Grafvision - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Do you need malware protection on a VDI thin client?

There are plenty of options for VDI thin client devices out there, and most are safe to use without antimalware software. Learn which thin client needs extra protection and why.

Most thin client devices don't require malware protection, but PCs repurposed as thin clients do.

There is a huge variety of VDI thin client hardware on the market, and these devices have widely varying capabilities, but as a general rule thin clients are not extremely susceptible to malware. It's usually not worth an administrator's effort to add malware protection to these machines.

However, some organizations repurpose old desktop PCs for use as thin clients, and admins should add malware protection on those. Repurposed PCs often run a desktop operating system with a hardened security configuration and connect directly to a virtual desktop session. These devices are configured not to run software locally, but it is still technically possible for malware to infect a repurposed desktop. Malware on these types of thin client devices can also attack hardware redirection or hardware drivers, which might, for example, inject a key logger onto the device.

Of course, many organizations use traditional thin client hardware from vendors such as Dell Wyse and HP Inc., which typically consist of little more than a small plastic case with ports for the keyboard, mouse, monitor, network and power supply. These types of devices do technically contain an operating system, but the OS is designed to have an extremely minimal footprint and is not easily exposed to or exploited by malware. Most organizations do little, if anything, to protect the OS on traditional VDI thin client devices.

If they really need to, administrators can gain root level access to a thin client's OS and install antimalware software if the device has sufficient capacity. In most cases, repurposed PCs with a thick operating system are the only type of thin client that admins can add antimalware protection to.

By and large, thin clients don't really need malware protection because the odds of malware being able to reach and infect them are very low.

Next Steps

Guide to choosing and managing thin clients

Test your knowledge of VDI hardware

Use Citrix XenClient to change a PC to a thin client

The basics of mobile thin clients

Dig Deeper on Virtual desktop management

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

On which VDI thin client devices do you run antimalware software?
Your statement is partially accurate.

Thin client malware vulnerability is based on the OS that is installed on the device. Linux based devices are fine without malware protection, and more than likely cannot have any installed. However, a significant number of Thin Clients run Windows Embedded. This is a full version of Windows, and while it can have a Write Filter, it is as susceptible as any other Windows based PC.

The Write Filter can easily be disabled as part of the configuration, and then is an open device. Even with the Write Filter active, it can host malware while the device is on. A power cycle will lose any infection, providing it is not on the LAN already.

So in answer to your opening statement, it should be: No, but then yes, depending on your device.