This is basically the same type of package that you would install on a physical machine. In a non-virtualized environment, the full security software agent and anti-malware database are installed on the machine (server or desktop).
Generally, using these agent-based products within a virtualized environment is not a good idea. Each virtual machine will require the full agent and full anti-malware signature database to be installed on it. Therefore, if you have 100 virtual machines running on one virtual host, you’ll have 100 instances of the security agent and 100 instances of the malware signature database on that virtual host.
Obviously, this high level of duplication of the antivirus database wastes storage capacity. In addition, with multiple instances of the security application running, performance will suffer – especially in cases where the security software is running intensive processes on multiple virtual machines on the host.
If one of the motivations behind undertaking a virtualization project is doing more with less hardware, anything that adversely affects consolidation ratios will severely handicap your virtualization project’s ability to generate a good return on investment.
In addition to wasteful duplication of the security software and databases, agent-based security can also result in phenomena that further degrade performance or lead to potential gaps in security, including:
- Scanning storms.
- Panic attacks.
- Update storms.
- Instant-on gaps.
SCANNING STORMS
Because there are multiple instances of the security agent installed on each virtual host, if several – or even all – virtual machines simultaneously start to run a routine security scan, the other applications that are running on that host will be affected. In the event of a virus outbreak, the resulting malware scanning processes could mean that key applications will almost grind to a halt.
These scanning storms can be avoided if you choose a security solution that has been optimized for virtualized environments.
PANIC ATTACKS
IT administrators often set up policies whereby security will tighten up during a virus outbreak – so that scanning processes simultaneously run on all virtual machines and heuristic analysis is set to maximum. Obviously, this leads to each virtual machine consuming high levels of the host’s resources – including memory and CPU power – and can severely affect the performance of the host machine.
UPDATE STORMS
With the virtual host storing the anti-malware databases for multiple instances of the security agent, all of those databases will be subject to regular updates. Simultaneous updates of each virtual machine’s anti-malware database can severely impact the performance of other applications.
To alleviate this, you may be tempted to stagger the database updates – so that no more than a specified number of virtual machines will update at the same time. However, this approach will mean that the security on some of the virtual machines will lag behind that of other virtual machines on the same host – so some of your virtual machines will be more vulnerable to new or emerging malware and attacks.
Some security products that have been specifically developed for virtualized environments will randomize updates – to minimize the potential for update storms.
INSTANT-ON GAPS
Instant-on gaps can be a major security risk for agent-based products.
Consider the case of an office worker logging off his virtual desktop at 5 PM and then logging back on at 8 AM the next morning. For those 15 hours, his virtual machine has been totally inactive – and that means its antivirus database and the security application won’t have received any updates.
Although 15 hours may not seem like a long time, in today’s fast-moving world many new malware samples can be released in this relatively short period – and, when it’s first powered up in the morning, the user’s virtual desktop could have no protection against the latest threats.
If the user starts his day with a quick browse across a few Internet sites – before the security software update has completed – his virtual computer could be extremely vulnerable to attacks.
Similarly, when administrators first set up a new virtual machine, the instant-on gap will mean the machine is vulnerable – until after the security application and database have been updated.
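As an added illustration (not from the original article), the following Python flags virtual machines that were powered on with a stale signature database (the instant-on gap described above) and compares the peak load of simultaneous versus randomized update schedules (the update storms described earlier). The VM names, timestamps, the 4-hour staleness threshold and the 3-minute update duration are constructed assumptions.

```python
import random
from datetime import datetime, timedelta

# Constructed sample data (not from the original page): each VM's last
# signature-database update and the time it was next powered on.
VM_EVENTS = [
    # (vm_name, last_signature_update, powered_on_at)
    ("vdi-001", datetime(2024, 3, 4, 17, 0), datetime(2024, 3, 5, 8, 0)),  # off overnight
    ("vdi-002", datetime(2024, 3, 5, 7, 45), datetime(2024, 3, 5, 8, 5)),  # updated while running
    ("vdi-new", None, datetime(2024, 3, 5, 9, 30)),                         # freshly provisioned
]

def instant_on_gaps(events, max_age=timedelta(hours=4)):
    """Map VM name -> how far its signature database was behind at power-on,
    for VMs whose database is older than max_age (None = no database yet)."""
    gaps = {}
    for vm, last_update, powered_on in events:
        if last_update is None:
            gaps[vm] = None          # never updated: treat as unprotected
            continue
        age = powered_on - last_update
        if age > max_age:
            gaps[vm] = age
    return gaps

def peak_concurrent_updates(start_offsets, duration):
    """Largest number of VMs updating at once. Each update runs from its
    start offset for `duration` minutes; concurrency can only peak at a start."""
    return max(sum(1 for s in start_offsets if s <= t < s + duration)
               for t in start_offsets)

def simultaneous_schedule(n):
    """Every agent updates the moment the publisher releases: an update storm."""
    return [0] * n

def randomized_schedule(n, window, seed=1):
    """Each agent picks a random start within `window` minutes (seeded so the
    result is repeatable)."""
    rng = random.Random(seed)
    return [rng.uniform(0, window) for _ in range(n)]

if __name__ == "__main__":
    for vm, gap in instant_on_gaps(VM_EVENTS).items():
        print(f"{vm}: signature database {gap or 'missing'} behind at power-on")
    print("peak concurrent updates, simultaneous:",
          peak_concurrent_updates(simultaneous_schedule(100), 3))
    print("peak concurrent updates, randomized over 60 min:",
          peak_concurrent_updates(randomized_schedule(100, 60), 3))
```

With 100 agents the simultaneous schedule peaks at 100 concurrent updates, while spreading 3-minute updates over a 60-minute window cannot push the peak below 5 (300 VM-minutes of work in 63 minutes) but keeps it far from 100.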