3 Replies Latest reply on Sep 26, 2011 7:49 AM by oaker

    VirusScan Enterprise Running on Virtual Machines

    RealEGT

      I'm seeking some information or “best practices”on installing and configuration of ePO and VirusScan Enterprise on V-Machines?

      We have setup a VMView environment for testing and we’vebeen instructed to make this OS as lean and as FAST as possible. 

       

      Here is some information from VMWARE.

      Whenever possible, do not use on-demand scanning, unless during a very long maintenance window, and only after testing the impact to the storage subsystem of running many concurrent full-system scans.

      On linked clones, On Access Scanning should be limited to write I/O only, because the files that are on the replica image cannot be infected once deployed. For maximum effectiveness, perform a full system scan of all files on the golden master before shutting it down.

       

      We are currently using VirusScan Enterprise 8.8.

        • 1. Re: VirusScan Enterprise Running on Virtual Machines
          oaker

          Well, stripping the VSE to its barebone OnAccess functionality is certainly a good idea. So ScriptScan, AccessProtection and similar stuff be gone. You also want to disable Artemis also called "heuristic network check". Furthermore reducing the OAS to "default and additional file types" instead of "all files" can boost performance although it depends a lot on exterior factors. Heuristics and compressed files can also be disabled for additional speed. Then be sure to check the exclusion recommendations of VMWare and other software providers involved in your solution.

           

          Yeah, all of that significantly reduces security but that's always the tradeoff isn't it. Obviously you might want to take a look at McAfee MOVE if virtualization is involved.

          • 2. Re: VirusScan Enterprise Running on Virtual Machines
            petersimmons

            RealEGT wrote:

             

            On Access Scanning should be limited to write I/O only

             

            Whatever you do, don't follow this advice. It is horribly wrong and will lead to very painful problems. For several years I have been combatting this "advice". On the surface it seems quite logical but it will lead to serious issues. Most viruses today don't start life as files written to disk. Also, without Read scanning turned on, you are completely bypassing the OAS scan cache.

             

            Also, please do not disable self-protection. You can remove most other settings in Access Procetion but please leave the six items relating to the protection of the MFE agent and VSE. If you are going to use VSE please don't disable its core features.

             

            And as mentioned above MOVE-AV provides an offload solution for VDI that you might find helpful. In several customer settings this has provided remarkable boosts to performance (relative to normal VSE).

            • 3. Re: VirusScan Enterprise Running on Virtual Machines
              oaker

              Well, there is no black and white in terms of VSE configuration. Every feature has its uses, risks and performance payload. For example, self protection is disabled in our environment. Our benefit is easier troubleshooting and software deployment (since we are not always allowed to use EPO deployment) and we pay for it with the security risk of yet unknown malware destroying our VSE installations (FakeAV especially). However, we have a fully automated restaging process of clients, that reinstalls the OS and all software within two hours so we can live with this risk quite well.

               

              In my opinion advice is always about options, risks and tradeoffs, never about "whatever you do, don't ...".

               

              Message was edited by: oaker on 26/09/11 13:49:11 IST