Endpoint Protection - Non-persistent Virtualization Best Practices
Last Updated February 27, 2019
What are the best practices for preparing Symantec Endpoint Protection (SEP) clients for deployment in non-persistent Virtual Desktop Infrastructure (VDI) environments?
Common characteristics challenges of non-persistent VDI environments Characteristic
State information for the SEP client and environments Characteristics refresh
Optimizations dependent on client state to minimize management traffic are defeated
Base images become increasingly out of date as time passes
Update overhead increases with time
VDI environments use available resources more efficiently, which leaves less overhead for increased loads
Configurations must be optimized to generate minimal input-output (I/O) and network load
Disk I/O becomes much more scarce compared to network I/O
SEP 12.x and 14.x
This document contains best practices specific to Symantec Endpoint Protection (SEP) that clients installed in non-persistent VDI environments and the Symantec Endpoint Protection Manager (SEPM) servers that service them. Before following the steps, see the following documents depending on the build of SEP being used:
The following configuration recommendations ensure that SEP clients, in non-persistent VDI environments, generate no network or disk I/O from advanced SEP features that do not benefit non-persistent clients.
Make these changes to the Communications Settings policy:
Configure clients to download policies and content in Pull mode
Disable the option to Learn applications that run on the client computers
Set the Heartbeat Interval to no less than one hour
Enable Download Randomization, set the Randomization window for 4 hours
Make these changes to the Virus and Spyware Protection policy:
Disable all scheduled scans
Disable the option to "Allow startup scans to run when users log on" (This is disabled by default)
Disable the option to "Run an Active Scan when new definitions Arrive"
Avoid features like application learning, which send information to the SEPM and rely on client state to optimize traffic flow
Add these steps to the routine maintenance schedule for base images. Symantec recommends that you perform these maintenance tasks at least once a week.
Update all applicable definitions and security content on the base image with the latest content available
Confirm the SEP client on the base image is able to communicate with its SEPM server(s)
Confirm the SEP client is using the correct VDI-specific policies
Before you redistribute the image:
Remove any temporary files associated with the SEP client, including
Ensure that the following registry value exists, and has a value of 1: For 32-bit clients: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Virtualization\IsNPVDIClient For 64-bit clients: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC\Virtualization\IsNPVDIClient
Follow the general best practices below for periodic image maintenance and testing.
Manually upgrade the SEP client on the base image rather than using AutoUpgrade for the VM client policy groups
Test performance optimizations. For instance, reduced memory allocated to a VM can cause increased operating system (OS) swapping and defeat hypervisor optimizations like memory page deduplication
Configure VM refreshes to occur on logoff. Set the pool of available VM's large enough so that users can easily access a running image that was updated in the background.
Symantec Endpoint Protection Manager settings
Configure SEPM to keep definitions at least as long as the minimum image refresh frequency. For example, if the maximum image age is 14 days, keep definitions for 30 days.
SEPM will 'remember' all-new images that attach to it, which can build up quickly in a VDI environment. To avoid this, check the Delete non-persistent VDI clients that have not connected for a specified time box in the domain properties.
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe