Madcatz
Contributor

VM's and Anti-virus software

I'd like to get some feedback about the best practice for using anti-virus software in a vSphere environment.

Currently we have 4 physical servers running roughly 35 virtual servers and we have an anti-virus program installed on each VM as long as it does not interfere with other software on the VM. We are looking to switch anti-virus software.

Having 10 or more VMs on a physical server, each with its own AV software, has raised a few questions. First, what would hurt performance more: having 10 VMs each running AV software, or having one AV product in the hypervisor that can protect the ESX host and all of the VMs (is there anything that does that currently)?

What about HIDS and HIPS in the hypervisor instead of on each VM?

We are looking for a very secure solution, but we also need to keep system reliability up.

Any thoughts would be appreciated.

Thanks!

9 Replies
pcorrea117
Contributor

Theoretically vShield Endpoint is what you would want to use to protect your VMs. Basically all antivirus functionality would be funneled to a hardened VM dedicated to file scanning.

However, there are a couple caveats:

- this only works on Windows VMs

- a file I/O driver needs to be installed on the VMs to be protected

Hopefully those caveats will be relaxed/removed in a future version.

Pat

Texiwill
Leadership

Hello,

Currently you can use McAfee, Symantec, and Trend Micro to do offline disk scans using the vSphere vStorage API; however, to do live scans from within the VM you still need to stagger your scans over the day.

Trend Micro will be the first out that supports vShield Endpoint.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, 2010

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'

Also available 'VMware ESX Server in the Enterprise'

Blogging: The Virtualization Practice | Blue Gears | TechTarget | Network World

Podcast: Virtualization Security Round Table Podcast | Twitter: Texiwll

--
Edward L. Haletky
vExpert XIV: 2009-2022,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
PduPreez
VMware Employee

Have a look at this:

The IBM ISS Virtual Security solution offers best-of-breed technology, no agent required on the VM, and a total solution including virtual IPS etc.

IBM Internet Security Solutions was also invited as one of the keynote speakers on how to address security in the virtual environment at this year's VMware summit that was held.

They have been appointed by VMware as an official security provider for VMware environments with an API plug-in to VMsafe.

It protects the total virtual environment: hypervisor, management stack, virtual switches, VMs etc.

Regards

If you find this or any other answer useful please consider awarding points by marking the answer helpful or correct. Thank you.

Texiwill
Leadership

Hello,

The IBM solution does not provide Antivirus/Anti-Malware solutions at this time. It is just one of many that provide Firewall, IDS/IPS, and NAC functionality. The one thing it does provide that none of the others do is an Anti-Rootkit functionality for Windows operating systems. But even they have said it is a simplistic approach. I would very much like to see them increase this functionality to use Endpoint, etc.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, 2010
MKguy
Virtuoso

Agreed, actually, there is still not a single vShield Endpoint capable AV product out yet. (Or am I overlooking something here?)

Trend Micro announced Deep Security 7.5 with vShield Endpoint agentless AV, but it's still in a "coming soon" state.

http://us.trendmicro.com/us/products/enterprise/datacenter-security/deep-security/index.html

-- http://alpacapowered.wordpress.com
scottdsauer
Contributor

Trend's Endpoint is GA; contact your local Trend Micro rep for more information. Symantec and McAfee are releasing their solutions in Q1 2011. Happy scanning!

MKguy
Virtuoso

I received word from our reseller that Trend Micro's Deep Security 7.5 is going to be released next week. Let's hope it will be; otherwise, VMware has been selling a product (vShield Endpoint) that nobody could use for about 3 months.

-- http://alpacapowered.wordpress.com
MKguy
Virtuoso

Trend Micro's Deep Security 7.5 with vShield Endpoint integration is finally out and available for evaluation. I have it installed in a test cluster and it seems to, well, kind of work.

-- http://alpacapowered.wordpress.com
RParker
Immortal

however to do live scans from within the VM you still need to stagger your scans over the day.

30 hosts, 800 VMs. I would really like to know how you can stagger scans when the VMs do NOT know which host they are on.

That sounds good in THEORY, but not as a real-world solution. It's IMPOSSIBLE to tell which VM can run at any given time and know EXACTLY which scans can take place where, especially considering some of these are local to the disk.

So far, doing concurrent scans only poses a minor throughput problem, and I scan late at night or on weekends. But there is no way to identify which LUN, host, or datastore any given VM will be using from the Trend/Forefront console.

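Texiwill's advice is to stagger in-guest scans, and RParker's objection is that a VM cannot tell which host or LUN it sits on. The placement is visible from the management side, though, so the staggering can be computed there. The following is an added example, not code from the thread or from any vendor: a small Python scheduler that takes a VM-to-host/datastore inventory (a constructed sample here; on a real cluster it would be pulled from vCenter, e.g. with PowerCLI, right before the scan window because DRS and vMotion change placement) and assigns each VM the earliest scan slot that keeps per-host and per-datastore concurrency under a limit. All names (INVENTORY, schedule_scans, slot_to_time, schedule_is_valid) and the limits are assumptions for the example.

```python
# Added example (not from the thread): stagger in-guest AV scans so VMs that share
# an ESX host or a datastore/LUN do not scan at the same time. Regenerate the
# inventory from vCenter before each window; DRS/vMotion move VMs between hosts.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample inventory: (vm, host, datastore)
INVENTORY = [
    ("web01", "esx1", "lun-a"),
    ("web02", "esx1", "lun-a"),
    ("db01", "esx1", "lun-b"),
    ("app01", "esx2", "lun-a"),
    ("app02", "esx2", "lun-b"),
    ("fs01", "esx3", "lun-c"),
]


def schedule_scans(inventory, max_per_host=1, max_per_datastore=2):
    """Greedy assignment: each VM takes the earliest slot in which neither its
    host nor its datastore has reached its concurrency limit. Returns {vm: slot}."""
    host_load = defaultdict(lambda: defaultdict(int))  # slot -> host -> scans
    ds_load = defaultdict(lambda: defaultdict(int))    # slot -> datastore -> scans
    assignment = {}
    for vm, host, ds in sorted(inventory):  # sorted for a deterministic plan
        slot = 0
        while (host_load[slot][host] >= max_per_host
               or ds_load[slot][ds] >= max_per_datastore):
            slot += 1
        host_load[slot][host] += 1
        ds_load[slot][ds] += 1
        assignment[vm] = slot
    return assignment


def slot_to_time(slot, window_start="22:00", slot_minutes=30):
    """Map a slot index to a wall-clock start time inside the scan window."""
    hour, minute = map(int, window_start.split(":"))
    start = datetime(2000, 1, 1, hour, minute)  # the date itself is irrelevant
    return (start + timedelta(minutes=slot * slot_minutes)).strftime("%H:%M")


def schedule_is_valid(inventory, assignment, max_per_host=1, max_per_datastore=2):
    """Independent check that no slot overloads any host or datastore."""
    by_host, by_ds = defaultdict(int), defaultdict(int)
    for vm, host, ds in inventory:
        by_host[(assignment[vm], host)] += 1
        by_ds[(assignment[vm], ds)] += 1
    return (all(n <= max_per_host for n in by_host.values())
            and all(n <= max_per_datastore for n in by_ds.values()))
```

With the sample inventory the three VMs on esx1 land in three different slots (22:00, 22:30, 23:00) while the other hosts' VMs fill the gaps, so the whole window is 90 minutes instead of six serial scans.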