Best practices when installing Anti-Virus software inside of an IntelliVM on Malware Analysis Appliance


Article ID: 168305



Malware Analysis Software - MA


You are considering installing Anti-Virus (AV) software in an IntelliVM in Malware Analysis Appliance (MAA).


Symantec recommends not installing AV solutions in iVM profiles that will be used for the majority of samples or for automatic processing (tasks created by the Content Analysis System (CA) and Symantec Data Center Security: Server Advanced SA appliances).

While it is possible to install a client anti-virus (AV) solution inside an IntelliVM (iVM), there are multiple reasons this is not recommended:

  1. Client AV interferes with the analysis process:
    • The client AV scanning engine will likely remove the sample from the analysis process, so the sample cannot be executed and no events are recorded. This can give a dangerous file a safe Riskscore.
  2. Client AV solutions must be updated frequently (daily or more often).
    • To apply updates, the iVM must be put into Customize mode, the AV must be updated, and the Profile must then be rebuilt. This process can take a substantial amount of time.
  3. The auto-update mechanisms of the AV solution inside the iVM will generate unwanted events and network traffic.

When the iVM starts, the update mechanism of the AV solution tries to contact its update servers while the analysis is running. The resulting traffic may add extra events to the analysis and generates unwanted, unnecessary network traffic on every run. This leads to many unnecessary change events that have to be acknowledged and handled.

Filtering and detection of known bad files should be done by the aforementioned appliances, not by the iVMs. This allows the MAA to focus on detecting unknown malicious files.

If you do install an AV solution in order to observe whether malware attacks that AV program, be aware that some malware will simply not execute while AV tools are running. Both the update and the on-access scanning components of the AV program need to be deactivated.

Additionally, the firewall, registry-protection and HIPS components that come with some AV suites should be disabled.
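As an added, read-only check that is not part of this article: the following PowerShell, run inside a Windows iVM while it is in Customize mode, reports AV, firewall and update components that the article says should be off before the Profile is rebuilt. It assumes a Windows client guest; the function name Get-IvmAvReadiness and the productState decoding heuristic are assumptions of this example, not Symantec's.

```powershell
# Added example (not from the article): report AV/firewall/update components that are still
# active in a Windows iVM guest. Read-only; it changes nothing, it only tells the analyst
# what still has to be switched off before the Profile is rebuilt.
function Get-IvmAvReadiness {
    $findings = @()

    # 1. AV products registered with Security Center (absent on Windows Server SKUs).
    #    productState is an undocumented bit field; a middle byte of 0x10 is the commonly
    #    used heuristic for "real-time (on-access) protection enabled" - an assumption here.
    try {
        $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
                                    -ClassName 'AntiVirusProduct' -ErrorAction Stop
        foreach ($p in $products) {
            $state = [int]$p.productState
            if ((($state -shr 8) -band 0xFF) -eq 0x10) {
                $findings += "On-access scanning appears enabled: $($p.displayName)"
            }
        }
    } catch {
        $findings += 'SecurityCenter2 namespace not available - verify third-party AV state manually'
    }

    # 2. Microsoft Defender specifics, when the Defender module is present.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus
        if ($mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is enabled' }
        if ($mp.AntivirusEnabled)          { $findings += 'Defender antivirus engine is enabled' }
    }

    # 3. Windows Firewall profiles (the article says firewall components should be off too).
    foreach ($fw in (Get-NetFirewallProfile | Where-Object { $_.Enabled })) {
        $findings += "Windows Firewall profile enabled: $($fw.Name)"
    }

    # 4. Defender scheduled tasks that would trigger signature updates / traffic during analysis.
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -ErrorAction SilentlyContinue
    foreach ($t in ($tasks | Where-Object { $_.State -ne 'Disabled' })) {
        $findings += "Defender scheduled task still active: $($t.TaskName)"
    }

    return $findings
}

$result = @(Get-IvmAvReadiness)
if ($result.Count -eq 0) { 'Profile check passed: no active AV/firewall/update components found.' }
else { $result | ForEach-Object { "WARN: $_" } }
```

Run it again after rebuilding the Profile and analysing a benign sample; any remaining WARN lines are the components the article expects to produce spurious events and network traffic.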