In VDI environments, administrators must take special care to ensure that the organization remains protected from malware, but without the antivirus software causing problems in the process.
There is no such thing as a universally accepted standard for malware protection in virtual desktop infrastructure (VDI). Each VDI vendor has its own recommendations for how protection should be implemented, so there is no definitive, step-by-step guide to anti-malware software use with VDI. Still, in general there are three main things that need to be protected -- the VDI servers, the virtual desktop images and the user profile folders.
VDI server protection
For the most part, you can use the same methods and techniques to protect VDI servers that you would use to protect any other server. The big exception to the rule, however, is that there are special considerations for the hypervisor that hosts the virtual desktops.
Once again, the specifics vary widely depending on which vendor's products you are using. Even so, there are typically certain processes and folders that need to be excluded from the malware scanning process. For example, in a Microsoft environment, you must exclude all of the virtual hard disks that make up your virtual desktops. There are also certain system folders that have to be excluded. It is important to consult the documentation for the specific hypervisor that you are using to determine malware protection requirements.
Protecting virtual desktop images
Once again, the specifics of image protection depend on the products that you are using, but often the easiest approach may be to allow antivirus software to be installed directly onto the virtual desktop image. Even so, this approach is not always the best. For one thing, there is a performance hit that will occur as a result of the scanning process. Another issue is keeping the anti-malware software up to date.
Oftentimes in VDI environments, virtual desktop images are static. Each individual virtual desktop may make use of a differencing disk that is linked to a static virtual desktop image. In these situations, there is little danger of the virtual desktop image becoming infected, because the image is read-only. As such, consider scanning the image before it is put into production rather than trying to actively monitor the image while it is in use.
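The pre-production scan suggested above, as an added example that is not part of the original article. It assumes a Microsoft environment with the Hyper-V and Microsoft Defender PowerShell modules, an elevated session and a management host; the function name Test-VdiImage and the image path are hypothetical.

```powershell
# Added example: scan a static VDI image offline before it goes into production.
# Assumptions: Hyper-V and Microsoft Defender PowerShell modules, elevated session.
# Test-VdiImage and the image path are hypothetical names used for illustration.
function Test-VdiImage {
    param(
        [Parameter(Mandatory)]
        [string] $ImagePath
    )

    $ErrorActionPreference = 'Stop'

    # Remember detections that already exist so only new ones are reported.
    $knownIds = @(Get-MpThreatDetection | ForEach-Object { $_.DetectionID })

    # Mount read-only so the scan cannot modify the image.
    $disk = Mount-VHD -Path $ImagePath -ReadOnly -Passthru | Get-Disk
    try {
        # Only partitions that received a drive letter can be scanned by path.
        $letters = @($disk | Get-Partition |
            Where-Object { [int]$_.DriveLetter -ne 0 } |
            ForEach-Object { $_.DriveLetter })
        if ($letters.Count -eq 0) {
            throw "No volume with a drive letter was found in $ImagePath"
        }

        foreach ($letter in $letters) {
            Start-MpScan -ScanType CustomScan -ScanPath ('{0}:\' -f $letter)
        }

        # Detections recorded during this scan.
        $detections = @(Get-MpThreatDetection |
            Where-Object { $_.DetectionID -notin $knownIds })
    }
    finally {
        # Always release the image, even if the scan failed.
        Dismount-VHD -Path $ImagePath
    }

    [pscustomobject]@{
        Image      = $ImagePath
        Volumes    = $letters
        Detections = $detections
        Clean      = ($detections.Count -eq 0)
    }
}

# Constructed placeholder path; replace with the real image location.
Test-VdiImage -ImagePath 'D:\Images\gold-image.vhdx'
```

Gate the image's release on the Clean property, and run the scan with current definitions so that the static image is checked against the latest signatures at the moment it is published.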
Protecting the user profile folders
User profile directories are by far the most difficult element when it comes to malware protection. These directories store all the files and folders that are created by the end user. Often, user profile directories exist within the differencing disks.
There are typically two main sources of potential malware problems within user profile directories. First, there are the user documents themselves. Second, the user's browser cache may become a source of infection.
There are a variety of techniques you can use to protect the user profile directories, but there is one option that seems to work especially well. In this approach, data files are redirected to either a file server or a SharePoint server for storage (with its own malware protection). This prevents any actual data from being stored within the user profile.
Because there is no data in the users' profile directories, the differencing disk containing the user's profile can be reset at the end of each VDI session. That way, any malicious files that might have been downloaded from the Internet are purged at the end of the session along with the rest of the contents of the browser cache. As such, users are guaranteed a pristine experience each time they establish a session.
Keep in mind that this is only one approach for protecting user profiles, and it is not appropriate for every situation. Organizations that need top-level security are obviously going to be better off taking the performance hit and running anti-malware software within the individual virtual machines.
Protecting virtual machines against malware is something of a balancing act. The need for security must be balanced against the need for performance. All the while, you must implement malware protection in a way that avoids interfering with the underlying virtualization stack.