Endpoint Protection


How to stop scanning of NTUSER.dat

  • 1.  How to stop scanning of NTUSER.dat

    Posted Sep 06, 2011 02:39 PM

    Windows often generates a temporary user profile during logon because the ntuser.dat file is locked by another process. Event Viewer indicates it's a Symantec scan. How can I set up a centralized exception for this file? My policies all stem from the top of our AD hierarchy. I need to apply this policy to a group below the "My Company" group. Ideas?



  • 2.  RE: How to stop scanning of NTUSER.dat

    Trusted Advisor
    Posted Sep 06, 2011 02:42 PM

     

    Hello,

    Could you try and see if an exclusion of the NTUSER.DAT file from scanning helps to temporarily work around the issue?

    http://www.symantec.com/docs/HOWTO18217

    Add the exclusion as follows: %userprofile%\ntuser.dat

    Hope that resolves the issue.



  • 3.  RE: How to stop scanning of NTUSER.dat

    Posted Sep 06, 2011 02:46 PM


  • 4.  RE: How to stop scanning of NTUSER.dat

    Posted Sep 06, 2011 06:34 PM

    The wildcard % is not valid in SEP 11. Did they fix it?



  • 5.  RE: How to stop scanning of NTUSER.dat

    Posted Sep 06, 2011 06:38 PM

    The use of environmental variables (example: %temp%) in exclusions is not supported in either Symantec Endpoint Protection 11 or 12.1.

    This is by design.

    James



  • 6.  RE: How to stop scanning of NTUSER.dat

    Posted Sep 07, 2011 12:38 AM

    That is indeed good security practice, but it makes exclusions for user-specific folders difficult.

    You simply can't create exclusions for every username in the corporation!

    What other option exists to exclude

    C:\Documents and Settings\UserX\Some random file.
    C:\Documents and Settings\UserY\Some random file.
    C:\Documents and Settings\UserZ\Some random file. 

    Does v12.1 have the option?



  • 7.  RE: How to stop scanning of NTUSER.dat

    Posted Sep 07, 2011 09:22 AM

    I need to make exclusions for every student in our domain, otherwise the temp profile will load occasionally driving my techs crazy. The students lose printers and desktop configurations when this happens.



  • 8.  RE: How to stop scanning of NTUSER.dat

    Posted Sep 07, 2011 01:13 PM

    SEP12.1 changed the storage location of user scheduled scans (out of the user registry) to reduce the occurrence of this kind of issue.

    However the issue can still occur due to other programs like search indexer. 

    Detailed diagnostic steps may be necessary to uncover the root source if the source is not obvious:

    http://blogs.technet.com/b/markrussinovich/archive/2009/08/10/3272210.aspx



  • 9.  RE: How to stop scanning of NTUSER.dat

    Posted Sep 28, 2011 11:26 AM

    USB mouse now seems to be locking up as well when users log off. Not sure this is related. Does anybody at Symantec have answers for this?



  • 10.  RE: How to stop scanning of NTUSER.dat

    Posted Oct 10, 2011 05:34 PM

    Good post about 12.1 moving user scheduled scans out of the registry. Maybe other scans should move, too.

    Regards



  • 11.  RE: How to stop scanning of NTUSER.dat

    Posted Oct 10, 2011 05:37 PM

    We have the issue, and there is no direct fix, and there is no practical way to exclude ntuser.dat.

    So, we will exclude the file extension .DAT.

    Hope this helps.