This topic describes how to install and configure Anti-Virus Mirror for VMware Tanzu. VMware recommends that you install this tile before installing Anti-Virus for VMware Tanzu.


If you do not have an external mirror for Anti-Virus jobs to fetch database updates from, you can deploy a mirror using the Anti-Virus Mirror tile.

This deployed internal mirror, which uses mutual TLS (mTLS), can support both air-gapped environments and Anti-Virus Mirror networked environments:

  • Online Network: You can deploy the internal Anti-Virus Mirror as a proxy. This acts as a database for the virus definitions if the online virus database experiences downtime.
  • Air-gapped Network: Because there is no access to an outside network, the internal Anti-Virus Mirror VM acts as the server for the virus definitions.

If you have already deployed an external mirror, you can use that instead of installing this tile, and continue to Installing and Configuring Anti-Virus for VMware Tanzu.


To install the Anti-Virus Mirror, you must have:

  • A Ops Manager operator user account with admin rights. For more information, see Platform Operators.

  • Operations Manager (Ops Manager). For compatible versions, see the Product Snapshot.

  • At least 1 GB of RAM free for each VM that installs Anti-Virus. This is so that you can install the Anti-Virus for VMware Tanzu tile after deploying this mirror. Anti-Virus installs itself on each tile VM and runs internally. Anti-Virus takes at least 610 MB of RAM on each VM. On Google Cloud Platform (GCP), the recommended minimum VM size is micro.cpu using 2 CPU and 2 GB RAM.

Install Anti-Virus Mirror for VMware Tanzu

To install the Anti-Virus Mirror for VMware Tanzu tile:

  1. Download the product file from VMware Tanzu Network.

    For air-gapped networks, follow your company’s offline installation protocols. For more information, see Installing Ops Manager in Air-gapped Environments.

  2. Navigate to the Ops Manager Installation Dashboard and select Import a Product to upload the product file.

  3. Under the Import a Product button, click + next to the version number of Anti-Virus Mirror for VMware Tanzu. This adds the tile to your staging area.

  4. Click the newly added Anti-Virus Mirror for VMware Tanzu tile.

Assign AZs and Networks

To assign availability zones (AZs) and networks:

  1. Select Assign AZs and Networks. Screenshot of the Assign AZs and Networks pane.
The fields are described below.

  2. Configure the fields as follows:

    Field Description
    Place singleton jobs in Select an AZ. If you install only one Anti-Virus Mirror VM, this is the AZ that it is placed in.
    Balance other jobs in Select one or more AZs. If you install more than one Anti-Virus Mirror VM, these are the AZs that the VMs are placed in.
    Network Select a subnet for the antivirus_mirror VM.
    This is typically the same subnet that includes the VMware Tanzu Application Service for VMs (TAS for VMs) component VMs.

  3. Click Save.

Configure Anti-Virus Mirror

To configure Anti-Virus Mirror:

  1. Select Anti-Virus Mirror Configuration. Screenshot of the Anti-Virus Mirror Configuration pane.
The fields are described below.

  2. Configure the fields as follows:

    Field Instructions
    Log output destination
    Select the file descriptor to forward your logs through:
    • stdout: sends messages to /var/vcap/sys/log/antivirus-mirror/antivirus-mirror.stdout.log
    • stderr: sends messages to /var/vcap/sys/log/antivirus-mirror/antivirus-mirror.stderr.log
    • syslog: sends messages to /var/log/messages
    Anti-Virus Mirror Port
    Enter the port for Anti-Virus Mirror to use. The default value is 6501.

      <p class="note"><strong>Note: </strong> Anti-Virus Mirror uses mTLS. This port must be the same port used in <strong>Anti-Virus Mirror Port</strong> of the <strong>Anti-Virus for VMware Tanzu</strong> tile. If these ports are not the same, Anti-Virus database updates and deployments fail.

    Mirror for Automatic Database Updates
    • No mirror: Select this for air-gapped environments, or to control the database versions available to your environment.
    • Official mirror
    • Existing mirror
    Official mirror
    Select this to have the mirror fetch databases from the official virus database mirror.
    • Number of database checks per day (min: 1, max: 50) : Enter the number of database checks that the mirror performs per day. The default value is 12.
    Existing mirror
    • Comma separated list of mirror hostnames or IPs: Enter a list of hostnames or IPs of mirrors.
    • Number of database checks per day (min: 1, max: 50): Enter the number of database checks the mirror performs per day. The default value is 12.

    Note: Anti-Virus Mirror for VMware Tanzu serves virus definitions to your environment for Anti-Virus for VMware Tanzu to use, but the Anti-Virus mirror needs to get databases itself. You can configure the Anti-Virus mirror to get virus definitions using the supported options in Mirror for Automatic Database Updates above.

  3. Click Save.

  4. (Optional) If you selected Official mirror or Existing mirror in the previous section, you can configure a proxy for the Anti-Virus mirror to retrieve the databases from. To do this:

    1. Select HTTP Proxy Configuration. Screenshot of HTTP Proxy Configuration pane.
Under the HTTP proxy to get database updates heading, the Enabled button is selected.
The fields are described below.

    2. Set HTTP proxy to get database updates to Enabled.

    3. Enter the host, port, username, and password in the fields that appear.

    4. Click Save.

Configure Syslog Forwarding

Follow the steps below to enable system logging for Anti-Virus Mirror for VMware Tanzu.

  1. Select Syslog. Screenshot of the Syslog pane.
The Yes button is selected.
The fields are described below.

  2. Select Yes for Do you want to configure Syslog forwarding?.

  3. Configure the fields as follows:

    Field Instructions
    Address Enter the address or host of the syslog server for sending logs, for example,
    Port Enter the port of the syslog server for sending logs, for example, 29279.
    Transport Protocol Select the transport protocol used to send system logs to the server. VMware recommends using TCP.
    Enable TLS If you select TCP, you can also select to send logs encrypted over TLS.
    Permitted Peer Enter either the accepted fingerprint, in SHA1, or the name of the remote peer, for example, *
    SSL Certificate Enter the SSL or TLS Certificates for the syslog server. This ensures the logs are transported securely.
    Queue Size Enter an integer. This value specifies the number of log entries held in the buffer. The default value is 100000.
    Forward Debug Logs Select this box to forward debug logs to an external source. This option is deselected by default. If you select it, you might generate a large amount of log data.
    Custom rsyslog Configuration Enter configuration details for rsyslog. This field requires RainerScript syntax.

  4. Click Save Syslog Settings.

Scale the Number of Deployed Mirrors

Anti-Virus jobs do load balancing for you.

VMware recommends one Anti-Virus Mirror VM for every 250 VMs with Anti-Virus installed. To scale the number of deployed mirrors:

  1. Select Resource Config.

    An Ops Manager UI showing the Resource Config pane in the Anti-Virus Mirror tile.
The antivirus-mirror job is configured using dropdown lists for the number of instances,
VM type, and persistent disk type. The example configuration shows instances
configured to Automatic: 1, VM Type configured to Automatic: small (cpu: 1, ram: 2 GB),
and the persistent disk type configured to Automatic: 1

  2. For antivirus-mirror, set INSTANCES to the number of mirrors that you want to deploy.

  3. Click Save.

Apply Changes from Your Configuration

Your Anti-Virus Mirror installation is not complete until you apply your configuration changes. To do this:

  1. Return to the Ops Manager Installation Dashboard.

  2. Click Review Pending Changes.

  3. Unselect all products except BOSH Director and Anti-Virus Mirror and click Apply Changes.
  4. After Apply Changes is complete, if you selected No Mirror, upload a set of virus definitions to your deployed antivirus-mirrors. To do this, see Updating Virus Definitions.
check-circle-line exclamation-circle-line close-line
Scroll to top icon