VIEtool versus Shared Insight Cache Server

Created: 28 Jul 2011 • Updated: 28 Jul 2011 | 5 comments
This issue has been solved. See solution.

Do I understand this correctly? Both the VIETool and the Shared Insight Cache Server affect scheduled scans only. Neither improves real-time antivirus scans. The benefit of running VIETool in an environment which also has Shared Insight configured is that machines with files marked by VIETool do not have to check with the Shared Insight Server to see if the file is safe or not. This results in less bandwidth. Right?

Edwin

Rafeeq

Yes; scheduled scan only!!

EDIT: I read all those docs again 

Shared Insight Cache is only available for the clients that perform scheduled scans and manual scans. Paul explained it better, thanks to Paul.

Paul Murgatroyd

VIETool can be applied to both scheduled, on-demand and manual scans AS WELL AS Auto-Protect.

SIC can be used for scheduled, on-demand and manual scans, but not Auto-Protect.

You are correct on your VIETool and SIC usage - if the file is marked clean, the hash will not be sent to the SIC.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

SOLUTION
PrimeInc

Excellent, thank you.  I could not find anywhere in the documentation that said VIETool also applies to Auto-Protect.   I'd like to suggest expanding the documentation to include this fact. 

I'd also like to suggest including information about when a file marked by the SIC and VIETool as clean could be scanned again.  

Scenarios I am unclear on: If I remove SEP and reinstall it, are the files still marked as clean? I assume yes.

If a pattern file update occurs, these marked files will still go through unscanned, right?  I assume yes.   

If I patch my server, new files are not marked so occasionally I need to scan the server for viruses and re-run the tool. Defragging doesn't unmark a file, correct? The attribute stays with the file?

If I run VIETool against an existing server and that server has "malware" such as cookies or viral JAR files in Java cache, and those files are not deleted by SEP due to policy or whatever reason, am I marking those files as clean and leaving myself without protection from those files? I know the documentation says to run a full scan before running VIEtool, however a user on Citrix or Terminal Services could get a malicious file on the virtual server in between running a full AV scan and VIETool completing.

References

Documentation; www.symantec.com/business/.../en.../sep_virtual_image_exception.pdf

What is auto protect? Auto protect is the real time AV scanner:  http://www.symantec.com/business/support/index?page=content&id=TECH94990

Paul Murgatroyd

Thanks, yes. I noticed that too. We need to review both the SIC and VIE docs better, I think. In the grand scheme of things, they were quite late additions to the product.

If I remove SEP and reinstall it, are the files still marked as clean?   I assume yes.  

No, when you remove SEP, you remove our internal file database too. That's where we have the VIE information.

If a pattern file update occurs, these marked files will still go through unscanned, right?  I assume yes.   

Yes, they will continue to be unscanned. Content updates do not alter the VIE setting.

If I patch my server, new files are not marked so occasionally I need to scan the server for viruses and re-run the tool. Defragging doesn't unmark a file, correct? The attribute stays with the file?

Correct, new files would not be whitelisted, and defragging doesn't change anything.

If I run VIETool against an existing server and that server has "malware" such as cookies or viral JAR files in Java cache, and those files are not deleted by SEP due to policy or whatever reason, am I marking those files as clean and leaving myself without protection from those files?

Yes, if you whitelist it, then it's clean as far as AV is concerned. SONAR will continue to run against it, but you are definitely exposing yourself. I would suggest you take the server off the network while you run the VIEtool, then put it back online.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint