Endpoint Protection

  • 1.  SEP Non-Persistent VDI Clients on Citrix

    Posted Aug 06, 2014 02:29 PM

    Hello,

    Our Virtualization team wants to deploy a Citrix-based VDI environment with Non-Persistent VM's.  The VM's will basically get reimaged, or refreshed every couple of weeks or months.  With this in mind, we do not want the VM's to request old (big) definition updates every time they are refreshed.

    I have already read through the following documents:

    Best Practices for Virtualization with SEP

    http://www.symantec.com/business/support/index?page=content&id=TECH173650

    Symantec Endpoint Protection 12.1 - Non-persistent Virtualization Best Practices

    http://www.symantec.com/business/support/index?page=content&id=TECH180229

    Virtual Image Exception Tool

    http://www.symantec.com/business/support/index?page=content&id=TECH172218

     

    We have actually created a group in SEPM following all the recommendations and assigning the policies, however none of the links above seem to answer one question clearly: how do updates actually get handled?  Do we assign a GUP to the VDI group, but how often will they ask for definition updates when they are refreshed and will they ask for delta or full updates?  How can we avoid full updates?



  • 2.  RE: SEP Non-Persistent VDI Clients on Citrix

    Posted Aug 06, 2014 03:36 PM

    check this

    When will a client download a full definition set from a Symantec Endpoint Protection Manager or Group Update Provider?

    http://www.symantec.com/business/support/index?page=content&id=TECH131528



  • 3.  RE: SEP Non-Persistent VDI Clients on Citrix

    Posted Aug 06, 2014 03:55 PM

    They would likely grab a full update.

    You would need to actively update your VDI with latest defs.

    http://www.symantec.com/docs/TECH204910



  • 4.  RE: SEP Non-Persistent VDI Clients on Citrix

    Posted Aug 06, 2014 04:01 PM

    Using intelligent updater might be an option 

    How to update virus definition files using the Intelligent Updater

    http://www.symantec.com/business/support/index?page=content&id=TECH102391



  • 5.  RE: SEP Non-Persistent VDI Clients on Citrix

    Posted Aug 12, 2014 09:08 AM

    So what we ended up doing was updating to 90 revisions in SEPM service and providing a GUP for the VM pool in the VDI.

    Now one question on configuring the base image. The cloning tool along with SEP VIE should both run on the base image, before cloning the base to non-persistent VM's?



  • 6.  RE: SEP Non-Persistent VDI Clients on Citrix
    Best Answer

    Posted Aug 12, 2014 09:33 AM

    The reg change to mark the image as non-persistent, a full scan to make sure it's clean, the prep tool to clear out the HWID, and the VIE tool should be run before the image is cut.

    As part of that all, it's possible to include some defs in the image (up to the date it's cut), so you're able to include a baseline level of protection to the new VMs being spawned.  Just make sure your def retention is sufficient to cover the amount of time between image refreshes and you should be fine.

    Also, I've known some companies maintain a pool of up-and-running VM guests ready for a user logon.  Doing it this way means they are able to give the machines in this pool time to update before users log on.  Something to consider...



  • 7.  RE: SEP Non-Persistent VDI Clients on Citrix

    Posted Aug 12, 2014 09:45 AM

    Thanks.  What is Symantec's stance on PTP on non-persistent VDI?



  • 8.  RE: SEP Non-Persistent VDI Clients on Citrix

    Posted Aug 12, 2014 09:51 AM

    What registry change are you referring to?



  • 9.  RE: SEP Non-Persistent VDI Clients on Citrix



  • 10.  RE: SEP Non-Persistent VDI Clients on Citrix
    Best Answer

    Posted Aug 12, 2014 11:37 AM

    Yarp, that's the reg key, don't forget, you need to use that in conjunction with the non-persistent VM client deletion within the Domain settings on the SEPM console (under Admin -> Domains -> Select relevant domain -> Edit Domain properties).

    As far as SONAR goes, it's your last line of defence against the 0day threat, so I'd always suggest enabling it where you can.  I can't recall any Symantec recommendations about SONAR on VDI off the top of my head.

    Also, it's best practice to have at least one VM cut from the same image as the others, that does not skip the VIE-marked files for Auto-protect.  This is to catch the odd case where a def is released for a file that was previously thought to be clean, that happens to be on your image.  Obviously in this case the malicious file should get caught when you next recut the image (and perform the full scan I mentioned), but this best practice means you'll be aware immediately.



  • 11.  RE: SEP Non-Persistent VDI Clients on Citrix

    Posted Aug 12, 2014 01:28 PM

    Thank you very much.