Endpoint Protection

  • 1.  Scanning Virtual Desktops

    Posted Dec 24, 2012 01:11 PM

    According to https://www-secure.symantec.com/connect/sites/default/files/SEP%2012.1%20Virtualization%20Best%20Practices.pdf, full scans are not necessary.

    "With the increased security capabilities of SEP 12.1 Symantec recommends scheduled scans be configured as active scans instead of full scans. Active scans will scan currently running processes as well as critical system areas and result in a small amount of system activity when compared to full scans. Full scans are not required to secure the system."

    So all the features like virtual exception tool, shared insight cache, vshield virtual appliance, etc are not necessary if you are not going to be doing full scans?



  • 2.  RE: Scanning Virtual Desktops

    Posted Dec 24, 2012 01:15 PM

    They would still be needed. An active scan just scans less than the full scan, but it would still utilise the components above.

    And you are still running a regularly scheduled scan which would also utilise the above components.



  • 3.  RE: Scanning Virtual Desktops

    Trusted Advisor
    Posted Dec 24, 2012 01:33 PM

    Hello,

    Symantec Endpoint Protection 12.1 RU2 includes the following virtualization improvements:

    • A VMware vShield-enabled Shared Insight Cache. Delivered in a Security Virtual Appliance, you can deploy the vShield-enabled Shared Insight Cache into a VMware infrastructure on each host. The vShield-enabled Shared Insight Cache makes file scanning more efficient. You can monitor the Security Virtual Appliance and client status in Symantec Endpoint Protection Manager.

    See "What do I need to do to use a vShield-enabled Shared Insight Cache?".

    For managing Guest Virtual Machines (GVMs) in non-persistent virtual desktop infrastructures:

    • Symantec Endpoint Protection Manager includes a new option to configure the aging period for offline non-persistent GVMs. Symantec Endpoint Protection Manager removes the non-persistent GVM clients that have been offline longer than the specified time period.
    • Symantec Endpoint Protection clients now have a configuration setting to indicate that they are non-persistent GVMs. You can filter out the offline non-persistent GVMs in the Clients tab view in Symantec Endpoint Protection Manager.

    See Using Symantec Endpoint Protection in non-persistent virtual desktop infrastructures.

    Also check these Articles:

    SEP 12.1 & Virtualization

    https://www-secure.symantec.com/connect/articles/sep-121-virtualization

    Symantec Endpoint Protection 12.1 - Virtualization Best Practices

    http://www.symantec.com/docs/TECH173650

    Symantec Endpoint Protection 12.1 - Non-persistent Virtualization Best Practices

    http://www.symantec.com/docs/TECH180229

    Hope that helps!!



  • 4.  RE: Scanning Virtual Desktops

    Posted Dec 26, 2012 07:57 AM

    It's not like that. You still need the other options, but once you configure the scheduled scan as an Active scan rather than a Full scan, you are only scanning the known areas of infection, so your memory consumption stays under control. But when you need to scan a file being downloaded, or scan another drive, you need custom or full scanning, so you need those features.

    The virtual image exception feature in SEP 12.1 includes the ability exclude base image files from scanning.



  • 5.  RE: Scanning Virtual Desktops

    Posted May 03, 2013 08:14 AM

    I suspect and am beginning to see perhaps I am the only one who understands this - and bjohn makes a GREAT point.

    Symantec states themselves that full scheduled scans are becoming unnecessary. And indeed they are correct. That being said, the SVA is not needed or necessary. And here's why - right out of their own documents:

    You can certify the "gold image" on which all of your VDI clients or guests are based. These files are protected and refreshed to the user each time they log out and log in. You control any changes and updates to the image and recertify it. There's never a need to scan - manual or scheduled - the core image.

    Real-time protection, "blood hound", protects files coming and going. Email has protection in SEP, as to the files being created, opened and closed. If the work is all saved to file servers and shares, those are protected by the SEP running on those "servers", virtual or otherwise. You can set those to run full scans at night when no one cares.

    The shared insight cache SVA does one thing and one thing only - it shares information about files scanned during ADMINISTRATOR SCHEDULED SCANS and MANUAL SCANS. Once files have been scanned and trusted by SEP on the "computer", the SVA is told "scanned and approved" and as others do the same, the SVA soon says "I've been told these files are ok by xxx number of computers so it is now a fully trusted file." Next time a computer runs a scheduled or manual scan, there's no need to actually scan the file as it has a reputation of being good on the SVA.

    So if I am reading the Symantec documents, help files, KB articles and readme files correctly, and have heard the spokespeople right, that means that your occasional scan of a few files, or real-time protection, do not benefit. It means if I get a file via email, or open a file from a share or file server, the SVA has no interaction with it, and I do not benefit. It means that if I don't go into the SEPM console and set up an administrator scheduled scan, and do not run manual scans, the SVA does nothing.
    Their documents clearly state the shared insight cache is used ONLY by scans you, the administrator set up in the SEPM console and apply administratively, and by scans you launch manually.
    The documents state those are the only two times it is ever used.
    From that we can safely conclude that if you don't have scheduled scans for the group, and you don't go into the SEPM console and trigger a manual scan, you don't need the SVA since it won't do anything.

    Check the help inside the SEPM console for scheduled scans and scan types - an active scan is STILL a scheduled scan - it is simply a scan that happens fast and is very limited - limited to the most likely sources of trouble. But it's still a scheduled scan and is NOT real-time! As such, active scans compared to full scans simply save scan time and power. It doesn't mean it is working as the user works. So in that, it means that the SVA still does nothing while the USER IS USING THE COMPUTER (or VDI).

    Again, Symantec says in the documents and links posted with new technology and methods, the need for scheduled scans has pretty much gone away. The manual scans - how many of you out there do a manual scan - do you hit the console and highlight a computer or group and kick off a manual scan of files or common threat areas?

    If you do not have scheduled scans set up in the SEPM console and you do not trigger manual scans, and if your users don't do manual scans, you don't need the SVA - that's how I read what Symantec is telling us.

    Here is the description of the types of scheduled scans - once we get to VDI, I suspect we will no longer schedule scans, and if we do it will be in the off-hours when no one cares.
    Types of SCHEDULED SCANS (those that run on a schedule, not all the time, not in the background touching files as you work)

    Specifies the type of scan to run.

    For Administrator on-demand scans, there is no scan type.

    For all other scans, you can select from the following options:

    • Active Scan

      Scans the system memory and all the common virus and security risk locations on the computer very quickly. The scan includes all processes that run in memory, important registry files, and files like config.sys and windows.ini. It also includes some critical operating system folders.

    • Full Scan

      Scans the entire computer for viruses and security risks, including the boot sector and system memory. This scan includes all folders and files. You cannot change the settings for this scan.

    • Custom Scan

      Scans the files and folders that you select for viruses and security risks. You can specify which folders and files to scan for custom scans.



  • 6.  RE: Scanning Virtual Desktops

    Posted May 03, 2013 09:05 AM

    Sooooo, for VDI, I'd recommend running daily Active scans, and using Virtual Image Exception.

    The VIE tool can be configured to apply to scans, realtime protection, or both, and so provides general performance benefits across the board.

    The Active Scan is then there to scan the common load points, memory, and run the reputation check and is still recommended.

    To discuss the combinations available:

    • if you have Active Scan but no VIE, then you lose out on the performance benefit of Auto-protect skipping known good files in your golden image.
    • If you have VIE without regular scans, then you're at increased risk to malware.

    A further recommendation when running VIE is that you always have at least one VM, spawned from the golden image, that still scans everything. This is in case something included in the golden image is later identified by newer definitions as malware.

    I've not discussed the SIC here, as I'd normally only recommend these for virtual server endpoints, and not VDI.



  • 7.  RE: Scanning Virtual Desktops

    Posted May 03, 2013 09:49 AM

    VIE is a one-time run. It's an exe in SEP - you own it, why not apply it to the VDI image? All it does is say that this image was created by me, is known to be clean, I hereby certify it clean with the VIE scan. It scans and flags the image/files. That's it, it's done and does nothing more than tell SEP that it needn't scan the image files that have been certified by VIE.
    You don't "use" VIE except for one time - when you create the image for VDI, then that's it, it does nothing more.

    The shared insight cache (SIC) IS the SVA (Security Virtual Appliance) and is the topic of these discussions. SVA is SIC and SIC is SVA. It is aimed at VDI. It could serve servers, and that's one of our goals, but then, all it does is remove the need to have the scheduled scans scan files that some of the servers agree are clean.

    So when would you schedule the active scan for? First part of the day? End of the day? Remember, it's STILL a scheduled scan - so you must choose a time of day, day of week, or other frequency as well as a TIME of day. It's not continuous, and it's not real-time. If you are going to schedule an active scan, it's only different from a full scan IF you uncheck scanning of all files. In short, once the active scan has run, it's done; if you set it for 8 am, then at 1 pm that day, there's no scan other than REAL-TIME, and it does NOT use the SIC or SVA (which are the same thing really, as the SIC is ON the SVA).

    You said - quote - If you have VIE without regular scans, then you're at increased risk to malware. - unquote.
    That's what autoprotect is for. What if you set the "regular scans" for 1pm, what happens when it finishes at 1:30 and malware hits at 3pm? It's the autoprotect that covers that contingency. NOT a regular scan. The regular scan can only hit things that fell through the cracks, or get in when some new stuff comes in that the defs missed earlier, or that some unprotected device brought in. Scheduled scans are getting to be a thing of the past - by Symantec's own words.
    Since autoprotect is your BEST defense, along with application and device control, which I use VERY extensively, and autoprotect does NOT use the SVA (SIC), and your image is certified by the VIE tool from day one - what is the point of the SVA or shared insight cache? Your DAILY use of SEP won't even utilize it.
    I'm sitting here totally malware/virus free for over 25 months - that is MORE than 2 full years. Some of our computers are used by the public, and our counselors surf like mad-men trying to find jobs for our clients, and of course, being non-tekkies, they want to plug in everything but the microwave oven into their computer and bring in CDs someone gave them. With 370 computers/servers, to me that's no small feat - to protect 370 devices always on the Internet, some used by the public, and have NO infections or malware of any shape or form get in - tells me maybe I know what I'm doing... (or I am very lucky and should thus go out and buy a few lottery tickets??).
    As such, I'm asking someone with some valid and real technical knowledge of SEP, SEPM and SVA (SIC), what is the point of the SVA if the world of scheduled scans is going away - or such scheduled scans can run at night at random times?
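
    As an added illustration, not code from this thread or from Symantec, the following Python models the two mechanisms argued over in posts 5 to 7: a VIE-style baseline of golden-image file hashes that every scan skips, and a shared cache in which scheduled or manual scans on several guests vote a file clean, which (as the thread describes) real-time Auto-Protect scans do not consult. The vote threshold, the hash choice, invalidation of the cache on a definitions update, the guest and file names, and the file contents are all assumptions constructed for this model.

```python
"""Toy model of scan avoidance in a VDI pool.  Added illustration only: it
is not Symantec's code, and the threshold, hashing and definitions-version
invalidation are assumptions made for this example."""
import hashlib
from dataclasses import dataclass, field

VOTE_THRESHOLD = 3  # assumed: guests that must report a file clean before it is trusted


def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_vie_baseline(golden_image: dict) -> set:
    """VIE-style certification: record the hash of every golden-image file."""
    return {file_hash(data) for data in golden_image.values()}


@dataclass
class SharedInsightCache:
    """Cache shared by all guests: file hash -> guests that scanned it clean."""
    defs_version: str
    votes: dict = field(default_factory=dict)

    def report_clean(self, h: str, guest: str, defs_version: str) -> None:
        if defs_version == self.defs_version:      # ignore verdicts from stale definitions
            self.votes.setdefault(h, set()).add(guest)

    def is_trusted(self, h: str, defs_version: str) -> bool:
        return (defs_version == self.defs_version
                and len(self.votes.get(h, ())) >= VOTE_THRESHOLD)

    def update_definitions(self, new_version: str) -> None:
        self.defs_version = new_version   # new content means every old verdict is void
        self.votes.clear()


@dataclass
class Guest:
    name: str
    files: dict          # path -> file contents
    defs_version: str


def plan_scan(guest: Guest, scan_kind: str, vie_baseline: set, cache: SharedInsightCache):
    """Decide per file: scan it, skip it via VIE, or skip it via the shared cache.

    Only 'scheduled' and 'manual' scans consult and feed the cache; 'realtime'
    (Auto-Protect) scans do not, as the thread describes.  Every scanned file is
    assumed to come back clean so the model can record the vote.
    """
    uses_cache = scan_kind in ("scheduled", "manual")
    scanned, skipped_vie, skipped_cache = [], [], []
    for path, data in sorted(guest.files.items()):
        h = file_hash(data)
        if h in vie_baseline:
            skipped_vie.append(path)
        elif uses_cache and cache.is_trusted(h, guest.defs_version):
            skipped_cache.append(path)
        else:
            scanned.append(path)
            if uses_cache:
                cache.report_clean(h, guest.name, guest.defs_version)
    return scanned, skipped_vie, skipped_cache


def demo() -> dict:
    """Run the scenarios from the thread on constructed files; returns the plans."""
    golden = {"C:/Windows/System32/kernel32.dll": b"kernel32-bytes",  # constructed
              "C:/Program Files/App/app.exe": b"app-bytes"}            # constructed
    vie = build_vie_baseline(golden)
    defs = "defs-2013-05-03"
    cache = SharedInsightCache(defs)

    def make_guest(name: str) -> Guest:
        files = dict(golden)
        files["C:/Users/Public/tool.exe"] = b"tool-bytes"      # identical on every guest
        files[f"C:/Users/{name}/notes.txt"] = name.encode()    # unique per guest
        return Guest(name, files, defs)

    guests = [make_guest(f"vdi{i}") for i in range(1, 5)]
    out = {}
    for g in guests:                       # three guests vote tool.exe clean; the fourth skips it
        out[("scheduled", g.name)] = plan_scan(g, "scheduled", vie, cache)
    out[("realtime", "vdi4")] = plan_scan(guests[3], "realtime", vie, cache)
    tampered = make_guest("vdi5")          # golden file altered: its hash leaves the VIE baseline
    tampered.files["C:/Windows/System32/kernel32.dll"] = b"kernel32-bytes-modified"
    out[("scheduled", "vdi5")] = plan_scan(tampered, "scheduled", vie, cache)
    cache.update_definitions("defs-2013-05-04")   # new definitions: cache votes vanish, VIE skips stay
    for g in guests:
        g.defs_version = "defs-2013-05-04"
    out[("scheduled-newdefs", "vdi4")] = plan_scan(guests[3], "scheduled", vie, cache)
    out[("canary", "vdi1")] = plan_scan(guests[0], "scheduled", set(), cache)  # VM with no VIE baseline
    return out


if __name__ == "__main__":
    for key, (scan, vie_skip, cache_skip) in demo().items():
        print(key, "scanned:", scan, "| VIE skipped:", vie_skip, "| cache skipped:", cache_skip)
```

    Two of the scenarios map directly onto points made above: the `realtime` plan scans `tool.exe` even though three guests already voted it clean, which is the gap post 5 describes, and the `canary` plan with an empty baseline is post 6's one VM that still scans everything, since a definitions update in this model clears the shared cache but never the VIE exclusions.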