Has anybody already tested what is the best amount/mix of maximum licences in VM profiles, to better face high volume requests from Web Gateway?
The handbook states that, for instance, with Windows 7 32 bit the maximum concurrent VMs is 59 on version 3.4.2, but does this mean the appliance would benefit from parallelisation, or the opposite? Also, what mix between Android and Windows would be better, or does this depend only on the client distribution ratio (the manual doesn't provide maximum values for Android)?
Any suggestion is welcome.
Have you made any progress with your config?
I am looking for an explanation of why I need to have so many VM profiles. Do I really need an XP profile if I have no XP on my network? Is it really just because XP is faster in processing files? I'm looking for a best practice guide in setting up these VM profiles.
The total number of VMs is going to impact how quickly ATD can process files. The variety of VMs is really up to you. The vast majority of your traffic can be sandboxed in a workstation 32 bit OS. XP is going to be the fastest for that due to its smaller footprint. Most people settle on a majority 32 bit with a few 64 bit VMs. This best fits with a use case of ATD as an additional scanning layer where the desired goal is to determine if something is bad or not. If your use case for ATD skews more towards a malware research view, then having a variety of different flavors of VMs makes more sense since you will want to see how a sample interacts with different operating systems.
Using an ATD-3000 as an example where the maximum number of VMs is 30, most people settle on a mix of 25-26 Win XP 32 bit or Win 7 32 bit, 3 Win 7 64 bit, and 1 Android for the additional scanning layer use case.
Thanks Ryan, that was exactly what we needed.
Do you have any recommendations for the Analyzer profile for proxy and mail filters? We created 20 Win7 32 bit and 3 Win7 64 bit VMs. Does anyone create a server VM, and if so, what value would you get from that?
For the analyzer profiles, the best recommendations I have are to have skip files if previously analyzed enabled and continue to run all engines disabled for general scanning purposes. As for the server VM, I really only see people use that for a malware research use case.