Home / Blog / General / The problem with signature-based antivirus in a VDI environment

March 26, 2019

We’ve reached a point where we expect to be able to work literally anywhere – a practice made possible by virtual desktop infrastructure (VDI). We can now easily access everything we need, whichever device we’re on. Great for the typical user – not so great for IT security professionals.

But why?

VDI offers users more flexibility. It’s simple to manage and it is cost efficient. Accommodating many simultaneous application sessions on as few virtual server resources as possible creates significant savings.

But all these benefits can be overshadowed by an incompatibility with signature-based antivirus, rendering the solution ineffective – unable to detect the numerous and evolving types of malware at the endpoint.

Problem with signature-based antivirus

Why are traditional antivirus solutions are a poor fit with VDI?

Traditional antivirus focuses on recognising known (bad) files on the basis of their external characteristics (‘file hashes’). Given the quantity of “bad” files that have been found over the years, any antivirus solution relies on an enormous database that lists both bad and reliable files.

Naturally, such a database is only of value if it remains up to date – and therein lies the problem.

› The problem of (non-persistent) VDI-sessions

Every time a new VDI session starts, the database is effectively obsolete and should therefore be updated. Typically, while this is happening, the user can’t do anything else, wasting time and resources.

When the (non-persistent) VDI session is closed at the end of the day, the updated antivirus database is discarded again. The next day, of course, this process repeats again. For each session. Every day.

Though it may only be half a minute of time wasted per session, that time adds up to a huge waste of resources and a great deal of frustration.

› Cutting corners on security

Naturally, this level of inconvenience leads people to cut corners. CISOs regularly choose to reduce the security measures on their VDI servers to avoid going way over budget buying extra server capacity to enable users to simply get on with their work.

But it’s not just the ‘nice to have’ security features that are being dropped, either.

People are knowingly lowering their organisation’s level of protection because these updates are so problematic – giving attackers an easier route in.

Some people even turn off the entire antivirus solution! A high-risk move. While others just buy more server capacity – a high-cost option which undermines the cost-saving benefits of VDI.

Neither is a good option.

› Antivirus fails to protect from the unknown

Add to this the fact that traditional antivirus solutions fail to protect from unknown threats. What good is a solution that tracks only known threats, when so many attacks come from unknown sources?

You naturally have to question the benefit of keeping a database of “bad” files, when the majority of attacks are file-less!

The shift to Endpoint Protection (EPP)

So today, there has been a rapid shift towards Endpoint Protection Platforms (EPP) – a solution to cope with the ‘next generation’ of endpoint security threats – and the new ways in which we use and access information systems.

› Benefits of EPP vs. traditional antivirus

A true ‘next generation’ endpoint security solution doesn’t rely on a list of known files to assess threats. Instead, EPP focuses on recognising suspicious behaviours on the system, providing protection against both file-based and file-free threats, regardless of whether or not they have been seen before.

Endpoint security solutions don’t require a database; so they’re always up-to-date.

So there’s no need to sit impatiently drumming your fingers while updates load at the start of each VDI session. Instead you can bask in the glow of:

  • Endpoint security solutions deal with today’s known and unknown threats.
  • Saves time in a VDI environment, reducing user frustration.
  • Provides assurance of best security levels, with no additional spend on server space.

It’s a win-win for users and CISOs alike, with no need to compromise.


About SentinelOne

› Autonomous Endpoint Protection

SentinelOne’s Endpoint Protection Platform (EPP) provides organisations real-time, unified endpoint protection, unifying prevention, detection and response – in one platform.

SentinelOne EPP leverages advanced machine learning and intelligent automation to prevent and detect attacks across all major vectors, with rapid elimination of threats, fully automated policy-driven response, and complete visibility into the endpoint with real-time forensics.

› Certified AV replacement

The independent anti-virus research institute (AV-TEST) has awarded SentinelOne EPP the Approved Corporate Endpoint Protection certification for both Windows and OS X, which validates its effectiveness for detecting both advanced malware and blocking known threats – the only next generation endpoint protection vendor to obtain this certification on both platforms.

Related articles:

Comtact's UK Security Operation Centre (SOC)

About Comtact Ltd.

Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).

Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.