
SEP 12.1 Insight cache server - working

Created: 05 Sep 2012 • Updated: 06 Sep 2012 | 11 comments
ThaveshinP's picture
This issue has been solved. See solution.

Has anyone tried installing and setting up an Insight Cache server for a SEP 12.1 environment and is it working?

We have +- 48000 endpoints and client does not want to allow ALL of them to access the internet using SEP 12.1.  What are the prerequisites to get this going and I have looked at "some" documentation and there is no step by step process.

 

Can anyone help?


SMLatCST's picture

I think you might be getting confused between Insight, and the Shared Insight Cache.

Insight:
This is enabled by default and is controlled via the "External Communications Settings" section of the POLICIES tab in the CLIENTS view.  This is used by SEP Clients to use the reputation data being collected by Symantec on executable files, and is used by various SEP Components (SONAR, Download Insight, Scheduled Scans, etc).  This improves security and performance.

Shared Insight Cache:
This must be manually installed first, then enabled under the Global Scan Settings in an AV Policy.  This option allows the SEP Clients to share their scan results, so that any single file need only be scanned once.  This improves performance only.  Even with this option enabled, a SEP Client will still use normal Insight.

As you mention accessing the Internet, I'm assuming you mean normal Insight (top option):

As above, this is normally enabled by default so will likely already be in use on your SEP12.1 clients.  The below article may help, as it provides some info on the amount of traffic this generates.

http://www.symantec.com/docs/TECH183109

Mithun Sanghavi's picture

Hello,

I agree with the above.

We have +- 48000 endpoints and client does not want to allow ALL of them to access the internet using SEP 12.1.  What are the prerequisites to get this going and I have looked at "some" documentation and there is no step by step process.

You could block the access to internet via Firewall. Check this Article:

How to block Web access to client with the help of firewall in a Proxy Environment

http://www.symantec.com/docs/TECH188973

Secondly, to understand "Insight and Deployment Best practices", check this Whitepaper:

Insight - Deployment Best Practices WhitePaper

In case, you specifically need to know about "Shared Insight Cache", I would recommend you to check these Articles:

Installation and Configuration of Shared Insight Cache

http://www.symantec.com/connect/articles/installation-and-configuration-shared-insight-cache

Shared Insight Cache - Best Practices and Sizing guide

http://www.symantec.com/docs/TECH174123

Symantec Endpoint Protection Shared Insight Cache User Guide 12.1

http://www.symantec.com/docs/DOC4334

About the Symantec Endpoint Protection Shared Insight Cache tool

http://www.symantec.com/docs/HOWTO55311

How Shared Insight Cache works

http://www.symantec.com/docs/HOWTO55318

Troubleshooting issues with Shared Insight Cache

http://www.symantec.com/docs/HOWTO55319

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Chetan Savade's picture

Hi,

I agree with SMLatCST, you might be a little confused here.

To block end users internet access you will have to block it applying the firewall rule.

Blocking a Web site using Symantec Endpoint Protection

How a firewall works

http://www.symantec.com/docs/HOWTO55054 

Shared Insight Cache (SIC) is a server application which caches known clean files in order to optimize scan performance. SIC server is mainly designed for virtual environments but usage on physical systems is supported given that network latency is kept at an absolute low. SIC server keeps a record in memory (RAM) of files which are voted clean by systems performing scans.

Reference: https://www-secure.symantec.com/connect/blogs/shared-inside-cache-sep-121

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

ThaveshinP's picture

Will try to install SIC and check if it works.

ThaveshinP's picture

I don't want to block users, but don't want SONAR to access the internet to Symantec for a lookup. I want to have a server with all cached scanned files that have good reputation that 45000 endpoints can access and not the internet.

SMLatCST's picture

That's the thing.  The way you describe your issue suggests you may not understand the difference between Insight and the Shared Insight Cache.

Insight:
This is the reputation based technology, and the one that requires access out to the Internet.  As I mentioned yesterday, you can disable this via the "External Communications Settings".

Shared Insight Cache:
This is something you set up internally to allow your SEP Clients to share scan results.  This has nothing to do with the reputation information used for normal Insight, and clients configured to use the SIC will still contact Symantec for reputation information (if it's not been disabled via the "External Communications Settings").

As far as the SIC goes, it's also worth noting that this only affects scans (either scheduled or on-demand), and is designed for use in a virtual environment.  Are all your 45000 endpoints virtual?

SOLUTION
ThaveshinP's picture

None of the 45000 endpoints are virtual. How would I know to check if the SIC is working or not?

SMLatCST's picture

Once installed, the SIC adds a set of perfmon counters that allow you to track the number of files for which it is caching scan results.  You should also see the number of files counted as "Trusted" in the scan results on the clients jump up too (for every scan after the first on each definition revision).
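
One way to sample the perfmon counters mentioned above on a schedule, as an added example that is not part of the original thread or Symantec's own tooling. The counter set name pattern (`*Insight*`) and the output path are assumptions; confirm the real counter set name in perfmon.exe on the SIC server first.

```powershell
# Added example: sample the Shared Insight Cache perfmon counters on the SIC server.
# ASSUMPTION: the counter set name contains "Insight"; check perfmon.exe and
# adjust $Pattern. $OutFile is a hypothetical path.
param(
    [string]$Pattern = '*Insight*',
    [string]$OutFile = 'C:\Temp\sic-counters.csv',
    [int]$IntervalSeconds = 60,
    [int]$Samples = 5
)

$sets = @(Get-Counter -ListSet $Pattern -ErrorAction SilentlyContinue)
if ($sets.Count -eq 0) {
    Write-Warning "No counter set matches '$Pattern'. Is SIC installed on this host?"
    return
}

# Use per-instance paths when the set has instances, otherwise the plain paths.
$paths = foreach ($set in $sets) {
    if ($set.PathsWithInstances) { $set.PathsWithInstances } else { $set.Paths }
}

$rows = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples |
    ForEach-Object {
        foreach ($s in $_.CounterSamples) {
            [pscustomobject]@{
                Timestamp = $s.Timestamp
                Counter   = $s.Path
                Value     = $s.CookedValue
            }
        }
    }

# Append so a daily or weekly scheduled task builds up a history.
$rows | Export-Csv -Path $OutFile -NoTypeInformation -Append

# A counter that stays at zero in every sample showed no activity in this window.
$rows | Group-Object Counter | ForEach-Object {
    $max = ($_.Group | Measure-Object Value -Maximum).Maximum
    [pscustomobject]@{ Counter = $_.Name; MaxValue = $max; Active = ($max -gt 0) }
}
```

Run it from a scheduled task on the SIC server while clients are scanning; the CSV then gives a daily or weekly trend to compare against the "Trusted" file counts in client scan results.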

ThaveshinP's picture

Where in the console can I check this? Can this be checked daily, weekly, etc.?