We have several Windows VMs (all user editions, no server editions). We install virus scanners inside the VMs to protect them from users. The real-time file scanning kills I/O performance inside the VM though (I see disk access times spike to 2000ms while it runs). Multiply that by 50x and you get a lot of I/O churn. We can disable real-time file scanning, but that defeats the purpose of having it there in the first place.

I think creating snapshots every few hours is a better solution, but I wanted to ask if anyone else has found a better solution for this.

The virus scanner is Symantec Endpoint and the VMs are running on top of vSphere 4.1.


3 Answers


If it's Windows it should have antivirus protection, regardless of whether it's a VM or a physical machine. Your comments regarding performance tell me 2 things.

  1. You don't have enough resources to properly run all those VMs on the same host.
  2. You need to optimize your scanning settings and/or use something that isn't such a massive resource hog.

I also must point out that your comment

> We install virus scanners inside the VMs to protect them from users

is either extremely poorly worded or you don't understand what antivirus software is for.

John Gardeniers

1 word. YES. Using something like the "xp-mode" in Windows 7... or most other desktop-based VMs will use a NAT for sharing the network adapter... and makes that machine vulnerable to anything your desktop machine doesn't pick up. If it isn't NAT'ed... then it has a dedicated IP... and is fully vulnerable... and even more likely to pick up a nasty bug. The only time I would say go ahead without some AV... is if you were running without any form of network access at all. Even then... you could still inadvertently transfer something over (through some sort of shared directory setup... or through shared drives).

  • Agreed on the AV thing, but why in the world did you drag NAT and IP addressing and "xp-mode" into this? – EEAA Jul 07 '11 at 21:57
  • Agreed ErikA, since most attacks are not network attacks, mostly pdf/flv based malware or social attacks, so NATs don't protect a thing – tony roth Jul 08 '11 at 04:23
  • @ErikA NAT'ing is most commonly used in *most* desktop-VM environments. The easiest DIRECT attack vector for a hacker is through a network connection (through free-wifi connections, your home network, other offices... etc.). And since this was the concern... it makes sense to mention it. Also, since Microsoft decided to include a VM framework option into their desktop OS (xp-mode)... it also seems likely that an inexperienced user would turn to it before looking at paid options like VMware. – TheCompWiz Jul 08 '11 at 13:41

In a Windows VM, I would run Microsoft Security Essentials as the virus program. The reason is obvious: most people "playing" with a non-production VM wouldn't afford the license for any sort of costly anti-virus solution.
