
Configuring SEP 12.1 in Virtual Environments

Created: 01 May 2011 • Updated: 06 Jun 2011 • 20 comments
By dschrader

This week Symantec introduced the concept of V-Ray, tools that provide visibility into virtual environments. SEP itself has been enhanced to support virtualization seamlessly. Today's blog is a checklist for configuring Symantec Endpoint Protection to play nicely in a virtual space. Optimizing a new product is a work in progress, so if you have suggestions for additional steps or settings that let SEP run better in VDI, let me know. (My thanks to Anthony Flaviani for much of this material.)

1. Ensure that Insight is enabled.

Insight determines a file's security rating by examining the following characteristics of the file and its context:

• The source of the file

• How new the file is

• How common the file is in the community

• Other security metrics, such as how the file might be associated with malware

Insight does more than just improve security. Files with a high Insight rating need not be rescanned, which significantly reduces scan overhead: shorter scan times, less disk I/O, lower CPU utilization, and so on.

2. Prevent scan and update contention with resource leveling

The update process is critical to providing up-to-the-minute protection. A few simple configuration settings help ensure that your virtual clients get the latest updates without using unnecessary bandwidth or creating resource contention:

· Use pull mode heartbeat with download randomization.

· Set the download randomization window to between one and three times the heartbeat interval.

For fewer than 100 clients per server, increase the heartbeat to 15-30 minutes. For 100 to 1,000 clients, increase the heartbeat to 30-60 minutes. Larger environments might need a longer heartbeat interval. For large-scale virtual environments (1,000 or more clients) we recommend a heartbeat interval of 1 hour and a download randomization window of at least 2 hours. Keep in mind that in pull mode a client only learns about new policy or content at its next heartbeat, so the heartbeat plus the randomization window bounds how long the whole fleet takes to pick up a change; size both for your hosts' disk I/O, not just for network bandwidth.

3. Prevent known-clean files from being rescanned

The Shared Insight Cache introduces the concept of a scan cache, a kind of de-duplication of scanning. It keeps track of which files are known to be clean and prevents unnecessary rescanning across the VMs that share it. Shared Insight Cache is a separate service installed on a dedicated physical or virtual server, and it is intended for use within a virtualized environment, typically one cache per VM host or cluster. After you install and configure Shared Insight Cache, you must configure your clients to communicate with it. Shared Insight Cache shows the greatest performance gains where full scans are in use.

To reduce network traffic, install the cache server on the same host as the VMs being protected, or at least within the same local cluster. Because clients skip scanning whatever the cache reports as clean, treat the cache server as trusted infrastructure: keep it on the same protected segment as the clients it serves and restrict which machines can reach it.

Only one cache server IP address or hostname can be configured for each SEP policy. If you require multiple cache servers, either split the SEP policy groups or use DNS or other load balancing methods.

4. Use the Virtual Image Exception tool

The Virtual Image Exception tool lets you pre-scan the files of a base image and exclude them from later client scans, saving time and easing processor load. It is essentially a whitelist built from your virtual base image. Use the tool to identify the safe files in your standard images. Don't forget to thoroughly scan the image and delete any questionable files from the image's quarantine before running the tool: anything excluded here is skipped on every clone built from the image, so a compromised gold image is propagated rather than detected.

5. Continue to monitor and scan base images for latent threats. A separate policy, with the virtual image exception disabled, can be created for a running copy of each base image to accomplish this.

6. Use active scans instead of full scans. Active scans skip archives, but a threat stored inside an archive is inert until it is extracted or executed, and Auto-Protect and SONAR will pick it up at that point.

7. Enable scan randomization. The scan start time should be randomized over the longest possible window. For virtual environments Symantec recommends at least a 12-hour scan window. For environments where it is critical to minimize the impact of the scan, the window can be configured to span up to an entire week.
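
To see what the heartbeat and randomization settings in step 2 (and the scan window in step 7) actually buy you, here is a small added Python model that is not part of the original post and not SEP code. It assumes that each client's heartbeat phase is uniformly distributed, that a client notices new content on its first heartbeat after publication, and that it then waits a uniform random delay inside the download randomization window; all function names are this example's own. It counts how many clients start downloading in the busiest minute for a window of 0, 1, 2 and 3 times the heartbeat. For scan randomization the same function is called with a heartbeat of 0 and the scan window as the randomization window.

```python
# Added example: a model of SEP content-download load under pull-mode heartbeat
# with download randomization. Not Symantec code; the uniform-phase and
# uniform-delay assumptions and all names are this example's own.
import random
from collections import Counter


def download_start_times(n_clients, heartbeat_min, window_min, rng):
    """Minute (from publication at t=0) at which each client starts its download.

    Assumptions (not SEP internals): each client's heartbeat phase is uniform in
    [0, heartbeat); the client notices the new content on its first heartbeat and
    then waits a uniform random delay in [0, window) before downloading. With
    heartbeat 0 this also models scan randomization over a scan window."""
    return [rng.uniform(0, heartbeat_min) + rng.uniform(0, window_min)
            for _ in range(n_clients)]


def scan_start_times(n_clients, window_min, seed=2011):
    """Scan randomization (step 7): each client picks a start uniformly in the window."""
    return download_start_times(n_clients, 0, window_min, random.Random(seed))


def peak_per_minute(start_times):
    """Busiest one-minute bucket: (clients starting in it, that minute, last start)."""
    buckets = Counter(int(t) for t in start_times)
    minute, count = max(buckets.items(), key=lambda kv: kv[1])
    return count, minute, max(start_times)


def expected_mean_per_minute(n_clients, heartbeat_min, window_min):
    """Average starts per minute if the starts are spread evenly over the whole
    heartbeat + window span, i.e. the best case these settings can achieve."""
    return n_clients / (heartbeat_min + window_min)


def compare_windows(n_clients=1000, heartbeat_min=60, multipliers=(0, 1, 2, 3), seed=2011):
    """Peak and convergence time for window = multiplier * heartbeat."""
    rng = random.Random(seed)
    results = {}
    for m in multipliers:
        window = m * heartbeat_min
        peak, minute, last = peak_per_minute(
            download_start_times(n_clients, heartbeat_min, window, rng))
        results[m] = {
            "window_min": window,
            "peak_per_minute": peak,
            "peak_minute": minute,
            "all_done_by_min": last,
            "mean_per_minute": expected_mean_per_minute(n_clients, heartbeat_min, window),
        }
    return results


if __name__ == "__main__":
    for m, r in compare_windows().items():
        print(f"window = {m}x heartbeat ({r['window_min']:>3} min): "
              f"peak {r['peak_per_minute']:>3} clients/min at minute {r['peak_minute']:>3}, "
              f"mean {r['mean_per_minute']:.1f}/min, fleet converged by minute {r['all_done_by_min']:.0f}")
```

With 1,000 clients and a 60-minute heartbeat, a window of three times the heartbeat spreads the same downloads over four hours instead of one and the busiest minute shrinks accordingly; the price is that the last client finishes up to four hours after publication, which is the latency trade-off mentioned in step 2.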

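The Shared Insight Cache (step 3) and the Virtual Image Exception list (step 4) are both ways of not re-scanning content that is already known to be clean, and each fails differently. The following Python model is an added example, not Symantec code and not a description of how SIC or the exception tool are implemented: it assumes the cache keys verdicts on a content hash plus the definitions version (so a definitions update retires earlier verdicts), it builds the exception list from path-plus-hash pairs taken from the gold image, and the class names, file names and the byte pattern used as a stand-in signature are all invented. It shows why step 5 matters: a file changed on a clone no longer matches the exception list and goes back to a normal scan, while a cache verdict is only as trustworthy as the server holding it.

```python
# Added example: a toy model of a shared known-clean scan cache and a base-image
# exception list. Not Symantec code: SIC's real keying and the Virtual Image
# Exception tool's real file marking are not reproduced here; names are invented.
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for a signature match; the real engine is not modelled.
STAND_IN_SIGNATURE = b"EICAR-LIKE-MARKER"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def engine_scan_is_clean(data: bytes) -> bool:
    """Pretend engine: 'clean' unless the constructed marker is present."""
    return STAND_IN_SIGNATURE not in data


@dataclass
class SharedScanCache:
    """Known-clean verdicts shared by every VM pointed at this cache.

    Assumption: a verdict is keyed on (content hash, definitions version), so a
    definitions update retires every earlier verdict and the next client to see
    that content scans it again."""
    definitions_version: str
    _clean: set = field(default_factory=set)
    hits: int = 0
    misses: int = 0

    def is_known_clean(self, content_hash: str) -> bool:
        if (content_hash, self.definitions_version) in self._clean:
            self.hits += 1
            return True
        self.misses += 1
        return False

    def record_clean(self, content_hash: str) -> None:
        self._clean.add((content_hash, self.definitions_version))

    def update_definitions(self, version: str) -> None:
        self.definitions_version = version


class BaseImageExceptions:
    """Allow-list built from a fully scanned gold image: path -> content hash.

    A file on a clone is skipped only if both path and content still match, so
    anything modified after cloning falls back to a normal scan."""

    def __init__(self, gold_image: dict):
        self.entries = {path: digest(data) for path, data in gold_image.items()}

    def is_excluded(self, path: str, data: bytes) -> bool:
        return self.entries.get(path) == digest(data)


def scan_vm(files: dict, cache: SharedScanCache, exceptions=None):
    """Scan one VM; returns (engine_scans, skipped_by_exception, skipped_by_cache, infected)."""
    engine_scans = by_exception = by_cache = 0
    infected = []
    for path, data in files.items():
        if exceptions is not None and exceptions.is_excluded(path, data):
            by_exception += 1
            continue
        h = digest(data)
        if cache.is_known_clean(h):
            by_cache += 1
            continue
        engine_scans += 1
        if engine_scan_is_clean(data):
            cache.record_clean(h)
        else:
            infected.append(path)
    return engine_scans, by_exception, by_cache, infected


def demo():
    """Constructed gold image and two clones; returns the per-scan counts."""
    gold = {
        "C:/Windows/explorer.exe": b"explorer bytes",
        "C:/Windows/System32/drivers/net.sys": b"driver bytes",
        "C:/Program Files/Office/winword.exe": b"word bytes",
    }
    exceptions = BaseImageExceptions(gold)
    cache = SharedScanCache(definitions_version="defs-20110606-r1")

    report = b"quarterly numbers"
    clone1 = {**gold, "C:/Users/alice/report.docx": report}
    clone2 = {**gold, "C:/Users/bob/report.docx": report}
    # Something rewrote a system driver on clone2 after it was cloned.
    clone2["C:/Windows/System32/drivers/net.sys"] = b"driver bytes" + STAND_IN_SIGNATURE

    out = {"clone1": scan_vm(clone1, cache, exceptions)}
    out["clone2"] = scan_vm(clone2, cache, exceptions)
    cache.update_definitions("defs-20110607-r1")
    out["clone1_after_defs_update"] = scan_vm(clone1, cache, exceptions)
    out["cache_hits_misses"] = (cache.hits, cache.misses)
    return out
```

In the demo the three gold-image files are skipped on the first clone and only the user's document reaches the engine; on the second clone the tampered driver no longer matches the exception list and is scanned and flagged, while the identical document is served from the cache. After the definitions update the same document is scanned again, which is the behaviour you want from a cache that must not outlive the definitions that produced its verdicts.
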
In recent months both Trend Micro and McAfee introduced security solutions for virtual environments. Here at Symantec we've been curious about how well those solutions actually detect threats. My next post will take a look at the effectiveness of virtualization security solutions.

Comments (20)

ekwang:

Unless I just completely missed it in SEP 11, the creation of firewall rules specific to certain applications in SEP 12.1 B is much better (or easier) to do.

There used to be a document which had best practices for the settings in SEP 11: Does such a document exist for SEP 12.1 B? Or will it have to wait until it goes GA?

Eric

dschrader:

We do have a best practices guide for virtualization - see the attached document.

Attachment: SEP 12.1 Virtualization Best Practices.pdf (488.91 KB)

glentc:

Where can I find the answers for the following?

I’m still researching AV solutions for VDI environments and I was hoping to find anyone who can share their experiences with using all the suggested VDI practices with SEP?

  • How does SEP-12 identify non-persistent VDI desktops?
  • How does SEP-12 keep track of erased or image refreshed VDI desktops?
  • How much HTTP-SSL traffic is being generated when you have several thousand VDI desktops when they connect back to their Insight Cache Server?
  • Is the Client to Insight Cache server a persistent connection while performing full scans?
  • How does SEP-12 handle clients that have stopped receiving their updates?
  • If a persistent client that has been offline for several months is suddenly turned on, will SEP-12 fight to update itself while the OS is getting its own vendor patches?
  • How resource intensive is SEP-12 compared to SEP-11 when it performs active, auto and full scans?
  • If one or more VDI desktops have become infected, will SEP-12 isolate those VDIs from communicating with non-infected desktops?
  • Will Symantec offer a non-client AV solution for VDI in the near future?

After reading all the best practices I still have one nagging thought. At the end of the day, you're still using the same hammer but trying to swing it differently.

Nate Brogan:

I hope this helps ...

> How does SEP-12 identify non-persistent VDI desktops?

I am not 100% sure of the question.  However, it does not distinguish between persistent vs non-persistent desktops.

> How does SEP-12 keep track of erased or image refreshed VDI desktops?

Is this with regard to SEPM keeping track of them?  If so, this is no different than a non-VDI desktop.

> How much HTTP-SSL traffic is being generated when you have several thousand VDI desktops when they connect back to their Insight Cache Server?

I don't have the numbers on hand. However, I think each request is only something like 200 bytes.

> Is the Client to Insight Cache server a persistent connection while performing full scans?

Yes

> How does SEP-12 handle clients that have stopped receiving their updates?

What kind of updates are you referring to?  Information from the insight cache?  If so, it will scan the file if information cannot be retrieved from the cache.

> How resource intensive is SEP-12 compared to SEP-11 when it performs an active, auto and full scans?

I do not know the official numbers.  But they are night and day on resource usage (SEP-12 using a lot less).

> If one or more VDI desktops have become infected, will SEP-12 isolate those VDIs from communicating with non-infected desktops?

Behavior is no different than infections of "regular" desktops.

> Will Symantec offer a non-client AV solution for VDI in the near future?

Completely clientless? Probably not. This is more dependent on virtualization vendors providing the correct mechanisms to offer clientless AV. Symantec would probably ruin its security reputation if it attempted to go completely clientless right now. Virtualization vendors do not offer enough insight into the guest OS to properly handle all attacks.

Admin76:

Before I finally shut down the gold image I reset the installed applications' IDs (such as SEP or the Altiris agent) and finally I run Sysprep to reset the Windows SID etc. Cloned images are then unique and it eliminates the ID-sharing problem (duplicate GUID). It is Microsoft best practice for how to clone images.

In the SEP 12.1 Virtualization Best Practices.pdf article, chapter 5, Excluding Base Image, says the following:

“Note: Changing the Windows SID after running the tool will invalidate the data. If you change the Windows SID you must run the tool after changing the value.”

Does it mean that my cloned images with the new generated SID will not be able to use Virtual image exception?

NDinev:

Does it mean that my cloned images with the new generated SID will not be able to use Virtual image exception?

I want to know too...

John Cooperfield:

My understanding is: your cloned images with the newly generated SID are not meant to use the Virtual Image Exception tool. You run the tool only on the base image. You put your cloned user machines in a different SEP group(s), one(s) in which VIE is disabled.

It is a bit hard to make out, but see this under section 5.1 in that Best Practices PDF:

"To do this you should run one copy of each excluded image in its default state and use a separate SEP policy with virtual image exception disabled to monitor for threats."

HTH

John

If this helped/answered, please mark as solution.

Srikanth_Subra:

Hi,

I have one doubt: do we need to install Symantec on each VMware VM, or is installing it on the physical machine OK?

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

bjohn:

I have the same question about:

"Note: Changing the Windows SID after running the tool will invalidate the data. If you change the Windows SID you must run the tool after changing the value."

Does it mean that my cloned images with the new generated SID will not be able to use Virtual image exception?

Can someone from Symantec respond, should we use quickprep?

Admin76:

We use VMware and VDI 5.

For cloning, VMware uses minisysprep, which doesn't affect the main Microsoft computer SID.

So the SID of the cloned virtual machines is the same as for the pre-scanned gold image.

So the problem being discussed actually doesn't exist.

Dushan Gomez:

Many thanks for posting this guideline mate !

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

Ch@gGynelL_12:

How do I install the SEP 12.1 client in a virtual machine/environment? Are the procedures the same as installing the SEP client on Windows computers? Can you provide some documentation with step-by-step procedures for how to deploy or install the SEP client on a virtual machine?

Many thanks,

JM

DGLMike:

Hi JM,

Installing on VMs is exactly the same as on a physical computer; however, there are several options available to you depending on the role / number of computers you want to deploy to:

  • Manual install
  • Deploy from SEPM console via 'Common Tasks'
  • Deploy using Altiris/SEPIC
  • Deploy using SEPPrep
  • Deploy via any other software deployment tool you may have e.g. SCCM
  • Pre-installed in a disk image
  • Pre-installed on a 'gold' image for cloning

The process for each option above is in 'Installation_and_Administration_Guide_SEP12.1.2' (or in their own manual in the case of SEPIC/SEPPrep) but there are also loads of KB's available on Connect.

hforman:

In a virtual environment, you have to protect BOTH the virtual (host) OS and the individual VMs.  Protecting the host never protects the individual virtual guests.

s.raghavendra1979@gmail.com:

I would like to know about Symantec vShield Endpoint after installing the vShield virtual appliance.

My question: do we need to install the SEP client on all VMs when we have configured the Symantec vShield Endpoint appliance?

s.raghavendra1979@gmail.com:

Do we have any video on how to integrate Symantec vShield Endpoint with VMware vSphere ESXi 5.0 or 5.1?

bjohn:

Yes, you still need the SEP client on your VM.

Symantec's vshield integration is just a gimmick.

hforman:

At this time you will need both. From my security classes in virtualization security, you need to protect BOTH the individual guests and you need to protect the host OS (ESXi). From my notes at a recent Symantec roundtable, clientless support in VMware is coming in a future release.

Howie