
VDI Desktops & SEP-12

Created: 03 Jun 2011 • Updated: 21 Jan 2013 | 7 comments
This issue has been solved. See solution.

I’m still researching AV solutions for VDI environments and I was hoping to find anyone who can share their experiences with using all the suggested VDI practices with SEP?

  • How does SEP-12 identify non-persistent VDI desktops?
  • How does SEP-12 keep track of erased or image refreshed VDI desktops?
  • How much HTTP-SSL traffic is being generated when you have several thousand VDI desktops when they connect back to their Insight Cache Server?
  • Is the Client to Insight Cache server a persistent connection while performing full scans?
  • How does SEP-12 handle clients that have stopped receiving their updates?
  • If a persistent client that has been offline for several months is suddenly turned on, will SEP-12 fight to update itself while the OS is getting its own vendor patches?
  • How resource intensive is SEP-12 compared to SEP-11 when it performs active, auto and full scans?
  • If one or more VDI desktops have become infected, will SEP-12 isolate those VDIs from communicating with non-infected desktops?
  • Will Symantec offer a non-client AV solution for VDI in the near future?

After reading all the best practices I still have one nagging thought. At the end of the day, you're still using the same hammer but trying to swing it differently.


Yahya

I have the same issue, I can't figure out a way to have SEP11 (not SEP12) on non-persistent VDI templates. I will have a lot of duplicates and all updates are gone.

I have found this KB but not really helpful

http://www.symantec.com/docs/TECH123419

glentc

Even with persistent desktops, I think VDI administrators will eventually schedule a wipe and we're back to the tracking issue. I really like the ability of offering pristine non-persistent desktops when a user logs in, but I'm not sure how well SEP-12 handles environments like this.

VMWare has an interesting article which I thought was an even-handed review of AV options and of the environment & policy considerations that go with each choice.

VMWare: Antivirus Practices with VMWARE View

http://www.vmware.com/files/pdf/VMware-View-AntiVirusDeployment-WP-en.pdf

The article briefly touched on preserving the GUID with logon scripts, but that sounds pretty gimmicky.

"A possible workaround is to preserve GUID before shutting down the virtual machine: Use the Power Off script, for example saveGUID.bat, to a network share. The following function is provided in VMware View Administration Console where you can provide a custom script to interact with the VMware View Composer. For more information on how to configure View Composer in VMware View, please refer to the VMware View Administration Guide."

Mick2009

Hi Glentc,

Are you asking about features in the new SEP release that is coming out this summer? You may find some additional assistance with SEP 12.1 here in its dedicated connect forum: https://www-secure.symantec.com/connect/SEP_12_Beta_Group

Hope this helps,

Mick

With thanks and best regards,

Mick

glentc

Hello Mick. No, none of the posted threads in that section seem to answer any of the questions. Is there a Symantec SEP-12/SEPM-12/VMWARE-VDI expert that can help me find the answers?

Paul Murgatroyd

Hi glentc,

Please find answers to your questions below:

  • How does SEP-12 identify non-persistent VDI desktops?

At this point, SEP12 does not identify non-persistent images - we treat all VMs the same.

  • How does SEP-12 keep track of erased or image refreshed VDI desktops?

VDI images are subject to the same rules as standard clients. How long they are kept in reports can be controlled with a setting in SEPM; the default is 30 days, the minimum is 1 day. For large non-persistent VDI environments you could consider using user mode instead of computer mode. User mode will track the logged-in user and not the actual virtual machine.

  • How much HTTP-SSL traffic is being generated when you have several thousand VDI desktops when they connect back to their Insight Cache Server?

Each full scan results in 25-40MB of network traffic spread out across the duration of the scan.

  • Is the Client to Insight Cache server a persistent connection while performing full scans?

Yes, it's one connection for each scan.

  • How does SEP-12 handle clients that have stopped receiving their updates?

The SEP client can be configured to force LiveUpdate to execute if definitions reach a certain age or the client hasn't connected to its management server in a set period of time.

  • If a persistent client that has been offline for several months is suddenly turned on, will SEP-12 fight to update itself while the OS is getting its own vendor patches?

The SEP12 client will update itself, but this can be configured to work in idle time, ensuring that minimal impact to the end user is witnessed.

  • How resource intensive is SEP-12 compared to SEP-11 when it performs active, auto and full scans?

Active scans are similar in duration and intensity in SEP12 and SEP 11. When using the virtualization features, full scans can use up to 80% less disk IO in SEP 12 vs. SEP 11 and scans take less than half the amount of time to complete.

  • If one or more VDI desktops have become infected, will SEP-12 isolate those VDIs from communicating with non-infected desktops?

Not on its own; you could use the Host Integrity feature of SNAC to detect the infected status of the machine and apply a quarantine firewall policy though.

  • Will Symantec offer a non-client AV solution for VDI in the near future?

We are currently working on our roadmap in this space, but we won't sacrifice protection in order to deliver a non-client solution.

All these questions and answers are fine, but they don't really get across the major improvements we have made in SEP12 - if you haven't tried the virtualisation features for yourself, you really should do!

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

SOLUTION
glentc

Paul, thank you for taking the time to address all my questions. I do have a few more questions that came up since the original posting.

  • If our VMWare admins have set up "Linked Cloned" Desktops, what would be the recommended procedure for installing SEP-12 within this type of environment? My concern is every new or refreshed VDI desktop getting the same SEP-12 identifiers, which can cause an identity issue with SEPM. We already have the procedures for preparing desktop Ghost type images and installation from SCCM. I was wondering if there are any specific "Linked Cloned" procedures and gotchas since it's a different environment.
  • Are there any SEP & SEPM procedures for preparing & managing non-persistent VDI desktops? My concern is whenever a user logs off and their desktop gets purged, does that SEP entry within SEPM get purged too or will the management tool start accumulating defunct workstations?
  • If we're using Linked Cloned Desktops, how are the SEP definitions distributed? Is the parent image the only SEP to get updated or will each SEP need to get updated individually?
  • This question is more of a general question about SEP-12 in any environment. I like how you can set a policy to only allow the SEP to get its def updates when the system is idle. But is this policy enforced when a new disk image is booted for the first time? We've seen situations where SEP-11 gets interrupted during its installation when the OS begins its patching from SCCM. Once this occurs, the SEP is left in a broken state. Sometimes it can be recovered when some autoupdate files are copied over to the correct directory and the SEP services cycled.

Scott.Barbee

Glentc,

I had some similar questions since we just implemented SEPM 12 recently. Our View 4.6 environment with non-persistent desktops kept pushing us over our licensing limit. I got some help in another thread here: http://www.symantec.com/connect/forums/recompose-view-desktops-when-installing-sep-it-duplicate-computer-name-sepm#comment-5905051

I was previously choosing to "delete desktops after first use" within View. That caused the hardware ID to change, and I got many duplicates in SEPM. After changing the setting to "refresh after first use," the duplicates stopped. This is because the "refresh" operation reverts back to a snapshot of the non-persistent desktop that was taken just after cloning (but after SEP had started and generated a hardware ID). Since the VM goes back to this snapshot with each refresh, the hardware ID stays the same... thus SEPM doesn't see it as a change. I think this answers your first two bullet points.

SEP definitions get distributed to Linked Clones just like any other VM or physical machines running SEP. It will depend on how you have it set up. In our case, each client receives def updates from SEPM. I believe this is set up within the LiveUpdate policy. Now if your parent image is a month old, that means each time a linked clone gets created, it will have old defs until it requests an update. We periodically update the parent image with new defs and re-deploy.

Good luck,
Scott
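The two failure modes discussed in this thread, duplicate SEPM entries when a recompose hands each non-persistent desktop a fresh hardware ID (Scott's post above) and defunct entries lingering until the SEPM retention window expires (Paul's answer: 30 days by default, 1 day minimum), are both visible in a client export from the console. The following script is an added example written for this page, not SEP or SEPM code and not posted by anyone in the thread. It assumes an export has been saved as CSV with `computer_name`, `hardware_id` and `last_checkin` columns (these column names, the sample rows and the hardware ID values are constructed; substitute whatever fields your export actually carries) and flags names that map to more than one hardware ID, plus entries that have not checked in within the retention window.

```python
"""Audit a SEPM client export for duplicate and stale VDI entries.

Added example: the CSV layout below (columns computer_name, hardware_id,
last_checkin) is an assumption standing in for a real SEPM export.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. VDI-POOL-001 appears three times because each
# recompose produced a new hardware ID (the "delete desktops after first use"
# case from the thread); VDI-POOL-003 is a defunct clone that never came back.
SAMPLE_EXPORT = """computer_name,hardware_id,last_checkin
VDI-POOL-001,AAAA1111,2011-06-01T08:00:00
VDI-POOL-001,AAAA2222,2011-06-02T08:00:00
VDI-POOL-001,AAAA3333,2011-06-03T08:00:00
VDI-POOL-002,BBBB1111,2011-06-03T09:00:00
VDI-POOL-003,CCCC1111,2011-04-20T09:00:00
WS-PHYS-010,DDDD1111,2011-06-03T10:00:00
"""


def parse_export(text):
    """Read the CSV export into a list of dicts with a parsed check-in time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "name": row["computer_name"].strip(),
            "hwid": row["hardware_id"].strip(),
            "last_checkin": datetime.fromisoformat(row["last_checkin"].strip()),
        })
    return rows


def find_duplicates(rows):
    """Computer names registered under more than one hardware ID.

    One name with several IDs is the signature of a pool whose clones are
    re-created (new ID each time) rather than refreshed from a snapshot.
    """
    ids_by_name = defaultdict(set)
    for r in rows:
        ids_by_name[r["name"]].add(r["hwid"])
    return {name: sorted(ids) for name, ids in ids_by_name.items() if len(ids) > 1}


def find_stale(rows, now, max_age_days=30):
    """Hardware IDs whose last check-in is older than the retention window.

    max_age_days defaults to the SEPM default of 30 days quoted in the thread;
    pass the value you actually configured in SEPM.
    """
    cutoff = now - timedelta(days=max_age_days)
    return sorted(r["hwid"] for r in rows if r["last_checkin"] < cutoff)


def audit(text, now_iso, max_age_days=30):
    """Run both checks over an export; now_iso is the audit time as ISO 8601."""
    rows = parse_export(text)
    now = datetime.fromisoformat(now_iso)
    return {
        "clients": len(rows),
        "duplicates": find_duplicates(rows),
        "stale": find_stale(rows, now, max_age_days),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT, "2011-06-03T12:00:00")
    print(f"{report['clients']} client entries in export")
    for name, ids in report["duplicates"].items():
        print(f"DUPLICATE  {name}: {len(ids)} hardware IDs -> {', '.join(ids)}")
    for hwid in report["stale"]:
        print(f"STALE      hardware ID {hwid} has not checked in within the retention window")
```

Running it against a real export on a schedule gives an early warning that a pool's recompose setting is minting new hardware IDs (each duplicate is also a consumed licence seat, the symptom Scott hit), and shows how much of the console population is dead weight waiting for the retention window to purge it. Lower `max_age_days` to match a shortened SEPM retention setting if you have changed it from the default.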