THE BALANCE OF TODAY'S SECURITY SOLUTIONS


Updated: August 4, 2014
By Matvey Voytov, Senior product marketing manager, Kaspersky Lab

Using products that install a full security software agent and anti-malware database on every machine is not very effective within a virtualized environment, hence the need for agentless security applications.

The endpoint security software used to protect physical computers and servers is what’s known as an agent-based solution. In a non-virtualized environment, the full security software agent and anti-malware database are installed on the machine (server or desktop). Generally, using these agent-based products within a virtualized environment is not very effective. Each virtual machine will require the full agent and full anti-malware signature database to be installed on it. So, if the company has 100 virtual machines running on one virtual host, it’ll have 100 instances of the security agent and 100 instances of the malware signature database on that virtual host.

Agent-based security configurations cause the following problems in a virtual environment:

  1. Duplication: Every VM will carry an identical set of security components, including an isolated anti-malware engine and signature databases, each of which will need to update independently. This high level of duplication of the antivirus database wastes storage capacity.
  2. Instant-on gaps: It is not possible to update security components or databases on an inactive VM. So immediately after booting and before the security update is completed, the VM is vulnerable to attack.
  3. Update Storms: A virtual host stores the anti-malware databases and provides this database to the security agent on each virtual machine – simultaneous updates of each virtual machine’s anti-malware database can severely impact the performance of other applications.
  4. Scanning Storms: When virtual machines simultaneously start a routine security scan, the other applications running on that host are affected.

Agentless security applications only need one instance of the anti-malware database and one virtual machine that’s dedicated to security in order to protect every virtual machine that is running on that host. Compared to agent-based security, agentless solutions place much less demand on the host machine’s CPU, memory and storage. Furthermore, with only one dedicated security virtual machine, malware ‘scanning storms’ and security database / application ‘update storms’ are eliminated. In addition, instant-on gaps do not occur.

It should be noted that agentless security is only available using VMware’s vShield technology, so agentless security is not an option for Citrix or Microsoft virtual environments.

However, agentless security also has some limitations. vShield capabilities only allow access to protected VMs at file system level. This means that other endpoint protection technologies, like Application Control with Dynamic Whitelisting, designed to provide powerful additional layers of security, cannot be implemented.

Light Agent: Aiming to be a balance between “agentless” and “agent-based,” a light agent security solution uses a dedicated virtual appliance at the hypervisor level to store databases and conduct file-scanning (similar to an agentless configuration). This configuration also installs a small software agent on each virtual machine, which is specially configured to be lightweight and use far less processing power than a traditional software agent. This provides the benefits of performing the “heavy work” away from the VMs, but still having a direct link for performing advanced security tasks on each VM.

Even though there is a light agent on each virtual machine, ‘update storms’ do not occur – as there is only one instance of the security database, which is held within the virtual appliance – and ‘scanning storms’ are eliminated.

Light agent solutions can deliver security and management technologies that are not provided by agentless products, including:

  • The ability to scan memory – and find memory-resident malware,
  • Control tools that can be particularly useful in virtual desktop environments,
  • Host-based network security – including a firewall and host intrusion prevention system (HIPS).