Is antimalware needed on Vmware ESXi hypervisor?
Crowdstrike vs Vmware debate
In its recent blog, CrowdStrike outlines the long history of Ransomware-as-a-Service operators targeting VMware ESXi infrastructure, subtly arguing that it is time for a security or antimalware agent to be deployed at the hypervisor level.
The attractiveness of VMware to attackers is obvious: tens or hundreds of servers run on a typical VMware infrastructure, and its market share in the SEE region is probably close to 90%. You can hardly find a customer not using at least one ESXi or vCenter server.
VMware has long insisted that "Antivirus software is not required with the vSphere Hypervisor and the use of such software is not supported" - see here. Yet in its response to CrowdStrike, VMware this time notes that this advice "[...] is outdated and should be considered deprecated". Apparently, they plan to publish new guidance in the near future.
It remains to be seen what VMware's position on third-party antimalware will be. In the meantime, it is worth noting how frequently ESXi and vCenter servers have offered opportunities for unauthenticated exploitation without user interaction (for the technically minded: CVSS vectors with PR:N/UI:N).
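As an added example (not part of the original post), a small Python triage that parses CVSS v3.x vector strings and flags the PR:N/UI:N pattern the text refers to, so a defender can sort an advisory list by "unauthenticated, no user interaction" exposure; the identifiers and vectors are constructed placeholders, not the advisories of the timeline.

```python
"""Triage CVSS v3.x vector strings for the PR:N/UI:N (unauthenticated, no
user interaction) pattern. Added example with constructed sample data."""
import re

# Shape of a CVSS v3.0/3.1 vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
# Metric keys are 1-3 uppercase letters (e.g. MAV for environmental metrics).
_VECTOR_RE = re.compile(r"^CVSS:3\.[01]/(?:[A-Z]{1,3}:[A-Z]/)*[A-Z]{1,3}:[A-Z]$")
_BASE_METRICS = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"}


def parse_cvss_v3(vector: str) -> dict:
    """Return the metrics of a CVSS v3.x vector as a dict; ValueError if malformed."""
    if not _VECTOR_RE.match(vector):
        raise ValueError(f"not a CVSS v3.x vector: {vector!r}")
    metrics = {}
    for part in vector.split("/")[1:]:          # skip the "CVSS:3.x" prefix
        key, value = part.split(":")
        if key in metrics:
            raise ValueError(f"duplicate metric {key} in {vector!r}")
        metrics[key] = value
    missing = _BASE_METRICS - metrics.keys()
    if missing:
        raise ValueError(f"missing base metrics {sorted(missing)} in {vector!r}")
    return metrics


def is_unauth_no_interaction(vector: str) -> bool:
    """True when no privileges (PR:N) and no user interaction (UI:N) are required."""
    m = parse_cvss_v3(vector)
    return m["PR"] == "N" and m["UI"] == "N"


def is_remote_unauth_no_interaction(vector: str) -> bool:
    """Stricter variant: additionally requires AV:N, i.e. reachable over the network."""
    m = parse_cvss_v3(vector)
    return m["AV"] == "N" and m["PR"] == "N" and m["UI"] == "N"


def triage(entries: dict) -> list:
    """Return the ids whose vector matches PR:N/UI:N, in input order."""
    return [cve_id for cve_id, vec in entries.items() if is_unauth_no_interaction(vec)]


# Constructed sample: placeholder ids and vectors, not real advisories.
SAMPLE = {
    "EXAMPLE-1": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",  # network, PR:N, UI:N
    "EXAMPLE-2": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",  # needs high privileges
    "EXAMPLE-3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",  # needs user interaction
    "EXAMPLE-4": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",  # adjacent net, PR:N, UI:N
}

if __name__ == "__main__":
    for cve_id in triage(SAMPLE):
        print(cve_id, SAMPLE[cve_id])
```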
See recent timeline below: