? Do we have any kind of security checklist for the ESX servers?


Accepted Solutions
azn2kew
Champion

Installing antivirus software on the service console is like choosing between security and performance for the ESX host. It will impact your performance dramatically since it uses RAM/CPU a lot and potentially causes performance degradation. ESX is a very secure platform and if you can lock down your SC then you're pretty safe. I've seen people try clamav freebies and it works, but it is very resource intensive and I wouldn't recommend deploying any antivirus to the ESX service console at all. To maximize security on ESX/SC, you can apply the tripwire checkconfig tool, the CIS security guide or even the DoD UNIX SRR scripts that scan and remediate in depth with security world.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

Regards,

Stefan Nguyen

iGeek Systems Inc.

VMware, Citrix, Microsoft Consultant

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!! Regards, Stefan Nguyen VMware vExpert 2009 iGeek Systems Inc. VMware vExpert, VCP 3 & 4, VSP, VTSP, CCA, CCEA, CCNA, MCSA, EMCSE, EMCISA

10 Replies
kjb007
Immortal

If you are referring to the ESX host service console, then you can use antivirus, but most viruses don't apply to Linux/UNIX systems, which the service console is.

If you are referring to a host-based virus scanner for the VMs, then there are some things coming from the VMSafe APIs that are open to the antivirus/security vendors.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
vmkillies
Contributor

Thanks! But my concerns are more with the ESX hosts. Do we need to scan the ESX hosts periodically using any product like sophos / clamav / nessus etc.?

Do we need to think about some console logging, from the security point of view?

kjb007
Immortal

I would definitely look into the console logging. Lock down the service console to only those that require direct access to it. Don't allow root logins, and use sudo instead, and integrate the logins into an LDAP or AD infrastructure. Other than that, the antivirus is one thing I really don't worry about on an ESX host. There are very few viruses that will affect a Linux system, and they require specialized privileges to infect, and then run on a *nix system. Plus you want to minimize the agents running on an ESX host, even though it has a service console that is Linux, you want to minimize any additional software that may interfere with the running of the vmkernel.

-KjB

Texiwill
Leadership

Hello,

Moved to Security and Compliance forum

If your security policy requires virus scanning, then you have two options.... get an exception or make sure that the virus scanner does not touch /vmfs at all. That also may require an exception.

The DISA STIG says not to run a virus scanner due to the scanner they have chosen not being able to run from the SC, not because they should not. That is a different issue altogether. If the virus scanner touches /vmfs you will have SEVERE performance problems as well as hundreds of false positives.

There are viruses and worms for Linux, however few they are. But you need to set up such tools very carefully or not at all.

This will be, as azn2kew states, a choice between performance and security, and locking down ESX will provide the security and allow you not to need to run virus scanners within the SC.

Note this is NOT possible with ESXi yet, so you need to fall back on good security policies and implementations. With the way things appear to be going the future could be similar.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
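
The requirement in the post above, that a scanner on the service console must never touch /vmfs, can be enforced when the scan command is built. The sketch below is an added example, not code from the thread or from VMware: it assumes ClamAV's `clamscan` with its `-r`, `-i` and `--exclude-dir` options, assumes `--exclude-dir` takes an extended regular expression matched against the directory path, and uses a constructed mount table; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. CONSTRUCTED sample in /proc/mounts
# layout (device, mount point, type, options, dump, pass).
SAMPLE_MOUNTS='/dev/sda2 / ext3 rw 0 0
/dev/sda1 /boot ext3 rw 0 0
none /proc proc rw 0 0
none /vmfs vmfs rw 0 0
/dev/sdb1 /vmfsbackup ext3 rw 0 0
nas01:/iso /mnt/iso nfs ro 0 0'

# True if the path is /vmfs itself or anything beneath it.
# /vmfsbackup is a different directory and must not match.
under_vmfs() {
    case "$1" in
        /vmfs|/vmfs/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a mount table on stdin and print the mount points to exclude:
# /vmfs always, plus every mount that is not a local ext2/ext3 filesystem.
exclude_dirs() {
    echo /vmfs
    while read -r _dev mnt fstype _rest; do
        under_vmfs "$mnt" && continue      # already covered by /vmfs
        case "$fstype" in
            ext2|ext3) ;;                  # local disk: leave it in the scan
            *) echo "$mnt" ;;              # pseudo or remote: skip it
        esac
    done
}

# Print the clamscan command line for a recursive scan of /.
# Each pattern is anchored as ^DIR(/|$) so only DIR and its subtree match.
build_scan_cmd() {
    printf 'clamscan -r -i'
    exclude_dirs | while read -r dir; do
        printf " --exclude-dir='^%s(/|\$)'" "$dir"
    done
    printf ' /\n'
}

# Refuse an explicit target that points into /vmfs (for ad-hoc scans).
check_target() {
    if under_vmfs "$1"; then
        echo "refusing to scan $1" >&2
        return 1
    fi
}

printf '%s\n' "$SAMPLE_MOUNTS" | build_scan_cmd
```

On a real host the mount table would come from `/proc/mounts` instead of the sample, and the printed command would go into the cron job that runs the on-demand scan.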
Andy_Imm
Contributor

I installed McAfee VirusScan for unix on my box. Version 5.20.0.

The install was very painless; it doesn't do any real-time scanning (it's something you have to run from cron). The problem that I have is trying to get the dat updates. The only "automated" way that I know of getting the updates is through ftp. The ESX hosts don't play very well with ftp. I opened the ftpClient on the internal firewall and still can't get out. I can download the dat files from my workstation then scp them over to the host, but I don't want to get in the habit of doing that.

Andy

vmkillies
Contributor

Thanks for sharing your efforts with us.

Do you see any performance dip of the server as mentioned by Edward and Stefan?

Texiwill
Leadership

Hello,

Performance will be affected if you scan the /vmfs; if that is left out then there should be some impact but nothing major unless you are constantly scanning the system for viruses.


Best regards,

Edward L. Haletky

malaysiavm
Expert

I would say using antivirus for ESX is useless for the time being.

Yes, I agree we need antivirus for ESX in future.


Craig vExpert 2009 & 2010 Netapp NCIE, NCDA 8.0.1 Malaysia VMware Communities - http://www.malaysiavm.com
Texiwill
Leadership

Hello,

It depends on what you consider ESX. If you consider it an appliance, then do you run AntiVirus on your other appliances, namely firewalls? Since most firewalls use some form of OS, sometimes freebsd, sometimes linux, sometimes something else instead, should they not also use antivirus? But they are not storing user files, so I would hope not.

ESX should not store user files outside the confines of a VMDK. If you scan a VMDK you will directly affect the performance of VMs and receive many false positives.

ESX/ESXi are special purpose systems that are part appliance (switches, storage) and compute resources. Since it is not a general purpose device putting antivirus on the management consoles should be avoided. However, if you do store general purpose files and your ESX server acts as a file server as well, which should be avoided, then I would run AntiVirus....

It all depends on the use.


Best regards,

Edward L. Haletky
