Understanding vGW Series AntiVirus

This topic explains the vGW AntiVirus feature. vGW AntiVirus provides improved security and flexibility that agents alone cannot provide. It does this through:

This topic begins by giving background information on antivirus technology. Then it explains vGW AntiVirus.

Note: The vGW Series AntiVirus feature requires a license.

For an overview of the complete vGW AntiVirus configuration process, including information on mandatory preliminary configurations, read vGW AntiVirus Configuration Overview. For each step, that topic provides links to topics that give detailed procedures.

This topic includes the following sections:

About Antivirus Software

Antivirus software prevents and detects malware, such as viruses, worms, and spyware. Implementing antivirus software usually involves a variety of strategies, including signature-based detection and rootkit detection, both of which vGW AntiVirus supports.

Virtualized environments experience the same persistent threats and proliferation of malware that physical networks do. Not uncommonly, administrators of physical networks who have virtualized their environments install on their virtual machines the same antivirus software that they use on their hardware desktops. When it is installed on virtual systems, antivirus software designed for physical environments is severely limited, and it creates many problems. It does not recognize the virtual infrastructure; it consumes excessive memory, often exceeding 100 MB of RAM for a single guest VM; and it heavily degrades system performance through exhaustive CPU usage, often resulting in what is referred to as brownout.

Antivirus software is often the first line of defense against malware, but it should not provide this protection in the virtual environment at the cost of system performance.

Signature-Based Detection

A signature is a unique string of bits, or a byte pattern, that is characteristic and part of a certain virus or group of viruses. During a virus scan, the vGW AntiVirus feature compares the content of resources and files to be scanned against its virus signature database.

When vGW Series detects a signature pattern, it takes the remediation action that you specify when you configure the vGW AntiVirus scan. You use the vGW AntiVirus module’s Scanner Config tab, which allows you to specify more than one action, for this configuration.

For example, when you select Alert when a virus is detected as an action, the Virus Alerts tab shows details on the event when vGW AntiVirus detects a virus. You can view the Virus Alerts tab content to gain an understanding of the types of threats that have been found, such as worm.exe, and where the threat was identified, such as the workstation name and other related information.

The vGW AntiVirus feature is robust in that it uses two methods to detect viruses and malware. It uses a signature database to detect specific viruses. It complements this approach with heuristics methods for detecting suspicious code parts.
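The following is an added example, not vGW Series code, that illustrates the two detection methods described above: a scan engine compares content against a signature database of byte patterns, and a heuristic check flags suspicious regions that no signature names. Because on-access scanning hands the engine portions of a file rather than the whole file, the example also shows why a pattern that straddles two portions must still be found. The signature names, byte patterns, entropy threshold and sample data are all constructed for illustration.

```python
"""Added example, not vGW Series code: a minimal signature-based scanner
with a simple entropy heuristic. Signatures, names and sample data are
constructed for illustration and match no real malware."""
import io
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str       # label reported in an alert (hypothetical names below)
    pattern: bytes  # byte pattern characteristic of the malware family


@dataclass(frozen=True)
class Detection:
    kind: str       # "signature" or "heuristic"
    name: str
    offset: int     # byte offset of the match in the scanned content
    length: int


# Constructed signature database; nothing here corresponds to real malware.
SIGNATURE_DB = (
    Signature("Example.Worm.A", b"\x4d\x5a\x90\x00WORM-A-MARKER"),
    Signature("Example.Trojan.B", b"TROJAN-B-PAYLOAD"),
)


def scan_stream(stream, db=SIGNATURE_DB, chunk_size=4096):
    """Compare content read in portions against every signature in db.

    The tail of each portion (one byte shorter than the longest signature)
    is carried into the next read so that a pattern straddling two portions
    is still found. Matches are de-duplicated by (name, offset) because the
    carried tail is scanned twice."""
    max_len = max(len(s.pattern) for s in db)
    carry, base, seen, found = b"", 0, set(), []
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        for sig in db:
            i = buf.find(sig.pattern)
            while i >= 0:
                key = (sig.name, base + i)
                if key not in seen:
                    seen.add(key)
                    found.append(Detection("signature", sig.name, base + i,
                                           len(sig.pattern)))
                i = buf.find(sig.pattern, i + 1)
        keep = min(len(buf), max_len - 1)
        base += len(buf) - keep
        carry = buf[len(buf) - keep:]
    return sorted(found, key=lambda d: d.offset)


def high_entropy_regions(data, window=256, threshold=7.5):
    """Heuristic: flag fixed-size windows whose Shannon entropy (bits per
    byte) is high enough to suggest packed or encrypted content. The
    threshold is a constructed value, not a vGW setting."""
    found = []
    for off in range(0, len(data), window):
        block = data[off:off + window]
        if len(block) < window:
            break
        counts = Counter(block)
        entropy = -sum(c / window * math.log2(c / window)
                       for c in counts.values())
        if entropy > threshold:
            found.append(Detection("heuristic", "HighEntropy", off, window))
    return found


def scan_bytes(data, db=SIGNATURE_DB, chunk_size=4096, heuristics=True):
    """Scan an in-memory file image with signatures and, optionally, the
    heuristic; returns signature hits first, then heuristic hits."""
    detections = scan_stream(io.BytesIO(data), db, chunk_size)
    if heuristics:
        detections += high_entropy_regions(data)
    return detections


if __name__ == "__main__":
    # Constructed sample: the pattern starts 6 bytes before a 4096-byte boundary.
    sample = b"A" * 4090 + b"TROJAN-B-PAYLOAD" + b"B" * 100
    for d in scan_bytes(sample):
        print(f"{d.kind:9} {d.name} at offset {d.offset}")
```

Running the sample reports the constructed Trojan signature at offset 4090 even though the pattern crosses the 4096-byte portion boundary; the heuristic reports nothing for that file, since long runs of one byte have near-zero entropy, but flags every window of a buffer containing all 256 byte values.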

The vGW AntiVirus Feature

Traditionally, and extending into the present, antivirus software for the physical environment was developed to protect either the host—your desktop, servers, and other local devices—or the network, where malware and attack attempts could be caught before they reached the host.

Software for desktops and other hosts is thought of as agent, or endpoint, software. Endpoint software involves installing a scanning engine and an attack signature database on every machine, which slows system startup and degrades performance on the device. When device scans run, memory is consumed and performance is affected. This model was carried into the virtualized environment as security products began to become available for it: the virtualized network and the virtualized host were protected separately by separate products.

The vGW AntiVirus feature constrains the performance impact on the VM in both cases by centralizing its scanning engine and signature database on the vGW Security VM firewall instantiated on each ESX/ESXi host for which you configure vGW AntiVirus, rather than on each VM. For On-Access scanning, whenever a VM’s disk is written to or read from, the “lightweight” vGW Endpoint that you install on the VM passes the portions of the file needed to determine whether it contains a virus across the virtualized network to the vGW Security VM for examination.

The vGW AntiVirus feature remains effective when VMware VMotion is used. When a VM that is protected by vGW AntiVirus is migrated to another ESX/ESXi host through VMotion, the VM remains protected. The vGW Security VM on the host to which it is moved takes up the vGW AntiVirus protection work, based on the original configuration.

The vGW AntiVirus feature protects VMs by detecting malware, quarantining affected VMs, and, for On-Access scans, also quarantining affected files. It allows you to define a remediation plan.

When you enable the vGW AntiVirus feature, the vGW Security Design VM activates its scanning engine on the vGW Security VM. This approach centralizes the scanning engine to limit disk, disk I/O, memory, and CPU consumption, and distribute the load across the virtualized infrastructure. The vGW AntiVirus database and the updates to it are also deployed on the vGW Security VM.

vGW AntiVirus relies on three main components:

vGW Series supports both AntiVirus On-Demand and On-Access features in IPv4 or IPv6 environments, or environments that are a mix of the two.

Although the vGW AntiVirus works in an IPv6 environment, communication between the vGW Endpoint and the vGW kernel module installed in the ESX/ESXi host hypervisor occurs over the IPv4 infrastructure. Note that the vGW Endpoint OS should be configured with the IPv4 stack enabled.

The vGW AntiVirus Dashboard

The vGW AntiVirus dashboard gives you an overall view of the current state of all protected VMs in your environment.

Figure 77 shows the vGW AntiVirus Dashboard.

Figure 77: vGW AntiVirus Dashboard


The vGW AntiVirus Dashboard includes these panes:

The Virus Alerts tab displays a graph that identifies threat types over a period of time. You use the Time Interval box to control the period. It gives details on the threat type, including the date of the event, the source, and the filename.

Figure 78: Virus Alerts


The Scanner Config page allows you to define On-Access and On-Demand scans. When you click Add to display the Add Scan Configuration pane, both types of scans are selected. You can configure them separately or together in one configuration. You can configure a typical scan or a custom scan. Figure 79 shows them configured together by default with a typical scan used. For details on configuring them separately, see Configuring vGW Series AntiVirus On-Access Scanning and Configuring vGW Series AntiVirus On-Demand Scanning.

Figure 79: vGW AntiVirus Scanner Config Tab


The Quarantined Files tab displays a list of quarantined files. Only infected files identified through an On-Access scan can be quarantined. When a file is quarantined, it is isolated in the vGW Endpoint on the VM and information about it is displayed on this page. The VM containing the file is identified. The location of the file is shown and its status is noted. See Figure 80.

Note: For a VM to appear as non-infected, or in a “clean” state, on the dashboard, it must have no items in quarantine. However, the fact that a VM is not quarantined and none of its items are quarantined does not mean that the VM is clean. A VM that has items in quarantine is not considered clean.

Figure 80: Quarantined Files


You can select one or more files and perform any of the following actions:

When a VM is infected by a virus and the scanning configuration specifies Quarantine the VM, the VM is put in the quarantine policy group. To remove the VM from the quarantine policy group, use the Main module Quarantine tab. Select the VM, and click Un-quarantine.
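The following is an added example, not vGW Series code, that models how the pieces described in the Quarantined Files section and above combine: a detection triggers the actions configured for the scan (alert, quarantine the file, quarantine the VM), file quarantine applies only to On-Access detections, a VM quarantined by policy is removed from the quarantine group by an un-quarantine action, and the dashboard reports a VM as clean only when nothing of its is held in quarantine. Action names, VM names, file paths and the state labels are constructed; the model also assumes that file quarantine and VM policy-group quarantine are tracked independently, which is why releasing one does not clear the other.

```python
"""Added example, not vGW Series code: a small model of how remediation
actions, file quarantine and VM quarantine combine into the per-VM state
a dashboard shows. Names and labels are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed action names for a scan configuration.
ALERT, QUARANTINE_FILE, QUARANTINE_VM = "alert", "quarantine_file", "quarantine_vm"


@dataclass
class VMState:
    name: str
    quarantined_files: set = field(default_factory=set)  # isolated on the endpoint
    in_quarantine_group: bool = False                    # member of the quarantine policy group
    alerts: list = field(default_factory=list)           # (threat, path) pairs


class QuarantineModel:
    def __init__(self):
        self.vms = {}

    def vm(self, name):
        return self.vms.setdefault(name, VMState(name))

    def on_detection(self, vm_name, path, threat, scan_type, actions):
        """Apply the configured actions to one detection and return the
        actions that actually took effect.

        scan_type is "on-access" or "on-demand". Only an on-access
        detection can quarantine the file itself, so that action is
        skipped for on-demand scans (assumption of this model, following
        the rule that only On-Access finds are quarantined)."""
        vm = self.vm(vm_name)
        applied = []
        if ALERT in actions:
            vm.alerts.append((threat, path))
            applied.append(ALERT)
        if QUARANTINE_FILE in actions and scan_type == "on-access":
            vm.quarantined_files.add(path)
            applied.append(QUARANTINE_FILE)
        if QUARANTINE_VM in actions:
            vm.in_quarantine_group = True
            applied.append(QUARANTINE_VM)
        return applied

    def release_file(self, vm_name, path):
        """Release one quarantined file (an operator action on the file list)."""
        self.vm(vm_name).quarantined_files.discard(path)

    def unquarantine_vm(self, vm_name):
        """Remove the VM from the quarantine policy group. Quarantined files
        are untouched, so a VM that still holds any is still not clean."""
        self.vm(vm_name).in_quarantine_group = False

    def dashboard_state(self, vm_name):
        vm = self.vm(vm_name)
        if vm.in_quarantine_group or vm.quarantined_files:
            return "infected"
        # No quarantined items: shown as clean. That only means nothing is
        # currently held for this VM, not that it has been proven malware-free.
        return "clean"


if __name__ == "__main__":
    m = QuarantineModel()
    m.on_detection("db-01", "C:\\temp\\worm.exe", "Example.Worm.A",
                   "on-access", [ALERT, QUARANTINE_FILE, QUARANTINE_VM])
    print("after detection:", m.dashboard_state("db-01"))
    m.unquarantine_vm("db-01")
    print("after un-quarantining the VM:", m.dashboard_state("db-01"))
    m.release_file("db-01", "C:\\temp\\worm.exe")
    print("after releasing the file:", m.dashboard_state("db-01"))
```

The walk-through at the bottom shows the caveat from the note above: un-quarantining the VM alone leaves it reported as infected while a file is still held, and only after that file is released does the dashboard show it as clean.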

For details on how the parts of the quarantine process work together for a quarantined VM, see Understanding Quarantined VMs and How to Manage Them.
