Optimizing SERT for Intel vPro Technology
You may have heard about an intriguing option within the Intel vPro Technology platform called "IDE Redirection" - what I'll call "boot redirection" for the purposes of this article. This allows a technician to boot a remote client from a defined ISO image on the network. It's a little different than PXE boot. With boot redirection the technician can force a reboot of the client, can specify the intended ISO image boot source on the network, and so forth.
Have you heard about Symantec Endpoint Recovery Tool (SERT)? The official release is expected by end-of-year, yet I learned that a few Symantec SEs have already started to use the tool. In short - the tool is a WinPE 2.1 based ISO image with Norton Secure Scan (i.e. Anti-virus), Symantec Endpoint Encryption unlock, LiveUpdate to get the latest virus definitions, and so forth. The idea was discussed online at http://www.symantec.com/connect/idea/antivirusantispyware-scanning-recovery-boot-cd
The default nature of SERT usage is to burn the ISO image to a CD, carry to the desk, boot from the CD, and so forth. With the boot redirection information shared above - this immediately raised a question in my mind "How could SERT be delivered via Intel vPro Technology?"
About a month ago, I had the opportunity to demonstrate an optimized version of SERT to Symantec SEs and Partners. Two slides from that presentation provide a summary of how this works.
The first slide shows that a remote client is targeted for the ISO image delivered via boot redirection. Once the image has loaded, the technician is able to interact with the remote system to clean a rootkit virus or perform related tasks.
The second slide shows that the majority of the solution is provided via Symantec. The Intel vPro Technology components provide small improvements which make the overall solution all the more valuable.
I have also posted a video recording of the demonstration for your reference. Take a look at http://www.youtube.com/watch?v=cSxxL5dvp3o (Note: Updated with voice over)
The rest of this article provides insights on how the SERT ISO image was optimized for Intel vPro Technology. Similar steps could be done for Symantec System Recovery Disk (SRD - formerly known as BESR ISO) or other utilities.
Challenges to be Addressed
Here are some of the challenges which were quickly uncovered:
- Boot redirection speeds are notoriously slow for a large ISO image. About 2 years ago I provided some brief insights on why and what speeds to expect. See http://www.symantec.com/connect/articles/why-my-ide-redirection-session-so-slow.
- The early preview SERT ISO image I received provided no remote desktop capability. SERT requires interaction via menus and so forth.
- WinPE 2.1 base ISO images do not include the correct and latest network drivers for Intel vPro platforms after the year 2008. Functionalities within SERT such as running LiveUpdate, mapping to a network driver, or other network related requirements would be unavailable.
Accelerating Boot Redirection Speeds
Since the original SERT ISO image was ~281MB in size and boot redirection speeds ranged between the equivalent of a 2x-4x CD-ROM speed, my first tests were latency impacted. Average boot times were about 7 minutes with a few systems failing completely. Although it was impressive to use boot redirection for delivery of the SERT ISO, I desired a faster response.
Fortunately, there is a way to accelerate boot redirection via a 2-stage process. Take a look at http://communities.intel.com/docs/DOC-5552. This tool and approach generates a small Linux ISO image that is delivered via boot redirection with instructions on where to pull the desired ISO image into memory of the client. Once loaded into memory, the tool will then boot using the desired ISO image.
By using this approach, my boot redirection latencies were reduced below 3 minutes. On one test platform, the SERT ISO image boot completed in 1 minute 3 seconds. A huge improvement!
For your reference - The video referenced above has no time slices from when boot redirection is started until SERT ISO is loaded on the remote client. Only brief transitions as I switch between console and client views, and then a time slice occurs so that you don't have to watch the full LiveUpdate and Scan process.
Remote Desktop Capability
Since the SERT ISO was originally built to be run locally on a client system, a remote desktop capability like pcAnywhere was not needed at first. However, if delivered to a remote client without a technician present to select the necessary items, the SERT ISO tool would be less effective. Fortunately, pcAnywhere lite was added to the SERT ISO before release. Unfortunately, the base WinPE 2.1 image does not include network drivers for client platforms built during the year 2008 or later. This will be addressed in the network section.
With the 2010 Intel vPro Technology platform, a different approach can be taken. KVM remote control was introduced into the hardware and Symantec included support in RTSM by July 2010. See the video from Sean Wadell introducing this functionality http://www.youtube.com/watch?v=ivehBsfe3WQ.
The end of the SERT video referenced in the introduction above shows a KVM remote control session. Using pcAnywhere lite or KVM remote control - the second challenge has been addressed!
Network Drivers for Newer Client Systems
The third challenge impacts the success of SERT ISO if delivered over the network. LiveUpdate would be unable to run and obtain the latest virus definition files. pcAnywhere lite would be unable to run and provide remote desktop connectivity.
The core issue is availability of the correct network drivers within the base WinPE image. For WinPE 2.1 base images, integrated NICs on 2008 or later platforms are affected. This effectively impacts Intel AMT 4.x and higher systems. If the SERT ISO base image is updated to WinPE 3.x, there will still be an issue with missing network drivers. (Note: The last test build of SERT ISO which I had a chance to work with was WinPE 3.x based)
The good news is that regardless of the OEM, the same NIC driver is used across each generation of Intel vPro Technology systems. Even better, the same NIC driver may apply to multiple generations. The basic requirements are to identify the driver, inject into the boot.wim of the WinPE image, and then validate.
The approach I took was to identify the NIC driver used, download from Intel Support site, and follow the Microsoft process for injecting into the boot.wim file.
The screenshot below is from a Dell960 system which failed to load network drivers on my first attempts with the SERT ISO. The screenshot shows the network driver used by the platform.
The files associated with this NIC driver were obtained and injected into the boot.wim. Once completed - the LiveUpdate and pcAnywhere lite portions of SERT ISO were able to connect. Now SERT ISO was ready for use with Intel vPro Technology and boot redirection!
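The identify, inject and validate steps described above, as an added example that is not from the original article. It uses the PowerShell DISM cmdlets, which apply to WinPE 3.x based images, and first checks the driver package's catalog signature, since the resulting image is booted on machines being cleaned. All paths, the image index and the driver folder are placeholders.

```powershell
# Added example: every path below is a placeholder, not a value from the article.
$Wim       = 'C:\sert\iso\sources\boot.wim'  # assumed standard WinPE location of boot.wim
$Mount     = 'C:\sert\mount'                 # empty scratch directory
$DriverDir = 'C:\sert\drivers\nic'           # extracted Intel NIC package (.inf/.sys/.cat)
$ErrorActionPreference = 'Stop'

# 1. Refuse to inject a driver package whose catalog is unsigned or tampered with.
$cats = Get-ChildItem -Path $DriverDir -Recurse -Filter *.cat
if (-not $cats) { throw "No .cat catalog found under $DriverDir" }
foreach ($cat in $cats) {
    $sig = Get-AuthenticodeSignature -FilePath $cat.FullName
    if ($sig.Status -ne 'Valid') {
        throw "Signature on $($cat.Name) is $($sig.Status); refusing to inject"
    }
    Write-Host "$($cat.Name) signed by $($sig.SignerCertificate.Subject)"
}

# 2. Hash the original image so the modification is auditable.
$before = (Get-FileHash -Path $Wim -Algorithm SHA256).Hash

# 3. Mount (index 1 assumed; list indexes with Get-WindowsImage -ImagePath $Wim),
#    inject, validate, and commit only if the driver is listed afterwards.
New-Item -ItemType Directory -Path $Mount -Force | Out-Null
Mount-WindowsImage -ImagePath $Wim -Index 1 -Path $Mount | Out-Null
$commit = $false
try {
    Add-WindowsDriver -Path $Mount -Driver $DriverDir -Recurse | Out-Null
    $infNames = Get-ChildItem $DriverDir -Recurse -Filter *.inf | ForEach-Object Name
    # Get-WindowsDriver without -All lists only third-party (injected) drivers.
    $injected = Get-WindowsDriver -Path $Mount |
        Where-Object { $infNames -contains (Split-Path $_.OriginalFileName -Leaf) }
    if (-not $injected) { throw 'Driver not listed in image after Add-WindowsDriver' }
    $injected | Format-Table Driver, OriginalFileName, ProviderName, Version
    $commit = $true
}
finally {
    # Save on success; discard so a failed attempt leaves boot.wim unchanged.
    if ($commit) { Dismount-WindowsImage -Path $Mount -Save | Out-Null }
    else         { Dismount-WindowsImage -Path $Mount -Discard | Out-Null }
}

$after = (Get-FileHash -Path $Wim -Algorithm SHA256).Hash
Write-Host "boot.wim SHA256 before: $before"
Write-Host "boot.wim SHA256 after : $after"
```

Run it from an elevated PowerShell session; the modified boot.wim still has to be rebuilt into the ISO before it can be used for boot redirection.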
The final version of SERT ISO is expected by end of 2010. If optimizations for Intel vPro Technology usage are not included, the guidance above will help you to make the tool even more powerful and useful. In addition - if you are trying to optimize SRD or other tools - the insights above should be interesting.
One final thought: Should you have a really great idea or solution - I encourage you to share with the community. In fact, I may even reward you for sharing. See the offer posted at http://www.symantec.com/connect/articles/get-bonus-points-intel-and-symantec-solution-implementations
The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries.