How much antivirus do we need for non persistent VDI?

Microsoft's release of a free desktop OS anti-spyware, called Microsoft Security Essentials reminds me of the conversation we had at BriForum Chicago this year.

Microsoft's release of a free desktop OS anti-spyware, called Microsoft Security Essentials reminds me of the conversation we had at BriForum Chicago this year. 

In a session where we threw around ideas about how to build your VDI image, some in the audience expressed the opinion that since the image would be blown away when the user logged off, maybe running without antivirus on the VDI image would be OK.  Their idea seemed to be that you could just scan the saved user information on an offline basis instead. While I’m not likely to recommend going that far, certainly a “lighter” antivirus solution might be reasonable.  And if it’s free, maybe all the better. 

I’ve used Microsoft’s previous antivirus product (now discontinued), OneCare for roughly the last two years on my personal laptop and have only damning praise for it – “It doesn’t suck”!  Which is exactly how I feel about almost all of the other bloated anti-malware/spyware/gummyware products out there.  They are all way to large of resource hogs, whether measured in disk, RAM, or CPU.  So if this product follows along that line, maybe it might be the appropriate solution in a non-persistent VDI scenario, backed up by a “more complete” solution when needed.

What do you think?

PS for those who attended Briforum in Chicago this year:  Several people have pestered me to post the ideas we collected in that session.  I have placed the 53 Ideas up on the site wiki (available only to attendees)  but have been unable to flush out each idea as I intended so far.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

I think there could be a decent case made for non-persistent VDI machines foregoing virus protection, perhaps using Windows Firewall for example to block the most well know issue. I think the only caveat is that if there is some sort of wide infection there would need to be some way to prevent a re-infection and that may, in the end, require an AV package to do!!


@ Steve.

If indeed there was a site wide infection in a non persistent enviro, then you only need to patch that attack vector. AV is for after your system gets owned. In standard mode this should not take long to do.

@ Tim

I think the light weight model is a good one. The main reason why I opt for AV in non persistent is due to wanting to protect that logged in session (while it exists, until a reboot), think driveby and user executed malware.

I think you could potentially go without If you had AV at the border. In my environment we don’t have this.

Hey who wants to talk about AV sig redirects in non persistent environments?



@ rahvintzu - Agreed, we had this discussion in the chat room when Brian and Citrix did Geek Speak last week.  Very much along the same lines.  AV is still as important on the desktop as it ever is, in fact more so as your servers and desktops are in the same physical location therefore connected via the same 1 or 10GB network, the propogation of virus's will be quicker than before.

This also bought up the question around anti virus on the thin clients being used for such a scenario (XPe is what I am referring to).  Do u need AV on these, or will the built in firewall suffice?

Again I believe AV is still required, but the only vendors that do AV for XPe are Symantec and McAfee.


Lots of interest from IT to reduce the cost, support and compute load from antivirus/spyware tools.  Looking at the client side, antivirus/spyware updates cost IT (CAPEX & OPEX) and are avoidable with hardware zero clients.  

This along with no need to patch client OS & drivers make hardware zero clients the option to get the lowest operational costs. This also includes avoiding the risk of having to EOL a client early in its life-cycle due to lack of flash memory for these updates.  

Lots of PCoIP hardware zero client options are available in the market including Dell, IBM, Wyse, Samsung, Fujitsu and many more.  They can connect directly to Terminal Services (RDP), VMware View (upcoming and no hardware required in the server) as well as hosted 3D workstations (using hardware acceleration).  

For those who don't know me, I am from Teradici.  


@ rahvintzuy

Good question.  Indeed, redirect of the sigs may make sense.  You can't have the update sigs on the golden image.  

Ideally, the broker should keep ahead of demand and bring up images in advance to be reasonably ready for whatever user shows up.  Certain things will be used by all users, and those parts should be ready before the user attempts to connect.  But portions of those bits will change over time.  So I like the concept of a two part base image.  The golden image contains the parts that rarely change.  Upon booting, the universal (any user) bits that change more often are applied.  (Later, after there is an identified user, other bits may be applied with specific applications and.settings)

This application of general user bits that might more frequently change, might be achieved by a layering or streaming technique, or we might use redirection technique when that makes sense.

Given the performance impact of AV, I would guess that you want to get the sig bits in the running image RAM.  I am unsure if a redirection would do this in the case of AV, but possibly so - probably more dependent on the AV vendor.

This concept, what do you directly layer/stream into the running image, and what do you  redirect to a single shared copy is probably the second level of questions we should be addressing, after we figure out what we really need to start with!


I've been running "antivirusless" virtual desktops for students at a college to remotely access and it has worked out great!

All of the desktops get mapped to the users network folder during login and all of their work is saved there or redirected to their home computers. We save all of the provisioned desktops into a non-persistent hard drive state. After the user logs out, the desktop is shutdown, the connection broker detects this and boots the desktop back up again. And regardless if some sort of malware is installed during the last session, it is wiped away and returned to a pristine state.

There is no need to run AV in this scenario and we save greatly on performance and AV licensing fees!

My view on AV is how many folks have had AV running and somehow malware still gets installed? Most of the time we just rebuild the machine (physical desktops), or issue a new desktop from the golden image (virtual desktops). So why even bother?

This solution may not be the ideal solution for all cases it does work for some.


Even though the images can be reverted to a pristine state quickly, that is not usually the case for the backend boxes (AD, Exchange, etc). If someone plugs something like a USB drive and that one got infected with some Zero-Day threat, there is a big chance the backend protection will NOT detect it and you may be in big trouble.

Of course how paranoid you are about security really depends on the environment. Certain places I work lock pretty much everything you can imagine and things most people do not have any idea! Like Outlook 2007 programmatically access policies. :-) Would I run a hosted solution without AV? Depending on the environment, what people have access to, access to local resources, etc, yes.


Domain less clients with FREE windows firewall get's most of client issues out of the way. No need for $$$$$ custom hardware solutions using crappy protocols like PCoIP that don't work over a WAN without killing bandwidth. Yes I tested the software version too, it sucks even worse.

I also like protecting at the edge and looking for patterns. AV can only get you so far. If we reduce it great. I'd like to see more perimeter defense.


Anyone interested in taking a look at PCoIP WAN performance over low bandwidth networks can watch  A PCoIP case study will be published shortly for a production company that has their creative users in Bangalore, India and the movie servers secured in Los Angeles, USA.  

PCoIP hardware zero clients are very cost effective and support multiple client options (VMware View 3, RDP for Terminal Services and PCoIP to View 4, or a hardware accelerated remote workstation host).  The Samsung SyncMaster 930ND PCoIP Display is about $425 - that is about a $250 adder to regular 19" display.  No additional brick to worry about and the display/PCoIP client share components for an extremely cost effective and elegant client. (see

Don't forget a "free" windows client requires constant patch management for Windows OS, drivers and protocol updates for media CODECs - perpetual cost on top of an extremely cost effective client like the Samsung display.  And hope that these updates do not surpass the flash memory in the client - requiring a doubling down on your client CAPEX costs.  


I think some of you missed the point on the purpose of AV.  Sure, you could reboot a machine and return to a good known state.  The virus is gone!  But what's keeping that machine from becoming re-infected as soon as it's rebooted?  In addition, once that non-persistent machine is infected, there is a windows of opportunity until that machine is restarted.  Anything from capturing/stealing data, corrupting data, infecting other machines, DoS, etc...

Tim's suggestion of a light-weight client is a good one.  A full blown McAfee HIPs or Norton End-point is not required.  But some protection is.

Essentially, condoms for virtual machines.  Don't virtualize without protection.



Running VDI without A/V is even more stupid than thinking you don't need A/V on thin clients because they are stateless.  Most wormable viruses can attack a network and infect every single machine in a given subnet within minutes.  Even if you reboot the machines, the worm will re-infect immediately.  Not to mention the network degredation that will occur from these machines aggressively attacking other hosts.  I've seen it a number of times with Nimda, Nachi, Slammer, etc.  I've seen it bring down a number of large corp networks.  Anyone who's lived through those incidents wouldn't even consider this.  Now, what I would be thinking about long and hard is whether or not my current A/V was effective or a bloated piece of crap.  For those interested in that topic, check out ESET's overhead compared to the other A/V vendors.  Finally, Firewall is critical to leave enabled in your environments, yes it's harder to get everything working, but if you prevent just one mass worm spread, then your work was worth it.



@Shawn - I agree.

Hardware zero clients do not need AV - for those not familiar with HW zero clients.  With a PCoIP hardware zero client the PCoIP protocol is decoded (display, USB, Audio) directly in silicon.  There is no X86, no application OS (linux, winCE, XPe etc), no drivers.  And since the protocol is directly decoded in silicon the client is immune from viruses and spyware etc.

Enterprise IT have complained to me often about client viruses (PC or thin client) where an enterprise infection started at the client and this is independent of whether the VDI session is non-persistent or not.  

PCoIP hardware zero clients prevent this virus threat scenario (of course the VDI session still needs AV) and lower the VDI operational cost at the same time.


A few commenters hit it on the head. I wouldn't dream of running any client VDI or otherwise without some sort of AV protection. Once that non persistent image gets hit with fast moving worm, the rest is history. Servers don't have the luxury of being non persistent so rebooting that client to clear the infection is pointless. The precious assets are still going to get hit with an outbreak.


While I agree with a number of you, Antivirusless VDI is not reality, I would suggest that is it really need in every VDI session or hosted by the Hypervisor on each host?

Think about it, all the traffic is flowing through the hypervisors virtual switch, why not place antivirus scanning there...   Save on the saving in n number of guest running on the host and have the host do it once.


You guys made some valid points, I guess the solution I proposed works in our environment because the users logging into the non persistent machines are really only using them for the applications (Office, Photoshop, Academic  Specific)  from home and if they need to surf the net then they will use their local computer.

I've been using non-persistent images for two years and no widespread outbreak of malware. I like the idea of embedding a AV solution in the hypervisor away from the VMs. I would shoot for a solution like that if users were using the virtual desktops as their primary desktops and they used thin clients to access them.