Microsoft's Recommended 64-bit Virus Scanning Exclusions for DNS, DHCP and WINS are not Automatically Set by SEP
Article: TECH131089 | Created: 2010-01-19 | Updated: 2010-12-13 | Article URL: http://www.symantec.com/docs/TECH131089
Problem
In the document "Virus scanning recommendations for computers that are running currently supported versions of Windows" Microsoft suggests several exclusions that should be configured on 64-bit Domain Controllers. Not all of these are automatically set by Symantec Endpoint Protection.
Symptoms
The exclusions not automatically set:
- Turn off scanning of DHCP files
  By default, DHCP files that should be excluded are present in the following folder on the server: %systemroot%\System32\DHCP
  Exclude the following files from this folder and all its subfolders:
  *.mdb
  *.pat
  *.log
  *.chk
- Turn off scanning of DNS files
  By default, DNS uses the following folder: %systemroot%\System32\Dns
  Exclude the following files from this folder and all its subfolders:
  *.log
  *.dns
  BOOT
- Turn off scanning of WINS files
  By default, WINS uses the following folder: %systemroot%\System32\Wins
  Exclude the following files from this folder and all its subfolders:
  *.chk
  *.log
  *.mdb
Cause
Symantec Endpoint Protection automatically detects the presence of key Domain Controller directories and files (the Active Directory and FRS locations listed under Technical Information) and sets exclusions for them. The DHCP, DNS and WINS locations listed above are not covered by this automatic detection in versions prior to 11 RU6 MP2.
Solution
Automatic exclusion of these additional DHCP, DNS and WINS files and directories was introduced in Symantec Endpoint Protection 11 RU6 MP2. Please upgrade to this version or later to take advantage of these exclusions.
Administrators with SEP versions prior to RU6 MP2 who wish to comply completely with Microsoft's document can add the DHCP, DNS and WINS exceptions manually in the Centralized Exceptions policy. For details, see "How to Create Scanning Exceptions for both Managed and Unmanaged Symantec Endpoint Protection Clients".
References
Microsoft suggested 64-bit exclusions: Virus scanning recommendations for computers that are running currently supported versions of Windows http://support.microsoft.com/kb/822158
Regarding possible variables and wildcards in SEP Centralized Exceptions, see "What variables and wildcards does Endpoint Protection allow in Centralized Exception Policies".
Also see: "Verifying SEP Exceptions for Windows Server 2008 and Windows Server 2003 Domain Controllers".
Technical Information
The following 64-bit exclusions are set automatically by SEP:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\AdminRiskExceptions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ClientRiskExceptions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\Domain Controller]
"HaveExceptionDirs"=dword:00000001
"HaveExceptionFiles"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\Domain Controller\FileExceptions]
"C:\\Windows\\NTDS\\EDB.chk"=dword:00000000
"C:\\Windows\\NTDS\\edb.log"=dword:00000000
"C:\\Windows\\NTDS\\edb00001.log"=dword:00000000
"C:\\Windows\\NTDS\\edb00002.log"=dword:00000000
"C:\\Windows\\NTDS\\edb00003.log"=dword:00000000
"C:\\Windows\\NTDS\\ntds.dit"=dword:00000000
"C:\\Windows\\NTDS\\RES1.log"=dword:00000000
"C:\\Windows\\NTDS\\RES2.log"=dword:00000000
"C:\\Windows\\NTDS\\TEMP.edb"=dword:00000000
"C:\\Windows\\ntfrs\\jet\\log\\edb.log"=dword:00000000
"C:\\Windows\\ntfrs\\jet\\log\\res1.log"=dword:00000000
"C:\\Windows\\ntfrs\\jet\\log\\res2.log"=dword:00000000
"C:\\Windows\\ntfrs\\jet\\Ntfrs.jdb"=dword:00000000
"C:\\Windows\\ntfrs\\jet\\sys\\edb.chk"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\Domain Controller\NoScanDir]
"C:\\System Volume Information\\DFSR"=dword:00000001
"C:\\Windows\\SYSVOL"=dword:00000000
"c:\\windows\\sysvol\\domain\\DO_NOT_REMOVE_NtFrs_PreInstall_Directory"=dword:00000001
"c:\\windows\\sysvol\\staging"=dword:00000001
"C:\\Windows\\SYSVOL\\staging areas"=dword:00000001
"C:\\Windows\\SYSVOL\\sysvol"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\HeuristicScanning]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\HeuristicScanning\FileHash]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\HeuristicScanning\FileName]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Extensions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\FileName]
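The following added example (not from the Symantec article or product) audits the SEP "Domain Controller" exclusion keys listed above against the DHCP, DNS and WINS recommendations from the Symptoms section, so an administrator on a pre-RU6 MP2 client can see which exceptions still need to be added manually. It assumes the 64-bit key layout shown in Technical Information and that value names under NoScanDir and FileExceptions are the excluded paths; how SEP stores wildcard entries in later releases is not documented here, so treat a reported gap as something to confirm in the Centralized Exceptions policy.

```powershell
# Added example, not Symantec code: compare SEP Domain Controller exclusion keys
# (assumed layout from the article) with Microsoft's DHCP/DNS/WINS recommendations.
# Run in an elevated PowerShell session on the 64-bit Domain Controller.
$base = 'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\Domain Controller'
$sysRoot = [Environment]::ExpandEnvironmentVariables('%systemroot%')

# Recommended exclusions from KB 822158, as reproduced in the article.
$recommended = @{
    "$sysRoot\System32\DHCP" = @('*.mdb', '*.pat', '*.log', '*.chk')
    "$sysRoot\System32\Dns"  = @('*.log', '*.dns', 'BOOT')
    "$sysRoot\System32\Wins" = @('*.chk', '*.log', '*.mdb')
}

# Value names under each subkey are the excluded paths; value data is only a flag.
function Get-ExclusionNames([string]$subKey) {
    $path = Join-Path $base $subKey
    if (-not (Test-Path $path)) { return @() }
    (Get-Item $path).GetValueNames() | ForEach-Object { $_.ToLowerInvariant() }
}

$dirs  = @(Get-ExclusionNames 'NoScanDir')
$files = @(Get-ExclusionNames 'FileExceptions')

$missing = foreach ($folder in $recommended.Keys) {
    $f = $folder.ToLowerInvariant()
    # A NoScanDir entry for the folder itself (or a parent) covers every pattern.
    $folderExcluded = $dirs | Where-Object { $f -eq $_ -or $f.StartsWith($_ + '\') }
    if ($folderExcluded) { continue }
    foreach ($pattern in $recommended[$folder]) {
        # A file-level entry inside the folder whose name matches the pattern counts
        # (a stored wildcard such as "...\DHCP\*.mdb" also matches its own pattern).
        $hit = $files | Where-Object {
            $_.StartsWith($f + '\') -and ((Split-Path $_ -Leaf) -like $pattern.ToLowerInvariant())
        }
        if (-not $hit) { "$folder\$pattern" }
    }
}

if ($missing) {
    Write-Output 'Recommended exclusions not present in the SEP Domain Controller keys:'
    $missing | ForEach-Object { Write-Output "  $_" }
    Write-Output 'Add these in the Centralized Exceptions policy, or upgrade to 11 RU6 MP2 or later.'
} else {
    Write-Output 'All recommended DHCP, DNS and WINS exclusions are covered.'
}
```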
Legacy ID
2010031913175948