McAfee introduces agentless virtualization AV management through VMware vShield Endpoint integration

By | April 04, 2012

Posted in: Network Security Trends

Virtualization brings significant practical advantages to the enterprise, particularly in terms of hardware, network infrastructure and energy savings. It makes data center consolidation feasible and, from a business perspective, almost mandatory. Virtual desktop infrastructure (VDI) is seeing increasing adoption, as it simplifies management, enables enterprises to better maintain standard client images and improves security. However, virtualization also introduces significant endpoint antivirus performance issues. AV vendors have been addressing this over the last couple of years through tighter integration of their products with the virtual machine environment. McAfee’s new release of its Management for Optimized Virtual Environments (MOVE) product is the latest enhancement towards solving this issue.

This release of MOVE introduces agentless management of McAfee security on VM servers and VDI client endpoints, integrating with VMware vShield Endpoint. MOVE has been on the market for some time, utilizing light agents on each VM; the agent-based approach integrates with all hypervisors, so enterprises with mixed-vendor virtual environments can now mix and match the agent and agentless technologies according to need.

The main issue at the heart of McAfee’s and other AV vendors’ virtualization optimization efforts is performance. Performance has become a significant problem for endpoint AV even on physical devices, as the requirements for filtering against millions of unique malware samples became overwhelming. So AV vendors have turned to various techniques, such as utilizing cloud-based checks to offload the burden.

The problem is significantly exacerbated on virtualization hosts, with multiple VM clients, each with its own AV installation, all contributing performance hits. This is especially true when a number of clients launch simultaneous scans, creating so-called “AV storms.” MOVE has addressed that until now through an agent that fingerprints each file scanned and caches the information. Subsequent scans check the cache and skip files that have already passed muster.
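The fingerprint-and-cache idea described above can be sketched as follows; this is an added example, not McAfee's code. It assumes a SHA-256 content hash as the fingerprint and a single cache shared by all guests on a host, and the scanner, file names and marker string are constructed for illustration.

```python
import hashlib


def toy_scanner(data: bytes) -> bool:
    """Stand-in for a full AV scan (constructed): True means the file is clean."""
    return b"CONSTRUCTED-BAD-MARKER" not in data


class SharedScanCache:
    """Verdict cache keyed by file fingerprint (hypothetical design)."""

    def __init__(self, scanner):
        self._scanner = scanner
        self._clean = set()      # fingerprints that already passed a scan
        self.full_scans = 0
        self.cache_hits = 0

    def check(self, data: bytes) -> bool:
        fp = hashlib.sha256(data).hexdigest()   # assumption: content hash
        if fp in self._clean:
            self.cache_hits += 1                # already passed: skip the scan
            return True
        self.full_scans += 1
        clean = self._scanner(data)
        if clean:
            self._clean.add(fp)                 # only passing files are cached
        return clean


def simulate_storm(vm_count: int = 20):
    """All guests scan at once; guest 7 carries one altered file (constructed)."""
    base_image = {
        "os_library.bin": b"base-os-library",
        "office_suite.bin": b"office-suite",
        "policy.cfg": b"policy=v1",
    }
    cache = SharedScanCache(toy_scanner)
    verdicts = {}
    for vm in range(vm_count):
        files = dict(base_image)
        if vm == 7:
            # Same path, different bytes: the fingerprint differs, so no cache hit.
            files["office_suite.bin"] = b"office-suite CONSTRUCTED-BAD-MARKER"
        verdicts[vm] = {name: cache.check(data) for name, data in files.items()}
    return cache, verdicts


if __name__ == "__main__":
    cache, verdicts = simulate_storm()
    print("full scans:", cache.full_scans, "cache hits:", cache.cache_hits)
    print("guest 7:", verdicts[7])
```

Because the key is derived from file content rather than path, a modified file on one guest misses the cache and gets a full scan, and a file that fails is never cached as skippable.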

The agentless integration with VMware leverages vShield Endpoint rather than relying on a McAfee agent. This has a couple of advantages in VMware implementations: It removes the management overhead of handling yet another agent on endpoints, and it also means that new VMs are automatically protected as soon as they are created. This latter point is especially helpful, as new VMs are frequently created in large, complex and dynamic enterprise networks.

Other major AV vendors, such as Symantec and Trend Micro, have also taken steps to optimize virtualized endpoint performance with virtualization-aware technology and their own integration through VMware's APIs.

Performance is the same in both agent-based and agentless MOVE implementations, McAfee says. The only significant difference is in how the product scales. Agent-based deployments can scale to offload processing of roughly 450 VMs. VMware limitations mean enterprises will need one MOVE VM for each hypervisor, managing perhaps 150-200 endpoints, depending on the host hardware capabilities. The pricing is the same, as enterprises have the option of paying per hypervisor or per node, or a mix of both if more than one virtualization vendor is involved. McAfee also points to its very popular ePolicy Orchestrator (ePO) management software, which scales effectively across very large, distributed infrastructures.

