How does antimalware software affect VM performance? How can we overcome these performance problems?
Antimalware software (like antivirus software) presents a special problem for virtual machines. Although it is certainly possible to install and operate antimalware tools inside a virtual machine, it's important to remember that the antimalware tool can make significant demands on computing resources -- especially when it runs a scan. This means the tool can demand a sizable portion of CPU cycles, some memory space and almost exclusive access to storage.
The impact isn't such a big deal when the underlying system supports a single workload (such as your desktop PC). Software developers might indeed create a desktop VM -- complete with common antimalware products -- to simulate a complete desktop or other endpoint environment while isolating that environment from other workloads. This happens routinely in test and development situations.
But just imagine a server consolidated to run 10 or 12 enterprise-class workloads in order to maximize the use of server resources. When antimalware tools run (especially when they run simultaneously), the sudden burden on system resources can slow workloads to a crawl. Consider the hit to shared storage when 10 VMs all try to scan a LUN across the storage network.
There are several options to guard a virtualized server against malware while minimizing the performance problems antimalware software can present. First, IT administrators can consider installing antimalware software that is designed and optimized to reduce the computing burden on virtual machines. One example is Symantec Endpoint Protection software, which integrates with VMware vShield Endpoint. A second alternative is to install antimalware tools in the host rather than in each guest. This is certain to protect the host, and network scanning can often monitor network traffic to each VM. A third option is to install antimalware protection in the form of a dedicated network-based appliance, such as WatchGuard's XTM product line or Cisco's IronPort S-Series Web Security Appliances, which are designed to provide a network traffic gateway that can scan for malicious content before it ever reaches the servers and virtual machines.