This topic tells you how to install and configure Anti-Virus Mirror for VMware Tanzu. VMware recommends that you install this tile before installing Anti-Virus for VMware Tanzu.

Overview

If you do not have an external mirror for Anti-Virus jobs to fetch database updates from, you can deploy a mirror using the Anti-Virus Mirror for Tanzu tile.

This deployed internal mirror, which uses mutual TLS (mTLS), can support both air-gapped environments and networked environments:

  • Online Network: You can deploy the internal Anti-Virus Mirror for Tanzu as a proxy. This acts as a database for the virus definitions if the online virus database experiences downtime.
  • Air-gapped Network: Because there is no access to an outside network, the internal Anti-Virus Mirror for Tanzu VM acts as the server for the virus definitions.

If you have already deployed an external mirror, you can use that instead of installing this tile, and continue to Installing and configuring Anti-Virus for VMware Tanzu.

Prerequisites

To install the Anti-Virus Mirror for Tanzu, you must have:

  • Tanzu Operations Manager operator user account with admin rights. For more information, see Platform Operators.

  • VMware Tanzu Operations Manager. For compatible versions, see the Product Snapshot.

  • At least 4 GB of RAM free for each VM that installs Anti-Virus for Tanzu. This is so that you can install the Anti-Virus for VMware Tanzu tile after deploying this mirror. Anti-Virus for Tanzu installs itself on each tile VM and runs internally. Anti-Virus for Tanzu takes at least 3 GB of RAM on each VM and on each VM in reserve. On Google Cloud Platform (GCP), the recommended minimum VM size is micro.cpu using 2 CPU and 4 GB RAM.

Why Is So Much RAM Required?

Anti-Virus uses upwards of 1.2 GB of RAM just to load the virus definitions. This does not take into account any RAM required to process the files during scanning. Anti-Virus uses upwards of 2.4 GiB of RAM for a short period each day when loading new signature definitions.

After loading, and after all scans that use the old definitions have completed, the old definitions are unloaded. This process is called concurrent reloading and enables scans to continue during the reload. As a consequence, Anti-Virus uses twice the amount of RAM for a brief period.

If your VM does not have enough RAM, the OS can stop the Anti-Virus process. If you observe issues with Anti-Virus failing or becoming unresponsive once a day, it is likely your system does not have enough RAM to run Anti-Virus. Over time you can expect the virus databases to get bigger and so the memory that Anti-Virus requires to increase.
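One way to confirm that the once-a-day failure described above is an out-of-memory kill, as an added example that is not part of the original documentation: it scans kernel log lines for OOM-killer events and checks whether one process is killed at about the same time on successive days. The log lines are constructed, ISO 8601 syslog timestamps are assumed, and `av-scanner` is a placeholder process name.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from a real host). "av-scanner" is a
# placeholder; use the process name that your own kernel log reports.
SAMPLE_LOG = """\
2024-05-01T03:02:11+00:00 vm-1 kernel: [86411.2] Out of memory: Killed process 2211 (av-scanner) total-vm:3301240kB, anon-rss:2498120kB, file-rss:0kB
2024-05-01T14:40:02+00:00 vm-1 kernel: [128282.9] Out of memory: Killed process 901 (java) total-vm:5120000kB, anon-rss:1900000kB, file-rss:0kB
2024-05-02T03:01:48+00:00 vm-1 kernel: [172788.4] Out of memory: Killed process 8840 (av-scanner) total-vm:3312004kB, anon-rss:2510332kB, file-rss:0kB
2024-05-03T03:03:05+00:00 vm-1 kernel: [259265.7] Out of memory: Killed process 15102 (av-scanner) total-vm:3320116kB, anon-rss:2519876kB, file-rss:0kB
"""

OOM_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: .*?Out of memory: Killed process \d+ "
    r"\((?P<comm>[^)]+)\).*?anon-rss:(?P<rss_kb>\d+)kB")

def parse_oom_kills(text):
    """Return (timestamp, process name, anon RSS in KiB) for each OOM kill."""
    kills = []
    for line in text.splitlines():
        m = OOM_RE.search(line)
        if m:
            kills.append((datetime.fromisoformat(m["ts"]), m["comm"], int(m["rss_kb"])))
    return kills

def daily_oom_pattern(kills, comm, tolerance=timedelta(hours=1), min_days=3):
    """True if `comm` was killed on >= min_days days, always ~N*24h apart."""
    times = sorted(ts for ts, name, _ in kills if name == comm)
    if len({ts.date() for ts in times}) < min_days:
        return False
    day = 86400
    for earlier, later in zip(times, times[1:]):
        gap = (later - earlier).total_seconds()
        whole_days = round(gap / day)
        # Each gap must be a whole number of days, give or take the tolerance.
        if whole_days < 1 or abs(gap - whole_days * day) > tolerance.total_seconds():
            return False
    return True

def peak_rss_gib(kills, comm):
    """Largest resident memory (GiB) the process held when it was killed."""
    return max((rss for _, name, rss in kills if name == comm), default=0) / 1024**2

if __name__ == "__main__":
    found = parse_oom_kills(SAMPLE_LOG)
    print("daily pattern:", daily_oom_pattern(found, "av-scanner"))
    print("peak RSS GiB: %.2f" % peak_rss_gib(found, "av-scanner"))
```

A daily pattern with a peak near the reload footprint points to the concurrent-reload window rather than to scanning load.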

Install Anti-Virus Mirror for VMware Tanzu

To install the Anti-Virus Mirror for VMware Tanzu tile:

  1. Download the product file from Broadcom Support.

    For air-gapped networks, follow your company’s offline installation protocols. For more information, see Installing Tanzu Operations Manager in air-gapped environments in the Tanzu Operations Manager documentation.

  2. Go to the Tanzu Operations Manager Installation Dashboard and select Import a Product to upload the product file.

  3. Under the Import a Product button, click + next to the version number of Anti-Virus Mirror for VMware Tanzu. This adds the tile to your staging area.

  4. Click the newly added Anti-Virus Mirror for VMware Tanzu tile.

Assign AZs and Networks

To assign availability zones (AZs) and networks:

  1. Select Assign AZs and Networks.

  2. Configure the fields as follows:

    Field: Description
    • Place singleton jobs in: Select an AZ. If you install only one Anti-Virus Mirror for Tanzu VM, this is the AZ that it is placed in.
    • Balance other jobs in: Select one or more AZs. If you install more than one Anti-Virus Mirror for Tanzu VM, these are the AZs that the VMs are placed in.
    • Network: Select a subnet for the antivirus_mirror VM. This is typically the same subnet that includes the VMware Tanzu Application Service for VMs (TAS for VMs) component VMs.

  3. Click Save.

Configure Anti-Virus Mirror for Tanzu

To configure Anti-Virus Mirror for Tanzu:

  1. Select Anti-Virus Mirror Configuration.

  2. Configure the fields as follows:

    Field: Instructions
    • Log output destination: Select the file descriptor to forward your logs through:
        • stdout: sends messages to /var/vcap/sys/log/antivirus-mirror/antivirus-mirror.stdout.log
        • stderr: sends messages to /var/vcap/sys/log/antivirus-mirror/antivirus-mirror.stderr.log
        • syslog: sends messages to /var/log/messages
    • Anti-Virus Mirror Port: Enter the port for Anti-Virus Mirror to use. The default value is 6501.

    Caution: Anti-Virus Mirror for Tanzu uses mTLS. This port must be the same port used in Anti-Virus Mirror Port of the Anti-Virus for VMware Tanzu tile. If these ports are not the same, Anti-Virus for Tanzu database updates and deployments fail.

    • Mirror for Automatic Database Updates: Select one of the following options:
        • No mirror: Select this for air-gapped environments, or to control the database versions available to your environment.
        • Official mirror: Select this to have the mirror fetch databases from the official virus database mirror.
            • Number of database checks per day (min: 1, max: 50): Enter the number of database checks that the mirror performs per day. The default value is 12.
        • Existing mirror:
            • Comma separated list of mirror host names or IPs: Enter a list of host names or IPs of mirrors.
            • Number of database checks per day (min: 1, max: 50): Enter the number of database checks the mirror performs per day. The default value is 12.

    Note: Anti-Virus Mirror for VMware Tanzu serves virus definitions to your environment for Anti-Virus for VMware Tanzu to use, but the Anti-Virus for Tanzu mirror needs to get databases itself. You can configure the Anti-Virus mirror to get virus definitions by using the supported options in the preceding section, Mirror for Automatic Database Updates.

  3. Click Save.

  4. (Optional) If you selected Official mirror or Existing mirror in the previous section, you can configure a proxy for the Anti-Virus for Tanzu mirror to retrieve the databases from. To do this:

    1. Select HTTP Proxy Configuration.

    2. Set HTTP proxy to get database updates to Enabled.

    3. Enter the host, port, username, and password in the fields that appear.

    4. Click Save.

Configure Syslog Forwarding

Follow these steps to enable system logging for Anti-Virus Mirror for VMware Tanzu.

  1. Select Syslog.

  2. Select Yes for Do you want to configure Syslog forwarding?.

  3. Configure the fields as follows:

    Field: Instructions
    • Address: Enter the address or host of the syslog server for sending logs, for example, logmanager.example.com.
    • Port: Enter the port of the syslog server for sending logs, for example, 29279.
    • Transport Protocol: Select the transport protocol used to send system logs to the server. VMware recommends using TCP.
    • Enable TLS: If you select TCP, you can also select to send logs encrypted over TLS.
    • Permitted Peer: Enter either the accepted fingerprint, in SHA1, or the name of the remote peer, for example, *.example.com.
    • SSL Certificate: Enter the SSL or TLS Certificates for the syslog server. This ensures the logs are transported securely.
    • Queue Size: Enter an integer. This value specifies the number of log entries held in the buffer. The default value is 100000.
    • Forward Debug Logs: Select this box to forward debug logs to an external source. This option is deselected by default. If you select it, you might generate a large amount of log data.
    • Custom rsyslog Configuration: Enter configuration details for rsyslog. This field requires RainerScript syntax.

  4. Click Save Syslog Settings.

Scale the Number of Deployed Mirrors

Anti-Virus jobs do load balancing for you.

VMware recommends one Anti-Virus Mirror for Tanzu VM for every 250 VMs with Anti-Virus for Tanzu installed. To scale the number of deployed mirrors:

  1. Select Resource Config.

  2. For antivirus-mirror, set INSTANCES to the number of mirrors that you want to deploy.

  3. Click Save.

Apply Changes from Your Configuration

Your Anti-Virus Mirror for Tanzu installation is not complete until you apply your configuration changes. To do this:

  1. Return to the Tanzu Operations Manager Installation Dashboard.

  2. Click Review Pending Changes.

  3. Deselect all products except BOSH Director and Anti-Virus Mirror for Tanzu and click Apply Changes.

  4. After Apply Changes is complete, if you selected No Mirror, upload a set of virus definitions to your deployed antivirus-mirrors. To do this, see Updating Virus Definitions.