This article describes the best practices for installing and configuring Symantec Endpoint Protection (SEP) 12.1 clients in Virtual Desktop Infrastructure (VDI) environments, and Symantec Endpoint Protection Manager (SEPM) configuration and policy best practices.
Note: This covers SEP 12.1, 12.1.1 (RU1), and 188.8.131.52 (RU1 MP1). For SEP 12.1.2 (RU2) and later, read Virtualization best practices for Endpoint Protection 12.1.2 (RU2) and later.
Upgrade to the latest version
SEP 12.1 includes features and enhancements that greatly increase performance and security for virtual environments. To take advantage of these improvements, upgrade all virtual clients to SEP 12.1.
Client group considerations
Place VDI clients in VDI-specific client groups to allow for better isolation of virtualization-specific policies and configurations. This also allows client groups to have scheduled scans defined on different days or during the off hours of other groups.
The Virtual Client Tagging feature in SEP 12.1 can be used to search for virtual clients in existing groups. Use the Virtual Client Tagging feature to generate a list of virtual clients. This list can be used to identify the VDI clients in an environment and aid in moving them all to isolated VDI-specific groups.
Isolating VDI client groups from policy changes
Use the following steps to isolate VDI-specific client groups from policy changes made higher up in the client group hierarchy:
Configuring Content Updates
There are two channels available to SEP clients for automatic updates: SEPM and LiveUpdate (LU). Clients update content through the normal SEPM heartbeat process by default. This allows clients to take advantage of newer, direct delta technology built into the SEPM which is not available through LU. Clients can be configured to update content through LU either from a dedicated Internal LiveUpdate server, or from the Internet.
Updating from Symantec Endpoint Protection Manager (SEPM)
The SEP client includes a randomization feature for client-to-SEPM communications, which optimizes performance in a virtual environment. These settings are configured in the communications settings for the group(s).
Recommended communications settings for VDI client groups are as follows:
Note: Depending on the number of clients in the virtual environment, consider increasing the heartbeat interval as needed. If the time at which clients update virus definitions causes a performance impact, consider increasing the randomization window as needed. Do not increase the randomization window so far that it extends into the morning hours (e.g., an 8 hour randomization window with a SEPM download schedule ending at 10:00pm means content download finishing at 6:00am, which may interfere with users who work at that time). LiveUpdate can also be scheduled to run within a window and, if used, should not coincide with any scheduled scan randomization windows.
For large-scale virtual environments (1000 or more clients), Symantec recommends a heartbeat interval of 1 hour and a download randomization window of at least 2 hours.
Updating Virus Definitions Using LiveUpdate Policy
Alternatively, clients can be configured to run LiveUpdate. To prevent many clients from updating Virus Definitions simultaneously, Symantec recommends randomizing the LiveUpdate schedule.
To configure clients to run LiveUpdate with a randomized schedule, configure the LiveUpdate Settings policy as follows:
Scheduled scan types
Scheduled scans can be configured as either Active scans (scanning currently running processes and critical Windows files/folders), or full scans (scanning all physical drives on the client). The increased security capabilities of SEP 12.1 make it possible to utilize Active Scans instead of full scans with minimal impact on security. This reduces the amount and duration of I/O load generated from scheduled scans compared to full scans. Scheduled full scans are not required to secure SEP 12.1 clients.
Enable scan randomization
Configure scheduled scans to run during windows of low activity (preferably when user activity is low for virtual clients, or when server load is minimal for virtual servers). Ensure scan start times are randomized over the longest possible window. Create sub-groups with different scheduled scan policies to spread scan loads throughout a larger time period, such as a week.
For virtual environments, Symantec recommends at least a 12 hour scan window. For environments where it is critical to minimize the impact of the scan, this duration can be configured to run for up to an entire week.
Note: Do not schedule virtual machine restarts, backups, patching, indexing, archival or other maintenance within the same window as scheduled scans. This will prevent contention for resources between these tasks and ensure that Symantec services are running during the scheduled scan window.
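The window rules above (content download randomization must not run into the morning hours; LiveUpdate and maintenance tasks must not coincide with scheduled scan windows) can be checked on paper before the values are entered in SEPM. The following is an added example, not Symantec code: the window kinds, names and every time other than the article's 10:00pm plus 8 hour case are constructed assumptions.

```python
from itertools import combinations

DAY = 24 * 60  # minutes in a day

# Window kinds the article says must not coincide (labels chosen for this example).
RULES = {
    ("content_download", "user_hours"),  # randomization must end before morning use
    ("liveupdate", "scheduled_scan"),    # LiveUpdate vs. scan randomization window
    ("maintenance", "scheduled_scan"),   # restarts, backups, patching vs. scans
}

def window(kind, name, start, hours):
    """Daily window starting at 'HH:MM' (24-hour clock) and lasting `hours`."""
    if not 0 < hours <= 24:
        raise ValueError(f"{name}: length must be more than 0 and at most 24 hours")
    h, m = start.split(":")
    return {"kind": kind, "name": name,
            "start": (int(h) * 60 + int(m)) % DAY, "length": int(hours * 60)}

def overlap_minutes(a, b):
    """Minutes per day shared by two daily windows, including midnight wraparound."""
    total = 0
    for shift in (-DAY, 0, DAY):  # b as it recurs yesterday, today and tomorrow
        lo = max(a["start"], b["start"] + shift)
        hi = min(a["start"] + a["length"], b["start"] + shift + b["length"])
        total += max(0, hi - lo)
    return total

def find_conflicts(windows):
    """Return (name_a, name_b, minutes) for each overlapping pair covered by RULES."""
    conflicts = []
    for a, b in combinations(windows, 2):
        if (a["kind"], b["kind"]) in RULES or (b["kind"], a["kind"]) in RULES:
            minutes = overlap_minutes(a, b)
            if minutes:
                conflicts.append((a["name"], b["name"], minutes))
    return conflicts

# Constructed plan. The first entry is the article's own example: a download
# schedule ending at 22:00 plus an 8-hour randomization window finishes at 06:00.
PLAN = [
    window("content_download", "SEPM content download", "22:00", 8),
    window("user_hours", "early-shift users", "05:00", 12),
    window("scheduled_scan", "Active Scan window", "18:00", 12),
    window("liveupdate", "LiveUpdate window", "04:00", 4),
    window("maintenance", "patching and backups", "07:00", 2),
]

if __name__ == "__main__":
    for first, second, minutes in find_conflicts(PLAN):
        print(f"{first} overlaps {second} by {minutes} minutes")
```

Run per VDI client group, with one entry for each window that group's policies define; an empty result means none of the listed rules is violated for that group.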
Disable Run an Active Scan when new definitions arrive
Running an Active Scan when new definitions arrive places unnecessary load on the virtual environment and is not recommended. Use the following steps to disable Active scans when content is updated:
Configuring Shared Insight Cache
Install and configure one or more Shared Insight Cache (SIC) servers in environments where clients are required to run scheduled full system scans instead of Active scans. Utilizing a SIC server can reduce the impact of full scans by up to 80%, but does not significantly reduce the impact of Active scans.
Cache Server System Requirements
The Shared Insight Cache Server runs on a dedicated server or virtual machine. Please refer to System Requirements for Shared Insight Cache for more information.
Cache Server Configuration
Communication between the SIC server and its SEP clients occurs over HTTP. The connection can be secured using SSL over HTTPS and/or username/password authentication. Please read the Shared Insight Cache administration guide found in the /Tools/SharedInsightCache folder on the SEP DVD for installation and configuration instructions. For further information on encrypting SIC communications, see Encrypting Shared Insight Cache Server communications.
For more information on sizing and best practices for Shared Insight Cache, please refer to the Shared Insight Cache - Best Practices and Sizing guide article.
Note: The Shared Insight Cache server is only recommended for highly homogeneous virtualized environments. The feature can be used with physical clients but the increase in network usage is often larger than any local I/O reduction.
Excluding Base Images
The Virtual Image Exception tool was created specifically for VDI environments deployed using shared base images. The VIE tool provides the ability to exempt the files in a base image from SEP client scans once the image is deployed. If the files are updated or changed in any way, the updated/changed files will be scanned as usual. VIE is configured using the following four steps:
Create VIE exceptions for all base images deployed to increase the performance of auto-protect, scheduled and on demand scans.
Run the Virtual Image Exception tool with the --hash option when utilizing SIC servers. This will increase the SEP client's initial scan performance.
Note: Changing the Windows SID (a commonly used step when sysprepping systems for deployment) after running the VIE tool will invalidate the Extended File Attribute (EFA) data the tool creates. If the Windows SID is changed, the tool must be re-run against the image.
For more information, please refer to the following knowledge base articles:
Monitoring a base image for security threats
It is a best practice to continually monitor any excluded base images for threats that may have gone undetected by previous security signatures. Run one copy of each excluded image in its default state and use a separate SEP policy with virtual image exception disabled to monitor for threats. If any threats are discovered in an excluded image there are two remediation options:
SEP configuration for non-persistent VM environments
Please see Symantec Endpoint Protection 12.1 - Non-persistent VDI Environment Best Practices for more information.
VM environment performance monitoring
One goal of virtualization efforts is to increase utilization of hardware resources. Effective management of a VDI environment includes a monitoring strategy to ensure adequate resources exist and to allow for the detection of resource bottlenecks.