Posted to user@vcl.apache.org by "Hechler, Adam" <he...@rpi.edu> on 2012/12/03 14:58:21 UTC

RE: using AV in virtual machines

Thanks everyone who replied already.

Aaron - curious as to why image creation privileges is one of the deciding factors. One of the things we talked about here was a user having a reservation and getting infected in a normal VM and since that would be on a local (private) network it can at least spread through any reserved VMs (am I correct in that?)

There was also concern, and maybe this is for another question, that VCL users also would have local drives mounted via RDP and a virus in a reserved image can then spread to a local host.

Michael - the overhead on the images is my concern. Especially since most enterprise AV products I'm aware of attempt to update almost immediately upon startup or login which is when the users would notice it the most.

For everyone - if you do have AV in your images, are you updating the images often to get the latest definition files? Have you configured the AV to not update automatically?  Forgive these seemingly simple questions, but on our normal desktops we just let the AV auto-update so it's not an issue. But there is a performance hit to Windows upon startup or login. We're just looking for the best experience for our users.

Thanks,
Adam

From: Aaron Coburn [mailto:acoburn@amherst.edu]
Sent: Friday, November 30, 2012 4:43 PM
To: <us...@vcl.apache.org>
Subject: Re: using AV in virtual machines

We do not run anti-virus software in our VMs.

The main reason we don't is that we felt there are negligible security benefits while there are significant performance gains.

I should also mention that we really significantly restrict which users can create images. I would be more concerned about this if we opened up the image creation privileges to more people.


--
Aaron Coburn
Systems Administrator and Programmer
Academic Technology Services, Amherst College
acoburn@amherst.edu




On Nov 30, 2012, at 10:03 AM, "Waldron, Michael H" <mw...@email.unc.edu> wrote:


We are running anti-virus on our VMs because our security organization insists on it.

We do have it configured however not to run scheduled scans to reduce excess pounding on our backend storage. We run a scan when initially creating the image. Since the VM always reverts back to a clean image after a reservation, this satisfies our security group.

Mike Waldron
Systems Specialist
ITS - Research Computing Center
University of North Carolina at Chapel Hill
________________________________
From: Hechler, Adam [hechla@rpi.edu]
Sent: Friday, November 30, 2012 9:56 AM
To: user@vcl.apache.org
Subject: using AV in virtual machines
Hello,

Can the rest of you running VCL in production tell me if you're running Anti-Virus software in your VMs?

Can you explain briefly why you are or are not?

We're trying to determine if we should install AV in our images or not.


Thank you,
Adam

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Adam Hechler
Senior Analyst /PC Systems Administrator
Rensselaer Polytechnic Institute
275 Windsor Street
Hartford, CT 06120 USA
Ph: 860-548-2446
Email: hechla@rpi.edu
Web: http://www.ewp.rpi.edu


RE: using AV in virtual machines

Posted by "Waldron, Michael H" <mw...@email.unc.edu>.
Adam

Our AV is set to auto-update the definitions file, as it would be rather pointless to have AV and let this get stale. We have not observed any significant overhead of just the definition files updating, it's a rather lightweight operation. It has not been a concern for us. The main issue was to disable scheduled scans, as this obviously causes a lot of disk thrashing.


Mike Waldron
Systems Specialist
ITS - Research Computing Center
University of North Carolina at Chapel Hill



Re: using AV in virtual machines

Posted by Andy Kurth <an...@ncsu.edu>.
As Aaron P. mentioned, we run Trend OfficeScan at NCSU.  We have a
rather elaborate setup to overcome some issues with the university's
AV solution that are particularly problematic to a VCL environment.
We switched from Symantec to Trend a few years ago.  As a result,
Symantec had to be uninstalled and replaced with OfficeScan in all of
our images.  This is a huge deal since we had > 1,000 images at that
time and a large number of image creators of varying skills.
Uninstalling Symantec can be problematic and takes a couple reboots.
We wrote a custom module to do this.  It gets invoked during image
capture to replace the software.  It also gets invoked when an image
is loaded to "fix" OfficeScan by making sure it is configured to our
liking -- bypass our central software group's forced configuration
which causes problems such as regular pop-ups appearing from the
system tray/notification area, forced reboots, as well as scheduled
scans.

> Michael – the overhead on the images is my concern. Especially since most
> enterprise AV products I’m aware of attempt to update almost immediately
> upon startup or login which is when the users would notice it the most.
>
>
> For everyone – if you do have AV in your images, are you updating the images
> often to get the latest definition files? Have you configured the AV to not
> update automatically?  Forgive these seemingly simple questions, but on our
> normal desktops we just let the AV auto-update so it’s not an issue. But
> there is a performance hit to Windows upon startup or login. We’re just
> looking for the best experience for our users.

These are good questions.  There are several details regarding AV
software which may cause performance problems or failed reservations.

Our images get configured to install AV definition updates when an
image is loaded.  I have not noticed any performance issues because of
this.  Our AV product seems to behave pretty well regarding definition
updates.  It usually takes 30 seconds or less.

The AV software version does not get updated, only the definitions.
If your update mechanism updates the actual AV software version I'd
guess performance issues would be more likely.  You also have to make
sure nothing will automatically reboot the computer.  This will cause
VCL reservation failures depending on when the reboot occurs.


> From: Aaron Coburn [mailto:acoburn@amherst.edu]
>
> We do not run anti-virus software in our VMs.
>
> The main reason we don't is that we felt there are negligible security
> benefits while there are significant performance gains.

I'd agree with this.  The security benefits of the AV software are
severely diminished in a VCL environment where users have full
root/Administrator access within the images.  There is very little you
can do to prevent a savvy user from disabling or uninstalling the AV
software if it gets in the way of more alluring and dangerous actions.
 Some AV products (including ours) have mechanisms which are supposed
to prevent this by requiring a password.  This is easily circumvented.

-Andy