One of the problems with virtual desktop infrastructure (VDI) that not a lot of people talk about is antivirus software.
Since VDI solutions consolidate all desktop processing onto centralized servers, CPU-intensive tasks like virus scanning can really have a negative impact on the overall performance or density of an environment.
To understand this, consider how antivirus protection works in a traditional environment. You might have all of your workstations perform a full system scan once a week. Do you know what day and time that is? Do you care? Do you care if all the workstations do their scans at once? Do you care if a workstation does its scan at a different time because it was powered off when it was originally scheduled to do its scan? What about on-demand scanning? Do you care if all of your users do an on-demand scan of the same Word doc at the same time because the CEO sent out a corporate press release?
In traditional desktop environments, the answer to all of these questions is probably "No." But in VDI environments with dozens of users' desktops running on the same physical host, each of these questions requires some thought. You can't run full system scans on too many virtual machines at once, or you'll kill your host CPU and max out the I/O on your storage (both of which are very bad). You don't want 50 users on the same host to run an on-demand antivirus scan on the same email attachment at the same time.
But what are your options?
As tempting as it is to just skip antivirus altogether in your VDI environment, that's just not realistic in today's environment. In fact, I wrote about this a few weeks ago. But most of today's antivirus products are not "VDI-aware." In other words, they treat a virtual desktop running in a VM in a VDI environment no differently than a physical Windows desktop running on a normal desktop computer. This means that you often have many separate VMs scanning the same file over and over, and you have the overhead of running antivirus agents inside of every single VM.
At Citrix Synergy in San Francisco a few weeks ago, McAfee announced a new platform called MOVE, for "Management of Optimized Virtual Environments." You can use MOVE to offload the "work" that agents typically do inside a desktop to a dedicated security virtual appliance, including all on-demand and on-access scanning. If you're running the full McAfee client security suite, then McAfee claims that you can more than double the number of VMs that run on a specific VDI server.
MOVE is not a real product yet -- it's more of a concept that will come out in phases over the next few months. (And McAfee certainly isn't the only client security vendor working on this kind of stuff.) But I hope this means that our painful days of running antivirus in VDI virtual machines will be a thing of the past.
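To make the "50 users scan the same attachment at once" problem concrete, here is a small model of a shared scan service that runs the engine once per unique file and hands the verdict to everyone else. It is an added illustration, not McAfee's MOVE design or code from this article; `SharedScanCache`, `sig_version`, `slow_engine` and `simulate` are hypothetical names, and the attachment bytes are constructed sample data.

```python
import hashlib
import threading
import time
from concurrent.futures import ThreadPoolExecutor

class SharedScanCache:
    """Toy scan appliance (hypothetical): one engine run per unique file content."""
    def __init__(self, scan_fn, sig_version=1):
        self._scan_fn = scan_fn         # the expensive scan-engine call
        self.sig_version = sig_version  # bump when definitions update
        self._lock = threading.Lock()
        self._verdicts = {}             # (sig_version, sha256) -> verdict
        self._in_flight = {}            # key -> Event that followers wait on
        self.scans_run = 0

    def scan(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        while True:
            with self._lock:
                # Keying on the signature version keeps stale verdicts unused.
                key = (self.sig_version, digest)
                if key in self._verdicts:
                    return self._verdicts[key]
                done = self._in_flight.get(key)
                if done is None:        # first caller becomes the leader
                    done = self._in_flight[key] = threading.Event()
                    break
            done.wait()                 # followers wait, then re-check the cache
        try:
            verdict = self._scan_fn(data)
            with self._lock:
                self._verdicts[key] = verdict
                self.scans_run += 1
            return verdict
        finally:                        # always release followers, even on error
            with self._lock:
                del self._in_flight[key]
            done.set()

def slow_engine(data: bytes) -> str:
    time.sleep(0.05)                    # stand-in for the CPU and I/O cost of a scan
    return "clean"

def simulate(vm_count=50):
    """Constructed scenario: every VM opens the same attachment at once."""
    cache = SharedScanCache(slow_engine)
    attachment = b"constructed sample: corporate press release"
    with ThreadPoolExecutor(max_workers=vm_count) as pool:
        verdicts = list(pool.map(cache.scan, [attachment] * vm_count))
    return cache, verdicts
```

Calling `simulate(50)` returns 50 verdicts with `scans_run` equal to 1. Changing `sig_version` forces a fresh scan, which is the behavior you want after a definitions update.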
ABOUT THE AUTHOR
Brian Madden is an independent industry analyst and blogger, known throughout the world as an opinionated, supertechnical desktop virtualization expert. He has written several books and more than 1,000 articles about desktop and application virtualization. Madden's blog, BrianMadden.com, receives millions of visitors per year and is a leading source for conversation, debate and discourse about the application and desktop virtualization industry. He is also the creator of BriForum, the premier independent application delivery technical conference.