5 Replies Latest reply on Mar 20, 2015 8:26 AM by jmsuper

    Staggering Scanning on Virtual Platforms

    jmsuper

      Is there a good way to manually stagger scans or file updates for virtual platforms? With vMotion or Live Migration, I cannot guarantee any one VM will be on a particular host. So simply tagging machines into groups, over the long term, will not be very robust. There is MOVE, which I am looking into, but we have a fair number of non-Windows machines, and thus it does not get me all of what I need.

       

      Is this just forever a game of whack-a-mole in tagging? Does the DataCenter connector for vSphere have any options which allow tagging or other identifiers to be present so I can assign a scanning policy?

       

      At least with DAT updates, I can set randomization to a few minutes since it does not seem to be terribly resource intensive.

        • 1. Re: Staggering Scanning on Virtual Platforms
          Richard Carpenter

          Hi jmsuper

           

          To cover some of your points one by one.

          • DataCenter connector for vSphere - You can tag a machine as it is discovered/refreshed, but this is per Cloud Account (vCentre), so if you operate one vCentre with all your HA's available, it doesn't really help since they all get tagged the same.
          • You cannot auto tag any machine by any of the attributes which are discovered through the vSphere DCC, such as Host name (which would have been nice).
          • If you go down the MOVE-AV route you don't need to do the DAT updates since there is no scan engine on the guests, but the exclusions/low-risk-process policies are separate from VSE so you end up duplicating your work for the other Endpoint Technologies.

           

          We are running MOVE-AV for VDI and Servers. If you have any specific questions surrounding MOVE-AV feel free to ask.

           

          Regards

           

          Rich

          Volunteer Moderator.

          • 2. Re: Staggering Scanning on Virtual Platforms
            jmsuper

            Hi Artfulbodger

             

            Honestly, MOVE AV is confusing. Hopefully you can shed some light.

             

            In an agentfull application (i.e. no vShield), is Linux supported or not? https://kc.mcafee.com/corporate/index?page=content&id=KB72839 says 2.5 or later. http://www.mcafee.com/us/products/move-anti-virus.aspx#vt=vtab-SystemRequirements says no.

             

            If yes, it is my understanding that MOVE Scheduler is only for Windows?

             

            Other than that, what does the load on the offload scanner appliance look like? When it is down, of course scanning will stop but will clients notice? Does network latency come into play at all?

            • 3. Re: Staggering Scanning on Virtual Platforms
              Richard Carpenter

              Hi jmsuper

               

              I have just had a quick look at the Product Guide for MOVE AV Multi-Platform 3.5 (no vShield)

               

              The McAfee MOVE AV client software requires one of these operating systems:

              • Windows XP SP3 (32-bit)

              • Windows 2003 R2 SP2 (32-bit)

              • Windows Vista (32-bit or 64-bit)

              • Windows 2008 SP2 (32-bit or 64-bit)

              • Windows 7 (32-bit or 64-bit)

              • Windows 2008 R2 SP1 (64-bit)

              • Windows 8 (32-bit or 64 bit)

              • Windows 2012

              • Windows 8.1 (32-bit or 64 bit)

              • Windows 2012 R2 (64-bit)

               

              Short answer - No Linux Support.

               

              Load on the Offload Scan Server (OSS) - This will depend on the exclusion policies and the on access quantity and number of clients using the OSS, of which there is a hard limit.

              OSS Down, the client will time out on the scan request, but best practise is to use a Primary AND secondary OSS, normally configured in the SVA policy.

              Network Latency - Yes this will come into play, since the file is 'sent' to the OSS to be scanned by the VirusScan engine at the far end, so the Network latency will have an effect on the time it takes for the file to be sent to the OSS to be scanned.

               

              I hope this helps.

               

              Regards

              Rich

              Volunteer Moderator

              Certified McAfee Product Specialist - ePO

              • 4. Re: Staggering Scanning on Virtual Platforms
                Dvanmeter

                A technique I use is running a scan or update by tag. In order to equally balance the number of virtual devices that get scanned at one time I use the last digit of the MAC address. If the MAC address ends in digit 0-5 then you are given a tag "group 1", if 6-9 then you are given the tag "group 2", if a-d then "group 3" and so on. This will create a pretty easy and automated way to make an equal number of groups. New machines will automatically be placed into the appropriate group without intervention. Then you can run a scan at 1:00pm on group 1, a scan at 2:00pm on group 2. DAT files can be run the same way.

                 

                Hope this makes sense. It works really well for me.
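
The last-digit grouping described in the post above, as an added example (not code from the thread or from McAfee): it normalises MAC addresses, assigns the tag by the final hex digit, and counts how many machines land in each scan window. The "e-f" range, the group 4 tag, the modulo variant and the inventory are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Digit ranges as given in the post; "ef" -> "group 4" is an assumption,
# since the post only says "and so on" after group 3.
POST_RANGES = {"012345": "group 1", "6789": "group 2",
               "abcd": "group 3", "ef": "group 4"}

def last_nibble(mac):
    """Accept colon, hyphen or dotted notation; return the last hex digit."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits[-1]

def group_by_post(mac):
    """Tag from the ranges quoted in the post."""
    nibble = last_nibble(mac)
    return next(tag for rng, tag in POST_RANGES.items() if nibble in rng)

def group_even(mac, groups=4):
    """Variant (not from the post): last digit modulo the number of groups."""
    return f"group {int(last_nibble(mac), 16) % groups + 1}"

def balance(macs, assign):
    """Machines per tag, i.e. how many guests scan in the same window."""
    return Counter(assign(m) for m in macs)

# Constructed inventory: 160 guests whose last hex digit is evenly spread.
INVENTORY = [f"00:50:56:9a:00:{i:02x}" for i in range(160)]

if __name__ == "__main__":
    for name, fn in (("post ranges", group_by_post), ("modulo 4", group_even)):
        print(name, dict(sorted(balance(INVENTORY, fn).items())))
```

Because a host can change its hypervisor but keeps its MAC address, the tag stays stable across vMotion or Live Migration; the per-tag counts show how many guests each scan window will hit.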

                • 5. Re: Staggering Scanning on Virtual Platforms
                  jmsuper

                  Good points from both. Thanks very much guys. Some good info to get me started.