Understanding vGW Series AntiVirus
This topic explains the vGW AntiVirus feature. vGW AntiVirus provides improved security and flexibility that agents alone cannot provide. It does this through:
- use of its kernel module installed in the ESX/ESXi host hypervisor.
- its management integration.
- its On-Access scans on VMs with only a light installation on the machine using its vGW Endpoint. An on-access scan is performed whenever a file is read from or written to disk.
- its On-Demand scans on VMs, which require no installation on the VM and no reconfiguration of the VM after the scan. vGW Series takes a snapshot of the VM disk, scans the snapshot offline, and then deletes it.
This topic begins by giving background information on antivirus technology. Then it explains vGW AntiVirus.
Note: The vGW Series AntiVirus feature requires a license.
For an overview of the complete vGW AntiVirus configuration process, including information on mandatory preliminary configurations, read vGW AntiVirus Configuration Overview. For each step, that topic provides links to topics that give detailed procedures.
About Antivirus Software
Antivirus software prevents and detects malware, such as viruses, worms, and spyware. A variety of strategies are usually involved in implementing antivirus software, including use of signature-based detection and rootkit detection, both of which the vGW AntiVirus supports.
Virtualized environments experience the same persistent threats and proliferation of malware that physical networks do. Not uncommonly, administrators of physical networks who have virtualized their environments install on their virtual machines the same antivirus software that they use on their hardware desktops. When it is installed on virtual systems, antivirus software designed for physical environments is severely limited, and it creates many problems. It does not recognize the virtual infrastructure; it consumes excessive memory, often exceeding 100 MB of RAM for a single guest VM; and it heavily degrades system performance through exhaustive CPU usage, often resulting in what is referred to as brownout.
Antivirus software is often the first line of defense against malware, but it should not provide this protection in the virtual environment at the cost of system performance.
Signature-Based Detection
A signature is a unique string of bits, or a byte pattern, that is characteristic and part of a certain virus or group of viruses. During a virus scan, the vGW AntiVirus feature compares the content of resources and files to be scanned against its virus signature database.
When vGW Series detects a signature pattern, it takes the remediation action that you specify when you configure the vGW AntiVirus scan. You specify this on the vGW AntiVirus module’s Scanner Config tab, which allows you to select more than one action.
For example, when you select Alert when a virus is detected as an action, the Virus Alerts tab shows details on the event when vGW AntiVirus detects a virus. You can view the Virus Alerts tab content to gain an understanding of the types of threats that have been found, such as worm.exe, and where the threat was identified, such as the workstation name and other related information.
The vGW AntiVirus feature is robust in that it uses two methods to detect viruses and malware. It uses a signature database to detect specific viruses. It complements this approach with heuristics methods for detecting suspicious code parts.
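The following is an added illustration of signature-based detection as described above; it is example code written for this page, not vGW code, and its signature database is a constructed, benign set of byte patterns. It shows the part a practitioner most often gets wrong when scanning large files in pieces: a pattern that straddles two read chunks must still be found, which the scanner handles by carrying an overlap of pattern length minus one bytes from one chunk to the next. It also records a SHA-256 of the scanned content, the kind of hash a fetch-for-analysis step would keep.

```python
"""Chunked signature scanner (added example, not vGW Series code)."""
import hashlib
import io

# Constructed sample signature database: detection name -> byte pattern.
# These patterns are harmless placeholders; a real database is far larger
# and is refreshed by signature updates.
SIGNATURES = {
    "Example.Test.Pattern-A": b"SAMPLE-SIGNATURE-ALPHA",
    "Example.Test.Pattern-B": b"\x4d\x5a\x90\x00SAMPLE-B",
}

CHUNK_SIZE = 64 * 1024  # bytes read per iteration


def scan_stream(stream, signatures=SIGNATURES, chunk_size=CHUNK_SIZE):
    """Scan a binary stream against the signature set.

    Reads the stream in chunks so that arbitrarily large files never have to
    be held in memory. `tail` keeps the last (longest pattern - 1) bytes of
    everything read so far, so every window of `tail + chunk` contains any
    pattern occurrence that ends inside the current chunk, including one that
    began in an earlier chunk.
    """
    overlap = max(len(p) for p in signatures.values()) - 1
    hits = set()
    digest = hashlib.sha256()
    tail = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        digest.update(chunk)
        window = tail + chunk
        for name, pattern in signatures.items():
            if pattern in window:
                hits.add(name)
        tail = window[-overlap:] if overlap > 0 else b""
    return {"sha256": digest.hexdigest(), "threats": sorted(hits)}


def scan_file(path, signatures=SIGNATURES, chunk_size=CHUNK_SIZE):
    """Scan a file on disk; `path` is any path the caller can open."""
    with open(path, "rb") as f:
        result = scan_stream(f, signatures, chunk_size)
    result["path"] = str(path)
    return result


def scan_data(data, signatures=SIGNATURES, chunk_size=CHUNK_SIZE):
    """Scan an in-memory byte string (handy for tests and small objects)."""
    return scan_stream(io.BytesIO(data), signatures, chunk_size)


if __name__ == "__main__":
    # Constructed content with a pattern placed across a 16-byte chunk boundary.
    sample = b"x" * 20 + b"SAMPLE-SIGNATURE-ALPHA" + b"y" * 5
    print(scan_data(sample, chunk_size=16))
```

Using a tiny chunk size in the usage line forces the straddling case; in normal use the default chunk size is fine because the overlap logic is independent of it.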
The vGW AntiVirus Feature
Traditionally, and extending into the present, antivirus software for the physical environment was developed to protect either the host (your desktop, servers, and other local devices) or the network, on which malware and attack attempts could be caught before they reached the host.
Software for the desktop and other hosts is thought of as agent, or endpoint, software. Endpoint software involves installing a scanning engine and an attack signature database on every machine, which results in slower system startup and performance on the device. When device scans run, memory is consumed and performance is affected. This model was carried into the virtualized environment as security products began to become available for it: the virtualized network and the virtualized host were protected separately by separate products.
The vGW AntiVirus feature constrains performance impact on the VM in both cases by centralizing its scanning engine and signature database on the vGW Security VM firewall instantiated on each ESX/ESXi host for which you configure vGW AntiVirus, and not on each VM. For On-Access scanning, whenever a VM’s disk is written to or read from, the “lightweight” vGW Endpoint that you install on it passes several portions of the file necessary to determine if it contains a virus to the vGW Security VM across the virtualized network for examination.
The vGW AntiVirus feature remains effective when VMware VMotion is used. When a VM that is protected by vGW AntiVirus is migrated to another ESX/ESXi host through VMotion, the VM remains protected. The vGW Security VM on the host to which it is moved takes up the vGW AntiVirus protection work, based on the original configuration.
The vGW AntiVirus feature protects VMs by detecting malware and quarantining affected VMs and, for On-Access scans, also quarantining affected files. It allows you to define a remediation plan.
When you enable the vGW AntiVirus feature, the vGW Security Design VM activates its scanning engine on the vGW Security VM. This approach centralizes the scanning engine to limit disk, disk I/O, memory, and CPU consumption, and distribute the load across the virtualized infrastructure. The vGW AntiVirus database and the updates to it are also deployed on the vGW Security VM.
vGW AntiVirus relies on three main components:
- vGW Security Design VM
You use the vGW Security Design VM to enable vGW AntiVirus, configure scans, view reports and alerts, download new signature versions, and download the vGW Endpoint.
If the vGW Security Design VM is configured for dual stack, first it attempts to use the IPv4 protocol to communicate with the vGW Security VM.
Note: By default, a dual stack vGW Security Design VM communicates with a vGW Security VM using the IPv4 protocol. However, you can use the vGW CLI to change the default IP protocol used by setting the center.dual.stack.default.communication.ipv4 parameter to false.
center.dual.stack.default.communication.ipv4=false
By default, this parameter is set to true.
This parameter is relevant only if the vGW Security Design VM is configured for dual stack and one or more vGW Security VMs are also configured for dual stack. In all other cases, the protocol used is the one that is common to both the vGW Security Design VM and the vGW Security VM, and this parameter is irrelevant.
- vGW Security VM
The vGW Security VM performs On-Demand scans.
It is possible to perform an On-Demand scan on a VM whose ESX/ESXi host does not have a vGW Security VM installed. In this case, the scan is performed by the vGW Security Design VM, a vGW Security VM on a different host (TCP 902 is required), or both.
vGW AntiVirus remains in effect when a VM is VMotioned to another host for analysis. In that case, the vGW Security VM on that host performs the vGW AntiVirus functions.
- vGW Endpoint
The vGW Endpoint is used for On-Access scans. It protects a VM against infected files whenever a file is read from or written to disk. The vGW Endpoint sends the file to the vGW Security VM to be analyzed.
When an infected file is identified and the quarantine action is specified in the On-Access scanner configuration, the file is isolated in the vGW Endpoint on the VM. It remains there until you un-quarantine it, delete it, or fetch it. When you release it from quarantine, it is made available to the VM again.
Note: On-Demand scans do not require installation of the vGW Endpoint. The vGW Endpoint is used for On-Access scans only.
vGW Series supports both AntiVirus On-Demand and On-Access features in IPv4 or IPv6 environments, or environments that are a mix of the two.
Although the vGW AntiVirus works in an IPv6 environment, communication between the vGW Endpoint and the vGW kernel module installed in the ESX/ESXi host hypervisor occurs over the IPv4 infrastructure. Note that the vGW Endpoint OS should be configured with the IPv4 stack enabled.
The vGW AntiVirus Dashboard
The vGW AntiVirus dashboard gives you an overall view of the current state of all protected VMs in your environment.
- You can view information for all VMs in your environment or for specific VMs. You use the VM tree to select the VMs.
- You can change the time interval to view threats that occurred within a broad or narrow span of time.
- You can view information on vGW AntiVirus events for VMs, such as details on viruses that were detected and signature updates.
Figure 77 shows the vGW AntiVirus Dashboard.
Figure 77: vGW AntiVirus Dashboard

The vGW AntiVirus Dashboard includes these panes:
- Current vGW AntiVirus Configuration Distribution
This pie chart shows you proportionally the number of VMs that are protected by the On-Access scanner, by the On-Demand scanner, or both of them, and those that are not protected by vGW AntiVirus.
- Threats Seen in Time Interval
This bar graph displays the kinds and percentage of threats that were identified in the selected time interval.
- Current vGW AntiVirus Protected VMs
This table identifies VMs that are protected by vGW AntiVirus, the type of scanner configurations that protect them, and the protection status and details for the VM. If the protection status indicates problems, you can click the VM’s row to display a page dedicated to it giving detailed information. The page shows scan statistics for the VM (how many files were scanned, how many files were quarantined, and so on), the scanner configuration for the VM, the threat type bar graph as applied to the VM, and a table identifying attempted virus infections, when they occurred, and how vGW AntiVirus handled them.
The Virus Alerts tab displays a graph that identifies threat types over a period of time. You use the Time Interval box to control the period. It gives details on the threat type, including the date of the event, the source, and the filename.
The Scanner Config page allows you to define On-Access and On-Demand scans. When you click Add to display the Add Scan Configuration pane, both types of scans are selected. You can configure them separately or together in one configuration. You can configure a typical scan or a custom scan. Figure 79 shows them configured together by default with a typical scan used. For details on configuring them separately, see Configuring vGW Series AntiVirus On-Access Scanning and Configuring vGW Series AntiVirus On-Demand Scanning.
Figure 79: vGW AntiVirus Scanner Config Tab

The Quarantined Files tab displays a list of quarantined files. Only infected files identified through an On-Access scan can be quarantined. When a file is quarantined, it is isolated in the vGW Endpoint on the VM and information about it is displayed on this page. The VM containing the file is identified. The location of the file is shown and its status is noted. See Figure 80.
Note: For a VM to appear as non-infected, or in a “clean” state, on the dashboard, it must have no items in quarantine. However, the fact that a VM is not quarantined and none of its items are quarantined does not mean that the VM is clean. A VM that has items in quarantine is not considered clean.
Figure 80: Quarantined Files
You can select one or more files and perform any of the following actions:
- You can fetch the file. In this case, the file is hashed and transferred off the VM for further analysis.
- You can un-quarantine the file. In this case, the isolated file is made available again to the VM.
In some cases, files are quarantined because of false positive results. That is, the file is suspected of being malware or infected, but that is not the case. Updating the signature database and running the scan again often resolves the problem.
- You can delete the file from the VM if you have confirmed that the file is infected or that it is malware.
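The quarantine workflow above (isolate, fetch with a hash for analysis, un-quarantine, delete) is modelled in the following added example. It is illustrative code written for this page, not the vGW Endpoint's implementation: the quarantine store is a directory on the VM, the item identifiers, the index file and the `is_clean` check are assumptions of the example, and the sample file contents are constructed. It reflects the note above in that a VM holding any quarantined item is reported as not clean, and it re-checks the recorded hash on fetch so an analyst knows the sample is the one that was isolated.

```python
"""Endpoint quarantine store (added example, not vGW Series code)."""
import hashlib
import json
import shutil
import tempfile
import time
import uuid
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large samples are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Quarantine:
    """Holds infected files out of their original location on the VM.

    Each item is recorded in an index (assumed JSON layout) with its original
    path, the detection name and the hash taken at quarantine time.
    """

    def __init__(self, root):
        self.root = Path(root)
        self.store = self.root / "store"
        self.store.mkdir(parents=True, exist_ok=True)
        self.index = self.root / "index.json"
        self.items = json.loads(self.index.read_text()) if self.index.exists() else {}

    def _save(self):
        self.index.write_text(json.dumps(self.items, indent=2))

    def quarantine(self, path, threat):
        """Isolate `path`: move it into the store and record where it came from."""
        path = Path(path)
        item_id = uuid.uuid4().hex
        record = {"original_path": str(path.resolve()), "threat": threat,
                  "sha256": sha256_of(path), "quarantined_at": time.time()}
        shutil.move(str(path), self.store / item_id)
        self.items[item_id] = record
        self._save()
        return item_id

    def fetch(self, item_id, dest_dir):
        """Copy the isolated file out for analysis; verify it is unchanged first."""
        rec = self.items[item_id]
        src = self.store / item_id
        current = sha256_of(src)
        if current != rec["sha256"]:
            raise RuntimeError("quarantined item changed since it was isolated")
        dest = Path(dest_dir) / f"{item_id}.{current[:12]}.quarantined"
        shutil.copy2(src, dest)
        return {"path": str(dest), "sha256": current, "threat": rec["threat"]}

    def release(self, item_id):
        """Un-quarantine: make the file available to the VM at its original path."""
        rec = self.items.pop(item_id)
        shutil.move(str(self.store / item_id), rec["original_path"])
        self._save()
        return rec["original_path"]

    def delete(self, item_id):
        """Remove a confirmed-infected file from the VM entirely."""
        rec = self.items.pop(item_id)
        (self.store / item_id).unlink()
        self._save()
        return rec

    def is_clean(self):
        """A VM with any item in quarantine is not considered clean."""
        return not self.items


def run_demo():
    """Constructed end-to-end run in a temporary directory; returns observations."""
    root = Path(tempfile.mkdtemp(prefix="endpoint-demo-"))
    vm_disk = root / "vm"
    analysis = root / "analysis"
    vm_disk.mkdir()
    analysis.mkdir()
    payload = b"constructed sample content, not malware"
    suspect = vm_disk / "worm.exe"
    suspect.write_bytes(payload)
    q = Quarantine(root / "quarantine")
    item = q.quarantine(suspect, "Example.Test.Pattern-A")
    out = {"isolated": not suspect.exists(), "clean_while_held": q.is_clean()}
    fetched = q.fetch(item, analysis)
    out["fetched_hash_matches"] = sha256_of(fetched["path"]) == fetched["sha256"]
    q.release(item)
    out["restored"] = suspect.exists() and suspect.read_bytes() == payload
    item2 = q.quarantine(suspect, "Example.Test.Pattern-A")
    q.delete(item2)
    out["deleted"] = not suspect.exists() and not (q.store / item2).exists()
    out["clean_after"] = q.is_clean()
    shutil.rmtree(root)
    return out


if __name__ == "__main__":
    print(run_demo())
```

The false-positive case from the list above maps onto `release`: after a signature update and rescan clears the file, un-quarantining puts it back at its original path unchanged, which is why the store never modifies the isolated bytes.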
When a VM is infected by a virus and the scanning configuration specifies Quarantine the VM, the VM is put in the quarantine policy group. To remove the VM from the quarantine policy group, use the Main module Quarantine tab. Select the VM, and click Un-quarantine.
For details on how the parts of the quarantine process work together for a quarantined VM, see Understanding Quarantined VMs and How to Manage Them.