Anti Virus protection in RDS sessions under server 2012 R2 Standard

normally the guest itself already come with its host AV (if assuming they used free one which is unlikely for enterprise setup), and since this is a VM setup AV VM appliance via hypervisor will be recommended since it does introspection (vi a agent installed) at the Guest while VM appliance is outside of Guest VM. Malware cannot inhibit the VM appliance with such ease compared inside the Guest VM.

For the case of vShield, when a guest VM tries to access a file, the vShield Endpoint Agent running on the VM notifies the Sophos security VM appliance. The security VM scans the file, if the file has changed or if a detection update has occurred since the file was last scanned. If the security VM detects a threat, access to the file is blocked, and the security VM sends an alert to Enterprise Console. Also the security VM can initiate a full scan of all the guest VMs, and schedules scans to balance the various ESXi host so as to avoid unnecessary high load due to concurrent scanning. As per norm, upon security VM detects a threat, it sends an alert to Enterprise Console too.

The SAV is not an all-in-one though has No Web Protection, No Behaviour monitoring, No Boot sectors/Suspicious Files scanning, No Adware and PUAs detection. https://www.sophos.com/en-us/support/knowledgebase/121745.aspx

I do not see RDS or Email either and I suspect they required Sophos vShield or UTM and Email resp.
-For RDS scan, besides the port control and filter via UTM appliance, I do not see SAV covers that or even any Novell and RDP mapped file scanning except Windows shares and Windows mapped network drives. This was also asked in Sophos forum but no specific answer from support.
-For Email attachment scan, these files are subjected to on-access scanning as per SAV file extensions as long as within Guest OS, not certain as per via Outlook plugin though.

Some Notes -
- Only a Sophos security VM is needed on each ESXi host running the Guest VMs.
- Cannot use Sophos AV for VMware vShield to protect Guest VMs that run other AV products, as files might be scanned multiple times (due to the design of VMware vShield).
- Must power on a security VM manually whenever the ESXi host is taken out of maintenance or standby mode. Always do this before you power on the Guest VMs, so that the Guest VMs are protected immediately.
- Under (File) Extension, archive extensions are only scanned if archive scanning is enabled.


Ref - kb using Sophos AV for VMware vShield 1.0
 http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2053275

vsphere 6 drops support for introspection.

Hi Btan and Gheist,

Thanks for your time on this. I was having a problem following some of Btan's comments, but let me offer where I think we should be going now.

From Gheist's comment we can deploy Sophos Endpoint Protection on the RDS VM and AV on demand and on access protection will be provided for all RDS sessions. Now Sophos have versions of End Point Protection that also monitor web access, can I assume this is also covered in each RDS session when deployed at the VM???

Are there any extra exceptions that need/are suggested to be applied in this scenario??

For me, installing in the VM like this is fine, as Gheist points out, this is a small scale solution and even if we needed to introduce a further server if we scaled up further I'd still use this method. Are there any down sides??

Thanks guys, I appreciate your thoughts and time.

REgards

vShield v6 (or they called it NSX 6)  still has introspection - under NSX Guest Introspection that is the next gen of vShield Endpoint capabilities. You need the Guest Introspection Thin Agent component installed with VMware Tools. This feature is not installed by default, hence requires to update VMware Tools installation. This feature was known as the VMware vShield Endpoint Thin Agent prior to the ESXi 5.5 Update 2 release, which is when VMware renamed it the VMware Tools Guest Introspection plugin.

Sophos vShield only perform tasks such as file, memory and process scanning that are offloaded from Guest VM to Sophos security virtual appliance through a thin client agent (in the Guest). It is not RDS or Web specific unless Sophos confirm that. The mapped drive are in the Guest, such scan exclude the remote desktop mapped (shared) drive as compared to normal Windows mapped drive  

As a whole, Sophos security appliance only covers AV and those endpoint capability is not under Sophos security appliance. Even for Sophos Endpoint, see  (pdf) matrix showing as only a virtual machine or the standard installed inside OS. It is not a security appliance supported by Sophos. It is also not vShield Endpoint (pdf) that can manage communication between virtual machines and the secure virtual appliance, using introspection at the hypervisor layer. Sophos is vShield partners in AV scope only

The EPSEC API enables VMware anti-virus partners to integrate with vShield Endpoint by providing introspection into file activity in the hypervisor. Essential anti-virus functions are supported through this API.

However, if you have Sophos security appliance running with Guest installed with another AV engine, it is likely to face inter-operability issues it as I shared previously

Cannot use Sophos AV for VMware vShield to protect Guest VMs that run other AV products, as files might be scanned multiple times (due to the design of VMware vShield).

Endpoint filtering RDS traffic is more from firewalling perspective and for Web it is more of having Endpoint checking on access scan via file, memory and process which include the web browser. Sophos vShield appliance does not have any of a web application firewall capability to inspect web traffic per se.

...Adding on.... under VMWare portfolio, I believe the use case you need, it is more applicable and towards the use of vShield apps (pdf) that is a hypervisor-based application-aware firewall solution

Hypervisor-Level Firewall
•      Inbound/outbound connection control enforced at the virtual NIC level through hypervisor inspection, supporting multihomed virtual machines
•      Ability to enforce based on network, application port, protocol type (TCP, UDP), application type
•      Dynamic protection as virtual machines migrate
•      IP-based stateful firewall and application layer gateway for a broad range of protocols including Oracle, Sun Remote
Procedure Call (RPC), Microsoft RPC, LDAP and SMTP; ...

You can check out this quick example in a simple config of using the Apps firewalling

Hi
I have recieved the following from Sophos:

Our Web Control module is designed primarily for use on typical endpoints used by a handful of users at any given time at most. With a Terminal Server environment, given the sheer number of lookups that would potentially need to be handled, it would be much more efficient on resources to use a gateway solution such as our Web Appliance or UTM.

Our Anti-Virus product is suitable for use on Terminal Servers with multiple concurrent users and is supported. See the following KBA for optimisations of Sophos Anti-Virus for Terminal Servers: https://www.sophos.com/en-us/support/knowledgebase/28587.aspx


I have confirmation that our initial 8 users will operate fine with standard EndPoint product installed. We will investigate an alternative web access solution, possibly utilising the existing Juniper firewall or deploying a Sophos UTM, etc.

I am so sorry, Btan, I found your description and information difficult to follow. I am awarding points to Gheist as this is the route we believe is most appropriate, certainly at this point.

Thanks each for your time.

REgards
Trevor

I think it will be fair to split evenly as all advices were to the point.

I am happy to split. It is just that I could not follow sufficiently - and did not benefit from the attempt.

noted, the key is AV is to be installed within the server and not using the hypervisor. the lengthy sharing is to apprise that it has capability to scan each guest OS as well and needed the endpoint agent running within that guest OS. However, it does not do those inspection you are looking out for. I was working towards your query

Can I assume that deploying AV for a VM using vShield also then protects any RDS sessions as they run in that VM's context ???

Specifically on whether vShield works or not - it works for scanning but not apparently suited to your use case and likely more work effort but I do see I have shared my part on vShield. Thanks gheist and trevor.

As for the point, I leave it to author good discretion then.

I just juped in when author was grading...

thanks gheist for sharing

We have TS with 50 concurrent office-like users at al times in a VM with local common AV.
Yes, it halves storage throughput, but for the rest no problem at all...

Guys, This is great.
Thanks so much for your continued input it is very helpful.
I now see what btan was driving at.
As stated I'm happy to split 50:50 but have needed to enquire of the admin how to do this - I can't see how to split the points after I have already allocated to Gheist.

Regards

You can "request attention", but sice other participants did not join the motion i think it is not worth moderators time.

Ok We will leave as is unless moderator comes back to me.

REgards

Just dont give me points next time we meet on the site and all are even ;)

no worries :)

You are Gentlemen for sure. Have good weekend when it gets here
Regards