Sorry if I am asking a dumb question.
Generally we use a physical server and create multiple virtual machines on it (I am addressing the simplest scenario). The operating systems and the configurations of each virtual machine may be different. But the actual "owner" of all the resources is the base physical machine. As an example, every VM uses the same physical memory attached to the physical server, and they just create their virtual disks on the physical server's hard disk.
Now my question is: why can't we implement an antivirus mechanism that runs only on the physical server? If so, we wouldn't need separate antivirus programs for each and every VM. (The physical machine has access to the memory and disk space that the VMs are using.)
The main problem is that the host OS does not necessarily understand the internals of the guest OSes, i.e. it does not know what processes are running in the guest OS or even the filesystem layout. Usually, the host OS sees the virtual machines just as a black box using a certain amount of memory, a disk image/partition and some CPU cycles.
But to implement an effective anti-virus program, you need access to process details and file information (and that information is only available inside the virtual machine).
Bit late to this particular party, but VMware's vShield Endpoint product, when combined with specific third-party virtual appliances (such as Sophos Endpoint), allows a single central VM to handle all antivirus operations for an entire VM farm.
Antivirus programs operate at the file level, that is, on every filesystem access (open, read, write, etc.) they intercept the request and filter it according to their various rules. For example, checking the contents of the file for viral signatures if it's an executable.
Virtual machine hosts operate at the CPU level, that is, they intercept their guest OSes when the OS does something very low level that needs to be emulated to preserve the state of the VM. The host VM software is oblivious to the actual operation of the guest OS and operates simply to continue the illusion that the guest OS is running on real hardware (this isn't strictly true; various tools exist to allow the guest OS access to the host OS, VMware Tools drivers for example).
The only way for this to work would be a driver loaded in the guest OS that delegated control on each access to the host VM and from there to a user-space AV program running on the host. The result of those operations would have to be propagated back into the guest OS to be applied by its OS, to avoid corruption from the guest and the host modifying the disk structures concurrently.
So, at the end of the day you would have one copy of your AV software running external to the guest OS, but having to communicate with all of them (in a very complicated manner) to achieve what a traditional AV solution would do.
We haven't even touched on dealing with running multiple heterogeneous OSes on the same host VM, upgrades to this shared AV service, VM migration between physical hosts, etc.
I doubt that the solution above would prove to be as performant as a traditional AV service running inside the guest OS. What was your motivation for asking this question?
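The "black box" point made in the earlier answer (the host sees the guest's disk as an opaque blob with no file names or process context) and the file-level versus CPU-level distinction drawn in the answer above can both be seen in a small experiment. The following is an added example, not code from the thread or from any AV or hypervisor vendor: it scans a constructed guest disk image from the host side for a byte signature. The image layout, the 512-byte "block" size and the marker string are all constructed for illustration (the marker is a made-up test string, not a real malware signature). A contiguous file is found, but only as a byte offset; a file whose contents are fragmented across non-adjacent blocks is missed entirely, because reassembling it requires the filesystem metadata that only the guest understands.

```python
"""Signature scan of a guest disk image from the host side.

Added example, not code from the original thread or from any vendor: it
models the host's view of a guest disk as an opaque byte blob. The image
layout, block size and marker string are all constructed for illustration;
the marker is a made-up test string, not a real malware signature.
"""
import io
from typing import BinaryIO, List, Tuple

BLOCK = 512                                  # constructed "sector" size
MARKER = b"TOY-SIGNATURE-NOT-REAL-MALWARE"   # constructed test signature

# Constructed extent list for the fragmented file: (block number, bytes used).
# A real filesystem keeps this in its metadata; the host does not know it.
FRAGMENTED_EXTENTS: List[Tuple[int, int]] = [(3, 23), (6, 23)]


def build_image() -> bytes:
    """Lay out an 8-block toy image with two 'files' containing MARKER:
    one stored contiguously in block 1, one split across blocks 3 and 6
    (with unrelated blocks in between), as a fragmented file would be."""
    blocks = [bytes(BLOCK) for _ in range(8)]
    blocks[1] = (b"notes.txt: " + MARKER).ljust(BLOCK, b"\0")
    half = len(MARKER) // 2
    blocks[3] = (b"chunk-A:" + MARKER[:half]).ljust(BLOCK, b"\0")
    blocks[6] = (MARKER[half:] + b":chunk-B").ljust(BLOCK, b"\0")
    return b"".join(blocks)


def scan_image(image: bytes, sig: bytes) -> List[int]:
    """Return every byte offset at which sig occurs in the whole image.
    All the host can report is an offset: which guest file or process the
    bytes belong to is unknown without parsing the guest's filesystem."""
    hits, start = [], 0
    while (idx := image.find(sig, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def scan_stream(fobj: BinaryIO, sig: bytes, chunk: int = 4096) -> List[int]:
    """Same scan without loading the image into memory: read fixed-size
    chunks and carry the last len(sig)-1 bytes forward so a signature that
    straddles a chunk boundary is still found, and found exactly once."""
    hits: List[int] = []
    overlap = len(sig) - 1
    carry = b""
    base = 0                 # absolute image offset of carry[0]
    while data := fobj.read(chunk):
        buf = carry + data
        idx = buf.find(sig)
        while idx != -1:
            hits.append(base + idx)
            idx = buf.find(sig, idx + 1)
        carry = buf[-overlap:] if overlap else b""
        base += len(buf) - len(carry)
    return hits


def scan_bytes(image: bytes, sig: bytes, chunk: int = 4096) -> List[int]:
    """Convenience wrapper: stream-scan an in-memory image."""
    return scan_stream(io.BytesIO(image), sig, chunk)


def reassemble(image: bytes, extents: List[Tuple[int, int]]) -> bytes:
    """Rebuild a file from its extents. This is the step only a
    filesystem-aware scanner (in practice, one inside the guest) can do."""
    return b"".join(image[b * BLOCK:b * BLOCK + n] for b, n in extents)


if __name__ == "__main__":
    img = build_image()
    # chunk=530 makes the contiguous copy straddle a chunk boundary
    print("raw scan hits (offsets only):", scan_bytes(img, MARKER, chunk=530))   # [523]
    print("fragmented file, scanned as a file:",
          scan_image(reassemble(img, FRAGMENTED_EXTENTS), MARKER))              # [8]
```

Run it and the raw scan reports a single hit at offset 523 with no file name attached, while the second copy of the marker is only visible once the extents are stitched back together. Real disk images add partition tables, filesystem structures, compression and encryption on top of this, so a host-side scanner either re-implements the guest's filesystem parsing or, as the answer above says, relies on an agent inside the guest.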
You didn't mention which VM tech vendor you were using, but this is something that has come up as a product request on the VMware side and I believe it is set to be architected into the next version of their "bare-metal" product, vSphere.
http://www.vmware.com/technology/security/vmsafe.html
That's their main product page for this technology. You can look at the little flashy demo for a bit more of a high-level view of how it would work, but as you suggested, the hypervisor layer could allow a VMsafe 'appliance' (just another VM in the data center) to monitor all the virtual hardware components (network, CPU, RAM, disk) for evidence of malware and snuff it out before it becomes a problem.
Pretty cool, but only if you're running VMware, and well, the product isn't fully released yet anyway!
Good thoughts.
Not sure if this is a theoretical or a practical question...
Theoretically it is possible, although there are no antivirus vendors that offer this functionality. Practically, file-level antivirus applications will cause problems with the OS's ability to access important files such as the VHDs themselves (the situation is similar with Exchange, SharePoint and many other server applications), and you need to exclude specific files from being scanned by AV.
For an official answer, this question has been answered by Ben Armstrong (one of the Hyper-V developers) here: http://blogs.msdn.com/virtual_pc_guy/archive/2009/03/17/antivirus-and-hyper-v-or-why-can-t-i-start-my-virtual-machine.aspx
Not really a virus scanner, but BlockWatch (a whitelist-based memory integrity checker) works like this, by polling your running VMs, snapshotting or saving state, then validating the memory allocated to that guest. It works on Windows 32- and 64-bit OSes.
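The approach described in the answer above (take a snapshot of guest memory from the hypervisor side and validate it against a whitelist) is worth seeing in code. The following is an added example, not BlockWatch's code or any vendor's: it hashes each page of a saved guest memory image and reports the code pages whose hashes are not on a whitelist built from a known-good image, while ignoring data pages that legitimately change. The page size, the "kernel code" contents, the page roles and the injected patch are all constructed for illustration.

```python
"""Whitelist-based memory integrity check of a guest memory snapshot.

Added example, not BlockWatch's code or any vendor's. It hashes the pages
of a saved guest memory image and compares the pages that should be
immutable code against a whitelist built from a known-good image. The page
size, the 'code' contents and the patched page are all constructed.
"""
import hashlib
from typing import Dict, List, Sequence

PAGE = 4096              # constructed page size (4 KiB, like x86 small pages)
CODE_PAGES = (0, 1, 2)   # constructed: pages 0-2 are code, page 3 is data


def page_hashes(snapshot: bytes, page: int = PAGE) -> List[str]:
    """SHA-256 of each page in the snapshot, in page order."""
    return [hashlib.sha256(snapshot[i:i + page]).hexdigest()
            for i in range(0, len(snapshot), page)]


def build_whitelist(known_good: bytes) -> Dict[str, int]:
    """Map hash -> page index for a trusted, known-good memory image."""
    return {h: i for i, h in enumerate(page_hashes(known_good))}


def check_code_pages(snapshot: bytes, whitelist: Dict[str, int],
                     code_pages: Sequence[int]) -> List[int]:
    """Return the indices of code pages whose contents are not whitelisted.
    Writable data pages are expected to change and are not checked; an
    unlisted code page means something (an inline hook, a patched
    instruction, injected code) modified memory that should never change."""
    hashes = page_hashes(snapshot)
    return [p for p in code_pages if hashes[p] not in whitelist]


def make_known_good() -> bytes:
    """Constructed known-good image: three code pages of distinct filler
    bytes followed by one zeroed data page."""
    code = b"".join(bytes([b]) * PAGE for b in (0x90, 0xC3, 0xCC))
    data = bytes(PAGE)
    return code + data


def make_hooked_snapshot() -> bytes:
    """Constructed live snapshot: the same image, but with a 5-byte patch
    at the start of code page 1 (the shape of an inline JMP rel32 hook)
    and some runtime state written into the data page."""
    mem = bytearray(make_known_good())
    mem[PAGE:PAGE + 5] = b"\xE9\x00\x10\x00\x00"      # constructed JMP patch
    mem[3 * PAGE:3 * PAGE + 8] = b"runtime!"           # data page changes legitimately
    return bytes(mem)


def audit(snapshot: bytes) -> List[int]:
    """Check a snapshot against the known-good whitelist and return the
    indices of code pages that were modified."""
    return check_code_pages(snapshot, build_whitelist(make_known_good()), CODE_PAGES)


if __name__ == "__main__":
    print("clean snapshot, modified code pages: ", audit(make_known_good()))       # []
    print("hooked snapshot, modified code pages:", audit(make_hooked_snapshot()))  # [1]
```

The data page differs between the two images, but only code page 1 is reported, because the whitelist is consulted only for pages that are supposed to be immutable. Against a real guest the snapshot would come from the hypervisor's saved-state or memory file, and the whitelist would have to be built per module and version and account for load-time relocations, otherwise legitimately relocated code shows up as modified.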