Why hasn't Bromium taken over enterprise antivirus and antimalware yet?

When Bromium first released vSentry, you could see the potential even though it was rough around the edges. Today, it looks to be ready for prime time.

I came away from my last conversation with Bromium so excited about their platform that I had to give it a shot. It’s been years since I saw it in action, and in the beginning it was a little rough around the edges. I love the idea of a hardware-level security platform that lets users be users and protects them from themselves, but in addition to the growing pains of a new platform built on the complicated premise of microvirtualization (see how I used “premise” properly?), it was also limited by the fact that only a small percentage of the hardware used in enterprises could support it. To top it all off, since Bromium vSentry required key infrastructure components that only the largest of organizations had, there wasn’t a great way to evaluate the product. Somewhere, buried in a storage closet in TechTarget’s San Francisco office, is a laptop with a super-secret hack on it that allows for testing a very early version of vSentry.

It was that complicated!

Today, things are different, and when I told VP of Services (and former Citrite and BriForum speaker) Dan Allen I would like to take a test drive, he shot the bits right over. Within a few minutes it was running inside a Parallels VM. No management console (they have one, I just didn’t need it to get started), no KMS server, no nothing. There I was, running vSentry on a Parallels virtual machine on my own laptop, in the time it took to make lunch. I never dreamed that was possible five years ago!

All this was the inspiration for today’s article. Years ago, when were first introduced to Bromium, I remember thinking something along the lines of, “Holy crap, this is awesome. Too bad we won’t all be able to use this.” Now it looks like this is available for just about everyone. Here’s why.

Hardware support

We first covered Bromium in July 2012 when co-founder and CTO Simon Crosby posted an article on our site explaining, in his own words, what micro-virtualization was all about. The key takeaway from the concept is that vSentry leverages hardware virtualization, and in 2012 only a small portion of the available endpoint hardware had the capabilities that vSentry required.

Today, it’s safe to say that most typical enterprise PCs have the require capabilities: VT-x and EPT for Intel, and AMD-V with RVI for AMD. In fact, all i3, i5, and i7 processors since 2010 have the necessary feature set to support vSentry. That probably means that even your mom’s computer will work.

In addition to broad endpoint support, hardware virtualization has matured to the point where hypervisors can pass hardware virtualization instructions from the guest OS to the physical hardware, which enables vSentry to work inside virtual machines. The same thing that lets me use vSentry in Parallels means that it can be used in VDI.

Until recently, Bromium recommended 8GB of RAM in order to maintain performance. This is mainly due to the fact that when memory is at a premium (say, less than 8GB), vSentry will suspend the micro-VMs. When you switch to a browser tab that has been suspended, it can take a few seconds to wake up, which is perceived as lag. This 8GB minimum was especially painful in VDI scenarios.

With the help of some advanced scheduling, vSentry implementations on VDI can now work with as little as 4GB of RAM. The suspend/resume happens less often, and when it does, it’s faster. Bromium still recommends 5GB of RAM for VDI for the best possible experience, though. (For physical desktops, the minimum recommended is now 6GB instead of 8GB.)

For a demonstration of vSentry running on older hardware, check out Dan Allen’s blog where he used a 2010- era Lenovo ThinkPad Edge that featured a 1st generation Intel i3, 4GB RAM, and a 250GB SATA hard drive.


Hardware wasn’t the only limiting factor in the earlier days of vSentry. The actual implementation process was difficult, too. Requirements have varied over the years, but what’s clear is that today it’s about as straightforward as any other security platform.

The installer itself comes packaged as an MSI, so you can deploy it any way you want. The only snag I ran into was that on both of the machines I used, I was told that my version of Firefox needed to be replaced with the Extended Support Release (ESR) version as opposed to the normal, personal version, that most people use. I replaced my version with the ESR, and everything proceeded nicely.

When I experienced the Firefox warning, I asked Dan if there were other prerequisites and what a typical cleanup process would be like. This is his response:

“We do have some prerequisites, but we also have PreCheck tool we can run to collect information to get ahead of any issues before we roll out. Our management server also does a good job of collecting information and reporting on potential issues. Our deployment package is just a simple MSI file, so it is easy to deploy us with any tool such as SCCM, BigFix, Altiris, or even via GPO. From an application compatibility perspective the only two things to be aware of is that we protect Office 2010 or later and we only protect the ESR edition of Firefox, which is what most enterprises that officially support Firefox use. We can still run on a system that has Office 2007 or the personal version of Firefox, we simply will not protect those applications if the user runs them.”

Day to day usage

Though I haven’t spent much time talking about the ins and outs of micro-virtualization (you can read Simon’s article for that), it’s important to understand what’s going on behind the scenes at a high level to understand the day-to-day usage of vSentry. When vSentry is first installed, it takes a snapshot of the machine that it then uses as the template for all future micro-VMs. This snapshot process is called “initialization,” and on the physical machine I tried it on it took about 10 minutes to complete.

The catch with the initialization process is that if you install something that vSentry can protect, say, Office, after you install vSentry, it won’t be in the micro-VM template and won’t be protected. Thankfully, vSentry notices this and re-initializes the micro-VM as-needed, and you can kick the process off yourself if you want to.

Other than that, you forget that it’s there. Sometimes if you get a little tab happy, vSentry will shut down a micro-VM or two that will take a second to get started again, but that falls inside the margin of slop already associated with your browser of choice.

Back to the original question…

It looks like all the major problems have been solved. vSentry is way easier to deploy, and it runs faster than ever. So why isn’t everyone running this?

I’ve written before that micro-virtualization and AI-based threat detection and analysis are new enough that they are off the radar of a lot of companies, especially when you factor in that it’s super easy to just keep writing that check to McAfee each year and carry on doing business-as-usual. But as the war against viruses and malware, a.k.a. the “Bad Guys,” wages on it seems like it’s time for something new.

Microsoft has endorsed virtualization-based security in Windows 10 with Credential Guard and Device Guard, followed by Windows Defender Application Guard for Edge. HP has incorporated a slightly watered-down version of vSentry into their latest line of laptops. That is some significant validation from industry heavyweights!

Plus, when you factor in the cost of vSentry and how competitive that is with traditional endpoint security products, you’d have to think that Bromium vSentry is on the verge of mainstream adoption. vSentry yearly subscriptions run $75/device/year with increasing discounts at volumes over 250 devices or with multi-year subscriptions. Perpetual licenses are also available.

So I’ll ask you directly—have you looked into vSentry? If yes, what’s holding you back? If not, well, you should.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Great...now let's find someone that can deploy it to an enterprise. (Actually deploy--not just references customers with CIOs who have friends at A16Z. Same old story: incredibly cool concept; and impressive efficacy on individual basis. Not ready for Enterprise scale.
Sounds like someone hasn't seen Bromium in sometime. It is deployable, it doesn't cause performance problems, its evolved.   
@Louie17 - do you use Bromium?
That was certainly the case until recently, but it appears the dust has settled. I'd love to find independent, real-world examples of customers that have deployed it.

I agree with Louie17 - it might be time to take another look. You definitely have seen them in the past, so I'd be curious about your feelings are after a current demo.
It is garbage and fluff just like Cylance.
That I don't think is a real comparison. MS credential guard is similar. Cylance is entirely different (good or bad, don't know); Bromium vSentry or whatever it is called now is infrastructure which kinda use you physical machine as a server and run supported processes in light weight VMs. Now as every thing is running in a VM; your host will not compromise in case of a breach.
I don't the issue is functionality. Bromium is awesome across the board. It's cost. When you take Bromium at $75 (which seems to have come down from the $100-150 it previously was) and compare it to $6 for McAfee, it's hard to make a business case for Bromium in all but the most high-risk environments.
Perhaps, as some have suggested here, the product has evolved. I inherited a Bromium Enterprise installation back in 2015 and it was a complete disaster. It was gone within two months. The problem is that many early adopters paid for a solution that didn't exist. Bromium certainly has a very mixed reputation, one which they may not be able to overcome absent an acquisition or sale.