Recommended exceptions for Endpoint Protection on Hyper-V

Article: TECH133846  |  Created: 2010-01-10  |  Updated: 2015-02-18
Article Type
Technical Solution



You want to know which files and folders to exclude from scanning on a Windows 2008-based server that has the Hyper-V role installed, on a Microsoft Hyper-V Server 2008 computer, or on a Microsoft Hyper-V Server 2008 R2 computer.



Exclude files and folders

  • Default virtual machine configuration directory (C:\ProgramData\Microsoft\Windows\Hyper-V)
  • Custom virtual machine configuration directories
  • Default virtual hard disk drive directory (C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks)
  • Custom virtual hard disk drive directories
  • Snapshot directories
  • Vmms.exe (Note: May need to be configured as process exclusions within the antivirus software)
  • Vmwp.exe (Note: May need to be configured as process exclusions within the antivirus software)
  • If you use Live Migration together with Cluster Shared Volumes on Windows Server 2008 R2, exclude the CSV path "C:\Clusterstorage" and all its subdirectories.


How to set up exclusions

Note: Security Risk Exceptions are global, and apply to all Scheduled Scans as well as real-time Auto-Protect.

  1. Log into the SEPM and click Policies.
  2. Under Policies click Exceptions.
  3. Under Tasks click Add an Exceptions policy. This will create and open a new Centralized Exceptions Policy.
  4. In the left pane, click Exceptions policy and select Edit the policy under Tasks.
  5. In the policy, select Exceptions.
  6. Click the Add button to open a drop-down menu. Move the cursor over Windows Exceptions to open a second drop-down menu.
  7. Select one of the nine options: Application, Application to Monitor, Application Control, Extensions, File, Folder, Known Risks, Trusted Web Domain, Tamper Protection Exception.

    Note: Wildcard variables such as * and ? are not supported for Known Risks, File, or Folder exceptions. The ? wildcard is supported for Extension exceptions. The Folder exceptions screen will accept * and ?, but they will be treated as literal characters, not as wildcard variables.

    For File and Folder-based exclusions, the Full Path to the file must be specified, unless a "Prefix Variable" is selected. If a "Prefix Variable" is selected, the path specified should be relative to the selected "Prefix Variable".

    If you are unsure about what type of exception to make, please see the chapter entitled "Configuring Centralized Exceptions Policies" in the PDF "Administration Guide for Symantec™ Endpoint Protection and Symantec Network Access Control".
  8. Enter the appropriate information for the item to be excluded. For Extensions, File, and Folder exclusions, specify the type of scans that will be excluded from the drop down menu or menus.
  9. (Optional) Repeat steps 6 through 8 to add any other Security Risk Exceptions to the policy.
  10. Click OK.
  11. Assign the policy to a group within the SEPM.
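
A planned exclusion list can be checked against the wildcard and full-path rules from the note in step 7 before it is typed into the SEPM, so that an entry that would be accepted but never match is caught early. This is an added example, not Symantec code; the `D:\VMs` directory and the `EXAMPLE_PREFIX` prefix variable name are constructed placeholders.

```python
import ntpath

PATH_KINDS = {"File", "Folder"}  # exception types that take a path

def check_exception(kind, value, prefix_variable=None):
    """Return the problems found in one planned exception (empty list = OK)."""
    problems = []
    if kind not in PATH_KINDS:
        return problems  # other exception types are not checked in this sketch
    # The console accepts * and ? here but treats them as literal characters,
    # so the entry would never match the directories it was meant to cover.
    found = sorted(set(value) & {"*", "?"})
    if found:
        problems.append("wildcard %s is taken literally in %s exceptions"
                        % (" ".join(found), kind))
    # A full path has a drive (or UNC share) and a rooted remainder.
    drive, _ = ntpath.splitdrive(value)
    is_full = bool(drive) and ntpath.isabs(value)
    if prefix_variable is None and not is_full:
        problems.append("full path required when no prefix variable is selected")
    if prefix_variable is not None and is_full:
        problems.append("path must be relative to the selected prefix variable")
    return problems

# Constructed plan: (exception type, value, prefix variable or None).
PLAN = [
    ("Folder", r"C:\ProgramData\Microsoft\Windows\Hyper-V", None),
    ("Folder", r"C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks", None),
    ("Folder", r"C:\Clusterstorage", None),
    ("Folder", r"D:\VMs\*\Snapshots", None),                 # wildcard, no match
    ("File", "Vmms.exe", None),                              # bare file name
    ("Folder", r"Microsoft\Windows\Hyper-V", "EXAMPLE_PREFIX"),
]

def review(plan):
    """Map each rejected entry to its list of problems."""
    results = {}
    for entry in plan:
        problems = check_exception(*entry)
        if problems:
            results[entry] = problems
    return results

if __name__ == "__main__":
    for entry, problems in review(PLAN).items():
        print(entry[0], entry[1], "->", "; ".join(problems))
```
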

For more information, please see
