VDI deployment


Hello everybody,

 

We are preparing to implement F-Secure antivirus protection (Business Suite) for a client that has a Citrix VDI environment. We need to know where to obtain all the necessary documentation to be able to understand this type of scenario well.

We also need to know about:

- Procedure to be followed and components to be used
- Best practices for persistent and non-persistent scenarios
- How the registry works / unregistration for environments with single-image management
- What recommendations are there for the update of virus signatures in non-persistent environments
- What are the recommended exclusions that should be considered in an implementation?

 

I look forward to your comments.

 

FP

Accepted Solutions

Re: VDI deployment

Hi
while documentation explains all the steps needed
(https://help.f-secure.com/product.html#business/fsvs/latest/en/task_A9D53BA712464958B4D6E683AE28731F...)

 

You have to understand the following:
1) The installation is not agent-less
2) The software installed on the VDI will still receive certain updates. So if your "golden image" becomes old, F-Secure will be somewhat "old". So, if you provide a new image on a daily basis, the software will be pretty recent. Still, it will download new updates for engines that reside in the Host and are not located on the SRS.

3) The scenario is to start all VDIs from a golden image, but depending on your setup you might trash that VDI in the evening or reuse it until a new image is provided.

The first will also delete all previous information on that client, including temp files, logs, errors, events, just all the forensic history that is needed in case of an incident or for debugging. IMHO resetting a VDI on shutdown as a means to have a "clean environment every day" is a bad idea from the start; you had then better think about why it gets unclean. Restarting a system with the same vulnerabilities every day, having to patch them after startup (or even leaving them unpatched), while the AV software also gets reset to the same old engines and modules, creates a dangerous threat vector.

Reusing the same VDI on the next day (at least until the image is rebuilt) will counter that threat, but also requires a different setup and more disk space to store the engine state.

 

4) SRS remembers (caches) the hashes it has previously analyzed. If a rebooted client asks for an already known hash, SRS will quickly return the answer. Usually the client remembers the answer as well, caching it too, which will speed up the start of the client. After a reset this cache will be clean and the client will need to refetch the information from SRS. Depending on the number of SRSs and the number of VDIs starting at the same time, this might add some additional IO load.

 

One trick to overcome some of the above problems: VDIs can be pre-started. So whenever a user logs on, he gets a machine that is "clean" in the sense of XEN, but has also updated everything in the background already. Still, logs, history and so on are gone.

 

Hope this helps.

For a more specific recommendation I would rather ask you to query for a consultant. We'd be happy to advise you.

M.

Matthias
----------
perComp has been a Platinum Partner of F-Secure since 1994. Any advice or help given by me in this forum is voluntary and to the best of my knowledge, based on working with the products since 1997. For direct contact, customers please check our homepage http://www.percomp.de


Re: VDI deployment

Hello,

 

> a client that has a Citrix VDI environment

 

There is a specific F-Secure product, which also supports "Citrix XenServer 6.2, 6.5" to boost the performance of F-Secure virus protection in virtualized environments. Please see:

 

https://www.f-secure.com/en/web/business_global/downloads/virtual-security

 

On that webpage you can find binary downloads and user/admin/implementation PDFs and release notes information.

 

Best Regards: Tamas Feher from Hungary.

 


Re: VDI deployment

Hi Tamas,

 

The SRS allows lowering the load on the virtual machine and on the VD; however, that is only a part of what is required for an implementation of a VDI infrastructure.

 

Thank you

 

Fernando



Re: VDI deployment

Hi Matthias,

 

Thank you for your comments.

 

I understand what you are saying; however, where is the ESS function? Where is the ESS installed? In the PVS? Once the ESS is installed, what is its function and how would it work? F-Secure does not delve into this in any documentation.

 

Regards

 

FP


Re: VDI deployment

Sorry, but I have no idea what you are searching for.
SRS is installed as a standalone VM next to all VDIs
and Client Security 14+ is installed on the master, being the image for the VDIs.

The functionality is configured via F-Secure Policy.
Enlist the SRS servers (2 recommended for failover)
and switch the setting on.

 

Matthias


Re: VDI deployment

Matthias, when I talk about ESS, I mean Email & Server Security. The ESS within a VDI infrastructure, where should it be installed and what role does it have?


Re: VDI deployment

Client Security with activated "Offload Scanning Agent" is what you want in VDI.
ESS is for a Citrix Terminal Server or Exchange Server.
It has the same "role" as Client Security in Windows.

 

Matthias