Lawrence
Enthusiast

Symantec Endpoint Protection SEP11

I'm using a fresh ESX 4.0U1 View 4 environment for a proof of concept.

Our older XP SP3 desktop image with SAVCE (Symantec) v10 works as a linked clone just fine

We created a fresh XP image and used SEP11 instead, and it fails to create linked clones. It appears that SEP11 keeps some files open in the \All users folder that prevents the creation of the User Data re-directed folders\drives.

We tried to stop the SEP11 service and couldn't. The Symantec Mgmt team is separate and due to a recent spin-off, actually a separate company (and will remain that way for a while). So I can't play with the Symantec settings at the SAV console, and they may not be cooperative to my requests.

With that said - has anyone successfully created linked clones with user data redirection using SEP11?

Did you have to do anything special?

Lawrence

0 Kudos
14 Replies
aaronb123
Contributor

Hi Lawrence,

While this is not directly related to your issue..

I had issues with SEP also. In my case the SEP client was preventing the Sysprep process from completing properly. I had to uninstall the SEP client, make all my changes, View Client, etc., and then reinstall SEP.

It was a nightmare...

Perhaps you can "test" removing the SEP client for your PoC.

Good Luck

0 Kudos
thomsit
Enthusiast

Hi all,

I also had a problem with linked clones with SEP 11. With the latest release, 11.0.5, it seems to work now. QuickPrep works correctly now. What version of SEP 11 do you use? With 11.0.4 it does not work.

Regards Alexander

0 Kudos
Lawrence
Enthusiast

Yes, quickprep does finish with 11.0.5 - however, SviDataDisk and SviInternalDisk disks are both visible to the end user - so better but not there yet

0 Kudos
acerbisvm
Enthusiast

Avoid SEP if possible for VDI deployment... it's big, low performance and quite picky when cloned.

There are better alternatives on the market for VDI deployment.

0 Kudos
Grimzan
Contributor

Out of curiosity, what issues have you seen with SEP and cloned machines? Also, which other solutions would you recommend for a VDI deployment?

Thanks.

0 Kudos
acerbisvm
Enthusiast

I would consider i.e. NOD32 / ESET for basic and low impact antivirus.

Anyway, I think that 1:1 antivirus mapping for VDI deployments is such a waste... we must wait for something production ready for VMsafe....

0 Kudos
acerbisvm
Enthusiast

For issues: i.e. versions prior to 11.0.5 stopped sysprep... with the current version it exposes drives...

Definitely a product not built with VDI deployments in mind...

0 Kudos
Lawrence
Enthusiast

I recommend pushing both VMware and Symantec for a fix. I've got our local VMware Sys Eng looking into this. Real soon I'll create official support cases with both companies. Hopefully they are both working on it, and a work-around or fix will be forthcoming soon.

Symantec is having trouble with SEP 11, as 11.0.5 apparently has a known issue impacting MS cluster as well. The challenge of providing security for MS with LOTS of different scenarios to consider.

0 Kudos
acerbisvm
Enthusiast

Sincerely, since the first SEP release, I've had countless problems... The first version was a rushed out product and lost credibility in the market.

My opinion is that it is not a product built with environments with complex interactions or lightweight processing (i.e. VDI) in mind.

0 Kudos
ChrisKubiak
Enthusiast

We have SEP 11 on our pools and haven't seen that issue. Though what we do is install the standalone client on the gold image, and during the post-sync it runs a script that runs the sylink utility to register it with the server. Maybe doing that would help.

0 Kudos
dturner71
Contributor

Hi Chris,

Could you describe a bit more what your script does and maybe post it? My organization is going to be using SEP with View 4 based VMs and I've heard that, among the other problems people have described here, when doing a recompose or refresh the VMs appear with new names (usually messed up) in the SEP management console.

Thanks.

0 Kudos
ChrisKubiak
Enthusiast

I can't comment about "messed up" names in the console after a refresh\recompose as we have not experienced that (maybe due to our process perhaps?). I can't post the script at the moment because it's been compiled (WinBatch) and I am having trouble locating the source files. Even without that it's a pretty simple process.

Basically our script downloads the Symantec SylinkDrop.exe app and the sylink.xml file (config file) for our specially configured group. In our case it downloads the config file for a particular group that has limited scanning configured so as not to overload the storage with multiple scans. Once both of those components are downloaded to the client PC it's a simple command line: "Sylinkdrop.exe -silent VDI_sylink.xml". That tells the client to go from being unmanaged to managed and to join the appropriate group so it gets the custom settings. Once this process is complete we force a restart.

To kick off this script we have a .Bat file saved on the gold image(s) which is then invoked by the post-synchronization process. You could further simplify this by simply having both the Sylinkdrop.exe and config file in the gold image and execute it directly with the post-synchronization process.

Hopefully that helps.

0 Kudos
Titziko
Contributor

Hello,

I spent a lot of time resolving the issue and found a working solution.

The problem with View 4.0 is that the linked clone does not generate a new SID, and so the SEP Management Agent does not generate by itself a new hostGUID with which it registers to the Management Server, so you always have the same "name" of the client....

Solution: remove the existing hostGUID from the SEP Management Agent... the SMC (SEP Management Agent) regenerates a new one when it starts (after provisioning the clone... new IP address and new MAC address...)

You can install a managed SEP client; when all is done in the gold image, you have to do the following:

1.) Shut down the SMC: "smc -stop -p YourPassword"

2.) Empty the following registry keys:

     [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink]
     "HardwareID"=""
     "HostGUID"=""

3.) Delete the following file (Windows 7):

     C:\Program Files\Common Files\Symantec Shared\HWID\sephwid.xml

4.) Replace the syLink.xml with your "preconfigured" settings

5.) Shut down

6.) Make a snapshot

7.) Make your clones...

Points 1.) to 5.) can be done within a batch file. (This batch file can also be placed in the View QuickPrep settings (without point 5.) :-). I tried it but the script was not executed... when the script in the QuickPrep settings is working you do not need to do the steps manually before making the snapshot!)

When using View QuickPrep without scripting and you start your gold image to make changes, the VM also registers anew and you have to do steps 1.) to 5.) again before 6.)....

When the linked clones are ready, they are registered with their name in the configured group. Up to here, it works fine.

One issue is not solved:

When you use the linked clone technology with always refreshing the workstation from the gold image after a user has ended their session, you will get a new entry in the Management Console at every refresh: 12 x "view-w7-1" and so on....

One possibility to resolve the problem is to configure the SEP Management Server to delete clients that have not connected for 3 or 1 days (default 30 days), but at the moment you can only configure this for all clients, not only for one group. (Another possibility would be a separate Management Server for the clones....)

A utility that deletes the workstation from the server at shutdown would be nice to get from Symantec.... and a utility "SylinkDrop advanced" that does all this for us would also be nice.... 🙂

If anyone tries this and gains some further experience, let us know....

Sorry for my poor English, but I hope all understand what I mean...

Frank

0 Kudos
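
Steps 1.) to 5.) of the post above written out as a batch file, as an added example that is not part of the original post and not Symantec's or VMware's own script. Assumptions: a 32-bit guest, smc.exe and SyLink.xml in the default SEP 11 install folder, and a preconfigured SyLink.xml staged at the hypothetical path C:\Prep\VDI_sylink.xml.

```batch
@echo off
rem Gold-image preparation before taking the snapshot (steps 1 to 5).
rem Assumed paths: default SEP 11 install folder; NEW_SYLINK is hypothetical.
setlocal
set "SEP_DIR=%ProgramFiles%\Symantec\Symantec Endpoint Protection"
set "SYLINK_KEY=HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink"
set "HWID_FILE=%CommonProgramFiles%\Symantec Shared\HWID\sephwid.xml"
set "NEW_SYLINK=C:\Prep\VDI_sylink.xml"

rem The SMC stop password is passed as an argument so it is not stored in the image.
if "%~1"=="" (
    echo Usage: %~nx0 SmcStopPassword
    exit /b 1
)
if not exist "%NEW_SYLINK%" (
    echo Preconfigured SyLink.xml not found: %NEW_SYLINK%
    exit /b 1
)

rem Step 1: stop the SEP management client, then confirm it has really exited.
"%SEP_DIR%\smc.exe" -stop -p "%~1"
ping -n 6 127.0.0.1 >nul
tasklist /fi "imagename eq Smc.exe" | find /i "Smc.exe" >nul
if not errorlevel 1 (
    echo SMC is still running; identity values were not cleared.
    exit /b 1
)

rem Step 2: empty the identity values so each clone generates its own.
reg add "%SYLINK_KEY%" /v HardwareID /t REG_SZ /d "" /f >nul || goto :failed
reg add "%SYLINK_KEY%" /v HostGUID /t REG_SZ /d "" /f >nul || goto :failed

rem Step 3: delete the cached hardware ID file if it exists.
if exist "%HWID_FILE%" del /f /q "%HWID_FILE%"

rem Step 4: put the preconfigured SyLink.xml in place.
copy /y "%NEW_SYLINK%" "%SEP_DIR%\SyLink.xml" >nul || goto :failed

rem Step 5: shut down so the snapshot is taken from a powered-off image.
shutdown -s -t 0
exit /b 0

:failed
echo Preparation failed; do not snapshot this image.
exit /b 1
```

The script stops before step 5 if any earlier step fails, so a powered-off image indicates that the identity values were cleared.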
smiler1
Contributor

I just wanted to add a comment to this evolving post. I agree with acerbisvm who stated that 1:1 antivirus on VDI is a waste (of resources). I have been watching the VMsafe area for a while now and there is not much happening in terms of a true on access virus scanning engine at the hypervisor layer. However I am looking at McAfee's MOVE environment, it claims to be exactly what I am looking for.

Regards

Steve

0 Kudos