Is there a good way to manually stagger scans or file updates for virtual platforms? With vMotion or Live Migration, I cannot guarantee any one VM will be on a particular host. So simply tagging machines into groups, over the long term, will not be very robust. There is MOVE, which I am looking into, but we have a fair number of non-Windows machines, and thus it does not get me all of what I need.
Is this just forever a game of whack-a-mole in tagging? Does the DataCenter connector for vSphere have any options which allow tagging or other identifiers to be present so that I can assign a scanning policy?
At least with DAT updates, I can set randomization to a few minutes since it does not seem to be terribly resource intensive.
To cover some of your points one by one.
We are running MOVE-AV for VDI and Servers. If you have any specific questions surrounding MOVE-AV feel free to ask.
Honestly, MOVE AV is confusing. Hopefully you can shed some light.
In an agentful application (i.e. no vShield), is Linux supported or not? https://kc.mcafee.com/corporate/index?page=content&id=KB72839 says 2.5 or later. http://www.mcafee.com/us/products/move-anti-virus.aspx#vt=vtab-SystemRequirements says no.
If yes, it is my understanding that MOVE Scheduler is only for Windows?
Other than that, what does the load on the offload scanner appliance look like? When it is down, of course scanning will stop but will clients notice? Does network latency come into play at all?
I have just had a quick look at the Product Guide for MOVE AV Multi-Platform 3.5 (no vShield).
The McAfee MOVE AV client software requires one of these operating systems:
• Windows XP SP3 (32-bit)
• Windows 2003 R2 SP2 (32-bit)
• Windows Vista (32-bit or 64-bit)
• Windows 2008 SP2 (32-bit or 64-bit)
• Windows 7 (32-bit or 64-bit)
• Windows 2008 R2 SP1 (64-bit)
• Windows 8 (32-bit or 64-bit)
• Windows 2012
• Windows 8.1 (32-bit or 64-bit)
• Windows 2012 R2 (64-bit)
Short answer - No Linux Support.
Load on the Offload Scan Server (OSS) - This will depend on the exclusion policies and the on-access quantity and number of clients using the OSS, of which there is a hard limit.
OSS down - The client will time out on the scan request, but best practice is to use a primary AND secondary OSS, normally configured in the SVA policy.
Network latency - Yes, this will come into play, since the file is 'sent' to the OSS to be scanned by the VirusScan engine at the far end, so the network latency will have an effect on the time it takes for the file to be sent to the OSS to be scanned.
I hope this helps.
Certified McAfee Product Specialist - ePO
A technique I use is running a scan or update by tag. In order to equally balance the number of virtual devices that get scanned at one time, I use the last digit of the MAC address. If the MAC address ends in digit 0-5 then you are given a tag "group 1", if 6-9 then you are given the tag "group 2", if a-d then "group 3" and so on. This will create a pretty easy and automated way to make an equal number of groups. New machines will automatically be placed into the appropriate group without intervention. Then you can run a scan at 1:00pm on group 1, a scan at 2:00pm on group 2. DAT files can be run the same way.
Hope this makes sense. It works really well for me.
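The MAC-based tagging described in the post above, as an added Python sketch that is not the poster's own code or ePO configuration: it derives a group tag and start hour from the last hex digit of each VM's MAC address and counts the resulting group sizes so skew can be checked before scheduling. The equal-width digit ranges (0-3, 4-7, 8-b, c-f), the function names, the host names and the sample MAC addresses are all assumptions constructed for illustration.

```python
import re
from collections import Counter

HEX = "0123456789abcdef"

def last_hex_digit(mac):
    """Return the final hex digit of a MAC address, lower-cased."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits[-1]

def group_for(mac, n_groups=4):
    """Map the last hex digit onto n_groups equal-width ranges (1-based)."""
    if n_groups < 1 or 16 % n_groups:
        raise ValueError("n_groups must divide 16 for equal-width ranges")
    return HEX.index(last_hex_digit(mac)) // (16 // n_groups) + 1

def schedule(macs_by_host, n_groups=4, first_hour=13):
    """Return {host: (tag, start_hour)}, one hourly slot per group."""
    plan = {}
    for host, mac in macs_by_host.items():
        g = group_for(mac, n_groups)
        plan[host] = (f"group {g}", (first_hour + g - 1) % 24)
    return plan

def group_sizes(plan):
    """Count hosts per tag so an uneven split is visible up front."""
    return Counter(tag for tag, _ in plan.values())

# Constructed sample inventory (hypothetical hosts, mixed MAC notations).
SAMPLE = {
    "vm-web01": "00:50:56:aa:bb:01",
    "vm-db01": "00-50-56-AA-BB-4F",
    "vm-app01": "0050.56aa.bb8c",
    "vm-lnx01": "00:50:56:aa:bb:26",
    "vm-lnx02": "00:50:56:aa:bb:9a",
}

if __name__ == "__main__":
    plan = schedule(SAMPLE)
    for host, (tag, hour) in sorted(plan.items()):
        print(f"{host:10} {tag}  scan at {hour:02d}:00")
    print(dict(group_sizes(plan)))
```

Because the MAC address is part of the VM's configuration, the tag stays the same whichever host the VM migrates to.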