
SEP and Vshield integration

Created: 27 Feb 2013 | 8 comments

Hi Experts,

Our office is going to implement a VDI structure, and all clients have SEP 12.1 licenses purchased. So our concern is whether we need to buy additional licenses or upgrade if we migrate our infra to VDI with a vCenter environment. Please advise me on the below:

1) How can we control USB device auto scanning in VDI environment?

2) Do we need to purchase additional license for VDI environment?

 

Thanks guys.


Mithun Sanghavi's picture

Hello,

Here are your Answers - 

1) How can we control USB device auto scanning in VDI environment?

No. However, check this Article:

Does Symantec Endpoint Protection or Symantec Antivirus Scan USB flash drives?

http://www.symantec.com/business/support/index?page=content&id=TECH102573&locale=en_US

2) Do we need to purchase additional license for VDI environment?

Every VM needs to have the SEP client installed, however you can exclude the base image by Running the Virtual Image Exception tool. You could also perform things to enhance performance.

Check these Articles:

Symantec Endpoint Protection 12.1 - Virtualization Best Practices

http://www.symantec.com/docs/TECH173650

Does Symantec Endpoint Protection 12.1 support VMWare vShield?

http://www.symantec.com/docs/TECH175568

Also read the Installation and Administration Guide; Chapter 29 is loaded with information, such as (from p. 669):

http://www.symantec.com/business/support/index?page=content&id=DOC6153

A vShield-enabled Shared Insight Cache runs in a Symantec Endpoint Protection Security Virtual Appliance. You must install the appliance so that Windows-based Guest Virtual Machines (GVMs) can use VMware vShield Endpoint to access the Shared Insight Cache.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Ajit Jha's picture

Hi,

You do not need to buy any additional license if you are moving to a VDI network. Please see Using Symantec Endpoint Protection in virtual infrastructures

http://www.symantec.com/business/support/index?page=content&id=HOWTO81060&actp=search&viewlocale=en_US&searchid=1362033893688

Also:

Best Practices for Deploying Symantec Endpoint Protection's Application and Device Control Policies
 
How to block USB devices while excluding mouse and keyboard?
 
How to block USB Thumb Drives and USB Hard Drives, but allow specific USB Drives in the Application and Device Control Policy in Symantec Endpoint Protection.

Regards,

Ajit Jha

Technical Consultant

ASC & STS

FutureZone's picture

Hi Mithun and Ajit,

Thank you so much for your advice. Let me read through those articles; they are really helpful tips. I really appreciate it.

Another thing that I wanted to check for my knowledge is that we have V7000 storage which is going to be used for the VDI DB for those profiles.

1) What is VIE tool usage for? ( To use VM without SEP manually?)

2) Can download VIE tool if needed for SEP12.1? ( Is it usable for SEP 11.1 as well?)

3) Is there any software like "Trend Micro Deep Security" or similar from Symantec as well?

 

Thanks again guys for quick response and help. Fantastic!

*****************************************

Ajit Jha's picture

Hi, I am an ex-Trend Micro Certified Security Professional and currently a Symantec ASC. All I can say to you is that there is no comparison between Trend Micro and Symantec. Whatever Trend Micro has got today, we had it two years ago. Please go ahead with the implementation. The Symantec Support Team is always with its customers.

Regards,

Ajit Jha

Technical Consultant

ASC & STS

Mithun Sanghavi's picture

Hello,

Here are the Answers to your Questions - 

1) What is VIE tool usage for? ( To use VM without SEP manually?)

The Virtual Image Exception (VIE) tool was created specifically for VDI environments deployed using shared base images. The VIE tool provides the ability to exempt the files in a base image from SEP client scans once the image is deployed. If the files are updated or changed in any way, the updated/changed files will be scanned as usual.

It is suggested that VM admins either record their VIE exceptions list prior to their VM template machine being added to the domain, or place the computer account for the VM template machine into an OU with no GPOs applied. Once the VIE tool's exceptions list has been created, GPOs can then be applied to the system as normal.

Please see the following article for more information on use of the VIE tool:

http://www.symantec.com/business/support/resources/sites/BUSINESS/content/staging/DOCUMENTATION/4000/DOC4335/en_US/2.0/sep_virtual_image_exception.pdf

About the Symantec Virtual Image Exception tool

http://www.symantec.com/docs/TECH172218

Symantec Endpoint Protection Virtual Image Exception User Guide 12.1

http://www.symantec.com/docs/DOC4335

2) Can download VIE tool if needed for SEP12.1? ( Is it usable for SEP 11.1 as well?)

The VIE tool was developed specifically for SEP 12.1 and not for SEP 11.x

3) Is there any software like "Trend Micro Deep Security" or similar from Symantec as well?

Check this and decide it for yourself -

Symantec Endpoint Protection 12.1 vs. Trend Micro Deep Security 8 Anti-virus Performance in VMware ESXi Virtual Environments

https://www-secure.symantec.com/connect/downloads/symantec-endpoint-protection-121-vs-trend-micro-deep-security-8-anti-virus-performance-vmw

Hope that helps!!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


ShadowsPapa's picture

I have nothing against Trend products personally, so this isn't in any way a "slam" or dig at them, however, I have over the years found to be true what Ajit says - I fully agree, Symantec is and typically has been for several years, ahead of the others. Check the Gartner Group quadrant. Symantec is high in the upper right quadrant...... leaving others in the dust. Microsoft is a johnny-come-lately and still falling flat on their collective faces. I hope the dirt in Redmond tastes good, they seem to fall face-first into it quite a bit.

Back on the other...... when I worked endpoint security (we called it anti-virus, anti-malware back then) at a very large financial services company, Trend was used in Exchange, I had SAV CE on the servers and endpoints. I can't tell you how often SAV CE caught things that had gotten through otherwise. It was reversed on occasion, but not very often. SAV won the title of most caught most often. It's even more true today, as I see it.

I have used these products since NAV 2.0 (that ages me a bit, doesn't it? And the computer condom Peter Norton had to represent the protection he offered). I started out a 150% Central Point fan - used and supported CPAV, then CPAV for Netware, and followed it to Symantec when they bought out CPAV and the AV technology they had. I've been through all of the products over the years. Every place I've worked, when I evaluated products, these typically came out on top. Now with SEP as my tool, and my use of the technology within, I can state that I have kept the government agency I work for 100% malware and virus free for 25 months. Think of it - over 2 full years without a single infection of ANY sort. No adware, no malware, no viruses. We've not had to clean a computer in so long many of us are almost forgetting what it's like. In fact, we recently got together to review what to do in cases of infection, and we had to think a bit. It's almost no fun any more................ LOL.

The enterprise arm of IT here "audited" us - sort of a small penetration test, although in my opinion, not much of one... anyway, one of the tests was they were to insert a USB device and try to copy files over to it and leave with the files. When they came and asked if I saw their attempt - I said "so, how's that USB device working for you........." Of course, it didn't! They could never get to the step in the test where they were to copy the file as they were unable to get the USB device to work. Even on computers in IT!

They WERE able to get their computer onto our network, but only because I don't have NAC (SNAC) working here.... yet... I really want to do that next. Make it so that only our own can connect and get an IP address. I want it so that if it's not a member of our domain, it can't even get an IP or pass any traffic at all. I've not been able to figure that out yet.

FutureZone's picture

Hi All,

Thanks a lot for all the valuable inputs. Aside from Symantec's strong points compared to other products, in our experience Symantec Endpoint Protection V12.1 uses agent-based updating of the DAT file daily, and this is one of the issues in our VDI environment testing when we install our user profile image together with SEP.

Each and every time a client accesses this image and logs off from the PC (thin client), SEP goes back to the old DAT file. So my point here is that we need to re-create the master image daily in order to update the SEP definition file, which is not practical. Whereas other products do not use an agent, in other words are 'agentless', and have no issue with the VDI environment. So I felt SEP is best when it comes to non-virtualization. Please correct me if I have judged wrongly.

*****************************************

ShadowsPapa's picture

I may be incorrect in this - so please feel free if I miss the boat.

It seems to me that one of the "features" of VMware in general is that it can update products in the image. Say some critical Windows patch comes out - instead of using SCCM or other means to "push out patches" at night, I was thinking I had heard or read that the VM hosts would do that for you - in other words, what I am thinking (again, could be incorrectly thinking this) is that VMware did an update just as if you had pushed an update to 100 computers, it did it to the images on the hosts.

If that's the case - could it not push new definitions or policies or such into the images as well?

Can a "Symantec regular" or someone who is already using VDI (VMware client situation) chime in with a knowledgeable reply - either confirm, or set me straight?