I also just got back from BriForum 2011 – Chicago and attended two sessions that furthered my beliefs that blanketing antivirus across all of my virtual desktops probably isn’t the best thing. First, Jim Moyle focused his session on a deep dive into Windows IOPS and showed how different actions impact IOPS requirements in a virtual desktop. Let’s just say the graph for certain Antivirus and security products were absolutely crazy. Basically, if you run antivirus in a virtual desktop, you might as well double your IOPS requirements (this is not news to me or many people in the crowd, but the graph was so telling). Michael Thomason, who presented on how to mitigate IOPS requirements also said their Antivirus killed their storage and that they had to take drastic measures by limiting what was being scanned. Then, I remembered looking at Citrix’s recommendations for Antivirus in a virtual desktop. Basically, you should only scan writes to local files where the data changes while excluding a bunch of other folders. Basically, it says you should scan as little as possible.

Three different areas and I get the same result: Antivirus has a noticeable disk impact.

So what we have is a situation where we will double storage requirements for something that everyone believes is a requirement, but we take drastic steps to limit how much/how often it runs to try and reduce storage requirements. Does anyone see the problem here? People think they need it but take steps to limit it. Many believe that what was once good for the desktop is still good for the virtual desktop. Fortunately, things have changed and we have to question our old beliefs. Unfortunately, changing old beliefs, especially anything to do with security of IT systems in an enterprise, is a very big uphill battle. How many of you want to go into a financial company and say remove your antivirus software from you desktops. They would laugh at you while security threw you out the front door.

However, with the traditional desktop, the costs of using antivirus were minor. We just did it because it provided a sense of security. We never cared about storage optimization and performance on a traditional endpoint (at least I never did). With virtualization, things changed. We do care about storage performance. I know more about IOPS now than I really care to know. ProjectVRC Phase III tests show how to reduce and optimize IOPS. So why is no one asking the question if one of the biggest IOPS consumers is really a requirement? No one dares to ask the question because it is almost a forbidden topic.

Now let me make this clear… I do not have a virus scanner on my laptop, I do not have a virus scanner on my home desktop, I have never had a virus scanner on any of these devices, and somehow, I have never had a virus. Now the smart ones reading this are asking “But if you don’t have a virus scanner, how do you know you don’t have a virus?” Because every so often (maybe yearly or every ½ a year), I run a free scanner that doesn’t require an install just to see if everything is still clean (it always is)

How can I go so long without getting a virus? Is it because I don’t go online? Is it because I’m completely disconnected from the network? No. I work like anyone else. Being virus free used to be pretty hard to do, but it has gotten so much easier over the past few years. There are systems in place protecting me from doing very stupid things. As I see it, there are only a few places where I will get a virus, but systems protect me.

  1. Email:
    1. The Citrix IT team is running virus protection on the Exchange email servers. I can feel pretty confident that I am safe with corporate email.
    2. Google, Yahoo and Microsoft have virus protection running on their email systems. When I receive attachments and try to open, each one scans the file first (although they are probably just reading my email and realize I lead a pretty boring life). This scan helps protect my personal email.
  2. Internet: I usually stay on pretty well-known and safe sites (especially on my work computer), but sometimes I accidently hit a pop-up and next thing you know, I’m somewhere I don’t want to be. Luckily, the browsers are much smarter than they used to be
    1. Some will tell me if the site I’m going to isn’t safe
    2. Some will ask before downloading anything
    3. Some will scan downloaded files for viruses
    4. Even Windows 7 doesn’t install anything unless I tell it that it is ok
    5. Most run with user privileges and not administrative privileges
  3. Sharing USB drives: I don’t. If someone wants a file from me, I usually just ask for email address. This doesn’t happen very often though as I have nothing of value on my laptop J And if you are running a virtual desktop, you can simply disable this functionality.
  4. Network: If someone else gets a virus, there is a chance that the virus will worm itself across the network and infect other desktops. With my firewall enabled, this provides some level of protection.

Do these protect me completely? No, and I’m not so naive to believe that they do, but antivirus solutions don’t completely protect me either. My point is that these other solutions provide enough protection for the level of risk I can tolerate. Does this mean you should dump your antivirus from all of your virtual desktops? No. But I do encourage you to look to see if you need it on every desktop. Maybe you would be better off

  1. Splitting your XenDesktop sites into security levels where only the most secure desktops have antivirus because they are dealing with your company’s secret recipe.
  2. Setting up your environment in such a way that you have blocks of desktops where the one block cannot infect other blocks. That way, in case a virus does get through, the area to attack is much smaller and easier to contain.
  3. Hosting mission critical applications as XenApp resources with antivirus enabled to a non-antivirus enabled virtual desktop. That way you still keep that warm fuzzy feeling of having an antivirus solution but it doesn’t have nearly as large of a resource hit as putting it on every desktop.

Whatever you do, think about the decision, the ramifications and your tolerance for risk. Citrix says one size doesn’t fit all for virtual desktops, and I say the same statement can be made for Antivirus.