cpetry 4 Posted April 24, 2016 Share Posted April 24, 2016 I've never liked the idea of using a VM or even a host agent to offload scanning of all VMs within an environment. I honestly think a lot of people feel this way and that's why this particular forum is so dead. What happens if the host agent or single VM used for offloading has an issue? Does that mean nothing gets scanned? What happens if it's overloaded, does that mean it's now introducing latency in my VM environment? We were using McAfee EPO years ago and they had this same feature. You could use a single VM appliance to offload all scanning. It slowed everything down considerably and required 16 vCPUs to function correctly. I'd much rather install the agent/endpoint on each server and know that each system is self contained. Link to comment Share on other sites More sharing options...
ESET Staff MichalJ 434 Posted April 26, 2016 ESET Staff Share Posted April 26, 2016 Thank you for your inputs. Support for agent-less scanning was a demanded feature from the market, especially from the ease of deployment / ease of change point of use perspective. Once you have deployed entire VMware infrastructure and tweaked it properly, switching for another vendor was just a matter of minutes (you exchange one scanning appliance to another one). However, as you have correctly mentioned, it has certain drawbacks. The level of security is limited to the abilities of the API we are integrating with, which is the reason why ESET has chosen dual approach. You have the freedom of choice, whether you install our agents (Endpoints / EFSW) into the guest systems, and connect them with our Shared Local Cache, which prevents duplicate scanning on hosts, where there is a large duplication of files (usually all VMs share the same code). Our you can opt-in for the agent-less approach. VMware was solving the AV storms problem with vShield, not a strengthening of security problem. Link to comment Share on other sites More sharing options...
cpetry 4 Posted April 26, 2016 Author Share Posted April 26, 2016 Yeah, that's what I thought. I fixed the IO blender issue another way - all flash storage and plenty of physical CPU cores. I'll stick to the agent/endpoint on each guest approach for now. It works well with Smart Optimization/Scan enabled. I noticed you guys didn't have the host based scanning for a while. I figured you were pretty much pushed into it. Link to comment Share on other sites More sharing options...
Former ESET Employees Matus 21 Posted May 12, 2016 Former ESET Employees Share Posted May 12, 2016 (edited) Hi, I'd like to point out, that in case you have 10 servers with 10VMs on each, only these 10VMs are offloading scanning to security VM appliance (EVSA), which is deployed on same physical server (in this scenario, you'll have 10 EVSAs in your environment). If you'd install 10 endpoints on each guest VM I'm not sure, whether you'll improve utilization. It's however true, that our Endpoint is safer that VMware vShield solution. It's up to customer, whether he wants more security or better utilization. Edited May 12, 2016 by Matus Link to comment Share on other sites More sharing options...
Recommended Posts