VMware’s new vShield product works by replacing an antivirus vendor’s endpoint agent with a VMware “thin agent” that looks for the kind of activity a security product monitors.
The workings of the new vShield Endpoint product were described today by Marios Leventopoulos, a VMware Security Software Project Manager, in a session at VMworld 2010.
Marios Leventopoulos explained how previous approaches to endpoint security for virtual machines typically saw antivirus software installed on each guest machine. When those guests were invoked, each would simultaneously download new antivirus signatures, unpack them and store them. This created an initial “storm” of network traffic, followed by a collective spike in CPU utilisation, followed by a third spike of demand for storage space. The last spike, he said, was generally the worst. Similar problems then repeated as virtual machines simultaneously conducted scheduled scans.
VMware’s answer to this issue is vShield Endpoint, which removes the need for security software to be installed on every endpoint and instead provides vendors with an API to create a virtual appliance that runs on the ESX server. That appliance contains all of a security vendor’s engines for detecting and repelling malware. Instead of the security software being resident on each virtual machine, Leventopoulos explained, VMware has devised a “thin agent” that looks for the kind of activity that interests antivirus software – files opening or closing, for example – and alerts the appliance to this activity.
The appliance and its security software then access the virtual machine in question and inspect the activity, then act if necessary.
VMware calls this arrangement “introspection.”
“This is not a new way to do antivirus,” Leventopoulos said. “This is the same engines that our security partners already have in the field, but now they can do it from the outside.”
Leventopoulos added that VMware believes this approach improves security, as it means guest virtual machines no longer offer antivirus software as a target for criminals. “By moving the software into a hardened appliance it is harder for malware to even access the AV engine, and harder to tamper with it,” he told the well-attended session.
Security administrators will notice little change, he added, as security vendors’ administrative tools drive the new virtual appliance in the same way that users would manage the software in a conventional deployment. Security software operates as it always did, with functions such as remediation of infected files made possible through the introspection-driven interaction between the security appliance and the thin agent on guest virtual machines.
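To make the division of labour described above concrete, here is a toy model of the introspection flow: the thin agent inside each guest only hooks file activity and forwards it, while a single appliance per host holds the engine and signatures, returns a verdict, and drives remediation in the guest. This is an added illustration, not VMware’s or any vendor’s code; the class names, the event and verdict shapes, and the signature set are this example’s own assumptions, and the sample file contents and signature pattern are constructed.

```python
"""Toy model of out-of-guest ("introspection") antivirus scanning.

Added example, not VMware vShield code. Assumed components (names are this
example's, not VMware's API):
  - ThinAgent: runs in a guest VM, hooks file open events, reports them to the
    appliance and applies whatever verdict comes back. It holds no engine and
    no signatures.
  - SecurityAppliance: runs once per host, owns the scan engine and the
    signature set for every guest on that host.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample signature set: name -> byte pattern. The pattern is made
# up for this example and matches nothing real.
SAMPLE_SIGNATURES = {
    "Example.Test.Marker": b"EXAMPLE-MALWARE-MARKER",
}


@dataclass
class FileEvent:
    guest: str
    path: str
    op: str          # "open" or "close": the kind of activity the thin agent reports
    content: bytes   # toy stand-in for the appliance reading the guest's file itself


@dataclass
class Verdict:
    clean: bool
    signature: Optional[str]
    action: str      # "allow" or "quarantine"


class SecurityAppliance:
    """One instance per host: the only place signatures are stored or unpacked."""

    def __init__(self, signatures: Dict[str, bytes]):
        self.signatures = dict(signatures)
        self.scanned = 0
        self.findings: List[Tuple[str, str, str]] = []   # (guest, path, signature)

    def inspect(self, event: FileEvent) -> Verdict:
        """Scan the reported file content against the appliance's signatures."""
        self.scanned += 1
        for name, pattern in self.signatures.items():
            if pattern in event.content:
                self.findings.append((event.guest, event.path, name))
                return Verdict(clean=False, signature=name, action="quarantine")
        return Verdict(clean=True, signature=None, action="allow")


class ThinAgent:
    """Per-guest hook: forwards events and applies the appliance's verdict."""

    def __init__(self, guest: str, appliance: SecurityAppliance):
        self.guest = guest
        self.appliance = appliance
        self.files: Dict[str, bytes] = {}        # toy guest filesystem
        self.quarantine: Dict[str, bytes] = {}   # files removed from the live filesystem

    def write_file(self, path: str, data: bytes) -> None:
        self.files[path] = data

    def open_file(self, path: str) -> Verdict:
        """Hooked file open: report to the appliance, then enforce its verdict."""
        event = FileEvent(self.guest, path, "open", self.files[path])
        verdict = self.appliance.inspect(event)
        if verdict.action == "quarantine":
            # Remediation is decided outside the guest and only applied here.
            self.quarantine[path] = self.files.pop(path)
        return verdict


def run_demo():
    """Two guests share one appliance; only one of them opens a flagged file."""
    appliance = SecurityAppliance(SAMPLE_SIGNATURES)
    agents = {
        "guest-a": ThinAgent("guest-a", appliance),
        "guest-b": ThinAgent("guest-b", appliance),
    }
    # Constructed file contents for the demo.
    agents["guest-a"].write_file("/tmp/report.txt", b"quarterly numbers")
    agents["guest-b"].write_file(
        "/tmp/dropper.bin", b"MZ..." + SAMPLE_SIGNATURES["Example.Test.Marker"]
    )
    results = {
        "guest-a": agents["guest-a"].open_file("/tmp/report.txt").action,
        "guest-b": agents["guest-b"].open_file("/tmp/dropper.bin").action,
    }
    return appliance, agents, results


if __name__ == "__main__":
    appliance, agents, results = run_demo()
    print(results, appliance.findings)
```

The point of the model is what the thin agent does not contain: no `signatures` attribute, no engine, nothing for malware in the guest to tamper with, which is the hardening argument the session made. The toy passes file bytes inside the event for simplicity; in the architecture described above the appliance reads the guest’s files through the hypervisor rather than receiving them from the agent, so the event would carry only the path and operation.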