Best Practice for Symantec Endpoint Protection Scheduled Scans in VMWare

Article:TECH95928  |  Created: 2009-01-02  |  Updated: 2010-01-13  |  Article URL http://www.symantec.com/docs/TECH95928
Article Type
Technical Solution


Environment

Issue



What is the recommendation on implementing Symantec Endpoint Protection Scheduled Scans in an VMWare environment


Solution



When running Symantec Antivirus or Symantec Endpoint Protection in a virtual environment, consider how multiple guest systems can impact hardware resources on a host system. This is especially true when routine tasks happen simultaneously on multiple guest systems.

Due to extremely high I/O, the following are examples of tasks that can degrade performance if run on multiple guest systems simultaneously.
  • Scheduled Scans
  • Virus Definition Updates

Symantec recommends using randomization to minimize the impact on hardware resources when these tasks occur. Randomization ensures each client on a guest system does not run a scheduled scan or update virus definitions at the same time.


Scheduled Scans
Scheduled scans require consideration in a virtual environment due to the potential for performance degradation. How often and when scheduled scans should be run will depend on security policies in your organizations.

Stagger the scan times so they are not all running scans at the same time.

When VMWare is running it makes continuous open, write, and close calls to the sessions hard drive files, which causes Realtime to scan these files repeatedly. To improve scan performance exclude VMWare files as well as the session disk files.

The following Knowledge Base articles apply to Scheduled Scan tuning in general and should be considered when configuring scheduled scans for guest systems:

  • Ensure Scan Tuning options are set for “Best Application Performance”:
http://service1.symantec.com/support/ent-security.nsf/docid/2008082509323748
  • Consider using multithreading during scheduled scans:
http://service1.symantec.com/support/ent-security.nsf/docid/2005062813030748
  • Consider utilizing the resumable scan feature:
http://service1.symantec.com/support/ent-security.nsf/docid/2005062806252148


Note: the specific options that are appropriate will depend on your environment.

Additionally, Symantec recommends dividing up guest clients in different groups with different scheduled scan times to avoid performance degradation. Also, consider scanning compressed files one or two levels deep (instead of default 3).





Legacy ID



2009090206565248


Article URL http://www.symantec.com/docs/TECH95928


Terms of use for this information are found in Legal Notices