
Symantec Endpoint Protection on VMware View VDIs

Trying to clear up my understanding of antivirus in a VMware View VDI environment and vShield integration.

From sifting through lots of documents and literature, here's my understanding.

vShield integration with Symantec only benefits the VMware VDIs by giving them a Shared Insight Cache.

A Shared Insight Cache is only used when performing a full file scan, not for real-time protection.

vShield and the Shared Insight Cache via the Symantec Virtual Appliance, with the VMware EPSEC driver in the VDI, only offload some of the processing of scheduled file scans. They do nothing for real-time scanning, nor do they provide any of the extra features, such as Outlook/email protection and web protection, that installing the actual Symantec agent in the VDI would provide. Meaning, going "agentless" on these VDIs with the Symantec Virtual Appliance and vShield would only benefit a scheduled scan and would not provide real-time and added-feature protection.

Symantec says full scans are fairly unnecessary nowadays if real-time protection is running all the time, making the Active Scan the scheduled scan of choice.

If installing the full Symantec Endpoint agent, it can still be configured to use vShield and the Shared Insight Cache, but again this only seems to benefit scheduled file scans.

So my current thought is that, for the best protection of my resources and network, a user on a VDI should still get the full Symantec Endpoint agent installed, with the types/times of the scans tweaked, following the Symantec best practices for virtual implementations and forgoing the vShield/Symantec Virtual Appliance integration.

That's how I'm interpreting it. Any thoughts/confirmation would be appreciated. I have to decide what to do in the next couple of days to get the VDIs up and available to users.

You still need to schedule a full system scan, or you will have to do a scan when new definitions arrive; then you need to make sure you set it not to be continuous, or you will have some performance issues. See attachment.


This is from a Symantec document, which is part of why I'm questioning the vShield integration and not doing full scans on the VDIs. I understand that with a full scan after a new definition it may find something lying in wait that was undetected before, but it sounds like Symantec is pretty much saying that is unnecessary. I'm interpreting that to mean that the file will eventually get found by real-time scanning on access after the definitions update, providing someone tries to access the file at some point. The scheduled scan would just find it sooner?

Scheduled scan types

Scheduled scans can be configured as either Active scans (scanning currently running processes and critical Windows files/folders), or full scans (scanning all physical drives on the client). The increased security capabilities of SEP 12.1 make it possible to utilize Active Scans instead of full scans with minimal impact on security. This reduces the amount and duration of I/O load generated from scheduled scans compared to full scans. Scheduled full scans are not required to secure SEP 12.1 clients.
"I'm interpreting that to mean that the file will eventually get found by real-time scanning on access after the definitions update, providing someone tries to access the file at some point. The scheduled scan would just find it sooner?"

The scheduled scan will find it sooner, but from what I understand the Active Scan does not scan the master boot record. I might be wrong; at least this was not the way it was designed in SEP 11. I deployed SEP 12.1 five months ago and that's the way I approached it.

Two years ago I implemented SEP v12 on 47k workstations in an extremely hard distributed environment (8600 offices :P) and also on about 400 VDIs (on Citrix XenDesktop), and I'm also a VMware expert... and 2 years ago I was a Symantec expert too... :)
So what I can say is that Symantec doesn't have any product that truly integrates with and uses all or almost all vShield features for client protection, but SEP still works well/fast in VI/VDI environments if it is deployed with care and best practices and looked after on a schedule.

One of the good best practices for deploying SEP on VI/VDI, also designed partially by me, is this one:

Here you have everything I know is needed to speed up SEP v12 in VDI and VI environments.

Some things you have to know, in short:
- Shared Insight Cache (Server) is not a vShield feature; it's just a web server with information about file scan results (with the SN of the AV definitions used), MD5 hash and date, that's all. And you have to know that the Shared Insight Cache has to be updated, so the update is done by a Manual Full Scan at minimum once per week, and for only one VDI client (one that represents the Golden Image, or is just a VDI client similar to the other VDI clients), and that Manual Scan (with the most current AV defs) will update the Shared Insight Cache, which will inform the other VDIs while they do a Manual or Active Scan, but unfortunately not a Real-Time Scan...
- To speed up the SEP Real-Time Scan you have to use the Virtual Image Exception tool on a Golden Image of the VDI; sure, it doesn't work fully OK (fast) on old VDI clients that are far more updated than the golden image, but generally it's a great part of SEP for VDI/VI tuning.

P.S. - see also the attached PDF files for more information

Also, I may offer my remote consultancy hours for this project if your company will accept it; send me a private message on EE or on Skype: NTShad0w

Best regards
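As an added illustration of the cache semantics described in the answer above (this is a constructed toy model written for this page, not code from the thread, Symantec or VMware), the following shows why a cache entry is only useful to clients whose definitions are no newer than the SN that produced it, why a weekly full scan on one golden-image client refreshes it for the others, and why real-time (Auto-Protect) scanning gets no benefit. The file contents, the "BAD-SAMPLE" marker and the serial numbers 100/101 are all made up for the example.

```python
"""Toy model of a Shared Insight Cache (constructed example, not vendor code).
Entries are keyed by file MD5 and tagged with the AV definitions serial number
(SN) that produced the verdict. A scheduled (Manual/Active) scan may reuse an
entry only if its SN is at least the scanning client's SN; real-time scanning
never consults the cache at all."""
import hashlib
from dataclasses import dataclass, field

@dataclass
class Entry:
    defs_sn: int      # definitions SN the verdict was produced with
    clean: bool       # scan verdict
    scanned_on: str   # date string, kept for operator visibility only

@dataclass
class SharedInsightCache:
    entries: dict = field(default_factory=dict)   # md5 hex -> Entry

    def lookup(self, md5, client_sn):
        """Cached verdict usable by a client on definitions client_sn, or None
        when the file is unknown or the entry predates client_sn (stale)."""
        e = self.entries.get(md5)
        if e is None or e.defs_sn < client_sn:
            return None
        return e.clean

    def publish(self, md5, defs_sn, clean, date):
        self.entries[md5] = Entry(defs_sn, clean, date)

def toy_scan(data: bytes) -> bool:
    """Stand-in for the local engine: clean unless the constructed marker appears."""
    return b"BAD-SAMPLE" not in data

def scheduled_scan(cache, files, client_sn, date):
    """Manual/Active scan on one client. Returns (locally_scanned, detections):
    cache hits are not rescanned; misses are scanned locally and published."""
    scanned, detections = [], []
    for name, data in files.items():
        h = hashlib.md5(data).hexdigest()
        verdict = cache.lookup(h, client_sn)
        if verdict is None:
            verdict = toy_scan(data)
            cache.publish(h, client_sn, verdict, date)
            scanned.append(name)
        if not verdict:
            detections.append(name)
    return scanned, detections

def realtime_scan(files):
    """Auto-Protect on file access: always scans locally; the cache is not involved."""
    return [name for name, data in files.items() if not toy_scan(data)]
```

Running the golden-image scan once at SN 100 lets a second client at SN 100 skip every file, while a client that has moved to SN 101 rescans everything until the golden image is rescanned with the newer definitions.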


NTShad0w, thank you. I think you confirmed what I thought and explained the Shared Insight Cache functioning so that it could actually be understood.