Best Practices for Symantec Endpoint Protection in Virtual Environments
Last Updated April 25, 2013
You would like to know how best to configure Symantec Endpoint Protection (SEP) for use with virtualized environments such as VMware.
VMware is a supported platform for Symantec Endpoint Protection 11, but it is not an optimized experience. Optimization will come in future releases as the Symantec Endpoint Protection team works with VMware to provide better integration kits.
Symantec makes the following recommendations for configuring SEP in virtual environments:
Best Practices for Performance Overview
When running SEP in a virtual environment, consider how multiple guest systems can impact hardware resources on a host system. This is especially true when routine tasks happen simultaneously on multiple guest systems. Due to extremely high I/O, the following tasks are examples that can degrade performance if run on multiple guest systems simultaneously:
· Virus Definition Updates
· Scheduled Scans
Symantec recommends using
randomization to minimize the impact on hardware resources when these tasks occur. Randomization ensures each client on a guest system does not run a scheduled scan or update virus definitions at the same time.
Randomizing Virus Definition Updates SEP clients can update their virus definitions either directly from the Symantec Endpoint Protection Management (SEPM) server or by running the LiveUpdate component on the client to download virus definitions.
Updating Virus Definitions directly from the SEPM SEP 11 Maintenance Release (MR) 3 introduced a randomization feature to the Communications Settings for clients which will optimize performance in a virtual environment. These settings are configured via the communications settings within any group.
In the Communication Settings dialog box, make the following changes:
1. Configure clients to use “Pull Mode”
2. Place a check in the “Enable randomization”
Note: Depending on the number of clients in the virtual environment, consider increasing the heartbeat interval as needed. Additionally, if the time at which clients update virus definitions causes a performance impact, consider increasing the randomization window as needed. It is recommended to configure the heartbeat setting no lower than the number of clients connecting to the management server divided by 1,000. (# clients /1000 per minute)
Example: 10,000 clients managed by a SEPM server. Heartbeat should not be set lower than 10 Minutes.
Updating Virus Definitions Using LiveUpdate Alternatively, clients can be configured to run LiveUpdate to download Virus Definitions directly from Symantec. To prevent many clients from updating Virus Definitions simultaneously, Symantec recommends that you randomize the LiveUpdate schedule.
To configure clients to run LiveUpdate with a randomized schedule, configure the LiveUpdate Settings policy as follows:
1. In the SEPM, select the Policy Page and then select LiveUpdate
2. Open or create a LiveUpdate Settings policy for editing.
3. In the Server Settings dialog box uncheck “Download Definitions from management server” unless the randomization setting has been enabled in the client group’s communication settings.
4. Make sure there is a check next to “Use a LiveUpdate Server.”
5. In the Schedule dialogue enable scheduling and configure a schedule during non-peak hours
6. Make sure there is a check box next to “randomize the start time”
Scheduled Scans Scheduled scans require consideration in a virtual environment due to the potential for performance degradation. How often and when scheduled scans should be run will depend on security policies in your organization.