
Antivirus and virtual machines - host or instance?

Created: 09 Feb 2012 • Updated: 25 Jun 2013 • 3 comments
GregDay-SecurityCTO

Strip away all the technical jargon and a virtual machine management package is just a software program that emulates a real computer for each instance of a virtual machine (VM). So, it will have virtual USB ports, virtual network connections, a virtual processor and so on, each of which will use up resources of the real, 'physical' machine.

Each VM instance will need to run an operating system and whichever applications it requires, as will the physical machine. In principle, it stands to reason that the total load on the physical processor at any moment in time is going to add up to the sum of all the OSes, applications, device drivers, virtual machine management tools and whatever else is running, whether they are on a physical machine or a virtual machine.

With this in mind, a question we are often asked is whether anti-virus software should be installed on the physical machine, or in each virtual machine instance. At first glance you'd think the answer would be obvious - let's say, if you've got 10 VMs, each running its own anti-virus package, then the total load on the CPU would be 10 times that of running anti-virus on the physical machine, wouldn't it?

In fact, the answer is more complicated than that - not least, because the equation is no longer linear. As virtualisation has increased in popularity, both hardware and software vendors have built their products to have a better understanding of the virtual machine architecture: this includes how applications access dynamic memory, which is a major element of antivirus efficiency.

We've been working closely with VMware to ensure our software runs as efficiently as possible on both physical and virtual machines. Not only does antivirus software on the host machine understand the notion of virtual machines (so it doesn't try to virus-check the VM as a single, multi-gigabyte file, for example), but also - and here's the kicker - computers with antivirus software running in virtualised instances can actually perform more efficiently than those with AV running on the physical host.

As virtualisation evolves, this question of whether to run functions in the management layer or within virtual machines will grow in importance, simply because both options will be increasingly valid. What works best in one scenario (say, where there is a lot of I/O) may not be best for another, which implies that having visibility into what's running where, and the relative performance impact, will also become increasingly important.

We can even envisage the ability to re-arrange capabilities as workloads change, to maximise use of processing resources and respond to business requirements based on changing demand. Such capabilities may be in the future, but the important take-home point for now is not to just assume that one model is better or worse than another.

Comments

Srikanth_Subra

Now we are installing antivirus in each individual VM... is it OK?

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

GregDay-SecurityCTO

...requires appropriate security controls. We so often see VM sprawl where security control can easily be lost. As such, strong visibility and applying security that is aware of the virtual environment is key to enablement.

Srikanth_Subra

Ok..Thanks for the update..

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)
