VMWorld: Virtual Antivirus, Endpoint Security Gaining Ground

That was the focus of a session, "Hypervisor-based Antivirus and Endpoint Security," held Wednesday during the second full day of the VMWorld Conference and Expo at San Francisco's Moscone Center.

In his presentation, Dean Coza, director of product management and security for VMware, said that VMware vShield, VMware's new suite of security virtual appliances, is addressing security threats while increasing efficiency and delivering memory benefits beyond those of traditional antivirus agents.

In particular, one component of the VMware vShield is the VMware vShield Endpoint, which provides an introspection-based antivirus solution for virtual environments.

Coza pointed out that traditional antivirus agents are often resource-intensive, consuming copious memory for storing signatures that range anywhere from 1,000 megabytes to one gigabyte.

In addition, traditional antivirus and endpoint security agents undergo frequently scheduled signature scans and updates, which can result in downtime or latency as the antivirus engines attempt to keep up with the barrage of new malicious threats.

"Those (machines) get updated more and more frequently as antivirus engines are trying to keep up with new malware," Coza said. "This is creating an issue in a virtual environment."

For businesses, that exponential memory usage translates to vastly increased costs.

"In the future, it just grows," he said. "This is a big cost on every virtual machine as memory is consumed."

"The main reason for consolidation is memory," he said, adding that VMware seized on the opportunity to expand its virtual offerings in the endpoint security space, and further enable its partners.

[VMware is] "enabling our partners to provide with introspection, to be able to run the same security engine outside the guest in a hardened virtual appliance," he said. "It's not a new way to do antivirus engines. Now they can do it from the outside."

In fact, cost savings from decreased memory consumption are one of the most compelling reasons to migrate to a virtual antivirus solution outside the guest, he said.

"By removing all this memory footprint from the guest into a single virtual appliance we save that (money), depending on the footprint the agent has," Coza said. "This could be substantial savings. It translates into consolidation which directly translates to cost."

Constantly updated virtual machines were another benefit, he said. In a physical environment, systems get backed up with signature updates when they're turned off, then have to play "catch up" when they're turned back on, leaving a window where they're left unprotected.

Not so in a virtual environment, Coza explained. With virtual machines, users can create templates and copy them. While the original machines go offline and online, virtual machines are "always on" and subsequently are available to receive security updates without any lag time.

"Virtual machines can go offline and online, and they're always protected," he said. "You don't have the issues of machines going out of date as far as protection goes. You don't have additional costs of updating every machine that goes back online."

Finally, moving the antivirus agent outside the guest reduces the chance that the security solution will be targeted by malware, Coza said. By decreasing the footprint of the antivirus solution, and moving most of the antivirus code outside the guest, users can reduce the chance of an attack from "anti-antimalware" -- malware designed to counter traditional antimalware/antivirus agents.

"You can for a price get anti-antimalware kits that allow malware coders to automatically attack antivirus engines," he said. "It's this battle between antivirus and malware with the most privileged levels; this is the battle the companies are fighting against malware. By moving most of the footprint, most of the code, outside the vulnerable part, and hardening the security appliance separated by hypervisor, now it's much, much harder for malware to access the antivirus engine."