2 Replies Latest reply on Sep 5, 2015 11:40 AM by Richard Carpenter

    Staggering Full scans

    talby23

      Hello All,

       

      Currently we have 350 clients managed by our EPO and our security policy requires a full daily scan to be performed. All machines start their scan at 6:30PM and this is having serious performance impacts on our ESXi hosts due to excessive CPU utilization, especially since we over-provision.

      Can you please point me to literature that shows how to stagger these full scans, I read that some people use Tags however I'm quite new to EPO.

       

      Thanks in advance for any help.

        • 1. Re: Staggering Full scans
          tkinkead

          Options:

          1) Look into MOVE for your virtualization scanning instead of using traditional VSE.

           

          2) Randomize the start time of the Client Task.  If your scan takes, say, an hour on average, you can randomize across a six-hour window.  In general, only 1/6th of your clients will be scanning at any given time.

           

          3) Create a set of tags (say, "5 PM scan", 6 PM scan", etc.) and apply those tags evenly between your systems.  Create a client task that applies to the group those systems are in and allow that client task to run only on the systems with the correct tag.  The big downside here is that net-new systems will not have a scan task set up unless you manually enable them.

           

          4) Create several subgroups of your current group, and name them "5 PM scan", "6 PM scan", etc.  Distribute your managed clients among those groups and assign each group a client task that runs at the specified time. 

          • 2. Re: Staggering Full scans
            Richard Carpenter

            All great responses from tkinkead 


            We use a mixture of all of the above suggestions. 


            If you have access to MOVE this is a great tool set. It sends all the scan events to a dedicated Offload scan Server and comes in two options, multi platform or agentless. We opted for multi platform due to the Agentless option having less features within the exclusion lists and not having access to the VMWare ESX component required which we were not licensed for. 


            We also use the client task randomisation feature in or On demand Scan tasks and our DAT update tasks all assigned using tags. 


            Regards

            Richard Carpenter

            McAfee Volunteer Moderator

            Certified McAfee Product Specialist - ePO