
We have a couple servers with a host system, and virtual DB and Web instances. Is it possible to be compliant with PCI if you install the Antivirus only on the host system, or does it need to be installed on all three (host, db instance, web instance)?

By installing it on the host, doesn't it scan the virtual servers as well (bin, vhv, and vhd files)? Or can the antivirus not scan/get to the details necessary when they are embedded in the virtual machines?

If we can't just install it on the Host OS, could it be installed only on the Web instance since that is the only one that is publicly accessible?

Just trying to avoid the extra CPU/RAM footprint of installing in all 3 instances if possible.

Not sure it makes a difference, but this is in a Windows 2012 Hyper-V environment.

Sam

1 Answer


If, by installing the anti-virus solution on the host system, you can achieve the same level of protection to the VMs as you would if they had anti-virus installed individually, then the end result is that all systems are protected from malicious software. This would satisfy compliance. There are very few products in the market that can be installed at the host level to provide protection to VMs.

The PCI DSS requires that anti-virus be installed on systems commonly affected by malicious software. This is prescriptive rather than risk-based, so the fact that the db instance is not publicly accessible does not mean it falls outside this requirement. It would still need to have anti-virus installed unless the operating system for that VM is one not commonly affected by malicious software.

AndyMac