
Newbie centralized exception question - RtvScan is killing us

  • 1.  Newbie centralized exception question - RtvScan is killing us

    Posted Jun 05, 2009 08:54 AM
    Hello all,

    I am a software developer working...for a software editor (how original !).

    We are having problems with rtvscan.exe, and after analysis, it all boils down to centralized exception handling within EndPoint.

    Here's the problem :

    1. We install our package in, say, "C:\installdir". Our main executable "main.exe", is in this directory.

    2. When our package is used, the main executable is copied "locally" in the user's working directory. This local executable is also renamed. Let us call it "D:\userdir\local.exe".
    The operation we do is thus : "copy c:\installdir\main.exe d:\userdir\local.exe"

    Note that this copy can take place across the network. The user has access to the package installed on a server.


    SO : My question is : "Is there any way to register our main executable as "not to be scanned" and maintain this exception status for our copies ?" ... or, "how can I avoid rtvscan scanning my local copies ?" will also do.


    Thank you for any suggestions...


    Andy



  • 2.  RE: Newbie centralized exception question - RtvScan is killing us

    Posted Jun 05, 2009 09:16 AM
    Centralized exception works mainly on a location basis.
    So what you can do is put a centralized exception policy for both these locations:
    C:\installdir\* or main.exe
    D:\userdir\local.exe
    This would work great only if main.exe remains main.exe and local.exe remains local.exe and these names are not always different in each deployment.


  • 3.  RE: Newbie centralized exception question - RtvScan is killing us

    Posted Jun 05, 2009 09:40 AM
    Thank you Vikram.

    "c:\installdir\main.exe" remains there, and is not renamed.

    However, the local copy changes depending on the user's project directory. It is always named local.exe, but the "userdir" changes at every copy.
    I gather I can only identify an exe by its location. No way to identify a "trusted editor" or some sort of "signature" ? If not, we have to exclude static exceptions.

    Is there a way I can create one dynamically (command line, script, ...?), right after the copy is made ?

    Thanks again,

    Andres




  • 4.  RE: Newbie centralized exception question - RtvScan is killing us

    Posted Jun 05, 2009 09:53 AM
    How about using application and device control? We've used that to block applications. It also has an allow option.


  • 5.  RE: Newbie centralized exception question - RtvScan is killing us

    Posted Jun 05, 2009 09:58 AM
    How do I do that ... ? Sorry for my incompetence, I really am a newcomer



  • 6.  RE: Newbie centralized exception question - RtvScan is killing us

    Posted Jun 05, 2009 10:03 AM
    @Mon_raralio
    Application and device control exceptions are different and exclusion for File System Auto-Protect is different,
    so allowing there won't work.

    @Andres
    Are these executables getting detected as something or just rtvscan is making this process slow.

    If it is getting detected then you can submit the file to Symantec as a false positive detection:
    https://submit.symantec.com/false_positive/index.html


  • 7.  RE: Newbie centralized exception question - RtvScan is killing us

    Posted Jun 05, 2009 10:07 AM
    I don't have much experience with scripting,
    however see if this helps you to put it in your script.

    As you create a centralized exception it creates a registry entry over there:
    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory\Admin\554735716 (on 32 bit) and below it is the details about this exception.
    So if you could test out a few things and make a script from this, that will resolve your issue.


  • 8.  RE: Newbie centralized exception question - RtvScan is killing us

    Posted Jun 05, 2009 11:38 AM
    Thank you all.

    The registry idea is nice. Think I'll give it a shot, but it's HKEY_LOCAL_MACHINE (so users need admin privileges).


    I'll look if HKEY_CURRENT_USER works too.


    Andy




  • 9.  RE: Newbie centralized exception question - RtvScan is killing us

    Posted Jun 05, 2009 04:32 PM
    Before we get too far ahead of ourselves and start giving users admin rights and scripting reg values, let's take a step back. What exactly is happening? This is going back to Vikram's question, which was "Are these executables getting detected as something or just rtvscan is making this process slow." Also, it would be helpful if you could post what OS is on these machines as well as any relative system info. Also post what version of SEP you are running. One more thing to post, that helps answer Vikram's question, is what is the CPU usage and the Mem usage of Rtvscan.exe?

    Cheers
    Grant



  • 10.  RE: Newbie centralized exception question - RtvScan is killing us

    Posted Jun 09, 2009 10:37 AM
    Hi Grant,

    Thank you for butting in. I would be glad to learn that all this is a support problem, and not have to develop anything.
    I think it is sound for rtvscan to scan unknown exes, but this should not make them unusable.

    I will gather more info later on, for the moment, this is what I know

    - rtvscan is taking up 100% CPU on one of the two cores of one user's machine
    - SEP version 11.0.780.1109
    - OS is XP


    Andy



  • 11.  RE: Newbie centralized exception question - RtvScan is killing us

    Posted Jun 10, 2009 04:07 AM
    Grant,

    I myself am now experiencing the problem. RtvScan is taking one of my two CPUs, and using 109 to 133 Mb of memory.


  • 12.  RE: Newbie centralized exception question - RtvScan is killing us
    Best Answer

    Posted Jun 10, 2009 04:23 AM
    The very first thing I would suggest you do is get rid of that version. 11.0.780 was the RTM (release to market) version that is full of bugs and hundreds of known issues. More than 1000 issues have been fixed between the version you are using and the current version 11.0.4202.xxx.
    As you migrate from 11.0.780 to the new version, I think 90% of your issues will be solved.


  • 13.  RE: Newbie centralized exception question - RtvScan is killing us

    Posted Jun 10, 2009 11:06 AM
    Thanks Vikram. That's great news. I consider the case closed (for the moment, at least)