Virtual Image Exception Tool Controls with SEP 12.1 Unmanaged


  • 1.  Virtual Image Exception Tool Controls with SEP 12.1 Unmanaged

    Posted Aug 04, 2012 09:37 AM

    I am working at deploying a new Citrix VDI solution and I plan to use SEP 12.1.  I have found the Virtual Image Exception Tool to provide the necessary exceptions for my base/gold virtual image.  The tool appears very simple to use and run.  However, I cannot seem to locate in the unmanaged SEP client the location to select the feature for my virtual machines.  I have found how the SEP manager policies can be set up to enable the VIE in the miscellaneous section, but again I am running the SEP 12.1 client in unmanaged mode.

    Are there any registry locations that allow me to enable the SEP unmanaged client to enable the VIE for auto-protect and my defined scans?  I know to run the VIE tool 1st to establish the exceptions but it's my understanding that you must also tell the client somehow to look for the presence of these exceptions.  I am running 12.1 RU1 MP1, which is the latest.

    Thanks for any input.

    Ken



  • 2.  RE: Virtual Image Exception Tool Controls with SEP 12.1 Unmanaged

    Broadcom Employee
    Posted Aug 04, 2012 09:54 AM

    Do you want the unmanaged client install package?

    It is available in the CD install package.



  • 3.  RE: Virtual Image Exception Tool Controls with SEP 12.1 Unmanaged

    Posted Aug 04, 2012 10:09 AM

    Hi,

    If you want an unmanaged client,

    you can export an unmanaged client package for your SEPM server.

    1) Open the Symantec Endpoint Protection Manager >> Go to the admin tab at the bottom

    2) Click on Install packages

    3) Right click on the 32 bit or 64 bit package accordingly and select export

    4) Now under the Export folder, Select a folder where you want to export the package

    5) Under installation settings select Default client installation settings and under Security features, select the feature set you would like to install. Full means all available features will be installed, Basic means only Virus and Spyware Protection will be installed

    Directly below the Security Features drop down menu is a Select button. When clicked, this will allow you to specify whether you want all available updates to be applied at time of installation, or the client will download updates after installation. The difference in set-up file size is approximately 100-120MB.

    6) Under Export settings select - Export an Unmanaged client and uncheck export packages with the policies from the following groups and now it should be grayed out

    7) Preferred policy mode - Select Computer mode

    Now click ok and the package would be saved on the selected location and you can now install it



  • 4.  RE: Virtual Image Exception Tool Controls with SEP 12.1 Unmanaged

    Posted Aug 04, 2012 10:41 AM

    I actually already have the SEP 12.1 unmanaged client installed and I did find it on the 12.1 DVD image.  My point is that once installed in an unmanaged setup, the controls for the VIE tool are not available.  And I don't have a 12.1 SEPM.  I have a 11.7 SEPM server for my non-virtual PCs, but 11.7 doesn't have these controls.

    Ken



  • 5.  RE: Virtual Image Exception Tool Controls with SEP 12.1 Unmanaged

    Posted Aug 04, 2012 10:44 AM

    Thanks for the suggestion, but I don't have a 12.1 SEPM installed.  I'm running 11.7 SEPM for my non-virtual PCs and I don't feel like upgrading my total environment to 12.1 from 11.7.  I simply need to enable the controls for an unmanaged 12.1 client.  I have found other controls that can be enabled using the Windows registry but I don't know the key or locations for this specific control.

    Ken



  • 6.  RE: Virtual Image Exception Tool Controls with SEP 12.1 Unmanaged

    Broadcom Employee
    Posted Aug 04, 2012 11:02 AM

    Why are you using the SEP 12.1 unmanaged client?

    The SEP 12.1 client cannot report to SEPM 11.



  • 7.  RE: Virtual Image Exception Tool Controls with SEP 12.1 Unmanaged

    Posted Aug 04, 2012 11:16 AM

    I'm using SEP 12.1 only in my VDI setup as it has advanced features and controls over SEP 11.7, which I'm using for my standard environment.  I totally understand that a 12.1 client cannot talk to a 11.7 SEPM.  But that's not my point.  I simply want to use an unmanaged SEP 12.1 client on my VDI boxes and hopefully use the new VDI features that are part of 12.1.  One of the suggestions in the Symantec SEP VDI best practices white paper is to use SEP 12.1 clients as unmanaged.

    Ken



  • 8.  RE: Virtual Image Exception Tool Controls with SEP 12.1 Unmanaged

    Broadcom Employee
    Posted Aug 04, 2012 11:41 AM

    Which are the controls that are missing when you try to attempt the VIE tool?



  • 9.  RE: Virtual Image Exception Tool Controls with SEP 12.1 Unmanaged

    Posted Aug 05, 2012 06:38 PM

    I am not missing any controls for the VIE tool to run from CLI. My problem is that after you run the CLI with the VIE tool, you must tell the SEP 12.1 client to look for the presence of the file/folder attribute that the VIE tool places on the file/folder structure for auto-protect and scheduled scans. The unmanaged SEP 12.1 client doesn't appear to have the same miscellaneous options that the SEPM has with 12.1. But it's my knowledge that most of the options can be enabled and modified with the Windows registry but I don't know the location or subkeys that I need to add or modify.

    Ken



  • 10.  RE: Virtual Image Exception Tool Controls with SEP 12.1 Unmanaged

    Broadcom Employee
    Posted Aug 06, 2012 02:32 AM

    Hi,

    The tool is located on the SEP 12.1 DVD under \Tools\Virtual Image exception

    You need to download it from https://fileconnect.symantec.com. You would require a serial number for the same.

     



  • 11.  RE: Virtual Image Exception Tool Controls with SEP 12.1 Unmanaged

    Posted Aug 06, 2012 04:54 AM

    You don't need to configure anything on the client once you have run the VIETool.  The client machine will automatically pick up the flags on the client and ignore those files.

    Are you sure you're not getting the Insight Lookup Cache setting and the VIETool mixed up, as they are completely separate?  Insight Cache needs to be configured but not VIETool.



  • 12.  RE: Virtual Image Exception Tool Controls with SEP 12.1 Unmanaged

    Posted Aug 06, 2012 07:05 AM

    Thanks.  It was my understanding that following the running of the VIE tool, you need to tell the SEP 12.1 client to look for the presence of the newly applied file/folder attributes.  As mentioned, this is a policy setting when using SEPM 12.1, which I am not.  Seems like if they made it a policy setting, you'd also need to set it someplace on the unmanaged SEP 12.1 client.  But it's not there in the auto-protect and scheduled scan settings.

    Ken



  • 13.  RE: Virtual Image Exception Tool Controls with SEP 12.1 Unmanaged

    Posted Aug 06, 2012 07:14 AM

    Perfect.  Thanks.

    Ken



  • 14.  RE: Virtual Image Exception Tool Controls with SEP 12.1 Unmanaged

    Posted Aug 06, 2012 10:21 AM

    Argh.. no I was wrong :o(

     

     



  • 15.  RE: Virtual Image Exception Tool Controls with SEP 12.1 Unmanaged

    Posted Aug 06, 2012 10:43 AM

    Argh no I was wrong.. (major DOH!!!) you're right it has to be enabled in the AV policy but there is no option on an unmanaged client to enable it.

    Even the Symantec docs advise you can enable it on un-managed clients.

    Hmmm... I have raised a support case with Symantec, will let you know how it goes.



  • 16.  RE: Virtual Image Exception Tool Controls with SEP 12.1 Unmanaged

    Posted Aug 06, 2012 12:00 PM

    Thanks.  And as you have found, the Symantec SEP docs do advise that it's possible with an unmanaged SEP 12.1 client.  Based on SID changes and other things related to VDI, being able to run an unmanaged client is better.

    There's got to be a location in the Windows registry where the auto-protect and scheduled scans feature can be enabled for the VIE tool because all the policies do with SEPM is to set up and enable these registry entries.

    Ken



  • 17.  RE: Virtual Image Exception Tool Controls with SEP 12.1 Unmanaged

    Posted Aug 06, 2012 12:29 PM

    ...there's no specific reg setting for enabling the VIE options locally within a SEP Client (at least not that I can find).  That just leaves the option of installing a SEPM and exporting an unmanaged package with custom policies (as per article below):

    http://www.symantec.com/docs/TECH105498

    To be fair, the SEPM can be installed on a workstation machine (Win7), so it's not usually a huge impediment (just a bit of a faff), and you can remove it again afterwards as the client is unmanaged.



  • 18.  RE: Virtual Image Exception Tool Controls with SEP 12.1 Unmanaged

    Posted Aug 07, 2012 05:12 AM

    Aha! I think this is what we did when we were testing and why I thought you didn't have to configure anything.

    We must have exported an install file from the SEPM that had the policy to enable the VIETool flags embedded in it.

    Will run a quick test to confirm...