Symantec Endpoint Protection Integration with VMware Horizon View – Part3

Thank you for following Part 1 and Part 2 of this series. In this part I will take you through the configuration changes required at the Virtual Machine (Guest) level and in the Symantec Endpoint Protection Manager.

Add the VMware EPSEC driver on each GVM / Master Image

vShield Endpoint monitors virtual machine file events and notifies the antivirus engine, via VMware EPSEC (Endpoint Security), which scans and returns a disposition. It also supports scheduled full and partial file scans initiated by the antivirus engine in the security virtual machine.

  •     Use the VMware Tools installer to install the EPSEC driver

Note: Perform a custom install and select vShield drivers under VMware device drivers/VMCI drivers, or perform a complete install.

Enable Symantec Endpoint Protection clients to use a vShield-enabled Shared Insight Cache

  1. In the Symantec Endpoint Protection Manager console, open the appropriate Virus and Spyware Protection policy and click Miscellaneous
  2. On the Miscellaneous page, click Shared Insight Cache
  3. Check Enable Shared Insight Cache
  4. Click Shared Insight Cache using VMware vShield

Click OK

Install SEP client on Base image

  1. Copy the SEP agent for VDI clients to the GVM or the master image
  2. Execute Setup.exe in Admin context
  3. Reboot the VDI client after installation and update the definitions to the latest version
  4. Confirm from the SEPM that the client is reporting

Run the Virtual Image Exception tool on the base image

You can use the Virtual Image Exception tool on a base image before you build out your virtual machines. The Virtual Image Exception tool lets your clients bypass the scanning of base image files for threats, which reduces the resource load on disk I/O. It also improves CPU scanning process performance in your virtual desktop infrastructure.

Process for using the Virtual Image Exception tool on a base image

Step 1: On the base image, perform a full scan on all of the files to ensure that the files are clean

Step 2: Ensure that the client’s quarantine is empty

Step 3: Run the Virtual Image Exception tool from the command line to mark the base image files

Running the Virtual Image Exception tool

  1. From the Symantec Endpoint Protection Tools product disc, download the following file to the base image: /Virtualization/VirtualImageException/vietool.exe
  2. Open a command prompt with administrative privileges
  3. Navigate to the directory where the Virtual Image Exception tool is installed
  4. Run the Virtual Image Exception tool with the arguments: vietool.exe c: --generate --hash

Step 4: Enable the feature in Symantec Endpoint Protection Manager so that your clients know to look for and bypass the marked files when a scan runs. The setting is under SEPM > Policies > Virus and Spyware Protection Policy > Miscellaneous > Virtual Images

Step 5: Remove the Virtual Image Exception tool from the base image

Prepare a Symantec Endpoint Protection 12.1 client for cloning

This tool will remove all Symantec Endpoint Protection client identifiers and leave the Endpoint Protection services stopped. It should be done as the last step in the image preparation process, before running ClientSideClonePrepTool and/or shutting down the system. If the system is rebooted or the Endpoint Protection client services are restarted then new identifiers will be generated and you must re-run the tool before cloning.

Procedure

  1. Install the operating system, applications, and patches
  2. Install the Symantec Endpoint Protection Client and update the definitions
  3. Copy ClientSideClonePrepTool.exe to a folder on this computer
  4. Open a command prompt with administrative privileges
  5. Navigate to the directory where the ClientSideClonePrepTool.exe is copied
  6. Run ClientSideClonePrepTool.exe.

Once the ClientSideClonePrepTool has been run on the VM, the VM should not be restarted. A restart will cause the SEP services to start and return the SEP client to its normal state. The VM should be shut down and used for cloning. If the VM is rebooted, this process must be repeated.

Non-persistent virtual desktop infrastructures

  1. Using Symantec Endpoint Protection in non-persistent virtual desktop infrastructures
  2. Setting up the base image for non-persistent guest virtual machines in virtual desktop infrastructures
  3. Creating a registry key to mark the base image Guest Virtual Machines (GVMs) as non-persistent clients
  4. Configuring a separate purge interval for offline non-persistent VDI clients

Using Symantec Endpoint Protection in non-persistent virtual desktop infrastructures

You can configure the Symantec Endpoint Protection client in your base image to indicate that it is a non-persistent virtual client. You can then configure a separate purge interval in Symantec Endpoint Protection for the offline guest virtual machines (GVMs) in non-persistent virtual desktop infrastructures.

Symantec Endpoint Protection Manager removes the non-persistent GVM clients that have been offline longer than the specified time period. This feature makes it simpler to manage the GVMs in Symantec Endpoint Protection Manager.

Creating a registry key to mark the base image Guest Virtual Machines (GVMs) as non-persistent clients

Step 1: In Symantec Endpoint Protection Manager, disable Tamper Protection. This should be done by a SEP Admin.

Step 2: Modify the registry.

  1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\
  2. Create a new key named Virtualization
  3. Under Virtualization, create a value of type DWORD named IsNPVDIClient and set it to 1

Step 3: In Symantec Endpoint Protection Manager, enable Tamper Protection again.
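A read-only check that can be run on the base image just before it is shut down for cloning, covering the Virtual Image Exception, clone-prep and registry steps above. This is an added example, not part of the original post or of Symantec's tooling; the function name, the staging folders searched for vietool.exe and the service display-name filter are assumptions.

```powershell
# Added example: read-only pre-seal check for a SEP base image.
# Registry path and value name come from this page; search folders and the
# service display-name pattern are assumptions to adjust for your image.
function Test-SepBaseImage {
    param(
        [string]$SmcKey = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC',
        [string[]]$SearchRoots = @('C:\Temp', "$env:USERPROFILE\Desktop"),
        [string]$ServiceFilter = 'Symantec*'
    )
    $results = @()

    # 1. Non-persistent marker: Virtualization\IsNPVDIClient must be 1.
    $virtKey = Join-Path $SmcKey 'Virtualization'
    $marker = Get-ItemProperty -Path $virtKey -Name 'IsNPVDIClient' -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check  = 'IsNPVDIClient is set to 1'
        Passed = ($null -ne $marker -and $marker.IsNPVDIClient -eq 1)
        Detail = if ($marker) { "value = $($marker.IsNPVDIClient)" } else { 'key or value missing' }
    }

    # 2. Step 5 of the exception procedure: vietool.exe must not stay on the image.
    $leftover = @(Get-ChildItem -Path $SearchRoots -Filter 'vietool.exe' -Recurse -File `
                  -ErrorAction SilentlyContinue)
    $results += [pscustomobject]@{
        Check  = 'vietool.exe removed'
        Passed = ($leftover.Count -eq 0)
        Detail = if ($leftover.Count) { ($leftover.FullName -join '; ') } else { 'not found' }
    }

    # 3. After ClientSideClonePrepTool the SEP services must still be stopped.
    #    A running service means new client identifiers may have been generated.
    $running = @(Get-Service -DisplayName $ServiceFilter -ErrorAction SilentlyContinue |
                 Where-Object { $_.Status -ne 'Stopped' })
    $results += [pscustomobject]@{
        Check  = 'SEP services stopped'
        Passed = ($running.Count -eq 0)
        Detail = if ($running.Count) { ($running.Name -join ', ') } else { 'none running' }
    }

    $results
}

# Any row with Passed = False means the image is not ready to be cloned.
Test-SepBaseImage | Format-Table -AutoSize
```

The service check is only meaningful after ClientSideClonePrepTool has been run; before that point the services are expected to be running.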

Configuring a separate purge interval for offline non-persistent VDI clients

Over time, obsolete clients can accumulate in the Symantec Endpoint Protection Manager database. Obsolete clients are those clients that have not connected to Symantec Endpoint Protection Manager for 30 days. Symantec Endpoint Protection Manager purges obsolete clients every 30 days by default.

If you do not want to wait the same number of days to purge obsolete non-persistent clients, you can configure a separate interval for them. If you do not configure a separate interval, then offline non-persistent VDI clients are purged at the same interval that non-virtual obsolete clients are purged.

Online non-persistent clients count toward the number of deployed licenses; offline non-persistent clients do not.

You can also filter the offline non-persistent clients out of the view on the Clients page.

To configure the purge interval for offline non-persistent VDI clients

Step 1: In the Symantec Endpoint Protection Manager console, on the Admin page, click Domains.

Step 2: In the Domains tree, click the desired domain.

Step 3: Under Tasks, click Edit Domain Properties.

Step 4: On the Edit Domain Properties > General tab, check the Delete non-persistent VDI clients that have not connected for specified time checkbox and change the days value to the desired number

Step 5: Click OK.

Weekly Scan Settings

You can select the frequency of the scans by going to Administrator-Defined Scans and setting up the scan with the scheduling details.

You can also tune your scans and select the options highlighted below. My recommendation is to select “Best Application Performance”, which allows a better end user experience.

If you want to enable Insight Lookup, you can do so from the screen below.

Advanced Scanning and Monitoring Policies

Creating a Notification for SVA health status from SEPM

This concludes the 3rd and the final part on Symantec Endpoint Protection integration with VMware Horizon View. I hope that this is useful and thank you for reading.

 
