
Antivirus software for virtual desktops
In a traditional desktop model, an antivirus agent is installed and runs on every desktop. The agent is responsible for performing antivirus detection scans, and for maintaining and updating the definition files containing information about the latest malware.
This model works well in the physical desktop world, but presents some challenges when running in a virtual desktop environment. When a detection scan starts, every virtual desktop's resource usage will increase significantly, degrading performance for the end user. On a physical desktop that is fine, because only that one machine is affected, but in VDI it is the servers hosting the desktops that become resource-bound. When recomposing desktops or building them on demand, the desktops will have to download the definitions file each time, taking up network bandwidth and storage capacity. One last thing you need to take into consideration is the memory footprint of the typical desktop AV software that gets installed on each virtual desktop. You will need to allocate more memory to run the agents and scanning process.
Let's say you have a vSphere host server running maybe 100 virtual desktops or so; what if, at 12:00 on Thursday, they all kick off a virus scan? That host is likely to become 100% utilized very quickly, both for CPU and storage I/O, with the result being unresponsive desktops. Instead of affecting one user's desktop, you have now affected 100 users' desktops. You could schedule the scans so that they don't all happen at once, but, ideally, you need to look at alternative methods that are designed to work more specifically with a virtual desktop infrastructure.
Secondly, if we are recomposing desktops or building them on demand, we must download the definitions file every time, which not only takes up network bandwidth, but also consumes storage capacity unnecessarily.
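The scan scheduling mentioned above as a stopgap can be modelled in a few lines. The following is an added example, not code from the original text or from VMware: it spreads the scans of one host's desktops across time slots and measures the peak number of concurrent scans against the all-at-once case. The desktop names, the 15-minute scan duration, and the limit of 10 concurrent scans are assumptions chosen for illustration.

```python
import hashlib
from datetime import datetime, timedelta


def stagger_scans(desktops, window_start, scan_minutes, max_concurrent):
    """Give each desktop a scan start time so that no more than
    max_concurrent scans overlap on the host."""
    if scan_minutes < 1 or max_concurrent < 1:
        raise ValueError("scan_minutes and max_concurrent must be >= 1")
    # Order by a hash of the name: stable between runs, and clones with
    # adjacent names do not all land in the same slot.
    ordered = sorted(desktops, key=lambda n: hashlib.sha256(n.encode()).hexdigest())
    plan = {}
    for index, name in enumerate(ordered):
        slot = index // max_concurrent  # slot 0 starts at window_start
        plan[name] = window_start + timedelta(minutes=slot * scan_minutes)
    return plan


def peak_concurrency(plan, scan_minutes):
    """Sweep start/end events and return the largest number of overlapping scans."""
    events = []
    for start in plan.values():
        events.append((start, 1))
        events.append((start + timedelta(minutes=scan_minutes), -1))
    events.sort()  # at equal timestamps, ends (-1) sort before starts (+1)
    running = peak = 0
    for _, delta in events:
        running += delta
        peak = max(peak, running)
    return peak


if __name__ == "__main__":
    # Constructed sample: 100 desktops on one host, Thursday 12:00 window.
    desktops = [f"vdi-{n:03d}" for n in range(1, 101)]
    noon = datetime(2024, 1, 4, 12, 0)
    storm = {name: noon for name in desktops}  # everyone scans at 12:00
    plan = stagger_scans(desktops, noon, scan_minutes=15, max_concurrent=10)
    print("all at once:", peak_concurrency(storm, 15), "concurrent scans")
    print("staggered:  ", peak_concurrency(plan, 15), "concurrent scans")
    print("last scan ends:", max(plan.values()) + timedelta(minutes=15))
```

Staggering lowers the peak load but stretches the scan window, and every desktop still carries its own agent, memory footprint, and definitions download.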
So, what is required is a new approach to antivirus protection, specifically designed for virtual desktop infrastructure. With VMware vSphere 5.5, VMware introduced a product called vShield Endpoint (since superseded by VMware NSX) that addresses the problems inherent in antivirus scanning in large-scale virtual desktop implementations. It does this by offloading all antivirus operations into one centralized appliance. The scanning is then done at the hypervisor level and not on each of the virtual desktop machines.
Although VMware provides the engine that delivers the scanning process, it has also partnered with some of the leading antivirus software vendors, who supply the knowledge of how to identify and protect against viruses, malware, and other threats. These partners include the following:
- Bitdefender
- Kaspersky
- McAfee
- Sourcefire
- Symantec
- Trend Micro