Deployment of 3rd Party Agents and Anti-virus software on the ESXi Hypervisor
Article ID: 330057

Products

VMware vSphere ESXi

Issue/Introduction

This article describes the use of 3rd Party Agents and Anti-virus software on the ESXi Hypervisor.


Environment

VMware vSphere ESXi

Resolution

The VMware Hypervisor, ESXi, uses a range of integrated, “always on” security features alongside configurable options to ensure security and trustworthiness while also ensuring performance and availability.  Because of its role and fundamental position in the SDDC stack, additional approaches to security are necessary, as compared to protecting workloads themselves.  Where configurable, these approaches are outlined in the vSphere Security Configuration & Hardening Guides, including fundamental practices like:

  • Using Secure Boot to ensure only software signed by VMware and authorized partners can be loaded by ESXi.
  • Using ‘execInstalledOnly’ to prevent execution of binaries from unknown sources.
  • Using Lockdown Mode to limit access to ESXi to vCenter Server authenticated users.
  • Keeping up to date with patch releases. VMware announces updates as part of its security advisory process, and necessary patches are also placed on the secure Broadcom Downloads
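As an added example (not part of the Broadcom article), the script below audits two of the controls listed above, Secure Boot enforcement and execInstalledOnly, from the output of `esxcli system settings encryption get`; the label text it parses ("Require Secure Boot", "Require Executables Only From Installed VIBs") is assumed to match what ESXi prints, and the sample outputs are constructed so the parser can be exercised off a host.

```shell
#!/bin/sh
# Added example, not from the Broadcom KB: audit Secure Boot enforcement and
# execInstalledOnly from "esxcli system settings encryption get" output.
# The parser takes the text as an argument so it can be run on a constructed
# sample where esxcli is not available.

# Value of one "Label: value" line in esxcli "get" output, lowercased.
setting_value() {           # $1 = esxcli output, $2 = label
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | tr 'A-Z' 'a-z'
}

# Print one line per control: "<control> PASS|FAIL (<value>)".
# Returns 0 only when both controls are enforced.
audit_encryption_settings() {  # $1 = esxcli output
  rc=0
  for control in "Require Secure Boot" "Require Executables Only From Installed VIBs"; do
    value=$(setting_value "$1" "$control")
    if [ "$value" = "true" ]; then
      printf '%s PASS (%s)\n' "$control" "$value"
    else
      printf '%s FAIL (%s)\n' "$control" "${value:-missing}"
      rc=1
    fi
  done
  return $rc
}

# Constructed samples in the layout esxcli prints; not captured from a real host.
SAMPLE_UNHARDENED='   Mode: NONE
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'

SAMPLE_HARDENED='   Mode: TPM
   Require Executables Only From Installed VIBs: true
   Require Secure Boot: true'

# On an ESXi host use the live output; elsewhere fall back to the sample.
if command -v esxcli >/dev/null 2>&1; then
  OUT=$(esxcli system settings encryption get)
else
  OUT=$SAMPLE_UNHARDENED
fi
audit_encryption_settings "$OUT" || echo "one or more controls are not enforced"
```

A host that fails either check is one on which unsigned or non-VIB binaries can still be executed, which is the exposure the two controls above are meant to close.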

The ESXi hypervisor is a specialized, purpose-built solution, similar to a network router’s firmware.  While this approach has several advantages, it also means ESXi cannot run “off-the-shelf” software designed for general-purpose operating systems, including security tools, because the ESXi runtime environment differs from those operating systems.

Security vendors typically support ESXi through agentless monitoring and anti-malware tools that use remote access over SSH.  Customers should weigh the exposure of enabling SSH access against the benefit of the monitoring such tools provide.  SSH access is not required for day-to-day vSphere operations.

The use of Endpoint Detection and Response (EDR) and other security practices inside third-party guest operating systems is supported and recommended.

The evolution of security in VMware products is an ongoing process that can be seen in every product release.  This process has and will continue to include further integration with third-party security tools, including EDR.

Additional Information

  • May 15, 2023: Note added about pending updates.
  • June 5, 2023: Revision to improve clarity on VMware's EDR and system hardening stance.