Advising a client recently who is maxing out the CPU cycles available in the virtualized XenApp environment, I looked at whether AppSense Application Manager could do the job of the antivirus. The client uses AM mainly for software licence management. CPU is at such a premium in the virtual environment that the client is considering deprecating use of AM to save CPU cycles.
I examined whether the client could in preference deprecate their use of AV real-time scanning in this scenario, as AM can potentially do a good job of preventing unauthorised executables from running.
I came across the following AppSense whitepaper, AppSense_WhitePaper-Eliminating_Malware_on_the_desktop.pdf, which seems to indicate that AM could be used to prevent viruses from running, but makes clear at the same time that AM is not a virus removal tool. And of course it is not. But it can stop anything not installed by a Trusted Owner from running. The whitepaper comments on how AM's self-healing feature can actually protect the antivirus program from stealth attacks, so this appears to suggest that best practice still dictates running AV on the protected VMs.
My own view is that the PVS-based images revert to the gold image on a weekly restart, and that at most overnight virus scanning (to remove viruses) can complement AM's application control, but that real-time antivirus scans are not actually necessary.
A useful discussion blog trail appears on Dan Feller's blog at http://virtualfeller.com/2011/07/22/virus/