Do we have any kind of antivirus available for the ESX server? Do we have any kind of security checklist for the ESX servers?
Installing antivirus software on the service console is like choosing between security and performance for the ESX host. It will impact your performance dramatically since it uses a lot of RAM/CPU and potentially causes performance degradation. ESX is a very secure platform and if you can lock down your SC then you're pretty safe. I've seen people try the ClamAV freebies and it works, but it is very resource intensive and I wouldn't recommend deploying any antivirus to the ESX service console at all. To maximize security on ESX/SC, you can apply the Tripwire checkconfig tool, the CIS security guide or even the DoD UNIX SRR scripts that scan and remediate in depth with security world.
If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!
Regards,
Stefan Nguyen
iGeek Systems Inc.
VMware, Citrix, Microsoft Consultant
If you are referring to the ESX host service console, then you can use antivirus, but most viruses don't apply to Linux/UNIX systems, which the service console is.
If you are referring to a host-based virus scanner for the VMs, then there are some things coming from the VMsafe APIs that are open to the antivirus/security vendors.
-KjB
Thanks! But my concerns are more with the ESX hosts. Do we need to scan the ESX hosts periodically using any product like Sophos / ClamAV / Nessus etc.?
Do we need to think about some console logging, from the security point of view?
I would definitely look into the console logging. Lock down the service console to only those that require direct access to it. Don't allow root logins, and use sudo instead, and integrate the logins into an LDAP or AD infrastructure. Other than that, the antivirus is one thing I really don't worry about on an ESX host. There are very few viruses that will affect a Linux system, and they require specialized privileges to infect, and then run on a *nix system. Plus you want to minimize the agents running on an ESX host, even though it has a service console that is Linux, you want to minimize any additional software that may interfere with the running of the vmkernel.
-KjB
Hello,
Moved to Security and Compliance forum.
If your security policy requires virus scanning, then you have two options.... get an exception or make sure that the virus scanner does not touch /vmfs at all. That also may require an exception.
The DISA STIG says not to run a virus scanner due to the scanner they have chosen not being able to run from the SC, not because they should not. That is a different issue altogether. If the virus scanner touches /vmfs you will have SEVERE performance problems as well as hundreds of false positives.
There are viruses and worms for Linux, however few they are. But you need to set up such tools very carefully or not at all.
This will be, as azn2kew states, a choice between performance and security, and locking down ESX will provide the security and allow you not to need to run virus scanners within the SC.
Note this is NOT possible with ESXi yet, so you need to fall back on good security policies and implementations. With the way things appear to be going the future could be similar.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354
As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
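An added example, not part of the original post and not VMware tooling: one way to make sure an on-demand scan of the service console never reaches /vmfs is to build the scan target list explicitly and drop anything that resolves into /vmfs, including symlinks that point there. The function names, the `--list` switch and the set of pseudo-filesystems skipped are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: list top-level directories that are safe to hand to an
# on-demand scanner on the service console. Nothing under /vmfs is ever
# returned, even when reached through a symlink.

# Trees skipped relative to the root: VMFS datastores plus kernel
# pseudo-filesystems (the pseudo-filesystem list is an assumption).
EXCLUDES="vmfs proc sys dev"

# is_excluded ROOT PATH
# Returns 0 when PATH resolves to, or below, an excluded tree under ROOT.
is_excluded() {
    root=$1
    real=$(readlink -f "$2") || return 0   # unresolvable path: skip it
    for name in $EXCLUDES; do
        case "$real" in
            "$root/$name"|"$root/$name"/*) return 0 ;;
        esac
    done
    return 1
}

# scan_targets ROOT
# Prints one directory per line; ROOT is "/" on a real host.
scan_targets() {
    root=$(readlink -f "$1") || return 1
    root=${root%/}                         # "/" becomes "" so paths join cleanly
    for entry in "$root"/*; do
        [ -d "$entry" ] || continue        # directories only
        is_excluded "$root" "$entry" && continue
        printf '%s\n' "$entry"
    done
}

# Stand-alone use: sh scan_targets.sh --list [ROOT]
if [ "${1:-}" = "--list" ]; then
    scan_targets "${2:-/}"
fi
```

The resulting list is what gets passed to the scanner from cron; the scanner's own exclusion options should still be set so that nested links cannot lead back into /vmfs.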
I installed McAfee VirusScan for unix on my box. Version 5.20.0.
The install was very painless; it doesn't do any real-time scanning (something you have to run from cron). The problem that I have is trying to get the DAT updates. The only "automated" way that I know of getting the updates is through FTP. The ESX hosts don't play very well with FTP. I opened the ftpClient on the internal firewall and still can't get out. I can download the DAT files from my workstation, then scp them over to the host, but I don't want to get in the habit of doing that.
Andy
Thanks for sharing your efforts with us.
Do you see any performance dip of the server as mentioned by Edward and Stefan?
Hello,
Performance will be affected if you scan /vmfs. If that is left out, then there should be some impact but nothing major unless you are constantly scanning the system for viruses.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
Hello,
It depends on what you consider ESX. If you consider it an appliance, then do you run AntiVirus on your other appliances, namely firewalls? Since most firewalls use some form of OS, sometimes freebsd, sometimes linux, sometimes something else instead, should they not also use antivirus? But they are not storing user files, so I would hope not.
ESX should not store user files outside the confines of a VMDK. If you scan a VMDK you will directly affect the performance of VMs and receive many false positives.
ESX/ESXi are special purpose systems that are part appliance (switches, storage) and compute resources. Since it is not a general purpose device putting antivirus on the management consoles should be avoided. However, if you do store general purpose files and your ESX server acts as a file server as well, which should be avoided, then I would run AntiVirus....
It all depends on the use.
Best regards,
Edward L. Haletky
VMware Communities User Moderator