As Aaron P. mentioned, we run Trend OfficeScan at NCSU. We have a rather elaborate setup to overcome some issues with the university's AV solution that are particularly problematic to a VCL environment. We switched from Symantec to Trend a few years ago. As a result, Symantec had to be uninstalled and replaced with OfficeScan in all of our images. This is a huge deal since we had > 1,000 images at that time and a large number of image creators of varying skills. Uninstalling Symantec can be problematic and takes a couple reboots. We wrote a custom module to do this. It gets invoked during image capture to replace the software. It also gets invoked when an image is loaded to "fix" OfficeScan by making sure it is configured to our liking -- bypass our central software group's forced configuration which causes problems such as regular pop-ups appearing from the system tray/notification area, forced reboots, as well as scheduled scans.
> Michael – the overhead on the images is my concern. Especially since most > enterprise AV products I’m aware of attempt to update almost immediately > upon startup or login which is when the users would notice it the most. > > > For everyone – if you do have AV in your images, are you updating the images > often to get the latest definition files? Have you configured the AV to not > update automatically? Forgive these seemingly simple questions, but on our > normal desktops we just let the AV auto-update so it’s not an issue. But > there is a performance hit to Windows upon startup or login. We’re just > looking for the best experience for our users. These are good questions. There are several details regarding AV software which may cause performance problems or failed reservations. Our images get configured to install AV definition updates when an image is loaded. I have not noticed any performance issues because of this. Our AV product seems to behave pretty well regarding definition updates. It usually takes 30 seconds or less. The AV software version does not get updated, only the definitions. If your update mechanism updates the actual AV software version I'd guess performance issues would be more likely. You also have to make sure nothing will automatically reboot the computer. This will cause VCL reservation failures depending on when the reboot occurs. > From: Aaron Coburn [mailto:[email protected]] > > We do not run anti-virus software in our VMs. > > The main reason we don't is that we felt there are negligible security > benefits while there are significant performance gains. I'd agree with this. The security benefits of the AV software are severely diminished in a VCL environment where users have full root/Administrator access within the images. There is very little you can do to prevent a savvy user from disabling or uninstalling the AV software if it gets in the way of more alluring and dangerous actions. Some AV products (including ours) have mechanisms which are supposed to prevent this by requiring a password. This is easily circumvented. -Andy
