March 1, 2023
You’re probably familiar with the kind of performance issues inherent in antivirus/antimalware tools. Anyone who has used a PC when the antivirus scan boots up can attest to sluggish performance. The same issues rear their head when using antivirus in a virtual environment – but virtual machines come with their own set of wrinkles.
Antivirus software can be installed either on the VM itself or on the host. Depending on your approach, you’ll want to consider these key factors to maximize performance.
For VMware cloud environments, an agentless antivirus is often the best option for maximum performance. Agentless AV software installs on its own VM, which then scans the other VMs. This VM is called a Security Virtual Appliance, or SVA. Agentless AVs can typically take advantage of applied policies, scheduling, and optimization. VMware’s own vShield is one example of an SVA, but other vendors like Trend Micro integrate their SVAs with vShield APIs.
Agentless solutions may be more basic in their scanning, as they don’t always have quarantine. They generally provide file scanning but do not scan active processes in CPU or memory.
Installing an agent-based antivirus program is much more similar to the antivirus tools you may already have on your PC. In this case, the software is installed on each VM itself and operates in a similar manner to desktop scans.
Agent-based security solutions might have more granular scanning abilities (though that is not always true), but they come with a high performance price tag. Each VM takes a memory and CPU hit, which adds up significantly over an entire virtual data center. Another problem is antivirus storms, which occur when multiple machines run their scans or updates at the same time, dramatically increasing resource demand.
Agent-based AVs also require more involved administration, as each VM must have software deployed and updated individually. When VMs are migrated or change state, the AV must often be reconfigured.
While it may slightly increase risk, for best performance you will likely want to exclude some VMware files from the AV scan, namely the:
Many AV tools cannot read these types of files in any case, and the files are unlikely to be used as an attack vector. If an AV tool does attempt to scan them, scanning the disk files while they are being accessed can negatively affect administration of the VM.
Some allocation rules of thumb can help improve performance when using AV, too. Dynamic memory allocation can assign additional memory when needed, but you’ll want to set limits or risk running up a high bill for your cloud. Same with CPU — your AV should have configuration options for maximum CPU consumption. Disk I/O increases during a scan, as well. Because of the performance toll, you will want to randomize your scans or set up a staggered schedule to avoid AV storms.
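One way to build the staggered schedule described above, as an added example that is not from the original article: it spreads scan start times across a maintenance window and caps how many VMs scan at once on each host. The VM and host names, the window, and the assumption that a scan finishes within its slot are constructed for illustration.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: (vm_name, host). 9 VMs on esx-a, 5 on esx-b.
SAMPLE_VMS = [(f"vm-{i:02d}", "esx-a" if i < 9 else "esx-b") for i in range(14)]
WINDOW_START = datetime(2023, 3, 1, 2, 0)  # constructed maintenance window

def _stable_key(vm_name):
    # Hash ordering looks random but repeats on every run, so each VM
    # keeps its slot regardless of the order of the inventory list.
    return hashlib.sha256(vm_name.encode()).hexdigest()

def stagger_scans(vms, window_start, window_minutes, scan_minutes, max_per_host):
    """Return {vm_name: start datetime}; assumes a scan fits in one slot."""
    slots = window_minutes // scan_minutes
    if slots < 1:
        raise ValueError("window is shorter than one scan")
    by_host = defaultdict(list)
    for name, host in vms:
        by_host[host].append(name)
    schedule = {}
    for host, names in by_host.items():
        if len(names) > slots * max_per_host:
            raise ValueError(f"{host}: {len(names)} VMs exceed window capacity")
        # Round-robin over slots spreads load evenly instead of front-loading.
        for i, name in enumerate(sorted(names, key=_stable_key)):
            offset = (i % slots) * scan_minutes
            schedule[name] = window_start + timedelta(minutes=offset)
    return schedule

def peak_per_host(schedule, vms):
    """Largest number of scans starting in the same slot on each host."""
    counts = defaultdict(int)
    for name, host in vms:
        counts[(host, schedule[name])] += 1
    peaks = defaultdict(int)
    for (host, _start), n in counts.items():
        peaks[host] = max(peaks[host], n)
    return dict(peaks)

if __name__ == "__main__":
    plan = stagger_scans(SAMPLE_VMS, WINDOW_START, 120, 30, max_per_host=3)
    for vm, start in sorted(plan.items(), key=lambda kv: (kv[1], kv[0])):
        print(start.strftime("%H:%M"), vm)
    print(peak_per_host(plan, SAMPLE_VMS))
```

The capacity check fails loudly when a host has more VMs than the window can absorb, which is the point at which the window needs to be widened or the per-host cap raised.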
Ultimately, running an AV for your virtual environment is not much more difficult than administrating AVs for desktops or physical servers. If you need help setting up an AV or want to purchase a license as part of your cloud deployment, Green House Data can help maximize your performance and manage your licensing, updates, scheduling, and more.