Endpoint Protection

  • 1.  Shared Insight Cache versus Active Scans in Virtual Environments

    Posted Oct 01, 2013 01:26 PM

    I am working on upgrading a highly virtualized environment from SEP 11 to SEP 12.  In the document "Best practices for virtualization with Symantec Endpoint Protection 12.1.2" (http://www.symantec.com/business/support/index?page=content&id=TECH197344), it says

    • "Use active scans instead of full scan" (p. 8)
    • "If you configure your virtual clients to run scheduled full scans then you should install Shared Insight Cache." (p. 10)

    So what gives?  How do I determine which is the better approach?

    A quick overview of the environment

    • About 5000 endpoints that are not virtualized (and thus not the topic of this conversation)
    • About 300 virtualized servers running on ESX. The servers are, for the most part, quite different from each other, except the OS
    • About 200 non-persistent VDIs, all 100% identical
    • About 10 (but probably growing to about 100) persistent VDIs, mostly different from one another, except the OS and common tools.

    Theoretically, I like the simplicity of not having to implement a SIC environment, but given the amount of documentation on SIC versus the dearth of documentation on active scans, it seems SIC is more commonly used. Is that true?

    Crowd advice much welcomed...

    Thanks!

    Paul



  • 2.  RE: Shared Insight Cache versus Active Scans in Virtual Environments

    Posted Oct 01, 2013 02:15 PM

    Shared Insight Cache is only available for the clients that perform scheduled scans and manual scans

    If you decide not to have active scans but full scan, then use SIC.

    If you want to have only active scan then there is no need for SIC

    Shared Insight Cache can reduce the impact of full scans by up to 80%. The performance gain from the shared cache is not significant for environments where only active scans are run



  • 3.  RE: Shared Insight Cache versus Active Scans in Virtual Environments

    Posted Oct 01, 2013 02:24 PM

    yeah.  that is all right out of the document I just cited.  The question remains - how to choose which approach?



  • 4.  RE: Shared Insight Cache versus Active Scans in Virtual Environments

    Trusted Advisor
    Posted Oct 01, 2013 02:59 PM

    Hello,

    Shared Insight Cache (SIC) -

    A stand alone server that enables clients to share scan results.  This allows clients to skip scanning files that have already been scanned by another client.

    The SIC tool improves scan performance in virtualized environments by not scanning files that a Symantec Endpoint Protection client has determined are clean. When the client scans a file for threats and determines it is clean, the client submits information about the file to Shared Insight Cache. When any other client subsequently attempts to scan the same file, that client can query Shared Insight Cache to determine if the file is clean. If the file is clean, the client does not scan that particular file. If the file is not clean, the client scans the file for viruses and submits those results to Shared Insight Cache.

    Check these Articles:

    About the Symantec Endpoint Protection Shared Insight Cache tool

    http://www.symantec.com/docs/HOWTO55311

    How Shared Insight Cache works

    http://www.symantec.com/docs/HOWTO55318

    Network-based Shared Insight Cache - Best Practices and Sizing guide

    http://www.symantec.com/docs/TECH174123

    Installation and Configuration of SEP Shared Insight Cache

    http://www.symantec.com/docs/TECH185897

    SEP 12.1 & Virtualization

    https://www-secure.symantec.com/connect/articles/sep-121-virtualization

    Information on Symantec Endpoint Protection Scans

    https://www-secure.symantec.com/connect/articles/information-symantec-endpoint-protection-scans

    Hope that helps!!
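
    The query/skip/submit flow described in the post above, as an added example that is not part of the thread and is not Symantec's code. It is a toy model: the content-hash fingerprint, the marker-based scanner, and the fleet sizes and file counts are all assumptions constructed for illustration. It shows how the number of files actually scanned during full scans depends on how many files the clients have in common.

```python
import hashlib

class SharedCache:
    """Stand-in for the cache server: remembers files some client found clean."""
    def __init__(self):
        self._clean = set()
    def is_known_clean(self, fp):
        return fp in self._clean
    def submit_clean(self, fp):
        self._clean.add(fp)

def fingerprint(content: bytes) -> str:
    # Assumption: a file is identified by a hash of its content.
    return hashlib.sha256(content).hexdigest()

def local_scan(content: bytes) -> bool:
    # Toy scanner: a constructed marker stands in for a detection.
    return b"CONSTRUCTED-BAD-MARKER" not in content

def full_scan(files, cache):
    """One client's full scan. Returns (scanned, skipped, detections)."""
    scanned = skipped = detections = 0
    for content in files:
        fp = fingerprint(content)
        if cache.is_known_clean(fp):   # another client already vouched for it
            skipped += 1
            continue
        scanned += 1
        if local_scan(content):
            cache.submit_clean(fp)     # only clean verdicts allow a later skip
        else:
            detections += 1
    return scanned, skipped, detections

def fleet_scan(clients):
    """Run full scans for every client against one shared cache; sum the counts."""
    cache, totals = SharedCache(), [0, 0, 0]
    for files in clients:
        for i, n in enumerate(full_scan(files, cache)):
            totals[i] += n
    return tuple(totals)

def build_fleet(n_clients, shared, unique, tag):
    """Constructed fleet: `shared` common files plus `unique` files per client."""
    common = [f"os-file-{i}".encode() for i in range(shared)]
    return [common + [f"{tag}-{c}-{u}".encode() for u in range(unique)]
            for c in range(n_clients)]

# Constructed sizes: 200 identical VDIs vs 300 servers sharing only OS files.
vdi_totals = fleet_scan(build_fleet(200, shared=100, unique=0, tag="vdi"))
server_totals = fleet_scan(build_fleet(300, shared=60, unique=40, tag="srv"))
```
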



  • 5.  RE: Shared Insight Cache versus Active Scans in Virtual Environments

    Posted Oct 02, 2013 10:00 AM

    Thanks.  All this has been posted in the forums before, e.g., https://www-secure.symantec.com/connect/forums/insight-cache-use-when-not-running-active-scans and I have perused all the documents listed.

    I am still seeking insight (pun intended) into Active Scanning, and how to choose when to use Active Scanning versus Shared Insight.  Surely others have pondered this.

    At the risk of beating a dead horse, I am amazed that the virtualization best practices says not to use Shared Insight, but all the documentation is about Shared Insight!