Release: VMware vShield Endpoint 1.0

At the end of July virtualization.info exposed an upcoming new product, part of the VMware vShield security porftolio called codename Seraph. The company officially unveiled and released it last week at VMworld (see virtualization.info live coverage) under the name of vShield Endpoint.

Endpoint 1.0 (build 287872) is the last piece of the new vShield security family. The other components are Zones 4.1 (the first product, acquired from Blue Lane Technologies in October 2008), App 1.0 (see virtualization.info coverage) and Edge 1.0 (see virtuaization.info coverage). 
The four pieces are all centrally managed by vShield Manager 4.1.

Compared to the others, Endpoint is not a real product. It rather is a security framework that leverages the VMware VMsafe APIs and allows third party anti-virus vendors to scan and remediate infected virtual machines in a new way.
The interaction between the anti-virus solution and the target VMs happens at the hypervisor level, in a transparent way, through a process known as introspection.
In this way 3rd party security engines can be deployed only on a single, dedicated VM, offloading the protected guest operating systems from the execution of resource-demanding endpoint agents.

The only agent that virtual machines have at that point is the vShield Endpoint one, informally called thin agent, which exposes the file system activity to 3rd parties through an API and a library for remediation.
The health status of this VMware agent is monitored inside vCenter Server.
Of course the agent has to support the target guest operating system. The VMware offering is still weak here with the lack of 64bit support for Microsoft client operating systems (where the antivirus really needs):

  • Windows Server 2003 and 2008 (both 32 and 64bit)
  • Windows XP, Vista and 7 (32bit only)

The side benefit of this solution is that the AV signature database is downloaded only once, rather than being replicated for tens or hundreds of VMs.
As out-of-band anti-virus scanning is particularly important in VDI, vShield Endpoint 1.0 integrates with the upcoming View 4.5.

Like Zones and App, every instance of Endpoint only protects the VMs in a specific host through a Loadable Kernel Module (LKM) called EPSEC.
The primary component, a hardened virtual appliance called Security Virtual Machine (SVM), is not delivered directly by VMware but by its security partners.

To control Endpoint and the other new security products announced at VMworld, VMware is using an additional component called vShield Manager. This is a centralized policy management console that doesn’t require any specific license.  
vShield Manager can be accessed through a web interface or the VMware SDK as it offers a specific API.
Such API allows advanced manipulation of all information produced by the other vShield products, like rules and the logs.

vShield Endpoint 1.0 pricing starts at $1,513, which includes protection for 25 virtual machines and 1 year basic support (12×5). Of course this is just the price for the endpoint agent. Customers have to add on top of it the cost for the 3rd party anti-virus solution.

TrendMicro Deep Security 7.5 is the first antivirus product on the market to support vShield Endpoint.