Symantec Endpoint Protection 11 with XenDesktop and PVS

This post is what you're looking for if:

  • You are using SEP 11 with PVS and XenDesktop 4 / 5 / 5.5
  • Your VMs have a "Persona" drive (D: for example)
  • Your VMs run Windows XP (it should work with Windows 7 as well)
  • You don't want to, or cannot, use PVS Personality Strings
  • The SEP11 administrator is going crazy because all the XenDesktop VMs create new entries at every reboot

Using antivirus software on a VDI platform is a discussion you often see here and there, but this time the question wasn't whether I needed to install an antivirus or not: Symantec Endpoint Protection was already installed and running on my customer's Citrix XenDesktop 4 / PVS 5.6 SP1 infrastructure. SEP11 (short name for Symantec Endpoint Protection) was installed and running well on the PVS distributed pool VMs. Yesterday the SEP administrator came to me and complained that the XenDesktop VMs were generating a new entry in the SEP11 administration console every time they were rebooted, and that every morning he was forced to move all the objects into the VDI node and delete all the past entries…

But everything was working… I guess this administrator found that a bit boring; he just complained and kept doing this task every day, and when he wasn't there, no one took care of that manual task. The XenDesktop VMs needed to be in the VDI node because the exclusions in place there were important for VM performance:

  • PVS cache file
  • Event logs
  • EdgeSight firebird database
  • etc.

When no one was doing this task, the VMs were generating new objects in the default node, where no specific exclusions were applied. This brought some performance issues now and then.

My first thought was to use personality strings (a PVS feature), but I didn't want to bring another feature into the game, as the people managing this infrastructure weren't really aware of this PVS feature.

All the Symantec technotes (link) about their antivirus and PVS are based on personality string usage, so I needed to figure out another way to give each VM its own GUID.

After many tests and many solutions found on the Internet, nothing was working well: every time a VM was rebooted, a new entry appeared in the SEP11 administration console. So I decided to go at it by myself and find an automatic solution that doesn't require any maintenance or manual manipulation.

After having a look at the Symantec Endpoint Protection Client Registration Flow (link), the idea was simple:

Generate a unique GUID for each VM, copy this GUID into the registry before the SEP11 services start, and that's it.

First things first, I needed a script to generate a GUID and store it in a file on the persona drive (D:), so it can be reused after every reboot; once the GUID has been generated, this script is skipped.

Option Explicit

' Variables
Dim fso, MyFile, WshShell, theString, strAlphaNumeric, i, strChar, cleanedString

' Objects
Set WshShell = WScript.CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")

' Returns a new GUID without the surrounding braces
Function CreateGUID
    Dim TypeLib
    Set TypeLib = CreateObject("Scriptlet.TypeLib")
    CreateGUID = Mid(TypeLib.Guid, 2, 36)
End Function

' Keeps only alphanumeric characters (drops the hyphens of the GUID)
Function CleanTheString(theString)
    strAlphaNumeric = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    cleanedString = ""
    For i = 1 To Len(theString)
        strChar = Mid(theString, i, 1)
        If InStr(strAlphaNumeric, strChar) Then
            cleanedString = cleanedString & strChar
        End If
    Next
    CleanTheString = cleanedString
End Function

' Generate the GUID
theString = CreateGUID

' Keep a copy of the cleaned GUID in our own registry key
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\EasyVista\GUID_VDI", CleanTheString(theString), "REG_SZ"

' Once discovery.txt exists on the persona drive, the GUID is never regenerated
If fso.FileExists("D:\discovery.txt") Then
    WScript.Quit()
Else
    Set MyFile = fso.CreateTextFile("D:\discovery.txt", True)
    MyFile.WriteLine(cleanedString)
    MyFile.Close
End If

WScript.Quit()

This GUID generator creates a file named discovery.txt in the root of the D: drive. Once this GUID exists, I needed to import it into the registry at the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HardwareID

Option Explicit

Dim objFSO, strTextFile, strData, WshShell, objFile, strFile, intLength, strEnd
Const ForReading = 1
Const ForWriting = 2

' File written by GUID_Creation.vbs
strTextFile = "d:\discovery.txt"

' Objects
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set WshShell = WScript.CreateObject("WScript.Shell")

' Read the GUID
Set objFile = objFSO.OpenTextFile(strTextFile, ForReading)
strFile = objFile.ReadAll
objFile.Close

' WriteLine left a trailing CRLF: strip it and rewrite the file without it
intLength = Len(strFile)
strEnd = Right(strFile, 2)
If strEnd = vbCrLf Then
    strFile = Left(strFile, intLength - 2)
    Set objFile = objFSO.OpenTextFile(strTextFile, ForWriting)
    objFile.Write strFile
    objFile.Close
End If

' Re-read the cleaned file: strData now contains only the GUID
strData = objFSO.OpenTextFile(strTextFile, ForReading).ReadAll
WScript.Echo strData

' Hand the GUID to SEP11 as its hardware ID (must happen before the SMC service starts)
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HardwareID", strData, "REG_SZ"

' Cleanup
Set objFSO = Nothing
Set WshShell = Nothing

Then I made a batch file to launch the two VBS scripts; this batch file is the one launched as a service during VM startup.

cscript.exe C:\localapp\Mgt\Pubtools\Sep11\GUID_Creation.vbs
cscript.exe C:\localapp\Mgt\Pubtools\Sep11\GUID_Symantec_Registry.vbs

Using a start-up script to launch this batch didn't work, because the SEP11 services were already started and a new GUID had already been generated. So I chose to create a user-defined service that runs the previous batch file right after the Event Log service starts and before the SEP11 services.

To do so, you can follow the steps on the Microsoft website: link

and download the Windows Resource Kit here: link

I used the following command to create a service named Sep11VDI:

"%Resource kits path%\tools\Instsrv.exe" Sep11VDI "%Resource kits path%\tools\srvany.exe"

Once the service is created, to have it start right after the Event Log and before the SEP11 services, you need to add the following registry entries under the service key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sep11VDI

Windows Registry Editor Version 5.00

; Putting the service in the "Event Log" load-order group starts it right after the Event Log
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sep11VDI]
"Group"="Event Log"

; srvany reads the program to launch from the Application value of the Parameters subkey
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sep11VDI\Parameters]
"Application"="c:\\path_to_the_batch_created_above\\sep11.cmd"

That's almost it. To make sure everything is clean, I clear the registry value containing the GUID:

HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink\HardwareID

and delete the file "%ProgramFiles%\Common Files\Symantec Shared\HWID\sephwid.xml".
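The same per-boot flow (persist a GUID on the persona drive, stamp it into SyLink before SMC starts, and the cleanup above for the image) as one idempotent PowerShell script. This is an added example, not the author's scripts; it keeps the paths from the post, and the SMC service name "SmcService" and the -PrepareImage switch are assumptions.

```powershell
# Added example, not the author's scripts: the two VBS steps and the cleanup as one
# idempotent PowerShell script (PS 2.0 syntax so it also runs on Windows XP).
# Paths come from the post; the SMC service name and the -PrepareImage switch are assumptions.
param([switch]$PrepareImage)

$GuidFile   = 'D:\discovery.txt'
$SylinkKey  = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink'
$HwidXml    = Join-Path $env:ProgramFiles 'Common Files\Symantec Shared\HWID\sephwid.xml'
$SmcService = 'SmcService'   # assumption: service name of the SEP 11 management client

function Get-OrCreateVdiGuid {
    # Reuse the GUID persisted on the persona drive; only generate one the first time.
    if (Test-Path -LiteralPath $GuidFile) {
        $id = [string](Get-Content -LiteralPath $GuidFile | Select-Object -First 1)
        $id = $id.Trim()                                  # drop any trailing CRLF
        if ($id -match '^[0-9A-Za-z]{32}$') { return $id }
        # empty or damaged file: fall through and regenerate
    }
    $id = [guid]::NewGuid().ToString('N')                 # 32 hex chars, no braces, no hyphens
    Set-Content -LiteralPath $GuidFile -Value $id -Encoding Ascii
    return $id
}

function Set-SylinkHardwareId([string]$Id) {
    # Too late if SMC is already up: it has registered with a fresh ID (the start-up script failure).
    $svc = Get-Service -Name $SmcService -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') {
        throw "$SmcService is already running; HardwareID must be written before it starts"
    }
    if (-not (Test-Path $SylinkKey)) { New-Item -Path $SylinkKey -Force | Out-Null }
    Set-ItemProperty -Path $SylinkKey -Name 'HardwareID' -Value $Id -Type String
    $readBack = (Get-ItemProperty -Path $SylinkKey -Name 'HardwareID').HardwareID
    if ($readBack -ne $Id) { throw "HardwareID read-back mismatch: '$readBack'" }
}

function Clear-SylinkIdentity {
    # Cleanup step for the image: no stale ID may survive in the master.
    if (Test-Path $SylinkKey) {
        Remove-ItemProperty -Path $SylinkKey -Name 'HardwareID' -ErrorAction SilentlyContinue
    }
    if (Test-Path -LiteralPath $HwidXml) { Remove-Item -LiteralPath $HwidXml -Force }
}

if ($PrepareImage) { Clear-SylinkIdentity }
else {
    $vdiGuid = Get-OrCreateVdiGuid
    Set-SylinkHardwareId $vdiGuid
    Write-Host "SyLink HardwareID set to $vdiGuid"
}
```

Run it with -PrepareImage once before sealing the vDisk, and point the Sep11VDI service's Application value at `powershell.exe -NoProfile -ExecutionPolicy Bypass -File <path>\Set-SepVdiGuid.ps1` (file name assumed) to run it at boot in place of the batch file.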


Resources:

Symantec Endpoint Protection: link

Symantec: Configuring Symantec Endpoint Protection for deployment as part of a drive image: link

Symantec: Symantec Endpoint Protection Client Registration Flow: link

Symantec: Configuring Symantec Endpoint Protection client for deployment as part of a drive image: link

Microsoft: How to create a user-defined service: link

Microsoft Resource Kits download: link

GenV: Symantec Endpoint Protection on XENDesktop and PVS target devices blog: link

Citrix PVS Personality String: link
