
SEP 12.1 & Virtualization 

Jul 31, 2012 08:12 AM


Administrators leverage base images to build virtual machines for their virtual desktop infrastructure (VDI) environment. The Symantec Virtual Image Exception tool lets your clients bypass scanning base image files for threats, which reduces the resource load on disk I/O. It also improves CPU scanning process performance in your VDI environment.

Before you enable this feature in Symantec Endpoint Protection Manager, first run the Virtual Image Exception tool against the base image files. The Virtual Image Exception tool marks the base image files by adding an attribute. If the file changes, this attribute is removed. This tool is found in the /tools/VirtualImageException folder on the Symantec Endpoint Protection product disc. For more information about how to use this tool, see the Symantec Endpoint Protection Virtual Image Exception User Guide, which is located in the same folder.

Symantec Endpoint Protection Virtual Image Exception User Guide 12.1


This feature is disabled by default. Enable the feature so that when your client goes to scan a file, it looks for this attribute. If the base image file is marked and remains unchanged, the client skips scanning the file.

Symantec Endpoint Protection supports the Virtual Image Exception tool for both managed clients and unmanaged clients.

SEP 12.1 has many new features.

It provides advanced virtualization support through the following features.

1) Virtual Image Exception - Lets you exclude all the files on a baseline image from scanning.

2) Shared Insight Cache - A standalone server that enables clients to share scan results. This allows clients to skip scanning files that have already been scanned by another client.

3) Virtual Client Tagging - Makes the clients virtualization-aware and sends the hypervisor vendor back to SEPM. That data can be used in client searching and reporting.

4) Offline Image Scanner - A standalone tool to scan offline VMware image (VMDK) files.

5) Resource Leveling - SEP randomizes scans and updates between virtual machines to prevent resource utilization spikes.

Virtual Image Exception

Virtual Image Exception (VIE) is a tool that gives administrators the ability to easily set exclusions for files in a virtual operating environment.

  • Available only in Enterprise Edition. Not available in SBE.
  • Runs as a standalone application and doesn’t require a traditional install
  • Must be run from within a virtual machine (VMware, Citrix, or Hyper-V)
  • Runs on Windows XP SP2, SP3, Vista, Windows 7, and Windows 2008 R2
  • Command-line options for silent and automated operation
  • Detailed logging/reporting capabilities
  • Provides configurable options in SEPM for Administrators to turn on and off VIE exceptions for auto-protect and administrator defined scans.

How the tool runs:

The tool scans the files and collects the list of all files found on the SEP client. Administrators can enable or disable use of the exclusions through the AV policy for both On-Demand scans and Auto-Protect. The client then skips any files that were identified with the VIE tool.

Enable the settings at the following location:

SEPM --> Policies --> Virus & Spyware Protection Policy --> Edit the policy --> Go to Miscellaneous--> Virtual Images

Shared Insight Cache

Shared Insight Cache (SIC) is a server application that caches known clean files in order to optimize scan performance. The SIC server is mainly designed for virtual environments, but use on physical systems is supported provided that network latency is kept to an absolute minimum. The SIC server keeps a record in memory (RAM) of the files that have been voted clean by the systems performing scans.

The first SEP client needs to scan a file. It queries SIC and finds no record, so it scans the file and sends the results to the SIC.

Subsequent SEP clients need to scan the same file. They query the cache server and find that the file has already been scanned with the same version of the definitions and that the file is clean. The SEP client skips scanning the file.

When a second client runs the scan, it goes through the same process, and because the file is cached on the SIC, it skips the scan.

Shared Insight Cache is only available for the clients that perform scheduled scans and manual scans. 
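
The lookup flow described above, modelled as an added example (it is not Symantec's code and does not reproduce the SIC wire protocol). It assumes files are identified by a SHA-256 content hash and that only clean verdicts are stored; `SharedInsightCacheModel`, `scan_file` and `toy_engine` are hypothetical names.

```python
import hashlib


class SharedInsightCacheModel:
    """In-memory stand-in for the SIC server; it stores clean votes only."""
    def __init__(self):
        self._clean = set()  # {(content hash, definitions version)}

    def is_clean(self, digest, defs_version):
        return (digest, defs_version) in self._clean

    def vote_clean(self, digest, defs_version):
        self._clean.add((digest, defs_version))


def toy_engine(content):
    # Constructed stand-in for the real scan engine.
    return "infected" if b"TEST-SIGNATURE" in content else "clean"


def scan_file(content, defs_version, cache, scan_type, engine=toy_engine):
    """Return (verdict, source); source is "cache" when the scan was skipped."""
    digest = hashlib.sha256(content).hexdigest()  # assumed file identifier
    # The page limits SIC to scheduled and manual scans, not Auto-Protect.
    on_demand = scan_type in ("scheduled", "manual")
    if on_demand and cache.is_clean(digest, defs_version):
        return "clean", "cache"
    verdict = engine(content)
    if on_demand and verdict == "clean":
        cache.vote_clean(digest, defs_version)
    return verdict, "scanned"


def demo():
    cache = SharedInsightCacheModel()
    base = b"constructed contents of a file shared by every VM"
    bad = b"constructed file carrying TEST-SIGNATURE"
    return [
        scan_file(base, "defs-r1", cache, "scheduled"),     # first client: miss
        scan_file(base, "defs-r1", cache, "manual"),        # second client: hit
        scan_file(base, "defs-r2", cache, "scheduled"),     # new definitions: miss
        scan_file(base + b"!", "defs-r2", cache, "manual"), # changed file: miss
        scan_file(base, "defs-r2", cache, "auto-protect"),  # cache not consulted
        scan_file(bad, "defs-r1", cache, "scheduled"),      # infected, not cached
        scan_file(bad, "defs-r1", cache, "scheduled"),      # so it is rescanned
    ]


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Keying the entry on both the file and the definitions version is what forces a rescan after a definitions update or a file change, so a stale clean vote is never reused.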

Shared Insight Cache runs independently of Symantec Endpoint Protection. However, you must configure Symantec Endpoint Protection Manager to specify the location of Shared Insight Cache so that your clients can communicate with Shared Insight Cache. No special license is required to install or run Shared Insight Cache.

  • Enterprise Edition only.  Not available in SBE.
  • Targeted for virtual environments but can be used on physical clients too
  • Applies to all On-Demand Scans (User Initiated, Scheduled, Admin Defined). Does not apply to auto-protect.
  • Scalable to thousands of clients per server
  • Communication between client and SIC is HTTP. Optional configuration for HTTPS and authentication is available
  • Applies to all files (Not just Binary Executables)

The tool is located on the SEP 12.1 DVD under \Tools\SharedInsightCache

See this blog for more details about Shared Insight Cache: http://bit.ly/KLI6vZ

SEPM --> Policies --> Virus & Spyware Protection Policy --> Edit the policy --> Go to Global Scan Options--> Shared Insight Cache

Virtual Client Tagging

Virtual Client Tagging gives administrators the ability to determine if the SEP client is running in a Virtual Environment. Virtual clients can be automatically identified.

  • The tagging is built into the SEP Client
  • Works with VMware ESX/i, Microsoft Hyper-V, Citrix Xen
  • Client runs the check on Startup and reports the information back to SEPM
  • Virtual Status and Hypervisor Information is provided in reports and client properties and is searchable

Offline Image Scanner

The Symantec Offline Image Scanner gives administrators the ability to scan and detect malware in offline VMware images.

  • Scans offline VMware images (.vmdk files only). Not applicable for Linux .vmdk files.
  • Runs on Windows and can scan FAT32 and NTFS file systems in the guest OS
  • No dependency on any other Symantec solutions beyond AV defs. By default, it browses to the SEP AV definitions location.
  • Command-line options for silent and automated operation
  • Detailed logging/reporting capabilities
  • Doesn’t require a traditional install

Settings tab is as below:

By default, it browses to the AV definitions location.

Helpful links:

Supported virtual installations and virtualization products


Randomizing scans to improve computer performance in virtualized environments


Using the Virtual Image Exception tool on a base image


Running the Virtual Image Exception tool


Managing Symantec Endpoint Protection in virtual environments




Oct 08, 2012 02:01 AM

Great Article. Very Helpful!


Oct 08, 2012 01:15 AM

Many thanks Chetan for the article :-)
