Project Virtual Reality Check (Project VRC) have finally released their 'Phase V' white paper which provides an independent insight into the impact and best practices of various antivirus (AV) solutions on VDI performance VRC was started in 2009 by Dutch IT companies PQR (www.pqr.com) and Login Consultants (www.loginconsultants.com) and focuses on research in the desktop virtualization market. The project has published several white papers on the performance and best practices of different hypervisors, application virtualization solutions and Windows Operating Systems in server hosted desktop solutions. This new white paper contains the test results of the VDI performance impact of the antivirus solutions from three leading vendors: McAfee (Move MultiPlatform 2.0, Agentless 2.5), Microsoft (Forefront EP 2010) and Symantec (Endpoint protection 12.1) in vSphere 5.0 and vSphere 4.1 Anti-virus technologies are evolving to meet the ever increasing deviousness the attackers. Traditional signature-based scanning only detects known malware and may not detect against new attack mechanisms.
Heuristic scanning is similar to signature scanning, except that instead of looking for specific signatures, heuristic scanning looks for certain instructions or commands within a program that are not found in typical application programs. AV is turning to heuristic scanning: instead of looking for specific signatures, heuristic scanning looks for certain instructions or commands within a program that are not found in typical application programs. But, technologies like heuristics scanning add considerable weight to the scanning process. With a traditional desktop environment there’s plenty of CPU and disk I/O capacity available exclusively to the end compute device of user. A common and understandable concern for providing VDI environments is "what impact will my AV scanning have?. In his whitepaper on Windows 7 IOPS, Jim Moyle showed that an anti-virus scan to be much more intensive in terms of I/O than even the boot process: with the total I/O consumed being 15x more. The VRC testing shows a performance impact of up to 40% is not unusual after AV is installed. Indeed, in the real world the performance impact of AV solutions can be easily bigger for multiple reasons:
- The scheduled scan and updates are often not properly configured. These activities consume a lot of CPU but most importantly, dramatically increase disk IO leading to serious performance issues when it happens in many desktop VM’s simultaneously.
- From a survey, the Project VRC found that only a small number of organisations perform a pre-scan of a VM image before deployment. The testing demonstrated that undertaking a pre-scan significantly changed the performance impact.
- This was a test environment in controlled conditions - in the real world typical office users would surf many more websites, work with many more documents of all types and review many more emails. This data stream, which continuously needs to be scanned, is consistent, infinite and new every single day.
ProjectVRC's remit for this piece of work wasn't to find "the best" anti-virus solution: the whitepaper doesn't look to comment on the quality of AV solutions. However, it does provide information on best practices to undertake when implementing AV in a VDI environment. One key finding is that antivirus off-loading architectures make a significant difference from a storage IO point of view, but not always from a session density point of view.
All Project VRC tests are performed with Login VSI, an industry standard benchmarking tool for VDI. Login VSI simulates typical user workloads to objectively test the performance of VDI and Server Based Computing environments. Login VSI recently announced the release of v3.7, a newer version than was used in the testing for this whitepaper: v3.7 giving support for Windows 8 and Windows Server 2012.
This and all other Project VRC white papers can be downloaded for free once you've registered at www.projectvrc.com. All are a recommended read.
By all means look out for @RSpruijt (Ruben Spruijt),@TheJeroen (Jeroen van de Kamp) and @ProjectVRC