How to exclude 2008 R2 Cluster Shared Volumes from Symantec Endpoint Protection
Article: TECH140062 | Created: 2010-09-16 | Updated: 2011-07-21 | Article URL: http://www.symantec.com/docs/TECH140062
How do you exclude 2008 R2 Cluster Shared Volumes from Symantec Endpoint Protection?
File and folder exclusions do not appear to be effective: Endpoint Protection still scans files on the Cluster Shared Volumes.
For example, a Risk detected entry in the log:
9/16/2010 11:43:04 AM Anomaly Found Auto-Protect scan SYSTEM EICAR Test String \Device\HarddiskVolume9\... Cleaned by deletion Deleted Clean security risk Quarantine
Cluster Shared Volumes are a new technology available only on 2008 R2 clusters. This type of storage does not have an assigned drive letter; it is accessed through a reparse point on each node under %systemdrive%\ClusterStorage\. This reparse point appears as a normal directory, e.g. C:\ClusterStorage\Volume1\, but actually refers to a location on a different volume. Even though C:\ClusterStorage\ can be selected when specifying a file or folder exclusion, Endpoint Protection tries to follow reparse points to their original drive letter and directory. Since there is no drive letter, the original location is returned as a device pathname like "\Device\HarddiskVolume9\..." which cannot be specified as a matching exclusion for Endpoint Protection.
Symantec is aware of this issue and is investigating.
This document will be updated as new information becomes available.
A partial workaround may be implemented by excluding files based on extension; these types of exclusions are still effective. The Cluster Shared Volumes feature of failover clustering is supported by Microsoft only for use with the Hyper-V server role, so you should be fairly sure of the file types that will be on these volumes:
For further reference, see Cluster Shared Volumes Support for Hyper-V.
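The following is an added example, not part of the Symantec article: it audits SEP risk-log lines in the layout shown above, picks out Auto-Protect detections whose reported path is a resolved device pathname (\Device\HarddiskVolumeN\...), i.e. detections on Cluster Shared Volume storage that a folder exclusion did not suppress, and reports which of them an extension-based exclusion list would still leave uncovered. The sample log lines and the extension list are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample risk-log lines in the layout shown in the article
# (date/time, event, scan type, user, risk name, path, actions taken).
SAMPLE_LOG = """\
9/16/2010 11:43:04 AM Anomaly Found Auto-Protect scan SYSTEM EICAR Test String \\Device\\HarddiskVolume9\\VM1\\eicar.com Cleaned by deletion Deleted Clean security risk Quarantine
9/16/2010 11:45:10 AM Anomaly Found Auto-Protect scan SYSTEM EICAR Test String C:\\Temp\\eicar.com Cleaned by deletion Deleted Clean security risk Quarantine
9/16/2010 11:47:22 AM Anomaly Found Auto-Protect scan SYSTEM EICAR Test String \\Device\\HarddiskVolume9\\VM2\\disk.vhd Cleaned by deletion Deleted Clean security risk Quarantine
"""

# A device pathname is what Auto-Protect reports once the CSV reparse point
# under C:\ClusterStorage\ has been resolved; folder exclusions cannot match it.
DEVICE_PATH = re.compile(r"(\\Device\\HarddiskVolume\d+\\\S*)")
TIMESTAMP = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)")


@dataclass
class CsvDetection:
    timestamp: str
    path: str
    extension: str  # lower-case, without the dot; "" when the file has none


def find_csv_detections(log_text):
    """Return detections whose reported path is a device pathname (CSV storage)."""
    hits = []
    for line in log_text.splitlines():
        m = DEVICE_PATH.search(line)
        if not m:
            continue  # drive-letter path: folder exclusions can apply normally
        ts = TIMESTAMP.match(line)
        path = m.group(1)
        filename = path.rsplit("\\", 1)[-1]
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        hits.append(CsvDetection(ts.group(1) if ts else "", path, ext))
    return hits


def uncovered_by_extension(detections, excluded_extensions):
    """Detections that an extension-based exclusion list would NOT suppress."""
    allowed = {e.lower().lstrip(".") for e in excluded_extensions}
    return [d for d in detections if d.extension not in allowed]


if __name__ == "__main__":
    found = find_csv_detections(SAMPLE_LOG)
    for d in uncovered_by_extension(found, [".vhd", ".avhd"]):  # assumed list
        print(f"{d.timestamp}: CSV detection not covered by extension exclusion: {d.path}")
```

Run it against an exported risk log to see how much of the CSV scanning activity the extension-based workaround actually covers before relying on it.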
SEP AutoProtect exclusions are ignored for Cluster Shared Volumes