Is host-based antivirus software losing luster?
As virtualization and Web apps pick up steam, they are leaving traditional antivirus software behind
Traditional host-based antimalware packages just aren't that useful anymore, according to some companies that find it either doesn't protect against the main dangers they face from the Web or it simply doesn't run well in virtualized computer environments.
PrimeLending is "hovering at 95 percent virtualized," and the move has necessitated a new approach to security, such as deploying virtual-machine-based intrusion detection and protection. But the company has also found that some things that worked fine in the pre-virtualized era, such as traditional host-based antivirus software, just don't seem to run well in a virtualized environment, says Johnny Hernandez, vice president of information security at Dallas financial services firm PrimeLending.
The company has undergone a gradual transformation from traditional physical servers and desktops to virtualized ones based on VMware vSphere. "Today, we don't run A/V in the current virtualization environment because it does have an impact on the back-end and system utilization," Hernandez says. PrimeLending has virtualized its internal financial databases, Exchange and SQL servers and SharePoint. Traditional anti-malware programs running in multiple virtual instances can disrupt application performance.
Perimeter-based malware filtering, in this case using a Cisco-based antimalware filter, is one line of defense for the company. Physical appliances used for security, however, generally face "blind spots" in terms of VMs. But PrimeLending is now monitoring and inspecting VMs for signs of malware or attack traffic in a way it couldn't before by using the HP TippingPoint Virtual Controller (vController), the version of TippingPoint's IPS (intrusion-prevention system) for VMware-based environments. It works like a software-based extension of the physical HP TippingPoint IPS.
That has worked well at overcoming the VM blind spot, Hernandez says, though the unexpectedly high traffic speeds that came with virtualization itself meant switching to a higher-speed TippingPoint appliance.
The vController IPS has been able to identify potential problems, such as a document that had become infected, apparently because an employee edited it on an infected home PC and then uploaded it to SharePoint. "The document stored internally was trying to gather information from another," Hernandez says. The vController IPS detected and blocked that.
PrimeLending is also using the TippingPoint vController capability to share security event data with the RSA data-loss prevention product it uses and the RSA security and event management product, EnVision.
In the quest to find a suitable antimalware defense that could be used for VMs, PrimeLending plans to try Trend Micro's Deep Security, which uses VMware-based vShield APIs to do malware scans. It doesn't yet have a way to automate removal of malware if it somehow sneaks in, however. "There will be limitations in the beginning," Hernandez says. "It's new ground, a new effort."