VMware Horizon Community
rjb2
Enthusiast

Anti-virus and VDI

Are there any special considerations in regards to endpoint protection in a VDI environment? For example, if you are working with pooled desktops, are login times affected? Also, any suggestions regarding a vendor (Symantec, McAfee, Kaspersky...) would be welcome.

0 Kudos
19 Replies
heybuzzz
Enthusiast

I use McAfee and it seems to work well. I don't have an EPO server in place at this time so I just let the engine (8.5i) auto update. If you choose this route make sure you change the auto update schedule on your VDI sessions. You don't want all 100 of your sessions trying to get a DAT at 5:00. Your ESX host will hate you for it... :(

0 Kudos
rickwestrate
Enthusiast

Most vendors support randomization of update and scan schedules. As the previous post alluded to... if you had all of your VMs try to execute a scan or update at the same time you will kill your storage sub-system.

0 Kudos
LearnFromOthers
Contributor

Lots of application whitelist vendors now propose to replace antivirus solutions and whitelist approach does not even require a scan. Have you guys considered such a solution?

0 Kudos
TomHowarth
Leadership

Lots of application whitelist vendors now propose to replace antivirus solutions and whitelist approach does not even require a scan. Have you guys considered such a solution?

The problem with whitelist products is that they are notoriously difficult to set up correctly, but they do offer a valid approach to things like zero-day attacks.

If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
0 Kudos
randyf25
Enthusiast

I suppose I am not following this suggestion. Is the proposal that there is no need for AV software on a VDI machine and that instead you switch to an application control program?

In other words, you aren't susceptible because it couldn't run in the first place?

Can you elaborate on this at all?

0 Kudos
LearnFromOthers
Contributor

So the idea is that you don't run antivirus in realtime checking mode and also do not schedule nightly scans. The whitelisting software would prevent execution of any new code unless it is explicitly approved and hence would prevent virus contamination, and is much better from a performance perspective. Then you can run antivirus once a month for cleansing purposes.

Some companies are going this route for regular servers and desktops...

0 Kudos
randyf25
Enthusiast

Interesting, but isn't this an incredibly time-consuming task? I suppose it depends on the environment. The authority around here is such that short of administrative rights on their PCs the users can play however they want to play.

The issue I face now is that if I load Sophos onto a base image then it acts like a new install and requires a reboot after the desktop recompose finishes. If I try to have Sophos install automatically through synchronization with the AD then it fails on install with some cryptic error that I still need to discuss with Sophos. Gah!

0 Kudos
HenrikElm
Contributor

Upgrade to vSphere as soon as possible and use VMSafe! :)

/Henrik

0 Kudos
randyf25
Enthusiast

You must be a vendor! :) Always the answer is that functionality will be in the next update!

Just joking with you... I'm not familiar with VMsafe... I'll have to hunt around for information... or get me some beta code :)

0 Kudos
TomHowarth
Leadership

If you must have an AV product in your VDI environment, personally I would utilise the AppSense suite of products, then have a look at Trend Micro; their AV can be installed into a Base Image and it will reconfigure after a phone home.

0 Kudos
Ozkart
Contributor

Henrik,

I'm of the understanding that View is currently not supported on vSphere, thus no use of VMSafe.

Cheers

0 Kudos
-TAZZ-
Enthusiast

Considerations? Yes. Do not install these security products in the template! I encountered two products which prevent successful provisioning of desktops.

1. Symantec Endpoint security

2. McAfee Enterprise Antivirus 8

I had to remove these security applications from the templates and had to deploy them after provisioning the desktops.

A full report can be found here: http://www.vmguru.nl/wordpress/2009/05/template-customization-problem/

www.vmguru.com | twitter.com/scholtene
0 Kudos
chadwickking
Expert

Old thread but wanted to make a point.

We have virus scanning in our VDI environment. We are currently also using McAfee and the issue we are seeing is that scans seem to happen at the same time as other hosts in a cluster and this causes a ton of CPU alerts, especially if the machines may have to apply a patch (reboot needed). Anyways, so what is so great about VMsafe and what it can do? Also, what others are out there? Surely, there are more companies going about this differently.

Regards,

Chad King

VCP4

Cheers, Chad King VCP4 Twitter: http://twitter.com/cwjking | virtualnoob.wordpress.com If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful
0 Kudos
DarrenBull
Contributor

I'd second Trend. Their Deep Security product is the first VMsafe approved product on the market (I think), but is very expensive. Their OfficeScan product has a VDI plug-in which means you can configure the AV console to talk to your vSphere. It will then ensure that no more than x updates or scans are done simultaneously per host, and x is configurable. Additionally, you whitelist the golden image prior to deployment (we use linked clones) and all clones come up lovely. We were previously using Sophos which absolutely killed our storage.

0 Kudos
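Added example, not part of any post in this thread and not any vendor's code: a Python sketch of the two ideas raised above, stable per-desktop randomization of scan start times and a configurable cap of x simultaneous scans per host. The host names, desktop names, slot count and cap are constructed for illustration.

```python
import hashlib
from collections import defaultdict

def jitter_slot(vm_name, slots):
    """Stable pseudo-random slot: a desktop always hashes to the same slot."""
    digest = hashlib.sha256(vm_name.encode()).digest()
    return int.from_bytes(digest[:4], "big") % slots

def plan_scans(vms_by_host, slots, max_per_host):
    """Return {vm: slot} with at most max_per_host scans per host per slot.

    Each VM starts at its hashed slot; if that slot is already full on its
    host, it moves to the next slot that still has capacity.
    """
    plan = {}
    for host, vms in vms_by_host.items():
        if len(vms) > slots * max_per_host:
            raise ValueError(f"{host}: window too short for {len(vms)} desktops")
        load = defaultdict(int)
        for vm in sorted(vms):
            slot = jitter_slot(vm, slots)
            while load[slot] >= max_per_host:
                slot = (slot + 1) % slots
            load[slot] += 1
            plan[vm] = slot
    return plan

def peak_per_host(plan, vms_by_host):
    """Worst-case number of simultaneous scans on each host."""
    peaks = {}
    for host, vms in vms_by_host.items():
        counts = defaultdict(int)
        for vm in vms:
            counts[plan[vm]] += 1
        peaks[host] = max(counts.values(), default=0)
    return peaks

# Constructed inventory: 2 hosts x 50 pooled desktops, 12 slots, cap of 5.
INVENTORY = {
    "esx01": [f"vdi-a{i:03d}" for i in range(50)],
    "esx02": [f"vdi-b{i:03d}" for i in range(50)],
}
PLAN = plan_scans(INVENTORY, slots=12, max_per_host=5)

if __name__ == "__main__":
    print(peak_per_host(PLAN, INVENTORY))
```

Hashing alone spreads the load but gives no guarantee on the peak; the spill-over step is what enforces the per-host cap.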
WilliamReid
Enthusiast

Hi there,

We have a PDF with things to consider and tips for AV deployment.

http://www.vmware.com/files/pdf/VMware-View-AntiVirusDeployment-WP-en.pdf

Have a look and let me know if it helps.

Wm

0 Kudos
AXI
Contributor

I've seen that document, what really scares me is:

"In the event of security outbreak or breach, with proper configuration with refresh on logoff or reboot, a non-persistent desktop can resume its original state after reboot, and thus anti-virus protection is optional"

It's going to take a brave man to run with no AV. I was looking at the Trend product, but am concerned about making changes to the ESX servers. McAfee have a product out called MOVE which ties in with our EPO, but it doesn't use VMSafe like Trend. I am trying to get a trial of the McAfee product, but this is proving to be more difficult than I would have imagined.

0 Kudos
Bluemoon404
Enthusiast

Hi,

I have implemented McAfee MOVE on our setup and can fully recommend it, very easy to set up and works pretty much as it says on the tin.

0 Kudos
mdthacker
Contributor

Trend Micro has two solutions for VMware.

OfficeScan is VDI aware

http://us.trendmicro.com/us/products/enterprise/officescan/

Deep Security Virtual Appliance has agentless AV and integrates tightly with VMSafe. Works for both Server and VDI VMs.

http://us.trendmicro.com/us/products/enterprise/datacenter-security/deep-security/

Tolly Group testing.

Trend Micro Deep Security 7.5 vs. McAfee and Symantec Anti-virus Performance in VMware ESX Virtual Environments

http://tolly.com/DocDetail.aspx?DocNumber=211101

0 Kudos
JoJoGabor
Expert

I evaluated the Trend product with a large bank and it certainly looks good from a non-security person like me. However, having spoken to a lot of the other AV vendors, they are holding off on developing a product until the vShield 2.0 API is available later this year as they don't believe 1.0 is secure enough. This could be FUD by the AV vendors, but interested to hear if anyone has evaluated it fully from a security aspect? It's no good running an AV product which saves loads of compute resources if it isn't finding viruses!!

0 Kudos