Traditional host-based anti-virus software losing luster?

Virtualization and Web malware dangers mean less enthusiasm for old anti-virus software

By , Network World
June 30, 2011 01:07 PM ET

Network World - Traditional host-based anti-malware packages just aren't that useful anymore, according to some companies that find such software either doesn't protect against the main dangers they face from the Web or simply doesn't run well in virtualized computer environments.

"We're hovering at 95% virtualized," and the move has necessitated a new approach to security, such as deploying virtual-machine-based intrusion detection and protection, says Johnny Hernandez, vice president of information security at PrimeLending in Dallas. But PrimeLending has also found that some things that worked fine in the pre-virtualized era, such as traditional host-based anti-virus software, just don't seem to run well in a virtualized environment, he says.

The company has undergone a gradual transformation from traditional physical servers and desktops to virtualized ones based on VMware vSphere. "Today, we don't run A/V in the current virtualization environment because it does have an impact on the back-end and system utilization," Hernandez says. PrimeLending has virtualized its internal financial databases, Exchange and SQL servers and SharePoint. Traditional anti-malware programs running in multiple virtual instances can disrupt application performance.

Perimeter-based malware filtering, in this case using a Cisco-based anti-malware filter, is one line of defense for the company. Physical appliances used for security, however, generally face "blind spots" in terms of VMs. But PrimeLending is now monitoring and inspecting VMs for signs of malware or attack traffic in a way it couldn't before by using the HP TippingPoint Virtual Controller (vController), the version of TippingPoint's intrusion-prevention system (IPS) for VMware-based environments. It works like a software-based extension of the physical HP TippingPoint IPS.

That has worked well at overcoming the VM "blind spot," Hernandez says, though the unexpectedly high traffic speeds that resulted from virtualization itself meant switching to a higher-speed TippingPoint appliance.

The vController IPS has been able to identify potential problems — like the document that had gotten infected, apparently because it was edited on an infected home PC by an employee and then uploaded to SharePoint. "The document stored internally was trying to gather information from another," Hernandez says. The vController IPS detected and blocked that.

PrimeLending is also using the TippingPoint vController capability to share security event data with the RSA data-loss prevention product it uses and the RSA security and event management product, EnVision.

In the quest to find a suitable anti-malware defense that could be used for VMs, PrimeLending plans to try Trend Micro's Deep Security, which uses VMware-based vShield APIs to do malware scans. But it doesn't yet have a way to automate removal of malware if it somehow sneaks in. "There will be limitations in the beginning," Hernandez says. "It's new ground, a new effort."
