Garrett Bechler, a Security Solutions Architect at Symantec, has put together a valuable list of tips to reduce the impact of SEP in VDI infrastructures. With his permission, I thought I would post them here. These are approaches that have been used in some larger (15-20K node) VDI instances to help ensure that SEP has minimal impact.
1) Upgrade VDI devices (and the SEPM) to the latest build of SEP in order to take advantage of the new Resource Leveling settings introduced in SEP 11 06, including Scan Randomization and Content Randomization.
2) Use the content randomizer in the client communication settings to randomize definition and signature delivery. Based on client density, we have found the following to be a pretty decent guideline, assuming a 1 hour client pull-based heartbeat:
a. 25-30 VDI instances per host – 2 hour randomization
b. 30-50 VDI instances per host – 3 hour randomization
c. 50-75 VDI Instances per host – 4 hour randomization
d. 75-100 VDI Instances per host – 6 hour randomization
e. 100-150 VDI instances per host – 8-12 hour randomization, depending on disk type. Start with 12 hours and work backwards until the customer is comfortable with the IOPS level.
It should be noted that this is NOT randomization using the settings within the LiveUpdate policy. Randomization within the LU policy has proven to be much more CPU and disk intensive. The best performance has come from having clients pull content from the SEPM. And common sense says no VDI instance should be a GUP (Group Update Provider).
3) For customers using Scheduled Scans:
a. Use the randomization option for scans. Set a sufficient randomization window based on density and set a maximum scan run time (typically 1-2 hours).
4) Disable the default NTP (Network Threat Protection) logging policies – these can cause continual disk writes:
a. This involves disabling the logging function of the “Block all other traffic” default rule.
b. This rule is responsible for the majority of events being logged by NTP.
c. Disabling it will result in far fewer log entries being written to disk, lowering the disk I/O impact.
5) Exclude VMWare Tools Directory from AutoProtect.
a. Due to the heavy use of this directory, excluding it can result in a 10-15% performance boost from the end user’s perspective.
b. Write/modify access by users to this directory is limited, lowering the chance of it being used for infection.
6) Disable Proactive Threat Protection/TruScan
a. TruScan involves an hourly scan of processes and common load points.
b. Disabling it will reduce disk I/O during VDI start-up and eliminate the hourly impact.
7) Lower the AV File Cache
a. By default SEP Clients retain 5 sets of Virus Definitions.
b. Each Set is 80 to 120 MB.
c. The recommendation is to lower the setting to 3.
d. This still allows for a rollback of one or two days if a false positive is introduced.
8) When using Citrix or other profile management tools (roaming profiles), disable network scanning within the Antivirus Policy. Scanning the profile as it is downloaded can add latency to the local VDI session.