I suspect and am beginning to see perhaps I am the only one who understands this - and bjohn makes a GREAT point.
Symantec states themselves that full scheduled scans are becoming unnecessary. And indeed they are correct. That being said, the SVA is not needed or necessary. And here's why - right out of their own documents:
You can certify the "gold image" on which all of your VDI clients or guests are based. These files are protected and refreshed to the user each time they log out and log in. You control any changes and updates to the image and recertify it. There's never a need to scan - manual or scheduled - the core image.
Real-time protection, "blood hound", protects files coming and going. Email has protection in SEP, as to the files being created, opened and closed. If the work is all saved to file servers and shares, those are protected by the SEP running on those "servers", virtual or otherwise. You can set those to run full scans at night when no one cares.
The shared insight cache SVA does one thing and one thing only - it shares information about files scanned during ADMINISTRATOR SCHEDULED SCANS and MANUAL SCANS. Once files have been scanned and trusted by SEP on the "computer", the SVA is told "scanned and approved" and as others do the same, the SVA soon says "I've been told these files are ok by xxx number of computers so it is now a fully trusted file." Next time a computer runs a scheduled or manual scan, there's no need to actually scan the file as it has a reputation of being good on the SVA.
So if I am reading the Symantec documents, help files, KB articles and readme files correctly, and have heard the spokespeople right, that means that your occasional scan of a few files, or real-time protection do not benefit. It means if I get a file via email, or open a file from a share or file server, the SVA has no interaction with it, and I do not benefit. It means that if I don't go into SEPM console and set up an administrator scheduled scan, and do not run manual scans, the SVA does nothing.
Their documents clearly state the shared insight cache is used ONLY by scans you, the administrator, set up in the SEPM console and apply administratively, and by scans you launch manually.
The documents state those are the only two times it is ever used.
From that we can safely conclude that if you don't have scheduled scans for the group, and you don't go into the SEPM console and trigger a manual scan, you don't need the SVA since it won't do anything.
Check the help inside the SEPM console for scheduled scans and scan types - an active scan is STILL a scheduled scan - it is simply a scan that happens fast and is very limited - limited to the most likely sources of trouble. But it's still a scheduled scan and is NOT real-time! As such, active scans compared to full scans simply save scan time and power. It doesn't mean it is working as the user works. So in that, it means that the SVA still does nothing while the USER IS USING THE COMPUTER (or VDI).
Again, Symantec says in the documents and links posted with new technology and methods, the need for scheduled scans has pretty much gone away. The manual scans - how many of you out there do a manual scan - do you hit the console and highlight a computer or group and kick off a manual scan of files or common threat areas?
If you do not have scheduled scans set up in the SEPM console and you do not trigger manual scans, and if your users don't do manual scans, you don't need the SVA - that's how I read what Symantec is telling us.
Here is the description of the type of scheduled scans - once we get to VDI - I suspect we will no longer schedule scans, and if we do it will be in the off-hours when no one cares.
Types of SCHEDULED SCANS (those that run on a schedule, not all the time, not in the background touching files as you work)
Specifies the type of scan to run.
For Administrator on-demand scans, there is no scan type.
For all other scans, you can select from the following options:
- Active Scan: Scans the system memory and all the common virus and security risk locations on the computer very quickly. The scan includes all processes that run in memory, important registry files, and files like config.sys and windows.ini. It also includes some critical operating system folders.
- Full Scan: Scans the entire computer for viruses and security risks, including the boot sector and system memory. This scan includes all folders and files. You cannot change the settings for this scan.
- Custom Scan: Scans the files and folders that you select for viruses and security risks. You can specify which folders and files to scan for custom scans.