Hello,

The only reason to install AV on the SC is due to Corporate requirements in my mind. A/V in the SC has to be setup to ignore everything in /vmfs, and timed to run when there is the least impact to the VMs. But yes it can be done, just be careful about your setup. If your Security Policy does not require AV on ESX Servers, I would hesitate to do this. Note if yo do let it run over /vmfs you will degrade the performance of your VMs and false positives will show up.

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

Hello,

The only reason to install AV on the SC is due to Corporate requirements in my mind. A/V in the SC has to be setup to ignore everything in /vmfs, and timed to run when there is the least impact to the VMs. But yes it can be done, just be careful about your setup. If your Security Policy does not require AV on ESX Servers, I would hesitate to do this. Note if yo do let it run over /vmfs you will degrade the performance of your VMs and false positives will show up.

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at

I completely agree, this is definately one of those occasions that just because you can, does not neccessarily mean you should.

Tom Howarth

VMware Communities User Moderator

Don't most organizations that require such strict security measures have an acceptable risk form or documentation that can be completed? If it can be proven that ESX is as safe as mentioned here throughout several threads, most companies should accept that instead of risking the degredation of VM performance. Makes sense to me?

Doesn't matter if it makes sense or not. ESX isn't running anything, it's a host server, nothing more. If you want even more security, 3i is what you want, there isn't anything that can run on 3i, since there isn't even a console to run in.

ALL the culprits are guests, there isn't any single program or service that ESX runs that would cause a problem.

Hello,

However this truly depends on the Security Policy of the corporation/company, etc. If it says YOU WILL run A/V, there is generally no recourse. However, read the policy carefully, talk to the security experts, etc. Or work to get an exception to the policy worked out but until that excpetion is in place you may have to run the A/V. Again read the policy carefully, etc. I know many a Policy that says YOU WILL RUN A/V on all servers, workstations, etc. and the corporate security folks will not budge on this.

As for 3i, that has its own issues from a Security perspective. I would not consider it more secure just different. But that is a discussion for another time.

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

Hello,

SInce this is a discussion on Security/AntiVirus, etc. I have moved it to the Security and Compliance forum for others interested in these things to respond to.

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization