Endpoint Protection


How to confirm centralized exceptions are working on client?


  • 1.  How to confirm centralized exceptions are working on client?

    Posted Mar 30, 2009 03:11 PM
    I have a centralized policy for scan exclusions for different server groups, including Exchange servers.
    Yes, I've been told about the auto exclude, but every environment is a little different.  Microsoft did publish a document with recommendations regarding scan exclusions for various products.  It is a bit dated.

    In any case, I have a centralized exception policy.  How do I confirm these are working on the client?

    I'm trying to pull the scan logs up and look for something stating that certain folders or extensions have been skipped in the scheduled scan, but I'm not seeing what I'm expecting.

    The sysadmin for that server says he can't see any centralized exceptions listed on the server itself.

    So now I'm not sure if it is working or not.

    I've tried to look at different monitoring settings from the console, but there isn't much detail.

    I tried a detailed view of the logs for that server, but again, I didn't see anything about the exclusions I set.

    Is the answer posted somewhere else?

    Any help will be appreciated!

    Thanks again


  • 2.  RE: How to confirm centralized exceptions are working on client?

    Broadcom Employee
    Posted Mar 30, 2009 03:26 PM
    One easy way to see if your Centralized Exceptions are applied to your client is to open up the registry and see if they are listed under our exclusions.

    This document should show you where to check:

    Title: 'How to Verify if an Endpoint Client has Automatically Excluded an Application or Directory'
    Document ID: 2008090512574448
    Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008090512574448?Open&seg=ent

    Hope that helps!


  • 3.  RE: How to confirm centralized exceptions are working on client?

    Posted Mar 30, 2009 03:36 PM

    Thanks for the quick response.  I don't have direct access to the servers so I will have the sysadmin check it out.

    Thanks again,









  • 4.  RE: How to confirm centralized exceptions are working on client?



  • 5.  RE: How to confirm centralized exceptions are working on client?

    Posted Mar 30, 2009 05:12 PM
    Another way to test the exclusions is with an anti-malware test file.
    You can download an anti-malware test file (it is inoffensive) from www.eicar.org.
    For example, download the .zip sample and save it in a folder that should not be scanned, then try to unzip the sample and see if it is allowed or blocked by the AV.
    In another folder the sample will be detected and removed.

    Cheers,


  • 6.  RE: How to confirm centralized exceptions are working on client?

    Posted Mar 31, 2009 10:52 AM
    The registry check showed what the exclusion settings are on the local client.

    Shouldn't there be an entry in a scan log that states what folders and files are being excluded?

    Thanks Ray, for the document pointer, but I already have this document.  It was a good place to start when you don't know where to start.  I used some and I had to customize based on how the environment was set up.  Different drive letters, different folder locations...etc.

    Still working on finding the optimal setup.  We definitely don't want to corrupt, crash, or lock anything to do with our databases.  But we also don't want it to take 3 days to scan a server either.

    The Eicar file idea should work and I'll keep that in mind.

    I really just want the product to tell me what it is or is not doing.




  • 7.  RE: How to confirm centralized exceptions are working on client?

    Posted Mar 31, 2009 12:16 PM
    I don't believe that the scan logs say anything about files omitted due to exceptions.  We omit some directories on one of our servers and I remember ever seeing anything to that effect.  I know I was curious as to if it was working correctly and the Symantec tech showed me where to find the registry key which shows what is being excluded.  I just assumed that it was working after seeing the key.  It is odd that it does list the files it can't access as scan omissions though.


  • 8.  RE: How to confirm centralized exceptions are working on client?

    Posted Apr 09, 2009 03:51 PM
    We just looked at the registry settings on an Exchange Server for which I also created a Centralized Exceptions policy to exclude certain folders.

    At what point would the settings from the Centralized exception policy be written into the registry?

    What if the policy said to exclude R:\  but on that particular server there was no R:  ?  Would the exclusion still be written into the registry?




  • 9.  RE: How to confirm centralized exceptions are working on client?

    Posted Apr 22, 2009 10:13 AM
    I stumbled on it.

    Here is the location in the registry where you can see the centralized exceptions in the local client's registry.  It doesn't validate that they are being used properly, though, but nonetheless.


    HKLM\Software\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines
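
Added example, not from any poster or from Symantec: a read-only PowerShell check that dumps whatever the client has recorded under the registry key named in post 9 and compares it with the folders the policy is supposed to exclude, including the case raised in post 8 where the excluded drive does not exist on the host. The `Wow6432Node` path is an assumption for a 32-bit client on 64-bit Windows, the `$expected` folders are constructed sample values, and no particular value layout under the key is assumed.

```powershell
# Added example (not from the thread). Key path is the one given in post 9.
# The Wow6432Node variant is an assumption for a 32-bit client on 64-bit Windows.
$roots = @(
    'HKLM:\Software\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines',
    'HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines'
)
# Constructed sample: replace with the folders your Centralized Exceptions policy lists.
$expected = @('D:\Exchsrvr\MDBDATA', 'R:\')

function Get-RegistryEntries {
    param([Parameter(Mandatory)][string]$Path)
    # Walk the key and every subkey; no particular value layout is assumed.
    $keys = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Name  = $name
                Value = @($key.GetValue($name)) -join '; '
            }
        }
    }
}

$entries = foreach ($root in $roots) {
    if (Test-Path -LiteralPath $root) { Get-RegistryEntries -Path $root }
}
if (-not $entries) { Write-Warning 'No exclusion entries found under the expected keys.' }

# Everything the client has recorded, for comparison with the policy in the console.
$entries | Format-Table -AutoSize -Wrap | Out-Host

# For each expected folder: is it recorded in the registry, and does it exist on this host?
foreach ($folder in $expected) {
    $hit = @($entries | Where-Object {
        ("$($_.Key)|$($_.Name)|$($_.Value)").IndexOf($folder, [StringComparison]::OrdinalIgnoreCase) -ge 0
    })
    [pscustomobject]@{
        Folder       = $folder
        InRegistry   = $hit.Count -gt 0
        ExistsOnHost = Test-Path -LiteralPath $folder
    }
}
```

As post 9 points out, a matching registry entry shows that the policy reached the client, not that the scanner is honouring it.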






  • 11.  RE: How to confirm centralized exceptions are working on client?

    Posted Apr 22, 2009 10:45 AM
    I think the best way to test whether centralized exceptions are working or not is to download a test malware file from www.eicar.com and then put it in the exception list. Run a full scan; if it is omitted, then the exception is working.


  • 12.  RE: How to confirm centralized exceptions are working on client?

    Posted Apr 22, 2009 02:38 PM


    testing solution is great


  • 13.  RE: How to confirm centralized exceptions are working on client?

    Posted Apr 22, 2009 03:23 PM
    You can test it out from the registry itself; however, if you want to be sure and it's just one or two servers on which you have to make the exceptions (Exchange and SQL Server),
    I would suggest going for a User-Defined Exception.


  • 14.  RE: How to confirm centralized exceptions are working on client?

    Posted Apr 23, 2009 04:23 AM


  • 15.  RE: How to confirm centralized exceptions are working on client?

    Posted Apr 23, 2009 05:43 AM
    It's really a very good link provided by Ajitjha


  • 16.  RE: How to confirm centralized exceptions are working on client?

    Posted Apr 23, 2009 05:45 AM
    Thanks Ajitjha for the link.


  • 17.  RE: How to confirm centralized exceptions are working on client?

    Posted Apr 23, 2009 05:49 AM
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008090512574448?Open&seg=ent


    try this link