Real time anti-virus for a virtualized environment.

摘要

Despite the pervasive use of anti-virus (AV) software, there has not been a systematic study of the characteristics of the execution of this workload. In this work we begin by presenting a characterization of four commonly used anti-virus software packages. Using the Virtutech Simics toolset, we profile the behavior of four popular anti-virus packages as run on an Intel PentiumIV platform running Microsoft Windows-XP.;In our study, we focus on the overhead introduced by the anti-virus software during on-access execution. The overhead associated with anti-virus execution can dominate overall performance. The AV-Test group has already reported that this overhead can range from 23-129% on live systems running on-access experiments [9].1 The performance impact of the anti-virus execution is clearly an important issue, and we present the first quantitative study of the characteristics of this workload. Our study includes the impact of both operating system execution and system call execution.;Prior work has quantified how much overhead is introduced by the execution of a real-time anti-virus scanner and have indicated that significant amounts of pressure is placed on not only the central processor, but the memory subsystem. Many solutions have been proposed to potentially offset or alleviate this overhead; however few have actually been implemented.;The issue of pressure on the physical system becomes more immense in a virtualization environment, where multiple virtual machines are executed on one physical machine, and each virtual machine running the windows operating system requires its own instance of an anti-virus program.;The purpose of this work is to take one step forward in addressing the growing issue of real time anti-virus execution based overhead in the context of application consolidation. The VMWare ESX architecture provides the ideal environment for a distributed real-time scanning process to be executed amongst all machines, consolidating physical memory consumption and exploiting thread-level parallelism. We implemented a prototype of such a model, and study the performance of the prototype design.;We found that as well as designing a real-time anti-virus system that has scalable performance, we can alleviate up to 78% of the overhead introduced by commercial Anti-Virus packages, and in the worst case, consolidate up to 260 MB of memory consumed by anti-virus packages.;1Comparison tests were done during 2001-02 on earlier versions of the anti-virus packages. We are using more recent versions of these packages.