Symantec Endpoint Protection 12.1 - Non-persistent Virtualization Best Practices

Article:TECH180229  |  Created: 2012-01-30  |  Updated: 2014-06-25  |  Article URL
Article Type
Technical Solution


What are the best practices for preparing Symantec Endpoint Protection (SEP) 12.1 clients for deployment in non-persistent Virtual Desktop Infrastructure (VDI) environments?

Common characteristics/challenges of non-persistent VDI environments
Characteristic Challenge(s)
State information for The SEP client and other applications is lost on refresh
  • Optimizations dependent on client state to minimize management traffic are defeated
  • Base images become increasingly out of date as time passes
  • Update overhead increases with time

VDI environments utilize available rescources more efficiently, leaving less overhead for increased loads

  • Configurations must be optimized to generate minimal IO and network load
  • Disk IO becomes much more scarce compared to nework IO


This document contains best practices specific to Symantec Endpoint Protection (SEP) clients installed in non-persistent VDI environments and the Symantec Endpoint Protection Manager (SEPM) servers that service them. See Symantec Endpoint Protection 12.1 - Virtualization Best Practices for general VM recommendations before following the steps below.


Client Recommendations

The following configuration recommendations will ensure that SEP client installations in non-persistent VDI environments do not generate network and disk IO from advanced SEP client features which they will not benefit from.

  1. Make the following changes to the Communications Settings policy:
    1. Configure clients to download policies and content in Pull mode
    2. Disable the option to Learn applications that run on the client computers
    3. Set the Heartbeat Interval to no less than one hour
    4. Enable Download Randomization, set the Randomization window for 4 hours
  2. Make the following changes to the Virus and Spyware Protection policy:
    1. Disable all scheduled scans
    2. Disable the option to "Allow startup scans to run when users log on" (This is disabled by default)
    3. Disable the option to "Run an ActiveScan when new definitions Arrive"
  3. Avoid using features like application learning which send information to the SEPM and rely on client state to optimize traffic flow


Image Maintenance

Add the following steps to the routine maintenance schedule for base images. Symantec recommends performing these maintenance tasks at least once a week.

  1. Update all applicable definitions and security content on the base image with the latest content available
  2. Confirm the SEP client on the base image is able to communicate with its SEPM server(s)
  3. Confirm the SEP client is using the correct VDI-specific policies
  4. Before redistributing the image:
    1. Remove any temporary files associated with the SEP client, including 
    2. Remove hardware key information from the base image using  How to prepare a Symantec Endpoint Protection 12.1 client for cloning

Follow the general best practices below for periodic image maintenance and testing.

  1. Manually upgrade the SEP client on the base image rather than using auto-upgrade for the VM client policy groups
  2. Test performance optimizations.  For instance, reducing memory allocated to a VM can cause increased OS swapping and defeat hypervisor optimizations like memory page deduplication
  3. To minimize the size of the base VM image, disable client install caching and set content cache revisions to 1.  See
  4. Configure VM refreshes to occur on logoff.   Set the pool of available VM’s large enough so that users can easily access a running image which was updated in the background


Symantec Endpoint Protection Manager settings

  1. Configure SEPM to keep definitions at least as long as the minimum image refresh frequency.   E.g. Keep 30 days if the maximum image age is 14 days
  2. SEPM will ‘remember’ all new images attaching, which can build up quickly in a VDI environment.  An admin can either reduce the interval required for clients to age out of SEPM or periodically run a cleanup script which purges the old client records. 

Article URL

Terms of use for this information are found in Legal Notices