Virtualization: Security Without Sacrificing Performance
Hands-on lab

Description
In this hands-on lab you will learn how to optimize SEP 12 for your virtual desktops to get maximum protection without sacrificing performance. This lab requires some knowledge of the VMware vSphere technology and console.

At the end of this lab, you should be able to:
- Configure Shared Insight Cache with vShield integration
- Configure Virtual Image Exception
- Know the benefit of:
  o Shared Insight Cache
  o Virtual Image Exception
- Work with counters and reports in vSphere and SEPM
- Understand Symantec's approach to securing virtual endpoints

Notes
A brief presentation will introduce this lab session and discuss key concepts. The lab will be directed and provide you with step-by-step walkthroughs of key features. Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace. Be sure to ask your instructor any questions you may have. Thank you for coming to our lab session.
Page 1 of 18
In this lab we will focus on the added benefits of the Symantec virtualization tools introduced in SEP 12.1.2. This guide shows you the steps to configure them and to observe the effects of the configuration on a vSphere 5.1 environment. All steps are performed from the VCENTER virtual machine in VMware Workstation; you can expand this machine to full screen for better visibility using the full-screen icon.

This lab is conducted like a benchmark: follow the instructions about powering VMs on and off inside ESX to get the best measure of performance.

All accounts are the same for VMware and Windows:
User: administrator
Password: Symc4now!
The account for the SEP Management console is:
User: admin
Password: Symc4now!

Launch Clients A+B
Open the vSphere client and navigate to the Inventory tab > Hosts and Clusters. On the left-hand side click Win7-A, then click the power button. Repeat these steps for Win7-B.

Open the SEPM VM
Click the SEPM VM and select the Console tab. Right-click the SEPM VM as illustrated and select Guest > Send Ctrl+Alt+Del. Click the password field for administrator and enter the password: Symc4now!

Open the SEPM Console
Double-click the desktop shortcut to launch the SEPM console. Enter the following credentials:
User name: admin
Password: Symc4now!
Click Log On.

Edit the Virus and Spyware Protection policy to enable the vShield-enabled Shared Insight Cache
Click the Policies tab, then select the Virus and Spyware Protection section. Finally click the Balanced security policy (first on the list).

Locate and configure the vSIC settings in the policy
Click Miscellaneous, select the Shared Insight Cache tab and enable the feature using VMware vShield. Click OK to save and close the policy.

Check the vSIC cache content
Shared Insight Cache applies only to scheduled and on-demand scans, so the cache should be empty until we trigger a scan on one of the VMs hosted on this ESX node. Click Monitors > Security Virtual Appliance. Highlight the symantec-sva server and click Details. All counters should be 0.
Check the policy serial number on the SEPM
Every modification of the settings generates a new version of the policy. To keep track of versions, SEPM assigns a unique serial number to each one. Click the Clients tab, click the VM group and take note of the policy serial number at the top right of the console.

Verify the policy on the Win7-A client
In the vSphere client, select the Win7-A client and click the Console view. If prompted for credentials, use the following:
User: administrator
Password: Symc4now!
Double-click the Symantec shield in the system tray (beside the clock) to open the SEP client interface. Click Help > Troubleshooting and check that the policy serial number matches the one on the SEPM. If it does not match, the client has not yet received the updated policy, and a scan run now would not measure the feature you just enabled.
Launch a manual scan on the Win7-A client
Click Scan for Threats > Run Full Scan. Let the scan complete. While the scan is running, look at the bottom right corner of the scan dialog box for the trusted files counter. This counter is an aggregate of the files trusted by our reputation technology, by Shared Insight Cache and by Virtual Image Exception.

Monitor the disk usage on the ESX host
Switch to the vSphere client and click the ESX host. Select the Performance tab and click Advanced. Finally, from the drop-down menu select Disk. The graph shows disk usage over time. This gives you an indication of the intensity of the I/O generated by the running scan and of the duration of that scan.

Going further (optional): you can also monitor the network usage of the Symantec-SVA by clicking that VM on the left, choosing the Performance tab and selecting Networking from the drop-down menu. Then click the Network usage counter.

Note the final results from the Win7-A client
Once the scan has completed on Win7-A, take note of the number of trusted files.

Shut down Win7-A

Observe the Shared Insight Cache counters on the SEPM
Open the SEPM console, click Monitors and select the Security Virtual Appliance tab. Select Symantec-sva and click Details. Note the number of items in the cache. Note the number of cache requests.
Win7-B virus definitions check
Ensure the virus definition date and revision match the ones used on Win7-A. Shared Insight Cache only optimizes scans for systems using the same set of definitions: a cached clean verdict is only valid for the definition revision that produced it. Open the SEP client interface by double-clicking the SEP shield in the system tray.

Scan on Win7-B
Launch a scan on the Win7-B client and check its progress by monitoring the trusted files counter.

Observe the trusted files counter
Once the scan on Win7-B has completed, note the number of scanned files and trusted files. Since Win7-A already cached most of the files, Win7-B did not have to scan most of the files on the drive.

Shut down Win7-B and power on Win7-C

Observe the Shared Insight Cache counters on the SEPM
The number of requests should have increased drastically while the number of files in the scan cache remains roughly the same.

Looking at the performance counters (Disk & CPU)
In the vSphere client click the ESX host and select the Performance tab. Click Advanced and select Disk from the drop-down menu. Then, at the bottom of the graph, look at the read and write rates. You should see two peaks corresponding to the two scans. The height indicates the intensity of I/O requests and the horizontal axis represents the duration of these requests. You can notice that the second scan is shorter and less intensive. Switch the drop-down menu to CPU and observe the intensity and duration of CPU usage for the two scans. Feel free to explore the Performance tab on the individual VMs and on the ESX node to see resource usage per VM and overall.
Configuring Virtual Image Exception
The Win7-C client has been pre-configured with VIETOOL in order to whitelist all of the files present in the base image: Windows, SEP and every other file present when the tool ran. We will now enable the SEP policy to use this technology. Select the SEPM VM and click the Console tab. Open the SEPM console (if you closed it previously). Log in with the credentials:
User: admin
Password: Symc4now!
Click the Policies tab and open the Balanced Virus and Spyware Protection policy. Within the policy click Miscellaneous, then select the Virtual Image tab. Check the two boxes. Click OK to save the policy.

Launch a scan on Win7-C
As in the previous tests, look for the trusted files counter. This time the number of files scanned and the number trusted should almost match: only files added or modified since the base image was whitelisted still need to be scanned.

Scan duration comparison
Using SEPM reporting you will now compare the scan length and the number of files effectively scanned for each of the tests we ran:
Win7-A ==> baseline scan
Win7-B ==> vSIC-optimized scan
Win7-C ==> vSIC + VIE optimizations
Switch to the Console view for the SEPM VM. Click Monitors and select the Logs tab. From the first drop-down menu select Scans. Click Advanced and set a filter for completed scans. Click View Log to launch the query.
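To reason about the three results before you open the Scans log, here is a small model of the two mechanisms the lab exercises, written for this guide as an added example (it is not Symantec code and does not talk to SEPM, the SVA or vShield). It replays the scans on Win7-A (baseline), Win7-B (vSIC) and Win7-C (vSIC + VIE) against a constructed set of files and reports the same counters the lab has you read: scanned and trusted files on the client, cache items and cache requests on the SVA. It also shows the definitions caveat from the Win7-B step: a verdict cached under one definition revision gives no hits under another. The paths, file contents, definition revisions and the detection marker are assumptions constructed for the example; how the real products identify files and definition sets internally is not described in this guide.

```python
"""Model of Shared Insight Cache (vSIC) and Virtual Image Exception (VIE).

Added example for this lab guide, not Symantec code: nothing here talks to
SEPM, the SVA or vShield. It models the two mechanisms the lab measures:
  * vSIC: a per-ESX-host cache of files already found clean, keyed by file
    hash AND definition revision (hence the Win7-B definitions check);
  * VIE:  a whitelist of the base image's files as recorded by vietool; a
    file is trusted only while it is unchanged from that image.
All paths, contents, definition revisions and the detection marker are
constructed sample data, not captures from the lab VMs.
"""
import hashlib
from dataclasses import dataclass, field

DETECTION_MARKER = b"<<constructed-malicious-marker>>"  # stands in for a signature hit

@dataclass
class SharedInsightCache:
    """Per-host cache of (definition revision, file hash) pairs known to be clean."""
    entries: set = field(default_factory=set)
    requests: int = 0  # every lookup counts, hit or miss (the SVA 'cache requests' counter)

    def lookup(self, defs, digest):
        self.requests += 1
        return (defs, digest) in self.entries

    def add(self, defs, digest):
        self.entries.add((defs, digest))

@dataclass
class ScanResult:
    scanned: int = 0     # files the scan visited (what the client dialog reports as scanned)
    trusted: int = 0     # files skipped as trusted, either by VIE or by a vSIC cache hit
    inspected: int = 0   # files the engine actually had to read and scan
    detections: int = 0

def file_hash(data):
    return hashlib.sha256(data).hexdigest()

def build_vie_whitelist(base_image):
    """What vietool records when run on the base image: one hash per file path."""
    return {path: file_hash(data) for path, data in base_image.items()}

def engine_is_clean(data):
    return DETECTION_MARKER not in data

def scan(files, defs, cache, vie=None):
    """Full scan of one VM under definition revision `defs`: VIE is consulted first
    and costs no cache request; only files VIE does not cover go to the shared cache;
    only files the engine found clean are cached, and only under this revision."""
    r = ScanResult()
    for path, data in files.items():
        r.scanned += 1
        digest = file_hash(data)
        if vie is not None and vie.get(path) == digest:
            r.trusted += 1  # unchanged since the base image
            continue
        if cache.lookup(defs, digest):
            r.trusted += 1  # another VM on this host already scanned it clean
            continue
        r.inspected += 1
        if engine_is_clean(data):
            cache.add(defs, digest)
        else:
            r.detections += 1  # a detection is never cached as clean
    return r

def run_lab():
    """Replay the lab: baseline (A), vSIC (B), definition mismatch, vSIC + VIE (C)."""
    base_image = {f"C:/Windows/System32/base{i:02d}.dll": f"base-{i}".encode() for i in range(90)}
    base_image["C:/Program Files/SEP/client.exe"] = b"sep-base"
    # Three clones of the base image, each with its own user data (constructed).
    win7a = {**base_image, "C:/Users/a/notes.txt": b"a-notes"}
    win7b = {**base_image, "C:/Users/b/notes.txt": b"b-notes"}
    win7c = {**base_image, "C:/Users/c/notes.txt": b"c-notes",
             "C:/Users/c/bad.exe": DETECTION_MARKER + b"payload",
             "C:/Windows/System32/base03.dll": b"patched"}  # drifted from the base image

    defs = "2013-01-01 rev. 2"
    cache = SharedInsightCache()
    out = {}
    out["A"] = scan(win7a, defs, cache)  # baseline: the cache is empty
    out["items_after_A"], out["requests_after_A"] = len(cache.entries), cache.requests
    out["B"] = scan(win7b, defs, cache)  # vSIC: everything A scanned clean is a hit
    out["items_after_B"], out["requests_after_B"] = len(cache.entries), cache.requests
    # Same VM under newer definitions: nothing cached applies. Use a copy of the
    # cache so this re-scan does not pollute the main run.
    stale = SharedInsightCache(entries=set(cache.entries))
    out["B_new_defs"] = scan(win7b, "2013-01-02 rev. 1", stale)
    out["C"] = scan(win7c, defs, cache, vie=build_vie_whitelist(base_image))  # vSIC + VIE
    out["requests_during_C"] = cache.requests - out["requests_after_B"]
    return out

if __name__ == "__main__":
    for name, value in run_lab().items():
        print(f"{name:>18}: {value}")
```

Running it reproduces the shape of what the lab expects: scan A inspects every file and fills the cache; scan B trusts all the files it shares with A, so cache requests roughly double while the item count barely moves; the same VM rescanned under a different definition revision gets no hits at all; and scan C with VIE trusts every unchanged base-image file without even asking the cache, so scanned and trusted nearly match and only the drifted DLL, the new user file and the detected file are actually read.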
(The screenshot of the Scans log that accompanied this page is for illustration purposes only; look at the numbers on your lab machine for accurate reporting.)

This concludes the lab. Thank you for taking the time to explore our product. Do not forget to fill in the survey about this session when instructed.