Symantec End-user Endpoint Security Review

A few months ago we started getting storage latency alarms coming from vCenter. This would happen every day around 6am, and as we scaled our production environment this became worse and worse. I think the record latency was 19,000ms (no joke…. 19 seconds of storage latency). Now one would immediately think, “Well that’s what you get for using scheduled scanning”…. Hold your horses partner, this has nothing to do with scanning.

We soon learned that SEPM was pushing virus definition updates to our linked clones all at the same time. Obviously, the disk could not keep up with the demand. Many could argue that we should be looking at vShield with TrendMicro. However, when you’re part of an organization with 70,000+ endpoints (non-VDI), changing your antivirus vendor is not a decision you should take lightly. We took the position of, “Hey, Symantec is an industry leader in endpoint protection, they ‘have’ to have a solution!”.

They are “getting there”… Last March, they officially announced that Symantec Endpoint Protection adds vShield Integration & Increases Security Effectiveness. However, this does nothing for your environment in regards to virus definition updates. As a matter of fact, as far as I can tell, the only thing this version does is offload your active scanning from the VM. What about organizations that do not use active scanning, rather use real-time scanning?

If you’re rolling out VDI and you’re seeing extra storage demand due to definition updates, here’s a solution that I believe works well.

1. On your parent image, clean off the client identifiers by running ClientSideClonePrep.exe
2. Exclude your base image from scanning by executing “vietool.exe c: –generate”
3. In conjunction with running vietool.exe, you need to have the “Enable Virtual Image Exception for Auto-Protect” and “Enable Virtual Image Exception for Administrator-Defined Scans” enabled on the SEPM server (see image 1).
4. You should consider placing your linked clones into a different collection on the SEPM console and change the randomization interval. An interval that seems to work well in VDI is 12 hours (see image 2). This setting of course is something that you need to adjust for your environment. Smaller environments may be able to get away with six hours. I personally think that it’s best to be safe and keep this setting at 12 hours.