Antivirus Scanning in a VMware View Virtual Desktop Environment That Includes ThinApp Virtualized Applications
By Tina de Benedictis, Technical Marketing Manager, Enterprise Desktop
When you have ThinApp virtualized applications installed in a VMware View virtual desktop environment, what do you need to do to set up antivirus protection?
You may think that ThinApp virtualized applications protect the desktop from viruses and other malware during application use because of the “virtual bubble” created for user activity. Yes, the ThinApp “virtual bubble” can offer a layer of protection against runtime modifications to files and registry keys. But running ThinApp virtualized applications is similar to running native applications on the desktop: you need to protect the desktop.
Configuring the ThinApp package to be fully isolated from the host desktop would give you a better chance of protecting the desktop against malware. However, fully isolating a ThinApp package from the host desktop would mean that the package could not even read system files. In general, you configure a ThinApp isolation mode that allows at least some reading of files from the host desktop, and often you allow some writing to the desktop, such as to the My Documents and Desktop folders.
When you set up the isolation mode for a ThinApp package, you are specifying the permissions to read from and write to the host desktop. All writes that cannot go to the host system instead go to the ThinApp application sandbox. The sandbox is a folder on the local desktop system or on a file share. It is as open to malware as any other folder, so you need to scan the sandbox as well.
You generally choose a ThinApp isolation mode setting where host system files are protected from writes. But non-system files can be written to, so you need to scan the host desktop system. Even nonpersistent View desktops need scanning so that files do not become corrupted during a View session.
For details on isolation modes, see Configuring Isolation Modes for the File System and Registry in ThinApp (Video Included).
Here is a summary of recommendations regarding ThinApp packages from a recently updated white paper on antivirus protection in a VMware View environment (Antivirus Practices with VMware View 5).
- Desktop where the ThinApp package is running: Run scheduled, on-demand virus scans of the View desktop, including during a user session. This includes scans of nonpersistent View desktops.
- ThinApp packages: When you create ThinApp packages, be sure to use a clean capture machine. Do not install a virus scanner or firewall on the capture machine.
  Before you build the ThinApp package (the build machine does not have to be the same as the capture machine), run a virus scan against the ThinApp application project directory.
- ThinApp Repository: Scan the View ThinApp Repository (Windows application share) periodically for viruses and malware. Use on-demand scanning during periods of low usage. If you are required to use on-access scanning, create separate primary data containers for ThinApp packages that are larger than a couple of megabytes. For details, see the white paper.
- Packages destined for the ThinApp Repository: Scan ThinApp packages before you place them in the ThinApp Repository.
- Package vulnerabilities: Consider using the eEye Retina vulnerability management tool to check your ThinApp packages.
- ThinApp application sandbox: Scan the ThinApp application sandbox, whether or not you delete it upon logout. The sandbox is a standard, readable folder in Windows. Exclude the sandbox from on-access scanning, and use on-demand scanning during periods of low usage. If a virus is detected in the sandbox, clean or delete the sandbox. A new sandbox is generated on the next application use.
- Sandbox within Persona Management: If you use View Persona Management with nonpersistent View desktops and do not want to retain the ThinApp application sandbox, exclude the sandbox from roaming.
- External drives: Because ThinApp package users can write to network drives and removable disks, regardless of the ThinApp isolation mode setting, scan these external drives with your virus checker, or guard against writes to these drives by setting Package.ini parameters.
For more detail on the above recommendations, see the longer white paper: Antivirus Practices with VMware View 5.
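The following is an added example, not code from the original post or from VMware: a Python check that reads a package's Package.ini and reports which external locations still receive writes directly, and so belong in the scan plan described in the list above. The sample file is constructed; SandboxNetworkDrives, SandboxRemovableDisk, DirectoryIsolationMode and RemoveSandboxOnExit are ThinApp [BuildOptions] parameters that the post itself does not name, and treating an absent key as 0 is an assumption.

```python
import configparser

# Constructed sample Package.ini (not from the post). The parameter names are
# ThinApp [BuildOptions] settings; the values here are illustrative.
SAMPLE_PACKAGE_INI = r"""
[BuildOptions]
; isolation mode chosen at capture time
DirectoryIsolationMode=WriteCopy
SandboxName=ExampleApp
SandboxNetworkDrives=1
RemoveSandboxOnExit=0

[ExampleApp.exe]
Source=%ProgramFilesDir%\ExampleApp\ExampleApp.exe
"""

# Parameter -> the external location that receives writes directly when the
# parameter is not set to 1 (assumption: an absent key behaves like 0).
REDIRECTS = {
    "SandboxNetworkDrives": "network drives",
    "SandboxRemovableDisk": "removable disks",
}

def audit_package_ini(text):
    """Return scan-planning facts derived from one Package.ini."""
    # interpolation=None: values such as %ProgramFilesDir% are plain text here.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    opts = cp["BuildOptions"] if cp.has_section("BuildOptions") else {}
    # Locations the package can still write to outside the sandbox.
    external = [where for key, where in REDIRECTS.items()
                if opts.get(key, "0").strip() != "1"]
    mode = opts.get("DirectoryIsolationMode", "unspecified").strip()
    return {
        "isolation_mode": mode,
        "host_dirs_writable": mode.lower() == "merged",
        "scan_external": external,
        # The sandbox is scanned either way; this only says whether it
        # survives application exit and so accumulates files between scans.
        "sandbox_persists": opts.get("RemoveSandboxOnExit", "0").strip() != "1",
    }

if __name__ == "__main__":
    for item, value in audit_package_ini(SAMPLE_PACKAGE_INI).items():
        print(f"{item}: {value}")
```

Run it against each Package.ini in the project directory before the build; per-directory isolation overrides inside the project are not read by this check.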