Symantec Endpoint Protection 12.1 & Virtualization


Article ID: 156861


Updated On:


Endpoint Protection


You want to know new features about virtualization within Symantec Endpoint Protection 12.1 (SEP 12.1).


SEP 12.1 has many new features.

It provides advanced virtualization support with the help of following features:

1) Virtual Image Exception – Allows to exclude all the files on a baseline image from scanning.

2) Shared Insight Cache – A stand alone server that enables clients to share scan results.  This allows clients to skip scanning files that have already been scanned by another client.

3) Virtual Client Tagging – Makes the clients virtualization aware and sends back the hypervisor vendor to SEPM.  That data can be used in client searching and reporting.

4) Offline Image Scanner – A stand alone tool to scan offline VMware image (VMDK) files.


Virtual Image Exception


Administrators leverage base images to build virtual machines for their virtual desktop infrastructure (VDI) environment. The Symantec Virtual Image Exception (VIE) tool lets your clients bypass scanning base image files for threats, which reduces the resource load on disk I/O. It also improves CPU scanning process performance in your VDI environment.


Virtual Image Exception(VIE) is a tool that gives administrators the ability to easily set exclusions for files in a virtual operating environment.

  • Available only in Enterprise Edition. Not available in Small Business Edition (SBE).
  • Runs as a stand alone application and doesn’t require a traditional install
  • Must be run from within a virtual machine (VMware, Citrix, of Hyper-V)
  • Runs on Windows XP SP2, SP3, Vista, Windows 7, and Windows 2008 R2
  • Command-line options for silent and automated operation
  • Detailed logging/reporting capabilities
  • Provides configurable options in SEPM for Administrators to turn on and off VIE exceptions for auto-protect and administrator defined scans.

Before you enable this feature in Symantec Endpoint Protection Manager (SEPM), first run the Virtual Image Exception tool against the base image files. The Virtual Image Exception tool marks the base image files by adding an attribute. If the file changes, this attribute is removed. Administrators can enable the exclusions or disable the exclusions from being used via the AV Policy for both On-Demand and Auto-Protect.


VIE is found in the /tools/VirtualImageException folder on the Symantec Endpoint Protection product disc. For more information about how to use this tool, see the Symantec Endpoint Protection Virtual Image Exception User Guide, which is located in the same folder or from the following link:

Symantec Endpoint Protection Virtual Image Exception User Guide 12.1

This feature is disabled by default. Enable the feature so that when your client goes to scan a file, it looks for this attribute. If the base image file is marked and remains unchanged, the client skips scanning the file.

Symantec Endpoint Protection supports the Virtual Image Exception tool for both managed clients and unmanaged clients.


Enable the settings through following location:

SEPM --> Policies --> Virus & Spyware Protection Policy --> Edit the policy --> Go to Miscellaneous--> Virtual Images


Shared Insight Cache

Shared Insight Cache (SIC) is a server application which caches known clean files in order to optimize scan performances.  The SIC server is mainly designed for virtual environment but usage on physical system is supported given that network latency is kept at an absolute low. SIC server keeps a record in memory (RAM) of files which are voted clean by the system performing scans 

First SEP client needs to scan a file.  It queries SIC and finds no record.  SEP then scans the file and sends the results to the SIC.

Subsequent SEP clients need to scan the same file.  They query the cache server and find the file has already been scanned with the same version of definitions and the file is clean.  SEP client skips scanning the file.

When a second client run the scan it goes though the same process and since the file is cached on the SIC therefore will skip the scan. 

Shared Insight Cache is only available for the clients that perform scheduled scans and manual scans. 

Shared Insight Cache runs independently of Symantec Endpoint Protection. However, you must configure the Symantec Endpoint Protection Manager to specify the location of Shared Insight Cache so that your clients can communicate with Shared Insight Cache. No special license is required to install or run Shared Insight Cache.

  • Enterprise Edition only.  Not available in SBE.
  • Targeted for virtual environments but can be used on physical clients too
  • Applies to all On-Demand Scans (User Initiated, Scheduled, Admin Defined).Does not apply to auto-protect.
  • Scalable to thousands of clients per server
  • Communication between client and SIC is HTTP.   Optional configuration for HTTPS  and authentication is available
  • Applies to all files (Not just Binary Executables)
The tool is located on SEP 12.1 DVD under \Tools\SharedInsightCache

Check this blog for more details about Shared insight cache:

SEPM --> Policies --> Virus & Spyware Protection Policy --> Edit the policy --> Go to Global Scan Options--> Shared Insight Cache

Virtual Client Tagging

Virtual Client Tagging gives administrators the ability to determine if the SEP client is running in a Virtual Environment.

  • The tagging is built into the SEP Client
  • Works with VMware ESX/i, Microsoft Hyper-V, Citrix Xen
  • Client runs the check on Startup and reports the information back to SEPM
  • Virtual Status and Hypervisor Information is provided in reports and client properties and is searchable

Offline Image Scanner

The Symantec Offline Image Scanner (SOIS) gives administrators the ability to scan and detect malware in offline VMware images.

  • Scans offline VMware images (.vmdk files only). Not applicable for Linux .vmdk files.
  • Run on Windows and able to scan FAT32 and NTFS file-systems in the guest OS
  • No dependency on any other Symantec solutions beyond AV definitions. By default it browses to SEP AV definitions location.
  • Command-line options for silent and automated operation
  • Detailed logging/reporting capabilities
  • Doesn’t require a traditional install

This tool is found in the /tools/offlineimagescanner folder on the Symantec Endpoint Protection product disc


Settings tab is as below:

By default it browse to AV definitions location. SEP should be installed.