Running antivirus scans on virtual hosts and virtual machines (VMs) is the right thing to do. But even before McAfee's latest blunder, IT administrators had begun to move away from running antivirus scans in virtual
The issue isn't whether antivirus scans provide a valuable line of defense but that antivirus applications kill system performance. Luckily, you can optimize an antivirus application and reduce its load on a host resource pool; you can also identify certain essential characteristics for an antivirus application for hosts and VMs.
The problem with antivirus scans
Most antivirus vendors have not embraced the shared virtualized server model. Many applications treat VMs as standalone desktops and use most of the system resources to finish antivirus scans as fast as possible.
A VM that uses 50% of its processor to scan every file, for example, can use a lot of resources. If you have 10 VMs simultaneously running antivirus scans, you could see severe performance degradation across every VM -- or even stoppages because of host resource saturation. If left unadjusted, the host becomes crippled and workloads become inaccessible until VMs finish their scans or you manually intervene.
Virtualization administrators face a tough decision: take a chance by not installing security software or run antivirus software and face regular disruptions.
Considerations for antivirus scans on virtual hosts
The process of choosing and deploying antivirus software for virtual host servers is fairly straightforward. Antivirus applications that minimize the use of host resources, for instance, best serve your environment. It seems basic, but the more resources used at the host level, the fewer resources are available for guests, which reduces overall consolidation cost potential.
Other than an application's resource footprint, consider the following scheduling and configuration features before deploying antivirus software.
- Exclusions. For Microsoft Hyper-V servers, it is almost always a best practice to exclude directories, file extensions, processes and even complete volumes from antivirus scans. Cluster Shared Volumes (CSV) -- or more directly, the reparse point to the CSV volume C:\Clusterstorage -- should always be excluded, for instance. Antivirus applications accessing this location from multiple servers can cause file lock issues. Because CSV are used only for Hyper-V VMs at this time, excluding this entire location eliminates unexpected problems. Microsoft TechNet has recommendations for Hyper-V exclusions.
- Timing. Scheduling scans is very important. A poorly timed, full antivirus scan can result in VM performance degradation. Determine when your production VM workloads are at their busiest, and plan your antivirus scans when the host is using fewer resources. Don't assume that the middle of the night is an off-peak time; it depends on the given workload.
- Real-time scans. Some antivirus applications have separate exclusions for real-time scans. Be aware of this, and duplicate the exclusions if applicable.
Considerations for antivirus scans in VMs
The architecture of antivirus applications running on VMs is a major shortcoming on any hypervisor. An antivirus application simultaneously running scans on multiple VMs has the potential of bringing a host resource pool to its knees.
Before you deploy an antivirus product in VMs, weigh the following scheduling considerations.
- Scan times. Scheduled antivirus scans also influence host resources saturation. It's OK if a small number of VMs run CPU-intensive scans. Problems arise, for example, when 20 VMs simultaneously use 50% of their CPU in a host with only eight CPU cores. In my experience, the highest CPU utilization by 20 VMs occurred during antivirus scans. It's clear that antivirus vendors must allow users to randomize scan times to reduce the potential for host CPU saturation.
- Other scans. On-access scans and quick scans are resource hogs. Often, there are detailed exclusions and adjustments for full antivirus scans but little or no adjustments for these types of scans.
Similar to full scans, on-access scans should have the ability to adjust the settings, including exclusions. Quick scans, on the other hand, sometimes start after a new definition arrives. I have used an antivirus application, for example, where I made the adjustments to full and on-access scans, only to have a quick scan bring the host server to a crawl. In this case, I had to disable the quick scans by modifying each VM's registry. Therefore, look at the options for these scans when choosing antivirus applications.
- Application and definition updates. A good antivirus application allows users to select an automatic or manual update. Definition updates should also permit randomized distribution.
You may need to immediately update your definition libraries, so the antivirus software design needs to be flexible.
After you've implemented antivirus software, here are ways to optimize its performance in VMs.
- Memory. This is a battle ground for antivirus applications, and lower memory usage is better for VMs. Without efficient dynamic memory allocation, any additional memory that's assigned to VMs may diminish overall VM-to-host ratio and reduce the cost savings of a virtual environment.
- CPU. Again, lower CPU usage is better. This is true for virtual and physical systems. But extra CPU usage for VMs is magnified because it resides in a shared host resource environment. Look for antivirus vendors that focus on a way to set CPU usage maximums or priority on scan processes. One vendor uses a slider bar that adjusts CPU usage, for example.
- Disk I/O. Obviously, file scanning increases disk I/O. Coupled with increased CPU and memory usage, a disk subsystem's resources can be taxed when multiple VMs scan all their files. Randomizing antivirus scans, in addition to the appropriate exclusions, will ensure disk resource saturation is minimized.
In shared resource environments, even the smallest increase in VM resources can drastically affect hosts. Some of these pain points have been seen for years with physical servers. But these problems are exponentially magnified in shared resource environments, such as virtual host servers.
Adding antivirus software to enhance virtual environment security should not penalize performance. But antivirus products require further innovation to adjust to virtualized and cloud infrastructures.
About the expert
Rob McShinsky is a senior systems engineer at Dartmouth Hitchcock Medical Center in Lebanon, N.H., and has more than 12 years of experience in the industry -- including a focus on server virtualization since 2004. He has been closely involved with Microsoft as an early adopter of Hyper-V and System Center Virtual Machine Manager 2008, as well as a customer reference. In addition, he blogs at VirtuallyAware.com, writing tips and documenting experiences with various virtualization products.
This was first published in June 2010