How to exclude 2008 R2 Cluster Shared Volumes from Symantec Endpoint Protection

Article:TECH140062  |  Created: 2010-09-16  |  Updated: 2013-09-13  |  Article URL
Article Type
Technical Solution


How do you exclude 2008 R2 Cluster Shared Volumes from Symantec Endpoint Protection?

File and folder exclusions do not appear to be effective--Endpoint Protection still scans files on the Cluster Shared Volumes.



For example--Risk detected

9/16/2010 11:43:04 AM Anomaly Found Auto-Protect scan SYSTEM EICAR Test String \Device\HarddiskVolume9\... Cleaned by deletion Deleted Clean security risk Quarantine


Cluster Shared Volumes are a new technology available only on 2008 R2 clusters. This type of storage does not have an assigned drive letter; it is accessed through a reparse point on each node under %systemdrive%\ClusterStorage\. This reparse point appears as a normal directory, e.g. C:\ClusterStorage\Volume1\, but actually refers to a location on a different volume. Even though C:\ClusterStorage\ can be selected when specifying a file or folder exclusion, Endpoint Protection tries to follow reparse points to their original drive letter and directory. Since there is no drive letter, the original location is returned as a device pathname like "\Device\HarddiskVolume9\..." which cannot be specified as a matching exclusion for Endpoint Protection


This behavior is a consequence of SEP's current design, which requires file paths that can be resolved to a drive letter. Changing this requirement would be an enhancement for a future release, but not considered to be a defect

A partial workaround may be implemented by excluding files based on extension--these types of exclusions are still effective. The Cluster Shared Volumes feature of failover clustering is supported by Microsoft only for use with the Hyper-V server role, so you should be fairly sure of the file types that will be on these volumes:


For further reference, see Cluster Shared Volumes Support for Hyper-V.

Supplemental Materials


SEP AutoProtect exclusions are ignored for Cluster Shared Volumes

Article URL

Terms of use for this information are found in Legal Notices