SEP Best Practices for Virtualization

Just last week someone commented on a very old post asking if my problems with virtualization with Symantec Endpoint Protection (SEP) were ever solved. That was addressed in an early maintenance release for SEP 11. That was a very specific issue.

This week Symantec released an updated "Best practices for virtualization with Symantec Endpoint Protection 12.1.2". Originally it had an August date, because documents are often written before the code is finalized. I'm going to have to read closely and see if anything has changed other than the date on the cover. If you are using any virtualization, I would suggest you check it out.

1.  The first thing they suggest is upgrading to SEP12.1.2   (aka SEP12.1 ru2).  They don’t specify why other than “includes increased performance and security for virtual environments.”

2.  Create a group called virtual clients.   It is the virtual hosts that need a special configuration, not all your servers.  You’ll have to search for clients of each virtualization platform separately and move them.   I would suggest creating a separate installation package so you don’t have to keep checking for virtual hosts and moving them to the correct configuration.

3.  Change updates to Pull and use randomization.   Larger environments would already be doing this to avoid hammering the Symantec Endpoint Manager (SEPM) server.

4.  I wouldn't buy into this if it wasn't my antivirus company telling me to do it, but they recommend using "active scans" scheduled scans rather than "full". Active Scans scan currently running processes and critical system areas. Symantec feels this is secure enough. This lowers the amount of things you're scanning. Additionally make sure randomization is used. Otherwise the I/O of all the virtual servers scanning at the same time could be troublesome.

5.  The Shared Insight cache is still there.

6.  Virtual Image Exception still exists as well.   I’ll have to read into this one further.   With VIE, a blessed image is scanned.   Every file has an attribute added.   The image is deployed.   Systems enabled for VIE will skip scanning files with this attribute.   So the question I’m left with is can this attribute be spoofed?   At some point, I’m going to have to read further and see exactly what this attribute is.
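To put numbers on the randomization advice in items 3 and 4 above, here is an added simulation (my own illustration, not code from the Symantec document): it models N virtual clients on one host whose scheduled scans either all start at the same minute or are spread uniformly over a randomization window, and reports the peak number of scans running concurrently. The client count, scan duration and window size are assumed values, and the uniform-start model is an assumption about how the randomization setting behaves.

```python
import math
import random
from typing import List, Tuple

Interval = Tuple[float, float]  # (start_minute, end_minute) of one client's scan


def scan_intervals(num_clients: int, scan_minutes: float,
                   window_minutes: float, seed: int = 0) -> List[Interval]:
    """Start/end times for each virtual client's scheduled scan.

    window_minutes == 0 models no randomization: every client starts at the
    scheduled time. Otherwise each start is drawn uniformly over the window,
    which is assumed to approximate SEP's scan randomization setting.
    """
    rng = random.Random(seed)  # seeded so the simulation is reproducible
    starts = [rng.uniform(0.0, window_minutes) if window_minutes > 0 else 0.0
              for _ in range(num_clients)]
    return [(s, s + scan_minutes) for s in starts]


def peak_concurrency(intervals: List[Interval]) -> int:
    """Maximum number of scans running at once (sweep over start/end events)."""
    events = []
    for start, end in intervals:
        events.append((start, +1))
        events.append((end, -1))
    # Tuple sort puts -1 before +1 at equal times, so a scan that ends exactly
    # when another starts is not counted as overlapping it.
    events.sort()
    running = peak = 0
    for _, delta in events:
        running += delta
        peak = max(peak, running)
    return peak


def compare(num_clients: int, scan_minutes: float,
            window_minutes: float, seed: int = 0) -> dict:
    """Peak concurrent scans on one host without and with randomization."""
    no_random = peak_concurrency(scan_intervals(num_clients, scan_minutes, 0))
    randomized = peak_concurrency(
        scan_intervals(num_clients, scan_minutes, window_minutes, seed))
    # Average concurrency over the whole busy period; the peak cannot be lower.
    floor = math.ceil(num_clients * scan_minutes / (window_minutes + scan_minutes))
    return {"no_randomization": no_random, "randomized": randomized,
            "lower_bound": floor}


if __name__ == "__main__":
    # Constructed scenario: 40 VMs on one host, 30-minute scans, 4-hour window.
    print(compare(num_clients=40, scan_minutes=30, window_minutes=240))
```

The same sweep can be run against the real scan schedule exported from SEPM to see how much headroom a given randomization window actually buys on a crowded host.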

There are challenges for antivirus scanners in virtualization. Virus definition updates and scans can impair the performance of virtual systems. Each antivirus vendor has to provide means to lessen this without reducing security below an acceptable level. This document from Symantec helps with the proper configuration of SEP. You'll still need to consult other knowledgebase documents from the virtualization vendor and from Symantec for proper exclusions with VMware, Hyper-V or Citrix.