A boon for virtual machine security

New anti-virus solutions designed to make it easier and cheaper to protect large-scale virtual environments are hitting the market

This year has seen security software vendors turn their attention to IT managers who are concerned that anti-virus and anti-malware applets are having a negative effect on virtual desktop and server performance.

Anti-virus software company BitDefender is working with VMware and other vendors to protect virtualised environments without running scans on each VM, after Trend Micro added agentless anti-malware to the latest version of its Deep Security suite earlier this year.

Security certainly causes some headaches for organisations running hundreds or thousands of virtual machines (VMs) on physical servers owing to the processing overhead created by having to run the same security application on each one. But the extent of IT department concern is unclear, and working out how to run VM security scans efficiently has proved a challenge, with different software vendors taking different approaches to the same problem.

"Anti-virus software puts a lot of pressure on CPU and I/O resources, so if you run 100 VMs, you need hardware that is 100 times more powerful," said BitDefender head of malware Viorel Canjai.

There are several ways of running virtual security, according to Canjai. "Running the security at the host hypervisor level is one way to do it, but another way is to have a virtual appliance that uses caching to scan all the VMs running on the server while avoiding scanning the same file. It is no use on the desktop PC where the software is different all the time, but it is good for virtual environments where there are lots of duplicate requests and shared files," he said.

BitDefender announced earlier this month that its patent-pending software would be integrated into VMware's vShield Endpoint virtualisation security platform, and the company has not ruled out working with other server virtualisation software vendors to provide either virtual appliance-based or agentless security solutions for their virtualisation management platforms.

"It's still under non-disclosure agreement with vendors, but as long as we find the right way to implement it we will expand it way beyond what is available today," said Rares Stefan, BitDefender director of business solutions.

"The opportunity is clear - the cloud runs on virtualisation but so far Trend Micro is the only company that can offer agentless security for hypervisor introspection and other vendors will follow the same model. We will see a lot of movement in the industry and a lot of vendors jump on the bandwagon in the next 12 months," he added.

The BitDefender software centralises scanning functions onto a Linux-based virtual appliance - a separate security VM running on top of the host hypervisor - which also runs de-duplication and caching processes to partially reduce the performance overhead by copying system updates to every VM.
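The caching idea described above can be sketched as follows. This is an added example, not BitDefender's or VMware's code: the `ScanAppliance` class, the byte-pattern "signatures" and the file contents are constructed for illustration. It also goes one step beyond the article by keying each cached verdict on the signature version, so a "clean" result cached before an update is not reused afterwards.

```python
import hashlib


class ScanAppliance:
    """Toy central scanner: one verdict per (content hash, signature version)."""

    def __init__(self, signatures, sig_version):
        self.signatures = signatures   # constructed byte patterns, not real signatures
        self.sig_version = sig_version
        self.cache = {}                # (sha256 hex, sig_version) -> verdict
        self.full_scans = 0

    def _scan(self, data):
        self.full_scans += 1           # stands in for the expensive engine pass
        return "malicious" if any(s in data for s in self.signatures) else "clean"

    def check(self, data):
        # Identical content from any VM maps to the same key, so it is scanned once.
        key = (hashlib.sha256(data).hexdigest(), self.sig_version)
        if key not in self.cache:
            self.cache[key] = self._scan(data)
        return self.cache[key]

    def update_signatures(self, signatures, sig_version):
        # Verdicts produced under an older signature set are dropped.
        self.signatures, self.sig_version = signatures, sig_version
        self.cache = {k: v for k, v in self.cache.items() if k[1] == sig_version}


def simulate(vm_count=100):
    # Constructed workload: every VM shares two base-image files and owns one unique file.
    base_image = {"kernel.bin": b"shared kernel bytes", "libc.so": b"shared libc bytes"}
    appliance = ScanAppliance(signatures=[b"EVIL-A"], sig_version=1)
    verdicts = []
    for vm in range(vm_count):
        files = dict(base_image)
        files["user.dat"] = b"data unique to vm %d" % vm
        if vm == 7:
            files["dropper.bin"] = b"xx NEW-B xx"   # not covered by signature version 1
        verdicts.append({name: appliance.check(data) for name, data in files.items()})
    scans_v1 = appliance.full_scans
    appliance.update_signatures([b"EVIL-A", b"NEW-B"], sig_version=2)
    rescan = appliance.check(b"xx NEW-B xx")        # same bytes, new key, scanned again
    return scans_v1, verdicts[7]["dropper.bin"], rescan, appliance.full_scans


if __name__ == "__main__":
    print(simulate())
```

With 100 VMs the appliance answers 301 file checks with 103 engine passes, because the two shared files are scanned only once each.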

It uses a patent-pending technology called B-HAVE that analyses malicious code inside the VM.

Although the results are yet to be publicised, BitDefender said it has conducted tests that show how the software significantly improves the performance of the host server while running multiple VMs.

"They are not our numbers but they are verified. We need to be vendor-agnostic to allow us to tackle any virtual environment," said Stefan, who argued that though VM security occupies something of a niche today, most IT managers know there is a problem even if they do not choose to admit it.

"It is very important to give people visibility into both virtual and physical security environments, so the software can sift through millions of security messages and pull out important events in near real time," he said.

Unlike BitDefender, Trend Micro's Deep Security Suite 8.0, expected to ship before the end of this year, will use the trusted protection management features embedded in dedicated CPUs on some Intel motherboards to create alerts when a hypervisor is attacked by a virus. Benchmarking conducted by the Tolly Group indicated that Deep Security could achieve total savings of $157 per desktop VM and $454 per server VM over three years compared with "traditional" anti-virus agents.