VMware host-based antivirus

mp3turbo

Folks, can you recommend any antivirus solution for the VMware platform? We've been evaluating two solutions already but they seem to be a little more pricey than we would like to hear [I'm intentionally not mentioning those two] but I feel there are not so many vendors in this market.

Environment sizing: 500 VMs, 24 physical CPU sockets.

Can you recommend any nice antivirus (feature rich, stable etc.) that doesn't cost an arm and a leg?
 
Price out 24 sockets of System Center 2012 R2 Datacenter.

Would be unlimited Endpoint Protection for any VM you run on the servers.

CDW pricing is $35,000 but System Center also would include a pretty decent backup product as well.
 
What market specifically? Are you installing the AV on the VMs, which means on Windows / Linux or whatever OS, then?

So why would Vipre / Bitdefender and all those not work?
 
We use Sophos for VM protection using the "Guest Introspection Driver", aka the vShield driver.
 
You really want a vShield compatible system with that many VMs. TrendMicro and Kaspersky both make enterprise level AV that works with vShield so you don't need to load an agent on every machine. The driver is a part of VMware Tools and allows for protection through a single VM appliance per host. All scanning and definitions are done through this appliance on each host. Much more efficient and eliminates scanning storms as well as overhead from full AV agents on every machine.

It is all centrally managed through their management consoles as well so there's a single pane of glass. You can also manage desktop protection through them as well.

Jake
 
TL;DR forget vShield if you want real protection

The whole vShield experience is meh. The idea is brilliant but totally comes apart at the execution level. I am not knowledgeable enough to know what exactly the holdup is but I know for a fact that Sophos is essentially useless because it can't take any action on infections found.

Sure, you get notified of an infection, that's great, and rather pointless if your goal is to prevent/quarantine infections in real-time.

TrendMicro doesn't provide an Intrusion Prevention System.

Symantec has the vShield appliance, but the level of protection is meh and the performance isn't great either when compared to just running SEP and being done with it. SEP has a shared insight cache where files are only scanned once and then are considered trusted, cached, and never touched again, which eliminates a lot of scanning (disk I/O). With SEP, scans are now randomized within the scan window, which also lessens the "scan storm".
 
What would you guys recommend for a non-persistent VDI environment then? We're using System Center now on our full clones but don't have anything for AV protection on our non-persistent linked clones. Due to auditing requirements we're going to need something for AV on all our endpoints. I've read about ways to have System Center Endpoint Protection loaded into the master image and have definition updates turned off, but then it would require frequent recompositions of the pool to keep the definitions up to date.
 
We're in the process of setting up McAfee MOVE onto one of our new clusters. I couldn't tell you the price for it though.
 
We too are looking into this. Currently we have Bitdefender deployed to all of our desktops, etc. and run ESET NOD32 on the servers. BD has a hypervisor based offering that we are going to be looking into, but we will also be looking at the other players on the market.
 
I run MOVE on our VDI environment at work. 500ish VMs, both linked clones and now Unidesk. 10 hosts. MOVE works well enough but you never quite know what it's doing. If you like being able to explain what a product is doing, sequence of events, etc., MOVE isn't good for that. If you want to meet compliance requirements MOVE works great. As a product it works too, to be fair. It detects threats and cleans them.

vShield Endpoint has caused problems for us in the past year with a known memory leak issue. That sucked but once we worked with VMware we got things sorted out quickly.
 