
Ask the Architect about the Next-Gen Desktop

Daniel Feller



Related Topics: Virtualization Magazine, Citrix Virtualization Journal, Desktop Virtualization Journal, Infrastructure 2.0 Journal

Citrix Virtualization: Article

Beware of the Dangers of Anti-Virus

Top 10 mistakes to avoid with virtual desktops

Protection from antivirus. Are you wondering if you read that correctly? Yes, it is correct. Odd, isn't it? Antivirus is there to protect us, but we also need to be protected from antivirus. Antivirus solutions are critical, even in a virtual desktop environment. Many people believe that because a hosted VM-based virtual desktop is created from a read-only image, it is immune to viruses. That is only partially true. When you reboot, the virus goes away because the changes to the base image are destroyed (including the virus), but what about the time period between getting infected and the next reboot? Those few hours are dangerous.

With hosted shared desktops or hosted VM-based VDI desktops, the virtual desktops are located within the data center alongside other critical systems. If a virus made it into the data center, the entire infrastructure is at serious risk. However, simply adding an antivirus solution to the virtual desktop can protect the environment. So what's the big deal? Just do it, right? Well, nothing is as simple as one expects it to be. If done improperly, antivirus can have a major impact on the virtualization infrastructure and even cause users to experience poor virtual desktop performance.

Consider virtual desktops that are streamed with Provisioning services and that all start a full system scan at roughly the same time. Provisioning services only streams the portions of the disk image that are required. However, if a full system scan is done, those virtual desktops will eventually request the entire vDisk image. This not only overwhelms the network and Provisioning services, but also impacts the storage infrastructure as the write cache is utilized and explodes in size. Overcoming these issues is a fairly easy matter and is based on the following recommendations:

  1. The desktop image must be free from viruses. It is recommended to do a full system scan in private image (read/write) mode. This guarantees the image is clean.
  2. When the desktop image is in standard mode (read-only), the antivirus should be configured as follows:
    1. Only scan create/modify activities of files
    2. Scan on write events only
    3. Scan local drives only
    4. Exclusions
      1. Pagefile
      2. Print Spooler directory
      3. Write cache file
      4. EdgeSight database
      5. ICA client’s bitmap cache directory
    5. Remove the antivirus configurations from the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry key
  3. Reconfigure antivirus so that the virus definitions file is stored on a persistent disk, so antivirus doesn't have to download the entire definition file on each startup.

These will help overcome antivirus headaches.
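One way to audit an image against the checklist above before switching it back to standard mode, as an added example that is not from the original article or from Citrix. The vendor match string `ExampleAV` and the three `<...>` paths are placeholders to replace with your own values, and the exclusion list is assumed to be exported from your antivirus console as one path per entry.

```powershell
# Added example: audit a private-mode (read/write) image against the checklist.
# 'ExampleAV' and the three <...> paths are placeholders, not real product values.
param(
    [string[]]$ConfiguredExclusions = @(),  # exclusions exported from the AV console
    [string]$AvRunPattern = 'ExampleAV'     # hypothetical vendor string to look for
)

$runKeyPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

# Item 2.5: antivirus entries that are still registered under the Run key.
$runKey = Get-Item -Path $runKeyPath
$runResults = @(foreach ($name in $runKey.GetValueNames()) {
    $command = [string]$runKey.GetValue($name)
    if ($name -match $AvRunPattern -or $command -match $AvRunPattern) {
        [pscustomobject]@{ Check = 'RunKey'; Item = $name; Detail = $command; Ok = $false }
    }
})

# Item 2.4: paths that must be excluded. Pagefile and spooler locations are
# read from the system; the remaining three depend on your deployment.
$required = @(
    Get-CimInstance -ClassName Win32_PageFileUsage |
        ForEach-Object { @{ Label = 'Pagefile'; Path = $_.Name } }
    @{ Label = 'Print Spooler directory'; Path = Join-Path $env:SystemRoot 'System32\spool\PRINTERS' }
    @{ Label = 'Write cache file'; Path = '<WRITE-CACHE-FILE-PATH>' }
    @{ Label = 'EdgeSight database'; Path = '<EDGESIGHT-DATABASE-PATH>' }
    @{ Label = 'ICA bitmap cache directory'; Path = '<ICA-BITMAP-CACHE-PATH>' }
)

# Exact, case-insensitive path match only; wildcard or parent-directory
# exclusions in the AV product are not interpreted here.
$exclusionResults = @(foreach ($r in $required) {
    $hit = $ConfiguredExclusions |
        Where-Object { $_.TrimEnd('\') -ieq $r.Path.TrimEnd('\') }
    [pscustomobject]@{ Check = 'Exclusion'; Item = $r.Label; Detail = $r.Path; Ok = [bool]$hit }
})

$results = $runResults + $exclusionResults
$results | Format-Table -AutoSize

# Non-zero exit code when any check fails, so an image build script can stop.
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

Scan mode settings (write events only, local drives only) and the definition file location are product-specific and are not covered by this check.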

More Stories By Daniel Feller

Daniel Feller, Lead Architect of Worldwide Consulting Solutions for Citrix, is responsible for providing enterprise-level architectures and recommendations for those interested in desktop virtualization and VDI. He is charged with helping organizations architect the next-generation desktop, including all flavors of desktop virtualization (hosted shared desktops, hosted VM-based desktops, hosted Blade PC desktops, local streamed desktops, and local VM-based desktops). Many of the desktop virtualization architecture decisions also focus on client hypervisors and application virtualization.

In his role, Daniel has provided insights and recommendations to many of the world’s largest organizations.

In addition to private, customer-related work, Daniel’s public initiatives include the creation of best practices, design recommendations, reference architectures and training initiatives focused on the core desktop virtualization concepts. Daniel is the person behind the scenes; you can reach or follow him via Twitter and on the Virtualize My Desktop site.