Protection From Anti-Virus

Protection from antivirus. Are you wondering if you read that correctly? Yes, it is correct. Odd, isn't it? Antivirus is there to protect us, but we also need to be protected from antivirus. Antivirus solutions are critical, even in a virtual desktop environment. Many people believe that because a hosted VM-based virtual desktop is created from a read-only image, it is immune from viruses. That is only partially true. When you reboot, the virus goes away because the changes to the base image are destroyed (including the virus), but what about the time period between getting infected and the next reboot? Those few hours are dangerous.

If using hosted shared desktops or hosted VM-based VDI desktops, those virtual desktops are located within the data center with other critical systems.  If a virus made it into the data center, the entire infrastructure is at serious risk.  However, simply adding an antivirus solution to the virtual desktop can protect the environment. So what’s the big deal? Just do it right?  Well, nothing is as simple as one expects it to be.  Antivirus can have a major impact on the virtualization infrastructure, and even cause users to experience poor virtual desktop performance, if done improperly.

Consider virtual desktops that are streamed with Provisioning Services and that all start a full system scan at roughly the same time. Provisioning Services only streams the portions of the disk image that are actually requested. However, a full system scan reads every file, so those virtual desktops will eventually request the entire vDisk image. This not only overwhelms the network and Provisioning Services, but also impacts the storage infrastructure as the write cache is utilized and explodes in size. Overcoming these issues is a fairly easy matter and is based on the following recommendations:

  1. The desktop image must be free from viruses. It is recommended to do a full system scan in private image (read/write) mode. This guarantees the image is clean.
  2. When the desktop image is in standard mode (read-only), the antivirus should be configured as follows:
    1. Only scan create/modify activities of files
    2. Scan on write events only
    3. Scan local drives only
    4. Exclusions
      1. Pagefile
      2. Print Spooler directory
      3. Write cache file
      4. EdgeSight database
      5. ICA client's bitmap cache directory
    5. Remove the antivirus configurations from the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry key
  3. Reconfigure antivirus so that the virus definitions file is stored on a persistent disk so antivirus doesn't have to download the entire definition file on each startup.
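The following PowerShell script is an added example, not code from the original post, that audits a Windows master image against steps 2.1 through 2.5 above and can apply them with `-Apply`. It assumes Microsoft Defender is the antivirus engine (the post does not name a product) and uses its `Get-MpPreference`/`Set-MpPreference`/`Add-MpPreference` cmdlets; `RealTimeScanDirection = 1` (scan incoming files only) is used to approximate "scan on write events only", and `DisableScanningNetworkFiles` to approximate "scan local drives only". The write cache, EdgeSight database and ICA bitmap cache paths are placeholders, as is the `$AvExePattern` used to recognise antivirus entries in the Run key. Step 3 (relocating the definitions file to a persistent disk) is product-specific and is not covered here.

```powershell
# Added example (not from the original post): audit a VDI master image against the
# read-only-image antivirus recommendations, using Microsoft Defender (assumption).
[CmdletBinding()]
param(
    [switch]$Apply,                           # without -Apply the script only reports
    [string]$AvExePattern = 'PLACEHOLDER_AV\.exe'   # placeholder: regex matching your AV's executable
)

# Exclusions from the recommendation list. Paths marked "placeholder" must be
# replaced with the real locations used in your environment.
$Exclusions = @(
    "$env:SystemDrive\pagefile.sys",           # Pagefile
    "$env:SystemRoot\System32\spool",          # Print Spooler directory
    'C:\PLACEHOLDER\WriteCache\vdiskcache',    # Write cache file (placeholder)
    'C:\PLACEHOLDER\EdgeSight\Database',       # EdgeSight database (placeholder)
    'C:\PLACEHOLDER\ICA Client\Cache'          # ICA client bitmap cache (placeholder)
)

$RunKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

function Test-AvPreferences {
    # Compare the live Defender configuration with the recommendations and
    # return one finding string per deviation (empty array = compliant).
    $pref = Get-MpPreference
    $findings = @()
    # 1 = scan incoming (written) files only; 0 would scan reads as well
    if ($pref.RealTimeScanDirection -ne 1) {
        $findings += 'RealTimeScanDirection is not 1 (scan on write only)'
    }
    # Do not scan files opened over the network: local drives only
    if (-not $pref.DisableScanningNetworkFiles) {
        $findings += 'DisableScanningNetworkFiles is not enabled'
    }
    foreach ($path in $Exclusions) {
        if ($pref.ExclusionPath -notcontains $path) {
            $findings += "Missing exclusion: $path"
        }
    }
    return $findings
}

function Get-AvRunEntries {
    # Return Run-key values whose command matches the antivirus executable pattern,
    # i.e. the per-boot antivirus launch entries the recommendation says to remove.
    $props = Get-ItemProperty -Path $RunKey
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' -and $_.Value -match $AvExePattern } |
        Select-Object Name, Value
}

$findings   = Test-AvPreferences
$runEntries = @(Get-AvRunEntries)

if ($findings.Count -eq 0) { 'Antivirus preferences match the recommendations.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
$runEntries | ForEach-Object { "FINDING: Run key entry '$($_.Name)' -> $($_.Value)" }

if ($Apply) {
    # Apply the read-only-image settings; run this in private image mode,
    # then seal the image so the change is baked into the vDisk.
    Set-MpPreference -RealTimeScanDirection 1 -DisableScanningNetworkFiles $true
    Add-MpPreference -ExclusionPath $Exclusions
    foreach ($entry in $runEntries) {
        Remove-ItemProperty -Path $RunKey -Name $entry.Name
    }
    'Recommended settings applied.'
}
```

Run it first without `-Apply` from an elevated prompt on the image in private mode to see which recommendations are not yet met; rerun with `-Apply` only after replacing the placeholder paths, since an exclusion pointing at the wrong directory either does nothing or leaves a real directory unscanned.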

These will help overcome antivirus headaches.

Daniel – Lead Architect

7 thoughts on “Protection From Anti-Virus”

  1. Daniel,

    Great advice. One thing we are finding is by de-duping reads and writes inline between storage and the hypervisor then serving them from a 50,000 to 120,000 IOPS cache the IOPS bottleneck from Antivirus is eliminated.
