Wednesday 4 December 2013

Replacing McAfee VSE with MOVE MP AV


MOVE - McAfee Management for Optimized Virtual Environments
MP - Multi-Platform AV (requires McAfee agents on VMs)
AL - Agentless AV (no software required on VMs)
OSS - Offload Scan Server - provides offloaded scanning support for VMs
SVA - Security Virtual Appliance - delivered as an Open Virtualization Format package
VSE - VirusScan Enterprise 
HIPS - Host Intrusion Prevention

The difference between MOVE MP and AL:

• According to McAfee, there is no difference in performance
• MP supports ePO policies per VM or OU through McAfee agents; AL has only 1 policy per hypervisor
• MP is easier to install, configure and manage than AL
• AL requires dedicated networks/links between the SVA and target VMs
• On-screen pop-up notifications on client VMs are available with MP only
• AL can be deployed on VMware hypervisors only
• AL requires 1 SVA per ESX host, while MP requires 1 or 2 OSS’s per cluster
• AL is slightly lighter; removing the McAfee agents from VMs may be beneficial in order to achieve higher VM density

As the access protection and buffer-overflow protection features are not included in MOVE AV, McAfee recommends deploying HIPS as an additional layer in order to get close to the security level offered by VSE. HIPS can be configured for minimal interference so that it does not badly affect VM performance.

OSS VM(s) should not be hosted together with other resource-hungry VMs, so that they don’t compete for resources with important production systems. Each ESX cluster should have its own OSS server(s). It’s recommended to have 2 OSS servers per cluster. If there is more than 1 OSS per cluster, they should be hosted on separate hypervisors.

I could not get official advice or find any info on whether VSE would perform better in certain scenarios, e.g. on file servers, as it could take some time for a big file to be transferred from a host VM to the OSS for scanning. Lots of such files accessed simultaneously could negatively affect all VMs on the cluster. There is no info on how MOVE compares to VSE performance-wise.

MOVE uses file caching to boost performance, and it’s available for both on-demand and on-access (real-time) scanning. The size of the cache and the time to keep cached items are configurable.

Officially, an OSS can manage/scan up to 450 hosts, but in reality probably between 100 and 250, depending on how busy these VMs are. The current load of an OSS can be determined by monitoring the OSS server statistics, e.g. the values of Avg request process time and Avg request wait time (C:\Program Files (x86)\McAfee\MOVE AV Server>mvadm stats).

VMware on vShield:

vShield Endpoint improves performance by offloading virus-scanning activities from each virtual machine to a secure virtual appliance that has a virus-scanning engine, as well as the stored antivirus signatures. For antivirus and anti-malware functions, this architecture eliminates the software agent footprint in guest virtual machines, frees up system resources, improves performance and eliminates the risk of antivirus “storms” (overloaded resources during scheduled scans and signature updates). Because the secure virtual appliance, unlike a guest virtual machine, doesn’t go offline, it can continuously update antivirus signatures, giving uninterrupted protection to the virtual machines on the host. Also, new virtual machines (or existing virtual machines that went offline) are immediately protected with the most current antivirus signatures when they come online.

General guidelines (from the MOVE deployment guide):

The number of clients that can connect to a single Offload Scan Server depends on these factors:

• Server hardware
• Network availability
• Workload per client

The optimal configuration is different in every environment. The primary criterion for determining the optimal number of clients a single Offload Scan Server can support is the number of concurrent client scan requests. Performance degrades when it receives more concurrent scan requests than it is configured to handle.

The Offload Scan Server can handle a maximum of 3,000 concurrent active scan connections:

• Heartbeats
• Scan requests
• Server‑side cache requests

If the server has reached its maximum of 3,000 active connections, any new connection is accepted, but queued for handling until one of the 3,000 active connections completes. Each client has a maximum of six active connections to an Offload Scan Server (one connection for a heartbeat and five for scan and cache check requests), limiting the Offload Scan Server to effectively handle a maximum of 500 clients before the connections start to queue. You can increase the number of clients connected to a single Offload Scan Server if the number of concurrent scan requests does not exceed the configured Concurrent Scans value. If this value is exceeded, server performance begins to rapidly decline.
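The connection budget described above can be modelled to check a planned client count against both limits. This is an added example, not McAfee code or part of the deployment guide: the function names and the sample fleet are constructed, and the Concurrent Scans value of 150 is a made-up setting.

```python
from dataclasses import dataclass

MAX_ACTIVE = 3000      # active connections per OSS (figure quoted above)
HEARTBEAT = 1          # heartbeat connections per client
MAX_SCAN_CACHE = 5     # scan + cache-check connections per client


@dataclass
class OssLoad:
    active: int            # connections being serviced now
    queued: int            # accepted, waiting for a free slot
    scan_requests: int     # concurrent scan requests across all clients
    scans_over_limit: int  # scan requests above the Concurrent Scans value


def oss_load(clients, concurrent_scans):
    """clients: iterable of (scan_requests, cache_checks) per connected client.
    concurrent_scans: the Concurrent Scans value configured on this OSS."""
    total = scans = 0
    for scan, cache in clients:
        if scan < 0 or cache < 0 or scan + cache > MAX_SCAN_CACHE:
            raise ValueError(f"client exceeds {MAX_SCAN_CACHE} scan/cache connections")
        total += HEARTBEAT + scan + cache
        scans += scan
    active = min(total, MAX_ACTIVE)
    return OssLoad(active, total - active, scans, max(0, scans - concurrent_scans))


def max_clients_without_queueing(peak_conns_per_client):
    """Largest client count that fits in the active-connection budget when every
    client holds its heartbeat plus peak_conns_per_client scan/cache connections."""
    if not 0 <= peak_conns_per_client <= MAX_SCAN_CACHE:
        raise ValueError("peak must be between 0 and 5")
    return MAX_ACTIVE // (HEARTBEAT + peak_conns_per_client)


if __name__ == "__main__":
    # Constructed scenario: 450 clients, 50 of them in the middle of a scan
    # burst (4 scans + 1 cache check), the rest idle apart from heartbeats.
    fleet = [(4, 1)] * 50 + [(0, 0)] * 400
    print(oss_load(fleet, concurrent_scans=150))   # 150 is a made-up setting
    for peak in (5, 2, 1):
        print(peak, max_clients_without_queueing(peak))
```

In the constructed scenario the connection budget is nowhere near exhausted, yet the scan requests already exceed the assumed Concurrent Scans value, which is the limit the guide identifies as the one that degrades performance.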


Getting info on MOVE clients and servers:





MOVE client and server policies:



Deploying MOVE clients:


More info:
McAfee in the Data Center - Optimized Security for Virtualization
McAfee MOVE Antivirus joins the vShield Endpoint Family
MOVE Antivirus 2.6 Known Issues
Release Notes - McAfee MOVE AntiVirus 2.6.0 Patch 1
Supported environments for MOVE on Microsoft Windows
To HIPS or not
What are the McAfee MOVE 2.x products?
What is vShield Endpoint?
