Three considerations for protection against malware in the vdi Environment

In a VDI environment, administrators need to protect organizations against malware, but this process does not include antivirus software that may cause problems.

There are no universally accepted standards for malware protection in virtual desktop infrastructure (VDI. Each VDI supplier uses its own method to implement the protection plan. Therefore, there is no clear and detailed tutorial in the VDI environment to explain how to deploy malware protection solutions. However, in general, there are three aspects to be protected-VDI servers, virtual desktop images, and user configuration folders.

VDI Server Protection

In most cases, you can use methods and technologies to protect other servers to protect VDI servers. However, the biggest exception to this criterion is that special consideration is required for hypervisor running virtual desktops.

In addition, the actual situation varies depending on the suppliers and products used. Even so, some processes and folders need to be excluded from the malware scan process. For example, in Microsoft, you must exclude all virtual hard disks that constitute virtual desktops. Some specific system folders need to be excluded. Query documents based on the specific hypervisor type used to determine your malware protection requirements.

Protect virtual desktop Images

In addition, the image protection method depends on the product you are using, but the simplest way is to directly install anti-virus software into a virtual desktop image. Even so, this method is not always the best solution. First, the scanning process will affect the performance of the virtual desktop. Second, you need to keep the anti-virus software updated in real time.

Generally, virtual desktop images are static in a VDI environment. Each independent virtual desktop uses a differential disk that is connected to a static virtual desktop image. In this case, virtual desktop images are at risk of being infected because they are read-only. Therefore, you need to scan the image before it is put into the production environment, rather than trying to monitor it during running.

Protect user configuration folders

For Malware Protection, user-configured directories are the most difficult part so far. These directories store all the files and folders created by end users. Generally, the user's personal configuration directory is stored on a differential disk.

There are usually two main sources of potential malware problems in the user configuration directory. First, it contains your own documents. Second, users' browser cache may also become the source of infection.

You can use a variety of technologies to protect your personal configuration directories, but there is one of the best ways. In this way, the data file is redirected to the file server or the Sharepoint Server of the user's storage device (the server contains its own malware protection measures. This prevents any actual data from being stored in the user configuration file.

Because no data is stored in the user configuration directory, the user configuration files stored on the differential disk are cleared at the end of all VDI sessions. In this way, any malicious files that may be downloaded from the Internet will be cleared together with other content in the browser cache at the end of the session. Therefore, each time a user establishes a connection, the user obtains the initial status.

Remember that this is only a way to protect user configuration files, and it does not apply to all situations. For organizations that require higher security levels, performance factors should be ignored and anti-malware should be run in a separate virtual machine.

Protecting virtual machines from malicious software attacks is an art of balance. Balance between security and performance. In short, you must implement malware protection in a certain way to avoid the impact of underlying virtualization hosts.