Microsoft's Recommended 64-bit Virus Scanning Exclusions for DNS, DHCP and WINS are not Automatically Set by SEP

Article:TECH131089  |  Created: 2010-01-19  |  Updated: 2010-12-13  |  Article URL http://www.symantec.com/docs/TECH131089
Article Type: Technical Solution

Issue

In the document "Virus scanning recommendations for computers that are running currently supported versions of Windows" Microsoft suggests several exclusions that should be configured on 64-bit Domain Controllers. Not all of these are automatically set by Symantec Endpoint Protection.

Symptoms
The exclusions that are not set automatically:

Turn off scanning of DHCP files
By default, the DHCP files that should be excluded are present in the following folder on the server: %systemroot%\System32\DHCP
Exclude the following files from this folder and all its subfolders:
    *.mdb
    *.pat
    *.log
    *.chk

Turn off scanning of DNS files
By default, DNS uses the following folder: %systemroot%\System32\Dns
Exclude the following files from this folder and all its subfolders:
    *.log
    *.dns
    BOOT

Turn off scanning of WINS files
By default, WINS uses the following folder: %systemroot%\System32\Wins
Exclude the following files from this folder and all its subfolders:
    *.chk
    *.log
    *.mdb

Cause

Symantec Endpoint Protection automatically detects key Domain Controller directories and files and sets exclusions for them. The DHCP, DNS and WINS locations listed above are not among the locations detected by earlier releases.

Solution

Automatic exclusion of these additional DHCP, DNS and WINS files and directories was introduced in Symantec Endpoint Protection 11 RU6 MP2. Please upgrade to this version or later to take advantage of these exclusions.

Administrators with SEP versions prior to RU6 MP2 who wish to comply completely with Microsoft's document can add the DHCP, DNS and WINS exceptions manually in the Centralized Exceptions policy. For details, see How to Create Scanning Exceptions for both Managed and Unmanaged Symantec Endpoint Protection Clients.

References
Microsoft suggested 64-bit exclusions: Virus scanning recommendations for computers that are running currently supported versions of Windows, http://support.microsoft.com/kb/822158

Regarding possible variables and wildcards in SEP Centralized Exceptions, see What variables and wildcards does Endpoint Protection allow in Centralized Exception Policies.

Also see: Verifying SEP Exceptions for Windows Server 2008 and Windows Server 2003 Domain Controllers.

Technical Information
The following 64-bit exclusions are set automatically by SEP (registry export format):

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\AdminRiskExceptions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ClientRiskExceptions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\Domain Controller]
"HaveExceptionDirs"=dword:00000001
"HaveExceptionFiles"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\Domain Controller\FileExceptions]
"C:\\Windows\\NTDS\\EDB.chk"=dword:00000000
"C:\\Windows\\NTDS\\edb.log"=dword:00000000
"C:\\Windows\\NTDS\\edb00001.log"=dword:00000000
"C:\\Windows\\NTDS\\edb00002.log"=dword:00000000
"C:\\Windows\\NTDS\\edb00003.log"=dword:00000000
"C:\\Windows\\NTDS\\ntds.dit"=dword:00000000
"C:\\Windows\\NTDS\\RES1.log"=dword:00000000
"C:\\Windows\\NTDS\\RES2.log"=dword:00000000
"C:\\Windows\\NTDS\\TEMP.edb"=dword:00000000
"C:\\Windows\\ntfrs\\jet\\log\\edb.log"=dword:00000000
"C:\\Windows\\ntfrs\\jet\\log\\res1.log"=dword:00000000
"C:\\Windows\\ntfrs\\jet\\log\\res2.log"=dword:00000000
"C:\\Windows\\ntfrs\\jet\\Ntfrs.jdb"=dword:00000000
"C:\\Windows\\ntfrs\\jet\\sys\\edb.chk"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\Domain Controller\NoScanDir]
"C:\\System Volume Information\\DFSR"=dword:00000001
"C:\\Windows\\SYSVOL"=dword:00000000
"c:\\windows\\sysvol\\domain\\DO_NOT_REMOVE_NtFrs_PreInstall_Directory"=dword:00000001
"c:\\windows\\sysvol\\staging"=dword:00000001
"C:\\Windows\\SYSVOL\\staging areas"=dword:00000001
"C:\\Windows\\SYSVOL\\sysvol"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\HeuristicScanning]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\HeuristicScanning\FileHash]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\HeuristicScanning\FileName]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Extensions]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\FileName]
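
To check a server for the gap this article describes, the following is an added Python example (not Symantec's or Microsoft's code). It parses a reg export of the Domain Controller exclusion key shown above and reports which of the Microsoft-recommended DHCP, DNS and WINS folders have no covering SEP directory exclusion. The sample export is constructed and abridged from the listing above, and the %systemroot% locations are assumed to resolve to C:\Windows as in that listing.

```python
import re
from typing import Dict, List

# Key layout as shown in the article; the .reg escaping rules are the standard ones.
SEP_DC_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec"
              r"\Symantec Endpoint Protection\AV\Exclusions\Domain Controller")

# Folders and patterns Microsoft KB 822158 recommends excluding (as quoted in the article).
RECOMMENDED = {
    r"C:\Windows\System32\DHCP": ["*.mdb", "*.pat", "*.log", "*.chk"],
    r"C:\Windows\System32\Dns": ["*.log", "*.dns", "BOOT"],
    r"C:\Windows\System32\Wins": ["*.chk", "*.log", "*.mdb"],
}

# Constructed sample export, abridged from the article's listing (a pre-RU6 MP2 client).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\Domain Controller\FileExceptions]
"C:\\Windows\\NTDS\\ntds.dit"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\Domain Controller\NoScanDir]
"C:\\Windows\\SYSVOL"=dword:00000000
"C:\\Windows\\SYSVOL\\staging areas"=dword:00000001
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: raw_data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (m := _VALUE_RE.match(line)):
            keys[current][_unescape(m.group(1))] = m.group(2)
    return keys

def uncovered_folders(reg: Dict[str, Dict[str, str]]) -> List[str]:
    """Recommended folders with no SEP directory exclusion at or above them."""
    excluded = [d.lower().rstrip("\\") for d in reg.get(SEP_DC_KEY + r"\NoScanDir", {})]
    return [f for f in RECOMMENDED
            if not any(f.lower() == d or f.lower().startswith(d + "\\") for d in excluded)]

if __name__ == "__main__":
    for folder in uncovered_folders(parse_reg(SAMPLE_REG)):
        print(f"no SEP directory exclusion covers {folder}; add patterns {RECOMMENDED[folder]}")
```

A real export written by reg export is UTF-16 encoded; open it with encoding="utf-16" before passing its text to parse_reg.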

Legacy ID: 2010031913175948