How to exclude 2008 R2 Cluster Shared Volumes from Symantec Endpoint Protection
| Article:TECH140062 | | | Created: 2010-09-16 | | | Updated: 2011-07-21 | | | Article URL http://www.symantec.com/docs/TECH140062 |
Problem
How do you exclude 2008 R2 Cluster Shared Volumes from Symantec Endpoint Protection?
File and folder exclusions do not appear to be effective--Endpoint Protection still scans files on the Cluster Shared Volumes.
Error
For example--Risk detected
9/16/2010 11:43:04 AM Anomaly Found Auto-Protect scan SYSTEM EICAR Test String \Device\HarddiskVolume9\... Cleaned by deletion Deleted Clean security risk Quarantine
Cause
Cluster Shared Volumes are a new technology available only on 2008 R2 clusters. This type of storage does not have an assigned drive letter; it is accessed through a reparse point on each node under %systemdrive%\ClusterStorage\. This reparse point appears as a normal directory, e.g. C:\ClusterStorage\Volume1\, but actually refers to a location on a different volume. Even though C:\ClusterStorage\ can be selected when specifying a file or folder exclusion, Endpoint Protection tries to follow reparse points to their original drive letter and directory. Since there is no drive letter, the original location is returned as a device pathname like "\Device\HarddiskVolume9\..." which cannot be specified as a matching exclusion for Endpoint Protection.
Symantec is aware of this issue and is investigating.
Solution
This document will be updated as new information becomes available.
A partial workaround may be implemented by excluding files based on extension--these types of exclusions are still effective. The Cluster Shared Volumes feature of failover clustering is supported by Microsoft only for use with the Hyper-V server role, so you should be fairly sure of the file types that will be on these volumes:
.vhd
.avhd
.vsv
.xml
.bin
.iso
.vfd
.exp
For further reference, see Cluster Shared Volumes Support for Hyper-V.
|
|
| Source | ETrack |
| Value | 2149424 |
| Description | SEP AutoProtect exclusions are ignored for Cluster Shared Volumes |
Article URL http://www.symantec.com/docs/TECH140062
Terms of use for this information are found in Legal Notices
Thank you.