AV storm

An AV storm is the demand on computing resources that occurs when antivirus software simultaneously scans multiple guest virtual machines on a single physical host. In this context, the word "storm" means a bombardment or blitz. The result is degradation of service.

Many antivirus programs are still written the same way they were before virtualization: they require an application agent to reside on each guest virtual machine (VM). The application agent makes sure that antivirus software is installed on each guest and verifies that the latest antivirus definition files have been updated and applied. 

The presence of these agents, however, can slow performance, particularly when regularly scheduled activities take place on multiple guests at the same time. If you had 100 virtual machines running on the same host, for instance, you would also have 100 application agents running concurrently. This is what causes the degradation of service, affecting the performance of server applications and virtual desktops and creating an AV storm.
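One way to spot the condition described above from scan logs, shown as an added example that is not part of the original definition: it counts how many guest scans overlap on each physical host. The log format, the host and VM names, and the threshold of 10 concurrent scans are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed scan log: (host, vm, scan_start, scan_end), minutes after midnight.
# host-a: 100 guests all fire the same 02:00 scheduled scan.
# host-b: 6 guests whose scans never overlap.
SCAN_LOG = (
    [("host-a", f"vm{i:03d}", 120, 150 + i % 5) for i in range(100)]
    + [("host-b", f"vm{i:03d}", 120 + 40 * i, 150 + 40 * i) for i in range(6)]
)


def peak_concurrent_scans(log):
    """Return {host: (peak_count, minute_peak_first_reached)} via a sweep line."""
    events = defaultdict(list)
    for host, _vm, start, end in log:
        events[host].append((start, 1))   # a scan begins
        events[host].append((end, -1))    # a scan ends
    peaks = {}
    for host, evs in events.items():
        running = peak = 0
        peak_at = None
        # Tuple sort puts -1 before +1 at the same minute, so a scan that
        # ends exactly when another starts is not counted as overlapping.
        for minute, delta in sorted(evs):
            running += delta
            if running > peak:
                peak, peak_at = running, minute
        peaks[host] = (peak, peak_at)
    return peaks


def storm_hosts(log, max_concurrent):
    """Hosts whose peak overlap exceeds max_concurrent (assumed threshold)."""
    peaks = peak_concurrent_scans(log)
    return sorted(h for h, (peak, _at) in peaks.items() if peak > max_concurrent)


if __name__ == "__main__":
    for host, (peak, at) in sorted(peak_concurrent_scans(SCAN_LOG).items()):
        print(f"{host}: peak {peak} concurrent scans at {at // 60:02d}:{at % 60:02d}")
    print("AV storm candidates:", storm_hosts(SCAN_LOG, max_concurrent=10))
```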

Trend Micro has worked with VMware to prevent AV storms by replacing multiple individual agents with a single lightweight driver located within the physical host’s VMware kernel. Other antivirus vendors are also addressing the problem and are expected to follow suit.

This was last updated in August 2011
