Know which functionalities are available in Agentless (Deep Security Virtual Appliance-based) and in-guest (Deep Security Agent-based) anti-malware protection.
See the table below for the list of available functionalities in Agentless and Agent-based anti-malware protection:
Functionality | Agentless (DSVA) | In-Guest (DSA) |
---|---|---|
Feature and Component | | |
Take action upon malware files | Yes | Yes |
Take action upon malware in memory | No | Yes |
Registry cleanup | No | Yes |
Stop malware processes | No | Yes |
Leverage VMware Endpoint | Yes | No |
Security | | |
Firewall functionality | Yes | Yes |
Deep Packet Inspection functionality | Yes | Yes |
Log Inspection functionality | No | Yes |
Integrity Monitoring functionality | File-based Integrity Monitoring only | Yes |
Recommendation scan functionality | No (DS 8.0 and below) | Yes |

Advantages of Deep Security Virtual Appliance (DSVA)-based protection:
- No footprint on protected virtual machines (VMs)
Protection will not result in resource contention on the VMs.
- Minimal update-related traffic
The absence of components on the VMs means that update-related traffic, such as virus pattern and scan engine updates, occurs only on the DSVA. The VMs are not affected by component updates.

Disadvantages of DSVA-based protection:
- Lack of in-memory scanning
If a Trojan manages to enter the VM, subsequent pattern updates may be able to detect the file component of the malware, but will not be able to remove its in-memory components.
- No damage cleanup
Because of the absence of an in-guest component, the DSVA does not have the Damage Cleanup Service functionality, which addresses changes to the Windows registry and similar malicious alterations.
- Limited HIDS capability
The DSVA is limited to File-based Integrity Monitoring. It does not have the Log Inspection functionality.
- Lack of recommendation scan functionality (for DSVA 8.0 and below only)
The DSVA cannot retrieve metadata from the VMs that it protects, so the Deep Security Manager is not able to automatically ascertain the security requirements. Thus, the assignment of Deep Packet Inspection (DPI) and Integrity Monitoring (IM) rules is manual.

These disadvantages can be addressed by installing a DSA on the VM. However, a DSA will negate the DSVA advantages on resource contention and bandwidth conservation. Thus, administrators must assess the security needs of their environment to determine the appropriate combination of DSA-based and DSVA-based protection.