We use an agent-less scanner (McAfee Move) but I do understand that you cannot go that route.

How many CPU's do you have? What happens if you try to add some more CPU's? You will need at least 2 vCPU's, otherwise Appvolumes and Symantec are both fighting for resources during logon.

And what exclusions do you have? Did you try adding the c:\snapvolumestemp\Mountpoints as an exclusion??

We use 2 vCPU`s and 4 GB memory. We`ve tested with 4vCPU`s and 8GB memory. No change in login performance.  

We have the following exclusions :

mdf,ndf,ldf

log,jrs,chk,edb,sdb,SHAREDTA

c:\ws\

c:\thinapps\

C:\pagefile.sys

%[USER_PROFILE]%\appdata\roaming\thinstall\

%[PROGRAM_FILES]%VMware\

%[PROGRAM_FILES]%CloudVolumes\

%[COMMON_APPDATA]%VMware UEM\FlexSync\

%[PROGRAM_FILES]%Immidio\Flex Profiles\FlexEngine.exe

%[PROGRAM_FILES]%Immidio\Flex Profiles\FlexService.exe

C:\PROGRAM FILES (X86)\BIGFIX ENTERPRISE\BES CLIENT\BESCLIENT.EXE

C:\PROGRAM FILES\VMWARE\VMWARE VIEW\AGENT\BIN\V4PA_AGENT.EXE

C:\PROGRAM FILES\IMMIDIO\FLEX PROFILES\FLEXSERVICE.EXE

C:\SnapVolumesTemp\

C:\SVROOT\

%[WINDOWS]%SoftwareDistribution\DataStore\

%[COMMON_APPDATA]%NTUser.pol

%[COMMON_APPDATA]%VMware\VDM\Logs\

%[PROGRAM_FILES]%CloudVolumes\Agent\svservice.exe

%[PROGRAM_FILES]%Immidio\Flex Profiles\Flex+ Self-Support.exe

That should be enough looking at the exclusions. I would suggest using more then 4GB for a VDI machines but that has got nothing to do with virusscanning and slow logon times, just a best practice.

To be honest I don't now how to fix this. Would it be an option to try and run Windows Defender just as a reference?? It might be the way Symantec works maybe? You will always receive a logon penalty from virus scanners but it should not be this much.

Hi Scarlito,

What are the case numbers with VMware and Symantec, the customer above is using Windows 8.1 and had similar issues with Windows 10 as far as I know.

Hi sWORDs.

​Here are the cases numbers :

​VMware : 18862278007 and 18997393111

​Symantec : 15162388

​

​Best regards,

​Carlos.

Hi nburton935.

That's what I'm fighting for, but I doubt it will be possible unfortunately.

Just out of curiosity, what did you replace it with ?

It was between Endgame and Defender; we ended up going with Endgame. We also have NSX doing micro-segmentation, which can help if you're in an AV debate with InfoSec.

OK. We unfortunately don't use NSX, and it's not supposed to happen soon...

When you say you were not able to make SEP work well with AppVolumes, what were the paths you went on ? Did you get help from VMware and Symantec, or did you try to solve this by yourself ?

Are there any Support Case that we can refer to ?

Hi, everybody,

I am a little pleased to hear that we are not the only ones with this problem.

After a few months of troubleshooting we have only achieved small results. From the current support calls of Symantec and VMware no rootcause has been found yet. We have delivered many gb of logfiles and videos. Procmon, WPA,XPerf, Wireshark. You name it... 

Both Symantec and VMware indicated that no other support calls are registred with this specific problem. Well that was not true, but maybe difficult to find?  For now the only thing what is seen is there are extremely high CPU spikes and Symantec scans a lot of registry entries. The filter drivers of Symantec, App Volumes and DEM all want to use their resources probably at the same time. Due to the spectre and meltdown patch the performance degradation in this combination is severe. 

By accident we found out that symantec didn't work at all !!  Every thing looked fine. The client was healthy from de management server point of view, but stopping and then starting the smc.exe resulted in a crash. A simple EICAR virus test was not even detected !! Through exceptions in the snapvol.cfg we got symantec working properly.  We want to have these exceptions validated by VMware. There is a PR opened up for this.

Since Symantec is working now we see better (not optimal) startup times of thinapps in an app stack . Login times unfortunately not. We declared all de collected log files to be unreliable, because the symantec client did not work at all. And so the exceptions and exclusions may not have worked at all.  We collected all log files again recently.

I will update you when we hear something back from Symantec or VMware.

Hi Scarlito,

I was wondering what would happen if you tried to stop your SEP client with the smc.exe -stop command and then try to start it again (smc.exe -start)?

When I do this in our environment I see that the SEP client will not start up anymore.

I'm not exactly sure but I think the service was running in service.msc, but the client said something different. The only way to start the client was rebooting.

We also saw that a simple EICAR test virus was not detected even when the SEP client was running and the GUI indicating that the computer was protected. Can you try this as well?

Because of all these behavior we added some exceptions in the snapvol.cfg for the SEP client. These exceptions have solved the problem that the client could be restarted/stopped and also that a test virus was detected again.

As a result of these actions the performance improved when starting applications (30+ to 14~18 seconds) and very minimal when logging in. Maybe it reacts differently for you.

By the way, is your case closed at Symantec or is it still under investigation?

I look forward to your response.

Hi P0yRaZz.

I just did the EICAR test, and indeed, I can download the files without any warning.

I stopped and restarted SEP using smc -stop, and I have the same warning telling me that some services are stopped...

I'm curious about the exceptions you added in the snapvol.cfg !

Here are the current exclusions regarding SEP in the snapvol.cfg :

exclude_path=\ProgramData\Symantec

exclude_path=\Program Files\Symantec

exclude_path=\Program Files\Common Files\Symantec

exclude_path=\Program Files (x86)\Symantec

exclude_path=\Program Files (x86)\Common Files\Symantec

I think it's time for VMware and Symantec to start working on this issue !

Hi, scarlito,

P0yRaZz is a colleague of mine. I would like to respond to your question. We have included the following symantec exclusions in the snapvol.cfg. On top of the exclusions you already mentioned. We simply don't know what exactly is needed and that's why we've excluded everything related to symantec. This is the reason why we want it validated by VMware.

Disclaimer: I would like to warn you and everyone else that this is at your own risk. On the other hand, without these exclusions the virus scanner probably didn't work at all !

>

# Custom Exclusion Symantec Performance Issues

exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Symantec

exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Symantec

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\BHDrvx64

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\eeCtrl

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\EraserUtilRebootDrv

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\IDSVia64

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SepMasterService

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SNAC

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRTSP

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRTSPX

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SyDvCrtl

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SymEFASI

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SymELAM

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SymEvent

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SymIRON

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SYMNETS

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SysMain

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SysPlant

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Teefer2

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Eventlog\Application\Symantec Antivirus

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Eventlog\Application\Symantec Endpoint Protection

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Eventlog\Application\Symantec Network Protection

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Eventlog\Application\Symantec WSS Traffic Redirection

exclude_registry=\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Eventlog\Symantec Endpoint Protection Client

exclude_path=\Program Files\Common Files\Symantec Shared

exclude_path=\Program Files (x86)\Common Files\Symantec Shared

exclude_process_name=ccSvcHst.exe

exclude_process_name=SmcGui.exe

exclude_process_name=SISIDSService.exe

exclude_process_name=SISIPSService.exe

exclude_process_name=SISIPSUtil.exe

exclude_process_name=sepWscSvc64.exe

Hi Hmunning.

Thanks a lot for your reply.

I'm gonna test this on our test desktop pools and let you know.

Hello everyone.

I've made a few tests, but unfortunately, it seems that the exclusions don't help so much in terms of performance. I also had my VMs getting stuck at login when mounting several AppStacks (it did this with 3 stacks, not with 2, and I didn't try with more than 3 stacks).

My security colleague re-opened the case at Symantec. Maybe if some of you have a case number to share so we can ask them to link those cases, it might help.

Regards,

Carlos.