Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

SEP Definition Updates on VDIs

Created: 27 May 2013 • Updated: 28 May 2013 | 6 comments
This issue has been solved. See solution.

Hi All.

Good Day!

I have a query related to content updates on VDIs. We have not yet rolled out SEP client on the VDIs but are in the process of testing the installation, creating exceptions, and configuring live update setting etc on a few VDIs. We need to run around 10K VDI clients from the golden image and we need all of them to be updated. Our clients are running as non-persistent guest virtual machines. 

Moreover, we are alreay following the best practices specified at: http://www.symantec.com/business/support/index?page=content&id=TECH180229

The concern is that we do not have an image refresh policy at the moment. We may not update the golden image for months. Also, it is really cumbersome to recreate 10K clients everytime the golden image is updated. 

So, if we do not update the golden image for say 2 months, how will we manage the content updates. Will it require to download the content updates from the day the golden image was created all the way to the current date whenever the VDI gets connected. Is that how it works?

We also have a Shared Insight Cache in place. But can we consider that as a replacement for latest updates, as it marks files as safe that are already considered clean?

Request you all to please assist me with this. 

We are running SEPM 12.1.1101.401 RU1 MP1.

Thanks in advance.

Faiz

Comments 6 CommentsJump to latest comment

Rafeeq's picture

Yes, it will download the entire missing chunck

When will a client download a full definition set from a Symantec Endpoint Protection Manager or Group Update Provider?

 

http://www.symantec.com/business/support/index?page=content&id=TECH131528

How are virus definitions distributed from the Symantec Endpoint Protection Manager?

.Brian's picture

The SIC should not be considered as a replacement for latest defs.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

pete_4u2002's picture

SIC is for scan. the clients needs to be updated.

Mithun Sanghavi's picture

Hello,

In your case, you use the content randomizer in the client communication settings to randomize definition and signature delivery. Based on client density we have found the following to be a pretty decent guideline based on a 1 hour client pull based heartbeat:

a.      25-30 VDI instances per host – 2 hour randomization

b.      30-50 VDI instances per host – 3 hour randomization

c.      50-75 VDI Instances per host – 4 hour randomization

d.      75-100 VDI Instances per host – 6 hour randomization

e.      100-150 VDI instances per host – 8-12 Hour Randomization based on disk type start with 12 and work backwards until the customer is comfortable with the IOPS level.

It should be noted that this is NOT randomization using the settings within the Live Update Policy. Using randomization within the LU policy has shown to be much more CPU and disk intensive. Best performance has been having clients pull content from the SEPM. And common sense says no VDI should be a GUP (Group Update Provider).

Check the White Paper for best-practise configuration.

Secondly, Shared Insight Cache is a stand alone server that enables clients to share scan results.  This allows clients to skip scanning files that have already been scanned by another client.

Check these Articles:

Tips for reducing the impact of SEP in VDI infrastructures

https://www-secure.symantec.com/connect/blogs/tips-reducing-impact-sep-vdi-infrastructures

Best practices for virtualization with Symantec Endpoint Protection 12.1, 12.1 RU1, and 12.1 RU1 MP1

http://www.symantec.com/docs/TECH173650

Symantec Endpoint Protection 12.1 & Virtualization

http://www.symantec.com/docs/TECH194383

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
AjinBabu's picture

Hi,

Clients have to to updated from SEPM / LUA / GUP and SIC is meant to improve the scanning performance by omitting the good files.

Regards

Ajin

fahmed's picture

Hi All,

Thank you for the suggestions.

Hi Rafeeq,

That was really informative.

Hi Mithun,

I now have an idea how to go about this. Thank you for all the details.

I will test these on a bunch of clients. 

Cheers

Faiz