Best Practice for client Scheduled Scans in VMware

Article ID: 177893

Updated On:

Products

Endpoint Protection

Issue/Introduction

What is the recommendation on implementing Symantec Endpoint Protection Scheduled Scans in a VMware environment?

Resolution

When running Symantec AntiVirus or Symantec Endpoint Protection in a virtual environment, consider how multiple guest systems can affect hardware resources on a host system. This is especially true when routine tasks happen simultaneously on multiple guest systems.

Because they generate high I/O, the following tasks are examples of those that can degrade performance if they run on multiple guest systems simultaneously:

  • Scheduled Scans
  • Virus Definition Updates

Symantec recommends using randomization to minimize the effect on hardware resources when these tasks occur. Randomization ensures that the clients on guest systems do not all run a scheduled scan or update virus definitions at the same time.

Scheduled Scans
Scheduled scans require consideration in a virtual environment due to the potential for performance degradation. How often and when scheduled scans should run can depend on the security policies in your organization.

Stagger the scan times so that the guest systems are not all running scans at the same time.

When VMware is running, it makes continuous open, write, and close calls to the session's hard drive files, which causes real-time scanning to scan these files repeatedly. To improve scan performance, exclude the VMware files as well as the session disk files.

The following knowledge base articles apply to Scheduled Scan tuning in general and should be considered when configuring scheduled scans for guest systems:

Note: The specific options that are appropriate depend on your environment.

Additionally, Symantec recommends dividing guest clients into different groups with different scheduled scan times to avoid performance degradation. Also, consider scanning compressed files only one or two levels deep (instead of the default of 3).
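
One way to plan the grouping and staggering described above, as an added example that is not part of the original article or of any Symantec tooling. The host names, guest names, group names, window start times and the 60-minute randomization window are all constructed assumptions. The script only produces a plan that an administrator would then apply to client groups and scheduled scan policies.

```python
import hashlib
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample inventory: host -> guest VMs (all names are hypothetical).
INVENTORY = {
    "esx-host-a": ["vm-web01", "vm-web02", "vm-db01", "vm-app01", "vm-app02"],
    "esx-host-b": ["vm-web03", "vm-db02", "vm-file01"],
}
# Hypothetical scan groups and the start of each group's scan window (24h clock).
GROUP_WINDOWS = {"Scan-Group-1": "01:00", "Scan-Group-2": "02:30", "Scan-Group-3": "04:00"}
JITTER_MINUTES = 60  # assumed randomization window inside each group's slot


def jitter(guest, window=JITTER_MINUTES):
    """Stable per-guest offset in minutes, derived from a hash of the name."""
    digest = hashlib.sha256(guest.encode()).digest()
    return int.from_bytes(digest[:4], "big") % window


def plan_scans(inventory, group_windows):
    """Round-robin each host's guests across groups so co-resident guests
    land in different scan windows; returns guest -> (host, group, HH:MM)."""
    groups = sorted(group_windows)
    plan = {}
    for h_idx, host in enumerate(sorted(inventory)):
        for g_idx, guest in enumerate(sorted(inventory[host])):
            # Offset by host index so group sizes stay balanced overall.
            group = groups[(g_idx + h_idx) % len(groups)]
            start = datetime.strptime(group_windows[group], "%H:%M")
            start += timedelta(minutes=jitter(guest))
            plan[guest] = (host, group, start.strftime("%H:%M"))
    return plan


def max_guests_per_host_and_group(plan):
    """Worst-case number of guests on one host sharing a scan group."""
    return max(Counter((host, group) for host, group, _ in plan.values()).values())


if __name__ == "__main__":
    for guest, (host, group, start) in sorted(plan_scans(INVENTORY, GROUP_WINDOWS).items()):
        print(f"{host:12} {guest:10} {group:13} {start}")
```

The per-guest offset is derived from a hash rather than a random number generator so the plan is reproducible between runs; rerun it when guests move between hosts, since the grouping depends on current placement.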