As the number of virtual servers/desktops increase, one may begin to ponder…”Do I really need to have AV agents running on ALL of my VMs? Is there anything I can do to optimize all of this AV scanning/updating?” To that end, I’ve seen more customers consider an agentless AV solution that integrates with VMware vShield. Going into too much detail is beyond the scope of this post, but I hope it sufficient to say that VMware vShield offloads antivirus and anti-malware agent scanning and processing to a dedicated secure virtual appliance delivered by select VMware partners such as McAfee, Trend Micro, and Kaspersky among others. An excellent resource to review in regards to AV best practices in a VMware View environment can be found here:
Typically, when our customers transition to vShield and agentless AV scanning, they have chosen McAfee MOVE. A very high level diagram of vShield and MOVE is shown below:
The only statement I really disagree with is “VMware VMs are instantly protected with VMtools”…..when installing VMware tools on your VMs, select a Custom setup and be sure that the vShield drivers are selected.
Referencing back to the first picture, the MOVE SVA (Security Virtual Appliance) is the scanning machine…its responsible for the VMs residing on its ESX host; additionally, each ESX host should have its own MOVE SVA. The operating system of the SVA is Linux and so the software used to perform the scans is McAfee VirusScan Enterprise for Linux. Similar to physical systems, the SVA will have the McAfee Agent installed and to protect the “agentless” VMs with the latest virus definitions, you must perform a DAT update on your SVA system by assigning a DAT update task (to be covered in part 2) to your SVA system.
The first step in setting up automatic DAT file updates is to verify that the Update Master Repository server task is enabled and running on the EPO (ePolicy Orchestrator) server. On the EPO server, launch the EPO administrator utility and login with valid credentials.
Click Menu | Automation | Server Tasks
Look for the Update Master Repository task and check the settings as this task is responsible for downloading the DAT files from McAfee onto the EPO server. Verify that the task is Enabled and has executed by reviewing the Last Run column in the EPO administrative GUI.
I’ll cover creating a new DAT file update task on the next post which will cover updating the DAT file on the SVA from the EPO server but the Update Master Repository server task must be checked first to ensure the DAT file update will work correctly on the SVA.