VMware vSphere

What do you recommend for agentless anti-virus?  We are looking at Trend Micro's Deep Security product, but each host requires a dedicated virtual appliance.  So far this sounds like we can't use DPM anymore to power down unneeded hosts as it will have a VM assigned to it and they don't seem to have any scripts or anything in place to handle this.

Other recommendations or other news regarding this?

you may want to look at Symantec EndPoint Protection.  In my opinion TrendMicro is the clear leader in this game.  Trend overs a whole lot more than just virus protection.

I don't know much about SEP, but it may be worth looking into

I know that Trend can cover more, but we don't have the budget or use case for all of the other components.

Are you a Trend user?  Do you use DPM or just turn it off and not worry about it?  What about doing automated VMware updates? Same situation with an unmovable appliance sitting on the host.

We have been through numerous POCs and will start one back up again soon.  We do not use DPM in our environment.

I believe Trend has a plugin for an Agent VM that allows the appliance to go into a standby or powered off state during maintenance mode situations.  You may want to follow up with your trend contact with that.

I've been working with a Trend rep but they are not giving the air of familiarity with DPM or this type of request.

as suggested you may want to reach out to other vendors to see if there is anything they offer that will fit your requirements.  McAfee has "Move" but it still requires and ePO agent, I believe.

Troy Clavell wrote:

as suggested you may want to reach out to other vendors to see if there is anything they offer that will fit your requirements.  McAfee has "Move" but it still requires and ePO agent, I believe.

The McAfee literature is confusing.

They offer "MOVE" in two models. There is a "generic" model, which works on "free" VMware deployments and Hyper-V deployments, which requires an ePO agent.

They also offer an agentless product, which uses vShield and does not require any guest level installation.

The latter is clearly the "better" option from a resources and management point of view, and I have deployed it several times. Although, unlike other models, McAfee's agentless product uses MD5 to cache cluster-wide scanning of a binary. Given there are known MD5 collisions, this presents an interesting weakness that they have refused to acknowledge.

Both models are obtained under the same license (so you don't have to make a decision on this at purchase time).

Most of these require an appliance on the host. Is DPM really worth it in your environment? Maybe you can change the DPM idea and have a safer environment :smileywink:.

Niels Engelen wrote:

Most of these require an appliance on the host. Is DPM really worth it in your environment? Maybe you can change the DPM idea and have a safer environment :smileywink:.

I feel DPM is quite overrated. Unless you are supplying compute power to the amazon cloud, how often do you really spin up and down physical hosts? The second a host is turned off, someone in management is going to ask if they should have ever paid for it in the first place.

For us, DPM is useful.  We only have 3 hosts, but only need the capacity of 2 and keep the 3rd in DPM sleep unless memory spikes or we are doing maintenance.

In our datacenter, we pay per kilowatt so why have it on if not necessary?

Also, with this idea of a virtual appliance on each host, how does Update Manager work? Can't do scheduled updates anymore for the hosts?  Have to manually shut down the appliance so it can go into maintenance mode?

I did a POC for Trend Micro Deep Security 9.0 and ran into the following shortcomings when using with vCloud Director 5.1:

- Deep Security cannot protect Windows VMs, if the VMs have the same SID.  It will come up as "duplicate SID" and will not be protected.  Unless you have a way to enforce the tenant to click on "Generate a new SID" checkbox in the customization box in vCloud Director when deploying a new VM/vApp, it will be difficult to ensure that the new VMs deployed by the tenant will be automatically protected.  I spoke to TrendMicro about this, and this issue existed in Deep Security 8.0 as well, and they submitted it as a "feature request"

- In order to make the vShield Endpoint based anti-virus solution work, all of the VMs will have to have VMTool installed, with a custom option to make sure that vShield Endpoint driver/agent is installed.  I spoke to VMware vCloud Product Manager about this, and requested that "Install VM Tool" option in vCloud Director would automatically install this agent/driver.  That should take care of the Windows VMs.  Also, with so many different flavors of Linux OS out there, it will be very difficult to ensure that VMTool is installed automatically on all of the Linux VMs that the tenants deploy.  This issue will hold true for any vShield Endpoint based anti-virus solutions.

These products seem to be geared more toward VMware View environment, where you have the complete control of the template.  I have not come across a solution that will work seamlessly in vCloud Director environment yet.

We used Kaspersky for our "agentless" antvirus solution. Not really agentless since its actually using the VMware tools software to do the AV scanning.

Like Trend, a virtual appliance is required on each host to perform the  AV function.

Overall Kaspersky has worked well for us. AVOID SYMANTEC LIKE THE PLAGUE. Best advice I can give you.