Why Your System Images Don’t Need Anti-Malware Software Included

Why Your System Images Don’t Need Anti-Malware Software Included

Building standardised operating system images makes it faster to deploy new desktops and new virtual machines. However, while it makes sense to bundle in software that will be used with those images, there’s one big exception: anti-malware and security software.

The reason, as MVP Mikael Nystrom explained in a presentation at last week’s Microsoft Management Summit (MMS), is that it ultimately won’t save you any work:

I wouldn’t put any anti-virus in my reference image It’s old the same minute I install it. It needs to be updated, and the update process normally takes more time than actually installing it. Therefore I don’t gain any time, so it’s pointless.

That same logic can apply in other areas. “I wouldn’t normally put Acrobat Reader in it either,” Nystrom said. “There’s nothing wrong with Acrobat Reader, but they update it very frequently. I wouldn’t put Java on for the same reason.”

Leaving out security software also accords with the general principle that a slimmer image is better. “We fight really hard to keep a thin image,” said MVP Johan Arwidmark during the same presentation. “It will give you the most flexibility. The more stuff you pack in a WIN file, the less flexible it will be when you actually deploy it and the more likely you are to have to update it.”


  • I guess it all depends on if you’ve got the infrastructure in place for automated application deployment vs. automated updates. A lot of smaller companies might not have GPOs in place for application deployment, but they might have a central AV server, same for Adobe updates, if you’ve got automatic updates set up for Reader and Flash is might be easier to just allow the update after the image has been applied than having to manually install additional up-to-date software.

    • If you have to worry about a Reader exploit, then I’d be more worried about your enterprise security.
      Every medium-to-large software package on the planet has security holes, but for what it’s designed to do, Adobe Reader performs reasonably well. It’s not the fastest, or the most feature-packed, but it’s a familiar, recognised standard throughout most industries.
      I have very major problems with someone who makes sweeping condemnations, but we’re all guilty from time to time.

Show more comments

Log in to comment on this story!