This article describes the best practices for installing and configuring Symantec Endpoint Protection (SEP) 12.1 clients in Virtual Desktop Infrastructure (VDI) environments, and Symantec Endpoint Protection Manager (SEPM) configuration and policy best practices.
Note: This covers SEP 12.1, 12.1.1 (RU1), and 188.8.131.52 (RU1 MP1). For SEP 12.1.2 (RU2) and later, read Virtualization best practices for Endpoint Protection 12.1.2 (RU2) and later.
Upgrade to the latest version
SEP 12.1 includes features and enhancements that greatly increase performance and security for virtual environments. To take advantage of these improvements, upgrade all virtual clients to SEP 12.1.
Client group considerations
Place VDI clients in VDI-specific client groups to allow for better isolation of virtualization-specific policies and configurations. This also allows client groups to have scheduled scans defined on different days or during the off hours of other groups.
The Virtual Client Tagging feature in SEP 12.1 can be used to search for virtual clients in existing groups. Use the Virtual Client Tagging feature to generate a list of virtual clients. This list can be used to identify the VDI clients in an environment and aid in moving them all to isolated VDI-specific groups.
Isolating VDI client groups from policy changes
Use the following steps to isolate VDI-specific client groups from policy changes made higher up in the client group hierarchy:
- Log in to the SEPM Console
- Select the Clients tab
- Expand the My Company tree in the View Clients pane and select the VDI-specific client group
- Select the Policies tab
- Ensure the Inherit policies and settings from parent group check box is unchecked
Configuring Content Updates
There are two channels available to SEP clients for automatic updates: SEPM and LiveUpdate (LU). Clients update content through the normal SEPM heartbeat process by default. This allows clients to take advantage of newer, direct delta technology built into the SEPM which is not available through LU. Clients can be configured to update content through LU either from a dedicated Internal LiveUpdate server, or from the Internet.
Updating from Symantec Endpoint Protection Manager (SEPM)
The SEP client includes a randomization feature for client-to-SEPM Communications which will optimize performance in a virtual environment. These settings are configured via the communications settings for the group(s).
Recommended communications settings for VDI client groups are as follows:
- Configure clients to use “Pull Mode”
- Configure clients to utilize the "Enable randomization” feature
- Configure the SEPM to keep the last X revisions of defs (where X = # of days desired*3). This is a key best practice to allow out of date clients to update via deltas, rather than full updates.
- Ensure Download Randomization is enabled
Note: Depending on the number of clients in the virtual environment, consider increasing the heartbeat interval as needed. If the time at which clients update virus definitions causes a performance impact, consider increasing the randomization window as needed. Do not increase the randomization window long enough to extend into the morning hours. (e.g., 8 hour randomization window, with a SEPM download schedule ending at 10:00pm= content download finishing at 6:00am, which may interfere with users who work at that time.) LiveUpdate can be scheduled to run within a window as well and if used should not coincide with any scheduled scan randomization windows.
For large scale virtual environments (1000 or more clients) Symantec recommends a heart beat interval of 1 hour and a download randomization window of at least 2 hours.
Updating Virus Definitions Using LiveUpdate Policy
Alternatively, clients can be configured to run LiveUpdate. To prevent many clients from updating Virus Definitions simultaneously, Symantec recommends randomizing the LiveUpdate schedule.
To configure clients to run LiveUpdate with a randomized schedule, configure the LiveUpdate Settings policy as follows:
- Log in to the SEPM Console
- Select the Policies tab
- Select LiveUpdate from the View Policies pane
- Open or create a LiveUpdate Settings policy for editing
- Select the Server Settings tab
- Make sure the Use LiveUpdate Server check box is selected
- Select the Schedule tab
- Ensure the Enable LiveUpdate Scheduling check box is selected
- Configure the Frequency settings for the LiveUpdate schedule for off-peak hours
Scheduled scan types
Scheduled scans can be configured as either Active scans (scanning currently running processes and critical Windows files/folders), or full scans (scanning all physical drives on the client). The increased security capabilities of SEP 12.1 make it possible to utilize Active Scans instead of full scans with minimal impact on security. This reduces the amount and duration of I/O load generated from scheduled scans compared to full scans. Scheduled full scans are not required to secure SEP 12.1 clients.
Enable scan randomization
Configure scheduled scans to run during during windows of low activity (Preferably when user activity is low for virtual clients, or when server load is minimal for virtual servers). Ensure scan start times are randomized over the longest possible window. Create sub-groups with different scheduled scan policies to spread scan loads throughout a larger time period, such as a week.
For virtual environments Symantec recommends at least a 12 hour scan window. For environments where it is critical to minimize the impact of the scan this duration can be configured to run for up to an entire week.
Note: Do not schedule virtual machine restarts, backups, patching, indexing, archival or other maintenance within the same window as scheduled scans. This will prevent contention for resources between these tasks and ensure that Symantec services are running during the scheduled scan window.
Disable Run an Active Scan when new definitions arrive
Running an Active Scan when new definitions arrive places unnecessary load on the virtual environment and is not recommended. Use the following steps to disable Active scans when content is updated:
- Log in to the SEPM console
- Select the Policies tab
- Select Virus and Spyware Protection from the View Policies pane
- Open or create a Virus and Spyware Protection policy for editing.
- Expand Windows Settings and choose Administrator-Defined Scans
- Select the Advanced tab
- Ensure the Run an active scan when new definitions arrive check box is deselected
- Click the OK button to close the policy editor window
Configuring Shared Insight Cache
Install and configure one or more Shared Insight Cache (SIC) servers in environments where clients are required to run scheduled full system scans instead of Active scans. Utilizing a SIC server can reduce the impact of full scans by up to 80%, but does not significantly reduce the impact of Active scans.
Cache Server System Requirements
The Shared Insight Cache Server runs on a dedicated server or virtual machine. Please refer to System Requirements for Shared Insight Cache for more information.
Cache Server Configuration
Communication between the SIC server and its SEP clients occurs over HTTP. The connection can be secured using SSL over HTTPS and/or username/password authentication. Please read the Shared Insight Cache administration guide found in the /Tools/SharedInsightCache folder on the SEP DVD for installation and configuration instructions. Further information on encrypting SIC communications, see Encrypting Shared Insight Cache Server communications.
For more information on sizing and best practices for Shared please refer to the: Shared Insight Cache - Best Practices and Sizing guide article.
Note: The Shared Insight Cache server is only recommended for highly homogeneous virtualized environments. The feature can be used with physical clients but the increase in network usage is often larger than any local I/O reduction.
Excluding Base Images
The Virtual Image Exception tool was created specifically for VDI environments deployed using shared base images. The VIE tool provides the ability to exempt the files in a base image from SEP client scans once the image is deployed. If the files are updated or changed in any way, the updated/changed files will be scanned as usual. VIE is configured using the following four steps:
- Install the SEP client to the image and run a full scan to insure the image is not infected
- Run the Virtual Image Exception tool against the image prior to deployment to the end user
The tool and administration guide can be found on the SEP DVD in the /Tools/VirtualImageException folder
- Remove the tool from the image
- Enable virtual image exception in the SEP AV policy
Create VIE exceptions for all base images deployed to increase the performance of auto-protect, scheduled and on demand scans.
Run the Virtual Image Exception tool with the --hash option when utilizing SIC servers. This will increase the SEP client's initial scan performance.
Note: Changing the Windows SID (a commonly used step when sysprepping systems for deployment) after running the VIE tool will invalidate the Extended File Attribute (EFA) data the tool creates. If the Windows SID is changed, the tool must be re-run against the image.
For more information, please refer to the following knowledge base articles:
- Preparing Symantec Endpoint Protection 12.1 client and above for Image redistribution and repairing clients already installed
- How to prepare Symantec Endpoint Protection clients on virtual disks for use with Citrix Provisioning Server
- How to prepare a Symantec Endpoint Protection 12.1 client for cloning
Monitoring a base image for security threats
It is a best practice to continually monitor any excluded base images for threats that may have gone undetected by previous security signatures. Run one copy of each excluded image in its default state and use a separate SEP policy with virtual image exception disabled to monitor for threats. If any threats are discovered in an excluded image there are two remediation options:
- Run the virtual image exception tool using the --clear option to remove the exclusion for the file in question. This needs to be run on each affected client.
- Disable the virtual image exception feature in the AV policy and scan the systems. After the scan runs and the file is remediated, re-enable the virtual image exception feature in the policy.
SEP configuration for non-persistent VM environments
Please see Symantec Endpoint Protection 12.1 - Non-persistent VDI Environment Best Practices for more information.
VM environment performance monitoring
One goal of virtualization efforts is to increase utilization of hardware resources. Effective management of a VDI environment includes a monitoring strategy to ensure adequate resources exist and to allow for the detection of resource bottlenecks.
- Monitor the overall environment for CPU, I/O, etc. to spot trends and performance issues in advance. Understand how the system responds during peak load periods and what activities contribute to the load during these times.
- Monitor VM instances to find problem VM instances for further diagnosis.
- When investigating specific performance issues, investigate I/O in addition to CPU. Use a tool like process explorer and sort by “I/O bytes total delta” column to investigate I/O usage.
- Determine the top resource usage patterns in the VM environments. Configure to reduce impact of tasks like search indexing, outlook archiving, program updates and other hidden tasks which can consume unexpected amounts of resources.
- Provide adequate hardware and virtual resources. For instance, grant the guest OS as much memory as for a physical system to avoid paging and allow VM technologies like memory page deduplication to operate successfully. An environment which isn’t properly sized to allow for expansion of resource utilization over time will repeatedly encounter performance problems.