10 Replies Latest reply on Aug 25, 2008 5:00 AM by Texiwill

    Antivirus for ESX 3.5

    vmkillies Enthusiast

       

      Do we have any kind of antivirus available for the ESX server? Do we have any kind of security checklist for the ESX servers?

        • 1. Re: Antivirus for ESX 3.5
          kjb007 Guru

          If you are referring to the ESX host service console, then you can use antivirus, but most viruses don't apply to Linux/UNIX systems, which the service console is. 

           

          If you are referring to a host-based virus scanner for the VMs, then there are some things coming from the VMSafe APIs that are open to the antivirus/security vendors.

          -KjB

          1 person found this helpful
          • 2. Re: Antivirus for ESX 3.5
            vmkillies Enthusiast

             

            Thanks! But my concerns are more with the ESX hosts. Do we need to scan the ESX hosts periodically using any product like Sophos / ClamAV / Nessus etc.?

            Do we need to think about some console logging, from the security point of view?

            • 3. Re: Antivirus for ESX 3.5
              kjb007 Guru

              I would definitely look into the console logging.  Lock down the service console to only those that require direct access to it.  Don't allow root logins, and use sudo instead, and integrate the logins into an LDAP or AD infrastructure.  Other than that, the antivirus is one thing I really don't worry about on an ESX host.  There are very few viruses that will affect a Linux system, and they require specialized privileges to infect, and then run on a *nix system.  Plus you want to minimize the agents running on an ESX host, even though it has a service console that is Linux, you want to minimize any additional software that may interfere with the running of the vmkernel.

               

               

              -KjB

              1 person found this helpful
              • 4. Re: Antivirus for ESX 3.5
                azn2kew Champion

                 

                Installing antivirus software on the service console is like choosing between security and performance for the ESX host. It will impact your performance dramatically since it uses a lot of RAM/CPU and potentially causes performance degradation. ESX is a very secure platform and if you can lock down your SC then you're pretty safe. I've seen people try the ClamAV freebies and it works, but it is very resource intensive and I wouldn't recommend deploying any antivirus to the ESX service console at all.  To maximize security on ESX/SC, you can apply the tripwire checkconfig tool, the CIS security guide or even the DoD UNIX SRR scripts that scan and remediate in depth with security world.

                 

                If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!!

                 

                Regards,

                 

                Stefan Nguyen

                iGeek Systems Inc.

                VMware, Citrix, Microsoft Consultant

                • 5. Re: Antivirus for ESX 3.5
                  Texiwill Guru
                  User Moderators vExpert

                  Hello,

                   

                  Moved to Security and Compliance forum

                   

                  If your security policy requires virus scanning, then you have two options.... get an exception or make sure that the virus scanner does not touch /vmfs at all. That also may require an exception.

                   

                  The DISA STIG says not to run a virus scanner due to the scanner they have chosen not being able to run from the SC, not because they should not. That is a different issue altogether. If the virus scanner touches /vmfs you will have SEVERE performance problems as well as hundreds of false positives.

                   

                  There are viruses and worms for Linux, however few they are. But you need to set up such tools very carefully or not at all.

                  This will be, as azn2kew states, a choice between performance and security, and locking down ESX will provide the security and allow you not to need to run virus scanners within the SC.

                   

                  Note this is NOT possible with ESXi yet, so you need to fall back on good security policies and implementations. With the way things appear to be going the future could be similar.

                   


                  Best regards,

                  Edward L. Haletky

                  VMware Communities User Moderator

                  ====

                  Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

                  CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

                  As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization
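
Added example (not posted by anyone in this thread): building a scheduled ClamAV scan for the service console that never touches /vmfs, the condition reply 5 sets. The mount table is a constructed sample, the function names are hypothetical, and it assumes clamscan matches `--exclude-dir` against the absolute path.

```shell
# Added example: pick scan targets so nothing under /vmfs reaches the scanner.

# Constructed sample in /proc/mounts layout: device mountpoint fstype opts.
SAMPLE_MOUNTS='/dev/sda2 / ext3 rw 0 0
/dev/sda1 /boot ext3 rw 0 0
none /proc proc rw 0 0
none /vmfs vmfs rw 0 0
/dev/sda6 /var/log ext3 rw 0 0
/dev/sdb1 /vmfs/volumes/constructed-datastore vmfs rw 0 0'

# under_vmfs PATH: true when PATH is /vmfs or anything below it.
under_vmfs() {
    case "${1%/}" in
        /vmfs|/vmfs/*) return 0 ;;
        *) return 1 ;;
    esac
}

# scan_roots: mount table on stdin -> local mount points that may be scanned.
scan_roots() {
    while read -r dev mnt fstype rest; do
        case "$fstype" in
            ext2|ext3) ;;       # service-console filesystems only
            *) continue ;;      # skips vmfs, proc, NFS and anything else
        esac
        under_vmfs "$mnt" && continue
        printf '%s\n' "$mnt"
    done
}

# reject_vmfs_targets PATH...: vet a hand-written target list before use.
reject_vmfs_targets() {
    for p in "$@"; do
        under_vmfs "$p" || continue
        echo "refusing to scan $p" >&2
        return 1
    done
}

# scan_command: mount table on stdin -> the clamscan line for the cron job.
# /vmfs is a directory below /, so a recursive scan of / would walk into it;
# --exclude-dir (assumed to match the absolute path) keeps the scanner out.
scan_command() {
    roots=$(scan_roots | tr '\n' ' ')
    [ -n "$roots" ] || return 1
    printf 'clamscan -r -i --exclude-dir=^/vmfs %s\n' "${roots% }"
}

printf '%s\n' "$SAMPLE_MOUNTS" | scan_command
```

Before scheduling it, run the printed command once by hand and confirm from the scanner's output that no path under /vmfs was opened.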

                  • 6. Re: Antivirus for ESX 3.5
                    Andy_Imm Enthusiast

                     

                    I installed McAfee VirusScan for unix on my box. Version 5.20.0.

                     

                     

                    The install was very painless, doesn't do any real time scanning (something you have to run from cron).  The problem that I have is trying to get the dat updates.  The only "automated" way that I know of getting the updates is through ftp.  The ESX hosts don't play very well with ftp.  I opened the ftpClient on the internal firewall and still can't get out.   I can download the dat files from my workstation then scp them over to the host, but I don't want to get in the habit of doing that.

                    Andy

                     

                     

                    • 7. Re: Antivirus for ESX 3.5
                      vmkillies Enthusiast

                       

                      Thanks for sharing your efforts with us.

                      Do you see any performance dip of the server as mentioned by Edward and Stefan?

                      • 8. Re: Antivirus for ESX 3.5
                        Texiwill Guru
                        vExpert User Moderators

                        Hello,

                         

                        Performance will be affected if you scan /vmfs; if that is left out then there should be some impact but nothing major unless you are constantly scanning the system for viruses.

                         


                        Best regards,

                        Edward L. Haletky

                        VMware Communities User Moderator


                        • 9. Re: Antivirus for ESX 3.5
                          malaysiavm Expert

                           

                          I would say using antivirus for ESX is useless for the time being.

                          Yes, I agree we need antivirus for ESX in the future.

                          Malaysia VMware Communities - http://www.malaysiavm.com

                           

                           

                          • 10. Re: Antivirus for ESX 3.5
                            Texiwill Guru
                            User Moderators vExpert

                            Hello,

                             

                            It depends on what you consider ESX. If you consider it an appliance, then do you run antivirus on your other appliances, namely firewalls? Since most firewalls use some form of OS, sometimes FreeBSD, sometimes Linux, sometimes something else instead, should they not also use antivirus? But they are not storing user files, so I would hope not.

                            ESX should not store user files outside the confines of a VMDK. If you scan a VMDK you will directly affect the performance of VMs and receive many false positives.

                             

                            ESX/ESXi are special purpose systems that are part appliance (switches, storage) and compute resources. Since it is not a general purpose device putting antivirus on the management consoles should be avoided. However, if you do store general purpose files and your ESX server acts as a file server as well, which should be avoided, then I would run AntiVirus....

                             

                            It all depends on the use.

                             


                            Best regards,

                            Edward L. Haletky

                            VMware Communities User Moderator
