Traditional AV requires the installation of a scanning engine and virus definition files for the scan engine to check for onto the computer system that is to be protected, this is not new and is a well-established method of protecting against malicious software, the virus definition files are periodically updated so that the scan engine is aware of new threats. When the system is scanned local CPU, RAM and disk resources of that system are utilised – these days the increase is resource utilisation is barely noticeable on a modern desktop or laptop computer systems since the systems have more than adequate resource to be able to cope with performing the scan and allowing the user to work normally.
Most data centres these days have some form of virtualisation in them be it for back-end servers or shared/virtual desktops at the front end providing the end-user environment. These environments are every bit as vulnerable (more in some cases) to malicious software as traditional desktop computers and also require effective AV protection. One of the biggest benefits that a virtual infrastructure brings over traditional physical servers and computers is the efficiency of resource utilisation – physical computers have fixed amounts of CPU, RAM, and Disk and the workloads running on that computer has access to those resources whether it needs them or not; since the resources are local to that computer then when they are not in use nothing else can use them. Virtualisation on the other hand centralises the resources meaning they can be shared, made better use of and consequently will require less resources than running physical equipment.
When it comes to AV the huge benefit virtualisation brings with regards to sharing the resources also becomes something of a hindrance. Since the CPU, RAM and disk resources are now shared, then any workload that requires each computer to consume resources simultaneously – such as running a scheduled AV scan – has potential to significantly affect the smooth running of the virtualisation platform if the total pooled resources are not sufficient to cope with the workload. In the early days of virtualisation this became a problem very quickly and required careful co-ordination of scan schedules to limit the number of virtual machines running a scan simultaneously.
To mitigate this and provide a viable solution VMware created vShield. Similarly to the way that virtualisation allowed the collation of small amounts of physical resources into a large single platform, vShield takes a similar approach to the AV – rather than having multiple small scan engines installed on multiple VM’s, why not build a single large scan engine appliance that will scan the VM’s remotely? This approach means that the utilisation of resources in the environment is far more predictable since the resources being consumed are now allocated to a single virtual appliance rather than distributed across the virtual machine inventory.
At a very high level this is why AV in virtual environments should be centralised – to allow more predictable operation of the virtual environment and arguably more importantly, to preserve the ability of your users to work and be productive.