How to create a Security Risk Exception for a Mac client from the Symantec Endpoint Protection Manager (SEPM)

Article:TECH131707  |  Created: 2010-01-14  |  Updated: 2013-10-13  |  Article URL http://www.symantec.com/docs/TECH131707
Article Type: Technical Solution

Issue

You would like to create a Security Risk Exception for a Symantec Endpoint Protection for Macintosh client from the SEPM.

Solution

NOTE: In SEP for Macintosh (as of SEP 11 RU6) Centralized Exceptions are honored only by AutoProtect scans.
See: Centralized Exceptions set for Macintosh clients do not seem to be respected for scheduled or manual scans

Follow the steps below to add a custom Security Risk Exception for a Mac client from the SEPM.

  1. Launch the Symantec Endpoint Protection Manager.
  2. To create a blank Centralized Exceptions policy, under the Policies view, select the Centralized Exceptions option, then click Add a Centralized Exceptions Policy. Enter a name for the policy and then click OK.

    You can also modify a Centralized Exceptions policy currently in use in the group in which your Mac client (or clients) reside.

  3. Under Centralized Exceptions, click Add, select Mac Exceptions, then select Security Risk Exception for File and Folder.

  4. Enter the file or folder path and then click OK. Macintosh file paths use the forward slash ( / ), not the backslash ( \ ). A leading forward slash is not required if a prefix is chosen. As well as the prefix choices, SEP for Macintosh supports a range of wildcard matches:
    * matches zero or more characters (any characters, including slashes in a path)
    ? matches exactly one character (again, any character)
    [ ] matches a single character against a list and/or range of characters
    ^ (used inside [ ]) matches a single character that is not in the list or range that follows it

    Note that subfolders are automatically part of an excluded folder, but compressed archives won't be excluded unless you add a trailing asterisk.


  5. To save the changes to the policy, click OK, then OK again. If this is a new policy, you will be asked to assign it. Assign it to the group(s) in which the Mac client(s) reside. It will override any Centralized Exceptions policy already assigned to that group.

To complete this process and exclude this file/location from real-time scanning by Auto-Protect, you must also perform these additional steps:

  1. While still in the Policies section of the SEPM, click Antivirus and Antispyware in the left pane, then open the Antivirus and Antispyware policy in use by the group(s) in which the Mac clients reside.
  2. In the window that opens, in the left pane under Mac Settings, click File System Auto-Protect.
  3. Under Scan Details, under General Scan Details, select Scan everywhere except in specified folders.
  4. To save the changes to the policy, click OK.


Technical Information

Debugging:

Debugging Sylink communications with Symantec Endpoint Protection for Macintosh (SEP for Mac)

You can verify that the SEP for Macintosh client has received the policy by turning on smc debugging and examining smc_debug.log, found in /Library/Application Support/Symantec/SMC/debug/

Confirm the Macintosh File System Auto-Protect general options by searching for ApScanOptions; the WhereToScanFiles attribute shows which option is in effect:

<ApScanOptions  WhereToScanFiles="SCAN_EVERWHERE">
<ApScanOptions  WhereToScanFiles="SCAN_EXCEPT_IN">
<ApScanOptions  WhereToScanFiles="SCAN_ONLY_IN">
<ApScanOptions  WhereToScanFiles="DO_NOT_SCAN">

... and confirm the Centralized Exception details by searching for MacGlobalExceptionName.

Prefix variables and wildcards:

[HOME] = any user's home directory (/Users/username/); applies also to the root home directory (/var/root/)
[APPLICATION] = the Applications directory = /Applications/
[LIBRARY] = /Library/

As well as the prefix choices, SEP for Macintosh supports a range of wildcard matches:
* matches zero or more characters (all characters, including slashes in a path)
? matches a single character (again, all)
[ ] matches a single character against a list and/or range of characters
^ (used inside [ ]) matches a single character that is not in the list or range that follows it

For example, the SEP quarantine file is sometimes included in Time Machine backups and causes undesirable Auto-Protect detections on the backup volume. This file (QuarantineFile.qtn) can be excluded by name, under all paths, with the following exception:

/*QuarantineFile.qtn
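As an added example (not Symantec's code, and not how the client itself evaluates exceptions), the following Python translates exception patterns that use the prefixes and wildcards described in step 4 and in this Technical Information section into regular expressions, so an administrator can check which paths an exception such as /*QuarantineFile.qtn would cover before assigning the policy. The expansion of [HOME] to /Users/<name>/ and /var/root/, and the treatment of a trailing slash as a folder exception, are assumptions based on this article's descriptions.

```python
import re

# Prefix variables as the article documents them for SEP for Macintosh
# exceptions; [HOME] covers every user's home and root's home (/var/root/).
PREFIXES = {
    "[HOME]": r"(?:/Users/[^/]+/|/var/root/)",
    "[APPLICATION]": r"/Applications/",
    "[LIBRARY]": r"/Library/",
}

def exception_to_regex(pattern: str) -> str:
    """Translate one exception pattern into an anchored regular expression.
    '*' and '?' match any character, slashes included. A pattern ending in
    '/' is treated as a folder exception covering everything beneath it
    (assumption, following the note that subfolders are excluded too)."""
    is_folder = pattern.endswith("/")
    parts = []
    for prefix, regex in PREFIXES.items():
        if pattern.startswith(prefix):
            parts.append(regex)
            pattern = pattern[len(prefix):]
            break
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            parts.append(".*")
        elif c == "?":
            parts.append(".")
        elif c == "[" and pattern.find("]", i + 2) != -1:
            j = pattern.index("]", i + 2)
            # Character list/range; a leading '^' negates it, as in regex syntax.
            parts.append("[" + pattern[i + 1:j].replace("\\", "\\\\") + "]")
            i = j
        else:
            parts.append(re.escape(c))  # everything else is literal
        i += 1
    if is_folder:
        parts.append(".*")
    return "^" + "".join(parts) + "$"

def exception_matches(pattern: str, path: str) -> bool:
    """True if the exception `pattern` would cover `path`."""
    return re.fullmatch(exception_to_regex(pattern), path) is not None

def covered_paths(pattern: str, paths: list) -> list:
    """Sample paths the exception would exclude from scanning; a quick check
    that an exception is no broader than intended."""
    return [p for p in paths if exception_matches(pattern, p)]
```

Run covered_paths over a listing of the volumes you intend to protect to see exactly what an exception removes from Auto-Protect coverage.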


Legacy ID: 2010041505243448