This blog post was written by Teresa Wingfield.
The use of traditional security practices in virtualized environments causes everyone headaches. What works for older architectures may not apply for newer ones. Can you imagine pouring gasoline into the engine of an electric car?
In our first blog, we explained why traditional security is too taxing for virtual systems. Now, we’ll discuss how to choose which deployment option for McAfee MOVE AntiVirus is right for you, multiplatform or agentless. Hopefully you’re ready to MOVE toward a better security solution.
The core idea of McAfee MOVE AntiVirus is that security can be ensured across the whole network without draining the computing power of individual virtual machines (VMs). By offloading scanning from guest images onto a Security Virtual Machine (SVM) so that machines are always protected by up-to-date content such as virus signatures, we can have the best of both worlds.
This is true for multiplatform and agentless deployment. How they differ is in the communication method between file requests at the virtual machine level to the SVM which operates outside any particular VM. Since this is the crucial starting point, we’ll be detailing the mechanics of this process shortly. However, a useful prior step is to see which versions are compatible with your hypervisor platform.
You should know that agentless deployment of McAfee AntiVirus for VMWare vShield and VMware NSX is only compatible with VMware vSphere. True to its name, agentless doesn’t require any agent to be installed on guest images. Multiplatform, on the other hand, does require agent installation on each guest image, but has the luxury of working on any hypervisor platform. In a nutshell, our deployment options are really straight-forward because this is the way we like it!
Now let’s take a look at the mechanics of how each deployment option works.
How Agentless Works
At a high level, MOVE for agentless deployment uses hypervisors as communication hubs. The conversation doesn’t occur between endpoints and the Offload Scan Server. Instead, communication between individual VMs and the SVM are handled through VMware Virtual Machine Communication Interface (VMCI), which is within the ESX hypervisor. In these cases, vShield Endpoint or NSX integrations to send scanned files. One major advantage of agentless is that clients are immune to any network configurations made on them since they do not communicate with the SVM over the network.
Management is also similarly integrated. From the McAfee ePO console, you can install and upgrade MOVE Agentless deployments using the MOVE Deployment Wizard, as well as run automatic EICAR tests. For NSX users, McAfee ePO allows security administrators to view instant policy synchronization between the ePO and NSX consoles. Additionally, specific assignment rules in VMWare NSX are passed down to virtual machines through McAfee ePO. Think of the console as one ring to rule them all.
How Multiplatform Works
McAfee MOVE AntiVirus in multi-platform installations uses a communication model that starts at the endpoints. On each guest image, a McAfee AntiVirus Agent brokers communication between individual file requests and the Offload Scan Server. Like agentless deployment, multiplatform management is conducted through McAfee ePO. The difference is that the McAfee ePO agent manages policies and scanning functions on each guest image. In multiplatform deployment, think of McAfee ePO as a workload manager over the whole network, while the McAfee AV Agent on each virtual machine communicates to the endpoints
There are some other features worth pointing out as well:
- MOVE multiplatform installations offer better exclusion capabilities. You can define scan avoidance by pathname, process, and publisher. In contrast, agentless only allows path-based exclusions, due to lack of vShield and NSX driver support.
- Multiplatform deployment also has faster boot-up time and load balancing. For example, users can designate and scan golden images to keep a clean master in the local cache.
- In-guest malware notification is only supported in multiplatform deployment.
- Finally, in agentless NSX deployment, automatic tagging allows virtual machines to be quarantined when malware is detected or anti-malware is absent.
Cost and Decision
At the end of the day, all MOVE AntiVirus deployment options are based on a common principle: offloading security scans in virtual environments. Their biggest difference is simply in how communications are sent to and from the SVM which does the offloaded scanning. So the pros and cons will depend on your particular business operations and existing technologies.
You don’t have to think about price. McAfee MOVE is licensed by the total number of endpoints, so the cost is the same for any version. Your decision making priority should be finding the best way for your business to update its security. But one thing’s for sure. It’s time for solutions that fit your environment. For that to happen, you need to get out of your chair and MOVE.