Antivirus and many antimalware tools operate by scanning files against a database of known threats and often perform...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
additional heuristic analysis of those files for potentially unknown threats. In a typical bare-metal or virtualized system, the process of file scanning can take some time and possibly impact workload performance. But malware scanning can pose an even greater performance impact for a system hosting containers.
The problem is shared components. Containers are built from a series of components or layers, such as the Windows base OS package. Those components or layers are typically shared between containers using placeholders -- called reparse points -- to compose each isolated container. When placeholders are read, the reads are redirected to the underlying component. If a container modifies a component, the placeholder is replaced with the modified component.
However, most antimalware tools operate above this level and never see the redirection taking place. Therefore, they have no way of knowing which container components are placeholders and which are modified. As a result, a scanning process can wind up rescanning the same underlying components for every container. This can cause a significant amount of redundant scanning on a host system with many containers. The result is reduced container performance because the same components are getting scanned far more often than they need to be.
It might be possible to avoid redundant scanning by helping antimalware tools "see" whether the container components are placeholders or modified -- new -- elements. Administrators can modify a container volume by attaching a specific extra create parameter to the Create CallbackData flag that receives placeholder information and then checking the ECP redirection flags. If the ECP indicates that a file was opened from a remote or registered layer, antimalware tools can skip the scan. If the ECP indicates that a file was opened from a local package or scratch layer, antimalware tools can scan normally.
Microsoft documentation provides additional details and instructions for this antimalware scanning workaround.
Learn about antimalware protection and endpoint security
Dig Deeper on Application virtualization
Related Q&A from Stephen J. Bigelow
VSAN 6.6 and 6.6.1 boast new features, such as vSAN Configuration Assist, integration with vROps and a streamlined upgrade process to improve storage...continue reading
For enterprises that require powerful security and resiliency, vSAN 6.6 presents an array of features, such as encryption and stretched clusters, to ...continue reading
Certain versions of the Linux kernel offer more complete and uniform support for paravirtualization than others due to the open source nature of ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.