Is it possible to have a Single Anti-virus program for many VMs?

Solution 1:

The main problem is that the host OS does not necessarily understand the internals of the guest OSes - i.e. it does not know what processes are running in the guest OS or even the filesystem layout. Usually, the host OS sees the virtual machines just as a black box using a certain amount of memory, a disk image/partition and some CPU cycles.

But to implement an effective anti-virus program, you will need to have access to the process details and file information (and that information is only available inside the virtual machine).

Solution 2:

Bit late to this particular party but VMWare's vShield Endpoint product when combined with specific third-party virtual appliances (such as Sophos Endpoint) allows for a single central VM to handle all antivirus operations for an entire VM farm.

Solution 3:

Antivirus programs operate at the file level, that is, on every filesystem access (open, read, write, etc) they intercede on the request and filter it according to their various rules. For example, checking the contents of the file for viral signatures if it's an executable.

Virtual Machine hosts operate at the CPU level, that is, they intercede on their Guest OSes when the OS does something that is very low level and needs to be emulated to preserve the state of the VM. The Host VM software is oblivious to the actual operation of the Guest OS, and operates simply to continue the illusion that the Guest OS is running on real hardware (this isn't strictly true; various tools exist to allow the Guest OS access to the Host OS, VMWare tools drivers for example).

The only way for this to work would be a driver loaded in the Guest OS that delegated control on each access to the Host VM and from there to a user space AV program running on the host. The result of those operations would have to be propagated back into the Guest OS to be applied by its OS to avoid corruption from the Guest and the Host modifying the disk structures concurrently.

So, at the end of the day you would have one copy of your AV software running external to the Guest OS, but having to communicate with all of them (in a very complicated manner) to achieve what a traditional AV solution would do.

We haven't even touched on dealing with running multiple heterogeneous OSes on the same Host VM, upgrades to this shared AV service, VM migration between physical hosts, etc.

I doubt that the solution above would prove to be as performant as a traditional AV service running inside the Guest OS. What was your motivation for asking this question?
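The delegation the answer above describes, modelled as an added example (this is not code from the answer, nor from any vendor's product). The names `CentralScanner`, `GuestFilter` and `run_demo` are invented here; the JSON request/reply passed over a plain function call stands in for whatever guest-to-host transport a real product would use; the verdict cache keyed by content hash is an added design choice (one reason a single scanner serving many guests can pay off), not something the answer claims. The EICAR string is the standard harmless antivirus test pattern; the second signature and all file contents are constructed for the demo.

```python
import hashlib
import json
import threading

# Constructed sample signature set. EICAR is the standard harmless AV test
# string; "toy-sig" is a made-up pattern for this example only.
SIGNATURES = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "toy-sig": b"MZ\x90\x00BAD-PAYLOAD",
}


class CentralScanner:
    """Stands in for the single AV service running outside all guests.

    It knows nothing about guest filesystems; it only sees the request the
    guest-side filter forwards (guest id, path, content) and answers with a
    verdict. The verdict cache keyed by content hash is an assumption of this
    example: with one scanner serving many guests, identical files (shared
    base images, the same installer copied to every VM) need scanning once.
    """

    def __init__(self, signatures):
        self.signatures = signatures
        self._cache = {}                # sha256 hex -> verdict, shared by all guests
        self._lock = threading.Lock()   # guests may call in concurrently
        self.stats = {"scans": 0, "cache_hits": 0}

    def handle(self, request_json):
        """Host side of the channel: takes the serialized request so the
        guest/host boundary is explicit, returns a serialized verdict."""
        req = json.loads(request_json)
        data = bytes.fromhex(req["content_hex"])
        digest = hashlib.sha256(data).hexdigest()
        with self._lock:
            verdict = self._cache.get(digest)
            if verdict is not None:
                self.stats["cache_hits"] += 1
            else:
                self.stats["scans"] += 1
                verdict = self._match(data)
                self._cache[digest] = verdict
        return json.dumps({"guest": req["guest"], "path": req["path"],
                           "verdict": verdict})

    def _match(self, data):
        for name, pattern in self.signatures.items():
            if pattern in data:
                return "malicious:" + name
        return "clean"


class GuestFilter:
    """Stands in for the in-guest filter driver from the answer above.

    It intercepts each write, forwards the content to the central scanner,
    waits for the verdict, and only then commits the write to the guest's own
    filesystem (modelled as a dict), so the guest remains the sole writer of
    its disk structures.
    """

    def __init__(self, guest_id, scanner):
        self.guest_id = guest_id
        self.scanner = scanner
        self.fs = {}        # path -> bytes: toy guest filesystem
        self.blocked = []   # (path, verdict) for denied writes

    def write(self, path, data):
        request = json.dumps({"guest": self.guest_id, "path": path,
                              "content_hex": data.hex()})
        reply = json.loads(self.scanner.handle(request))
        if reply["verdict"] != "clean":
            self.blocked.append((path, reply["verdict"]))
            return False    # deny: nothing reaches the guest filesystem
        self.fs[path] = data
        return True


def run_demo():
    """Two guests of different OS types sharing one scanner (constructed data)."""
    scanner = CentralScanner(SIGNATURES)
    linux_vm = GuestFilter("vm-linux-01", scanner)
    windows_vm = GuestFilter("vm-win-01", scanner)
    linux_vm.write("/home/user/report.txt", b"quarterly numbers")
    linux_vm.write("/tmp/eicar.com", SIGNATURES["EICAR-Test-File"])
    windows_vm.write(r"C:\Users\u\eicar.com", SIGNATURES["EICAR-Test-File"])
    windows_vm.write(r"C:\Temp\dropper.exe", b"MZ\x90\x00BAD-PAYLOAD-trailer")
    return scanner, linux_vm, windows_vm


if __name__ == "__main__":
    scanner, lin, win = run_demo()
    print("blocked on linux guest:", lin.blocked)
    print("blocked on windows guest:", win.blocked)
    print("scanner stats:", scanner.stats)
```

Running the demo shows the point the answer makes about complexity: every guest write becomes a round trip across the guest/host boundary and the guest cannot commit until the verdict returns. The second EICAR write, from a different guest, is answered from the shared cache without a rescan, which is the kind of cross-VM saving a centralized scanner could offer if that round trip were cheap enough.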

Solution 4:

You didn't mention which VM tech vendor you were using, but this is something that has come up as a product request on the VMware side and I believe it is set to be architected into the next version of their "bare-metal" product, vSphere.

http://www.vmware.com/technology/security/vmsafe.html

That's their main product page for this technology. You can look at the little flashy demo for a little bit more of a high-level view of how it would work, but as you suggested, the hypervisor layer could allow a vmsafe 'appliance' (just another VM in the DataCenter) to monitor all the virtual hardware components (network, CPU, RAM, Disk) for evidence of malware and snuff it out before it becomes a problem.

Pretty cool, but only if you're running VMware, and well, the product isn't fully released yet, anyway!

Good thoughts.