Is it possible to install an antivirus (F-Secure Server) on ESX 3.5.0?
Is it efficient if I extract the /vmfs folder?
You can install an AV agent on the service console, but it is not recommended. There are open source AV products that work for ESX; you can google it and find a lot of them. AV tends to be very resource-intensive, and the service console is a small appliance used only for command-line administration. ESX itself is a very secure and stripped-down version of Linux, unless there is a known issue with the deployed packages, but that can be patched.
Regards,
"The Power of Knowledge"
There are no known ESX viruses. There are a few for Linux, but I don't know of any in the wild right now.
And most important, most virus scanners for Linux scan for Windows viruses. So if this was a gateway host, email server, etc., it would catch them before they got to the intended Windows host. In this case, since you are not using ESX as a gateway, or running an email server in the console, AV will be an extreme tax on resources, speed, and stability.
Even excluding /vmfs will still cause the host to be inefficient. If you do decide to use it anyway, make sure to up the SC RAM to 800MB, and increase the MHz to as high as you can make it.
my 2 cents
ken harbin
Hello,
The only reason to install AV on the SC is due to corporate requirements, in my mind. A/V in the SC has to be set up to ignore everything in /vmfs, and timed to run when there is the least impact to the VMs. But yes, it can be done; just be careful about your setup. If your Security Policy does not require AV on ESX Servers, I would hesitate to do this. Note that if you do let it run over /vmfs, you will degrade the performance of your VMs and false positives will show up.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
I completely agree; this is definitely one of those occasions where just because you can does not necessarily mean you should.
Tom Howarth
VMware Communities User Moderator
Don't most organizations that require such strict security measures have an acceptable risk form or documentation that can be completed? If it can be proven that ESX is as safe as mentioned here throughout several threads, most companies should accept that instead of risking the degradation of VM performance. Makes sense to me?
Doesn't matter if it makes sense or not. ESX isn't running anything, it's a host server, nothing more. If you want even more security, 3i is what you want, there isn't anything that can run on 3i, since there isn't even a console to run in.
ALL the culprits are guests, there isn't any single program or service that ESX runs that would cause a problem.
Hello,
However, this truly depends on the Security Policy of the corporation/company, etc. If it says YOU WILL run A/V, there is generally no recourse. However, read the policy carefully, talk to the security experts, etc. Or work to get an exception to the policy worked out, but until that exception is in place you may have to run the A/V. Again, read the policy carefully, etc. I know many a Policy that says YOU WILL RUN A/V on all servers, workstations, etc., and the corporate security folks will not budge on this.
As for 3i, that has its own issues from a Security perspective. I would not consider it more secure, just different. But that is a discussion for another time.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
Hello,
Since this is a discussion on Security/AntiVirus, etc., I have moved it to the Security and Compliance forum for others interested in these things to respond to.
Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
I'm working for a big corp; the internal security recommends an AV on all physical servers...
I will try an AV on a VMware ESX and will give you my experience later...
Thanks for all the responses.