Appendix

Disabling the Anti-Malware Periodic Scan

"Anti-Malware Scan Storms" can occur when anti-virus scans run at the same time on multiple virtual machines on the same physical server. A degradation of system performance is possible that can affect disk I/O and CPU usage.

We recommend that you disable the Anti-Malware periodic scan in one of these ways:

  • Go to the Policy Page > Web & Files Protection in the right pane.

  • Scroll down to select "Never" in the "Perform periodic scan every" box.

  • Click on the Selected Action option.

  • Choose "Perform periodic anti-malware can every month" to clear the "Perform Periodic Scan" box.

Note - See sk13009.

  1. Disable the scheduled scan in the registry:

    On 64-bit:

    HKLM\SOFTWARE\Wow6432Node\CheckPoint\EndPoint Security\Anti-Malware\AVSchedOf=(DWORD)0x0b

    On 32-bit:

    HKLM\SOFTWARE\CheckPoint\EndPoint Security\Anti-Malware\AVSchedOf=(DWORD)0x0b

  2. Restart the machine to restore Self-Protection.

    Use the ComplianceSoftware Blade to change the registry. See sk132932.

Advanced Settings for Persistent Desktops

This section shows how to configure clients manually for the Persistent VDI solution. Use this approach if the "Policy Approach" is not available.

  1. Disable the periodic scan. See Disabling Anti-Malware Periodic section here in the Appendix.

  2. Enable the Anti-Malware Randomized Scan if you do not disable the Anti-Malware Periodic Scan.

    In R80.40 or higher, use the Database Tool (GuiDBEdit Tool) (sk13009).

Advanced Settings for Configuring Clients for Non-Persistent Desktops

This section shows how to configure clients manually for the Non-Persistent VDI solution in the Signature Server and Signature Server Consumers roles. Use this approach if the "Policy Approach" is not available.

Setting Up the Shared Signatures Server

You can set up the Signature Server as a manual procedure with a script or with a policy.

Create a Shared Folder

  1. Create a folder to store the shared signatures.

  2. Share the folder and grant read access to members of the Domain Computers' group.

Note - On Work-group machines, the SYSTEM account does not have network login rights. This configuration is not supported.

Perform Registry Changes

  1. Set the machine as "Shared Signatures Server".

    On 64-bit:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint Security\Anti-Malware\VdiSignatureServer=(DWORD)0x01

    On 32-bit:

    HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint Security\Anti-Malware\VdiSignatureServer=(DWORD)0x01

  2. Set path to the shared signatures folder.

    On 64-bit:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint Security\Anti-Malware\AVSharedBases=(SZ)"C:\\Folder\\to\\share"

    On 32-bit:

    HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint Security\Anti-Malware\AVSharedBases=(SZ)"C:\\Folder\\to\\share"

    Notes:

    • If the path is not specified, the default shared folder is:

      C:\ProgramData\CheckPoint\Endpoint Security\Anti-Malware\bases\shared

    • The folder exists after first successful update.

  3. Reboot the machine to restart the Anti-Malware blade.

  1. Download the Shared Signatures Server Configuration script file.

  2. Execute the script on the Signature Server and follow the instructions.

  3. Make sure the script finishes successfully.

  4. Make sure you reboot the machine to restart the Anti-Malware blade.

Setting Up the Client Machine

You can also set up the client machines (the Golden Image) as a manual procedure.

  1. Disable the periodic scan. See Disabling Anti-Malware Periodic section here in the Appendix.

  2. Enable the "Shared Signatures" scheme.

    On 64-bit:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint Security\Anti-Malware\AVBasesScheme=(DWORD)0x01

    On 32-bit:

    HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint Security\Anti-Malware\AVBasesScheme=(DWORD)0x01

  3. Setting the "Shared Signatures" path.

    On 64-bit:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint Security\Anti-Malware\AVSharedBases=(SZ)"\\server\sharedsignatures"

    On 32-bit:

    HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\Endpoint Security\Anti-Malware\AVSharedBases=(SZ)"\\server\sharedsignatures"

    Important - If the path is not specified, the default shared folder is:

    C:\ProgramData\CheckPoint\EndpointSecurity\Anti-Malware\bases\shared

    The folder exists after the first successful update.

  4. Reboot the machine or restart the Anti-Malware process.

  1. Download the Golden Image Configuration script file.

  2. Execute the script on the Golden Image and follow the instructions.

  3. Make sure the machine is rebooted.