This week Symantec introduced the concept of V-Ray – tools that provide visibility into virtual environments. SEP itself has been enhanced to seamlessly support virtualization. Today’s blog is a checklist for configuring Symantec Endpoint Protection to play nicely in a virtual space. Optimizing a new product is a work in progress, so if you have suggestions on additional steps/settings to better allow SEP to run in VDI, let me know. (My thanks to Anthony Flaviani for much of this material).
1. Ensure that Insight is enabled.
Insight determines a file's security rating by examining the following characteristics of the file and its context:
• The source of the file
• How new the file is
• How common the file is in the community
• Other security metrics, such as how the file might be associated with malware
Insight does more than just improve security. Files with a high Insight rating need not be rescanned. This significantly reduces scan overhead in the form of shorter scan times, reduced disk I/O, lower CPU utilization, etc.
2. Prevent scan and update contention with resource leveling
The update process is critical to providing up to the minute protection. A few simple configuration settings can help ensure that your virtual clients have the latest updates without using unnecessary bandwidth or creating resource contention. A few suggestions:
• Use pull mode heartbeat with download randomization.
• Set the download randomization to between one and three times the heartbeat interval.
For fewer than 100 clients per server, increase the heartbeat to 15-30 minutes. For 100 to 1,000 clients, increase the heartbeat to 30-60 minutes. Larger environments might need a longer heartbeat interval. For large scale virtual environments (1,000 or more clients) we recommend a heartbeat interval of 1 hour and a download randomization window of at least 2 hours.
3. Prevent known-clean files from being rescanned
The Shared Insight Cache introduces the concept of a scan cache – sort of the de-duplication of scanning. It keeps track of which files are known to be clean and prevents unnecessary rescanning. Shared Insight Cache is a separate service installed on a dedicated server or on a virtual server – though it usually should only be used within a VM host. After you install and configure Shared Insight Cache, you must configure your clients to communicate with Shared Insight Cache. Shared Insight Cache will show the greatest performance gains where full scans are in use.
To reduce network traffic, install the cache server on the same host as the VMs being protected or at least within the same local cluster.
Only one cache server IP address or hostname can be configured for each SEP policy. If you require multiple cache servers, you can either split the SEP policy groups or use DNS or other load balancing methods.
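To make the "de-duplication of scanning" idea concrete, here is a small added model (not Symantec's code) of a shared scan cache serving a pool of VMs cloned from one base image. The cache key, the toy scanner and the constructed file contents are all assumptions; the point it shows is that only the first VM pays for scanning the shared base-image files, and that cached verdicts must not survive a definitions update.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class SharedInsightCache:
    """Toy scan cache: remembers (content hash, definitions version) pairs
    already verified clean, so identical files on other VMs are not rescanned.
    Malicious verdicts are never cached; those files are always rescanned."""
    defs_version: int
    clean: set = field(default_factory=set)
    scans: int = 0   # how many times the expensive scanner actually ran
    hits: int = 0    # how many scans were avoided by a cache hit

    def scan(self, content: bytes, scanner) -> bool:
        key = (hashlib.sha256(content).hexdigest(), self.defs_version)
        if key in self.clean:
            self.hits += 1
            return True
        self.scans += 1
        is_clean = scanner(content)
        if is_clean:
            self.clean.add(key)
        return is_clean

    def update_definitions(self, new_version: int) -> None:
        # New definitions can flag files previously judged clean, so verdicts
        # are keyed by version and old entries simply stop matching.
        self.defs_version = new_version


def toy_scanner(content: bytes) -> bool:
    # Constructed stand-in for the real engine (assumption): any file carrying
    # this marker string is treated as malicious, everything else as clean.
    return b"<constructed-malware-marker>" not in content


def simulate(vm_count: int = 20, base_files: int = 50):
    """Scan every file on every VM; each VM shares the base image and has one
    unique file. Returns (real scans performed, scans avoided)."""
    cache = SharedInsightCache(defs_version=1)
    base_image = [f"base-file-{i}".encode() for i in range(base_files)]  # constructed
    for vm in range(vm_count):
        for content in base_image + [f"user-profile-{vm}".encode()]:
            cache.scan(content, toy_scanner)
    return cache.scans, cache.hits
```

With 20 VMs and 50 shared files, simulate() performs 70 real scans instead of 1,020, which is the saving the cache buys on identical clones.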
4. Use the Virtual Image Exception tool
The Virtual Image Exception tool allows you to pre-scan base image files to reduce client scan times. The Symantec Endpoint Protection virtual exception tool lets you safely remove base image files from the scanning process, saving time and easing processor loads. It is essentially a white-list built from your virtual base image. Use the exception tool to identify safe files from your standard images. Don’t forget to thoroughly scan the image and delete any questionable files from the image’s quarantine before running the tool.
5. Continue to monitor and scan base images for latent threats. A separate policy can be created to accomplish this.
6. Use active scans instead of full scans, since any threats stored in archives will be picked up on execution by Auto-Protect and SONAR.
7. Enable Scan Randomization - the scan start time should be randomized over the longest possible window. For virtual environments Symantec recommends at least a 12 hour scan window. For environments where it is critical to minimize the impact of the scan this duration can be configured to run for up to an entire week.
In recent months both Trend Micro and McAfee introduced security solutions for virtual environments. Here at Symantec we've been curious about how well those solutions actually detect threats. My next post will take a look at the effectiveness of virtualization security solutions.