I also just got back from BriForum 2011 – Chicago and attended two sessions that furthered my beliefs that blanketing antivirus across all of my virtual desktops probably isn’t the best thing. First, Jim Moyle focused his session on a deep dive into Windows IOPS and showed how different actions impact IOPS requirements in a virtual desktop. Let’s just say the graph for certain Antivirus and security products were absolutely crazy. Basically, if you run antivirus in a virtual desktop, you might as well double your IOPS requirements (this is not news to me or many people in the crowd, but the graph was so telling). Michael Thomason, who presented on how to mitigate IOPS requirements also said their Antivirus killed their storage and that they had to take drastic measures by limiting what was being scanned. Then, I remembered looking at Citrix’s recommendations for Antivirus in a virtual desktop. Basically, you should only scan writes to local files where the data changes while excluding a bunch of other folders. Basically, it says you should scan as little as possible.
Three different areas and I get the same result: Antivirus has a noticeable disk impact.
So what we have is a situation where we will double storage requirements for something that everyone believes is a requirement, but we take drastic steps to limit how much/how often it runs to try and reduce storage requirements. Does anyone see the problem here? People think they need it but take steps to limit it. Many believe that what was once good for the desktop is still good for the virtual desktop. Fortunately, things have changed and we have to question our old beliefs. Unfortunately, changing old beliefs, especially anything to do with security of IT systems in an enterprise, is a very big uphill battle. How many of you want to go into a financial company and say remove your antivirus software from you desktops. They would laugh at you while security threw you out the front door.
However, with the traditional desktop, the costs of using antivirus were minor. We just did it because it provided a sense of security. We never cared about storage optimization and performance on a traditional endpoint (at least I never did). With virtualization, things changed. We do care about storage performance. I know more about IOPS now than I really care to know. ProjectVRC Phase III tests show how to reduce and optimize IOPS. So why is no one asking the question if one of the biggest IOPS consumers is really a requirement? No one dares to ask the question because it is almost a forbidden topic.
Now let me make this clear… I do not have a virus scanner on my laptop, I do not have a virus scanner on my home desktop, I have never had a virus scanner on any of these devices, and somehow, I have never had a virus. Now the smart ones reading this are asking “But if you don’t have a virus scanner, how do you know you don’t have a virus?” Because every so often (maybe yearly or every ½ a year), I run a free scanner that doesn’t require an install just to see if everything is still clean (it always is)
How can I go so long without getting a virus? Is it because I don’t go online? Is it because I’m completely disconnected from the network? No. I work like anyone else. Being virus free used to be pretty hard to do, but it has gotten so much easier over the past few years. There are systems in place protecting me from doing very stupid things. As I see it, there are only a few places where I will get a virus, but systems protect me.
-
Email:
- The Citrix IT team is running virus protection on the Exchange email servers. I can feel pretty confident that I am safe with corporate email.
- Google, Yahoo and Microsoft have virus protection running on their email systems. When I receive attachments and try to open, each one scans the file first (although they are probably just reading my email and realize I lead a pretty boring life). This scan helps protect my personal email.
-
Internet: I usually stay on pretty well-known and safe sites (especially on my work computer), but sometimes I accidently hit a pop-up and next thing you know, I’m somewhere I don’t want to be. Luckily, the browsers are much smarter than they used to be
- Some will tell me if the site I’m going to isn’t safe
- Some will ask before downloading anything
- Some will scan downloaded files for viruses
- Even Windows 7 doesn’t install anything unless I tell it that it is ok
- Most run with user privileges and not administrative privileges
- Sharing USB drives: I don’t. If someone wants a file from me, I usually just ask for email address. This doesn’t happen very often though as I have nothing of value on my laptop J And if you are running a virtual desktop, you can simply disable this functionality.
- Network: If someone else gets a virus, there is a chance that the virus will worm itself across the network and infect other desktops. With my firewall enabled, this provides some level of protection.
Do these protect me completely? No, and I’m not so naive to believe that they do, but antivirus solutions don’t completely protect me either. My point is that these other solutions provide enough protection for the level of risk I can tolerate. Does this mean you should dump your antivirus from all of your virtual desktops? No. But I do encourage you to look to see if you need it on every desktop. Maybe you would be better off
- Splitting your XenDesktop sites into security levels where only the most secure desktops have antivirus because they are dealing with your company’s secret recipe.
- Setting up your environment in such a way that you have blocks of desktops where the one block cannot infect other blocks. That way, in case a virus does get through, the area to attack is much smaller and easier to contain.
- Hosting mission critical applications as XenApp resources with antivirus enabled to a non-antivirus enabled virtual desktop. That way you still keep that warm fuzzy feeling of having an antivirus solution but it doesn’t have nearly as large of a resource hit as putting it on every desktop.
Whatever you do, think about the decision, the ramifications and your tolerance for risk. Citrix says one size doesn’t fit all for virtual desktops, and I say the same statement can be made for Antivirus.
Good points, also, you can virus scan the Gold master and then turn off active scanning, at least it would be clean as of the last creation of a vDisk!
LikeLike
I don’t believe in an Anti-virus free environment but there are ways we can mitigate the effects of AV scan.Citrix recommended Best Practice can be a starting place.Second option would be to understand that there are two components to a XenDesktop / Xenapp environment primarily namely the OS disk which can be frequently refreshed and the Data disk which is susceptible to infection. Instead of having AV on every desktop we could use solutions like CAVA for EMC NAS to offload the load to specific servers.
LikeLike
Alternatively , for environments where AV solution is mandatory for every desktop , Solutions like FAST Cache from EMC can help overcome the load by absorbing the Anti-Virus scanner load and we have seen some amazing results on the same as well. Finally , once solutions like McAfee MOVE evolves that would be a big boost for the AV space for VDI.
LikeLike
Sounds pretty reasonable, esp. if you add AV-engines to your central CIFS/NFS store(s). This gives you a higher level of protection and reduces the risk of trojan horses, worms etc. distributing over network shares. Another way could be hypervisor-based AV-scanners, although I did not see any performance results so far…
Michael
LikeLike
It´s interesting to read your article, as always! ?
But I really don´t think a Av free VDI solution is the right way to move, as we know from security perspective – nothing is stronger than the weakest link.. Think about several thousand VDI machines flooding your network..
What about running Trend Micro Deep Security which places the AV scanning on the hypervisor layer? This currently only works on VMware, but as we know, XenDesktop may run well on VMware.
I think other vendor´s, both hypervisors and AV, should consider this approach.
LikeLike
Interesting reading and I have considered the same since I was first introduced to Citrix Provisioning Server – I seem to remember someone from Ardence suggesting this.
Have you considered looking at AppSense Application Manager as a way of mitigating your risk of removing a virus checker? Whilst Application Manager is not an anti-virus tool, it does control unauthorised executables and does not scan, so you have control whilst keeping without impacting you IOPS. You can ensure the virus doesn’t run with Application Manager and then as you suggest rely on the anti-virus to scan the perimeter systems, e.g. email, file share, proxy etc…
LikeLike
Interesting reading and I have to agree Antivirus is far from being the silver bullet of IT security.
However, I would like to add 2 points on the topic:
The use of virus is not always a choice, particularly in the Enterprise world.
For example, if you need to follow the PCI SSC Data Security Standards, you will have to run an antivirus on every endpoint virtual or not.
On a positive note, Antivirus vendors start to make an real effort to adapt their product to Virtualize environment.
Symantec Endpoint Protection 12.1 for example introduce a feature (Shared Insight Cache Server) that allow clients to share scan results.
It will create a white list of safe files that clients will not have to re-scan on multiple VMs.
McAfee create MOVE that is specially targeted for Virtualized environment (the antivirus work is done by an appliance seating on the host) and, as Wakelake said, Thread Micro create an antivirus that work with the VMware WMSafe API.
I believe that it is worst it to review the progress made by security vendors and apply a solution that fit your Virtual world.
Sources:
PCI DSS v2
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
Symantec Virtualization Best Practice
http://www.symantec.com/connect/sites/default/files/Virtualization_Best_Practices.pdf
McAfee MOVE
http://www.mcafee.com/us/resources/solution-briefs/sb-anti-virus-optimized-virtualized-environments.pdf
LikeLike
great points … i would love to share your article with friends/bosses because i refuse to use an antivirus program just like you.
LikeLike