This topic is an overview of Anti-Virus for VMware Tanzu.
Anti-Virus for VMware Tanzu might be necessary for regulatory purposes if your compliance auditor requires antivirus protection within your Ops Manager environment.
For example, auditors sometimes expect that antivirus protection is present in an environment that must comply with standards such as the Payment Card Industry Data Security Standard (PCI DSS) or Health Insurance Portability and Accountability Act (HIPAA).
Anti-Virus for VMware Tanzu complies with the U.S. Department of Defense STIG rule SV-92701r1_rule, version UBTU-16-030900, which belongs to group SRG-OS-000480-GPOS-00227.
The following table provides version and version-support information about Anti-Virus for VMware Tanzu.
| Element | Details |
|---|---|
| Version | 2.3.27 |
| Release date | January 26, 2023 |
| Software component version | Open Source ClamAV 0.103.5 |
| Compatible Ops Manager versions | 3.0, 2.10, 2.9, 2.8, and 2.7 |
| Compatible VMware Tanzu Application Service for VMs (TAS for VMs) versions | 3.0, 2.13, 2.12, 2.11, 2.10, 2.9, 2.8, and 2.7 |
| Compatible Tanzu Kubernetes Grid Integrated Edition (TKGI) versions | 1.7 and later |
| Compatible BOSH stemcells | Ubuntu Xenial and Windows (2019, 1803, and 2016) |
| IaaS support | vSphere, GCP, AWS, Azure, and OpenStack |
The following table provides version and version-support information about Anti-Virus Mirror for VMware Tanzu.
| Element | Details |
|---|---|
| Version | 2.3.27 |
| Release date | January 26, 2023 |
| Compatible Ops Manager versions | 3.0, 2.10, 2.9, 2.8, and 2.7 |
| Compatible VMware Tanzu Application Service for VMs (TAS for VMs) versions | 3.0, 2.13, 2.12, 2.11, 2.10, 2.9, 2.8, and 2.7 |
| Compatible Tanzu Kubernetes Grid Integrated Edition (TKGI) versions | 1.7 and later |
| Compatible BOSH stemcells | Ubuntu Xenial and Windows (2019, 1803, and 2016) |
| IaaS support | vSphere, GCP, AWS, Azure, and OpenStack |
Virus definitions on the internal Anti-Virus Mirror update automatically or manually depending on whether your Ops Manager is on an online or air-gapped network, as described in Updating Virus Definitions on an Anti-Virus Mirror. The automatic and manual processes store new virus definitions to the Anti-Virus Mirror VM’s database of unverified viruses as follows:
freshclam daemon process on the Anti-Virus Mirror VM downloads the virus definitions and stores them in the internal mirror VM’s unverified database.bosh scp to directly copy the virus definitions to the internal mirror’s database of unverified viruses.From the unverified internal mirror database, virus definitions then propagate to BOSH VMs as follows:
The database verifier process on the Anti-Virus Mirror verifies the date, format, and integrity of the new virus definitions.
The internal Anti-Virus Mirror VM saves verified virus definitions to its verified database and serves them to the freshclam processes of BOSH VMs.
On each BOSH-managed VM:
The go-clam-tls daemon process regularly queries the internal Anti-Virus Mirror for new virus definitions.
When go-clam-tls retrieves new definitions, it:
clamd daemon process that there are new definitions, andThe clamd process loads the new virus definitions into active memory to enable fast scanning by the clamscan process.
The diagrams below illustrate how new virus definitions propagate from an external ClamAV database to Ops Manager managed BOSH VMs, in online and air-gapped installations.
This diagram illustrates how virus definitions propagate to BOSH VMs with Anti-Virus Mirror using mutual TLS (mTLS):
This diagram illustrates how virus definitions propagate to BOSH VMs with Anti-Virus Mirror using mTLS:
