This topic gives you an overview of Anti-Virus for VMware Tanzu.
Anti-Virus for VMware Tanzu might be necessary for regulatory purposes if your compliance auditor requires antivirus protection within your Tanzu Operations Manager environment.
For example, auditors sometimes expect that antivirus protection is present in an environment that must comply with standards such as the Payment Card Industry Data Security Standard (PCI DSS) or Health Insurance Portability and Accountability Act (HIPAA).
Anti-Virus for VMware Tanzu complies with the U.S. Department of Defense STIG rule SV-92701r1_rule, version UBTU-16-030900, which belongs to group SRG-OS-000480-GPOS-00227.
Product Snapshot for Anti-Virus for VMware Tanzu
The following table provides version and version-support information about Anti-Virus for VMware Tanzu.
| Element | Details |
|---|---|
| Version | 2.3.68 |
| Release date | May 13, 2024 |
| Software component version | Open Source ClamAV 1.0.3 |
| Compatible Tanzu Operations Manager versions | 3.0 and 2.10 |
| Compatible VMware Tanzu Application Service for VMs (TAS for VMs) versions | 6.0, 5.0, 4.0, 2.13 and 2.11 |
| Compatible Tanzu Kubernetes Grid Integrated Edition (TKGI) versions | 1.7 and later |
| Compatible BOSH stemcells | Ubuntu Jammy, Ubuntu Xenial and Windows (2019, 1803, and 2016) |
| IaaS support | vSphere, GCP, AWS, Azure, and OpenStack |
Product Snapshot for Anti-Virus Mirror for VMware Tanzu
The following table provides version and version-support information about Anti-Virus Mirror for VMware Tanzu.
| Element | Details |
|---|---|
| Version | 2.3.68 |
| Release date | May 13, 2024 |
| Compatible Tanzu Operations Manager versions | 3.0 and 2.10 |
| Compatible VMware Tanzu Application Service for VMs (TAS for VMs) versions | 6.0, 5.0, 4.0, 2.13 and 2.11 |
| Compatible Tanzu Kubernetes Grid Integrated Edition (TKGI) versions | 1.7 and later |
| Compatible BOSH stemcells | Ubuntu Jammy and Windows (2019, 1803, and 2016) |
| IaaS support | vSphere, GCP, AWS, Azure, and OpenStack |
Features
- Includes open source ClamAV packaged as part of the tile for installation.
- Contains a private Anti-Virus Mirror for Tanzu tile for deployment and providing VMs to the foundation.
- Anti-Virus Mirror for Tanzu serves both air-gapped and non-air-gapped environments.
- The tile authenticates and validates publicly downloaded database definition files for added security.
- Ability to scan VMs and containers for foundations with TAS for VMs and Enterprise TKGI.
- Supports scheduled scans to reduce workload during peak operation hours.
- Permits adding known signatures to an allowlist.
- Allows you to configure CPU and memory usage limits on VMs of the foundation.
Known Issues
On-access scanning on Linux may cause performance degradation. For the moment, the workaround is to enable the VM Resurrector Plugin in the BOSH tile. See troubleshooting for more details.
Anti-Virus for Tanzu Architecture
How Virus Definitions Propagate to VMs
Virus definitions on the internal Anti-Virus Mirror for Tanzu update automatically or manually depending on whether your Tanzu Operations Manager is on an online or air-gapped network, as described in Updating Virus Definitions on an Anti-Virus Mirror for Tanzu. The automatic and manual processes store new virus definitions to the Anti-Virus Mirror for Tanzu VM’s database of unverified viruses as follows:
- Automatic update: The
freshclamdaemon process on the Anti-Virus Mirror for Tanzu VM downloads the virus definitions and stores them in the internal mirror VM’s unverified database. - Manual update: The operator runs
bosh scpto directly copy the virus definitions to the internal mirror’s database of unverified viruses.
From the unverified internal mirror database, virus definitions then propagate to BOSH VMs as follows:
-
The database verifier process on the Anti-Virus Mirror for Tanzu verifies the date, format, and integrity of the new virus definitions.
- To verify integrity, the verifier checks bytecode signatures against signatures in the external ClamAV database, using the external database public key.
- If verification fails or if the virus definitions are not new, the mirror VM generates an error. See Virus Database Update Issues.
-
The internal Anti-Virus Mirror for Tanzu VM saves verified virus definitions to its verified database and serves them to the
freshclamprocesses of BOSH VMs. -
On each BOSH-managed VM:
-
The
go-clam-tlsdaemon process regularly queries the internal Anti-Virus Mirror for Tanzu for new virus definitions.- You can configure the query frequency in the Anti-Virus for VMware Tanzu tile > ClamAV Configuration > Number of database checks per day field.
-
When
go-clam-tlsretrieves new definitions, it:- Notifies the
clamddaemon process that there are new definitions, and - Saves the virus definitions in the BOSH VM’s own virus database.
- Notifies the
-
The
clamdprocess loads the new virus definitions into active memory to enable fast scanning by theclamscanprocess.
-
The following diagrams illustrates how new virus definitions propagate from an external ClamAV database to Tanzu Operations Manager managed BOSH VMs, in online and air-gapped installations.
Online Network Diagram
This diagram illustrates how virus definitions propagate to BOSH VMs with Anti-Virus Mirror for Tanzu using mutual TLS (mTLS):
Air-Gapped Network Diagram
This diagram illustrates how virus definitions propagate to BOSH VMs with Anti-Virus Mirror for Tanzu using mTLS:
