Symantec AntiVirus for Linux: How to Configure Scan Exclusions from the Command Line Interface

Article:TECH95274  |  Created: 2009-01-29  |  Updated: 2012-08-20  |  Article URL http://www.symantec.com/docs/TECH95274
Article Type
Technical Solution


Issue



How to Configure Scan Exclusions from the Command Line Interface for SAVFL (Symantec AntiVirus for Linux)


Solution




Scan exclusions in SAVFL are case sensitive and use forward slashes, not the back slashes used in Windows paths. Wild cards, regular expressions, etc. are generally not supported, but you can specify general exclusions for file extensions such as .txt or .html. Exclusions can be configured from the command line in SAVFL with the symcfg tool, which must be run as root. For more documentation on symcfg, please refer to the SAV for Linux Implementation Guide:

ftp://ftp.symantec.com/public/english_us_canada/products/symantec_antivirus/symantec_antivirus_corp/10.1/manuals/SAV_Linux_Impl.pdf

Excluding Directories in Real Time Scans

    To enable directory exclusions (note that back slashes are used in the configuration key (-k) specification):
    symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan' -v HaveExceptionDirs -d 1 -t REG_DWORD
    (use -d 0 instead of -d 1 to disable)

    To add excluded directories:
    symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir' -v /my/path/to/folder1 -d 1 -t REG_DWORD
    symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir' -v /my/path/to/folder2 -d 1 -t REG_DWORD
    etc.

    Be careful to specify directory exclusions using full paths with a leading slash, otherwise the exclusion may be ignored.

    If you want to exclude a directory but not its sub-directories, use -d 0 in the command line. e.g.:
    symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir' -v /my/path/to/folder2 -d 0 -t REG_DWORD
    ... will exclude /my/path/to/folder2, but will not exclude sub-folders.

    To remove a single directory exclusion:
    symcfg delete -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir' -v /my/path/to/folder2

    To remove all excluded directories:
    symcfg delete -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir'


Excluding Files in Real Time Scans

    To enable file exclusions:
    symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan' -v HaveExceptionFiles -d 1 -t REG_DWORD
    (use -d 0 instead of -d 1 to disable)

    WARNING: HaveExceptionFiles=0 also disables file extension exclusions.
    To disable file exclusions without affecting file extension exclusions, delete the HaveExceptionFiles value rather than setting it to zero:
    symcfg delete -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan' -v HaveExceptionFiles

    To add excluded files:
    symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\FileExceptions' -v /my/path/to/file1 -d 1 -t REG_DWORD
    symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\FileExceptions' -v /my/path/to/file2 -d 1 -t REG_DWORD
    etc.

    File exclusions require full path including leading forward slash.

    To remove a single file exclusion:
    symcfg delete -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\FileExceptions' -v /my/path/to/file2

    To remove all excluded files:
    symcfg delete -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\FileExceptions'


Excluding Extensions in Real Time Scans

    To enable extension exclusions:
    symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan' -v ExcludedByExtensions -d 1 -t REG_DWORD
    (use -d 0 instead of -d 1 to disable. Note also the WARNING above for HaveExceptionFiles: the HaveExceptionFiles value must be absent or set to one for extension exclusions to work)

    To specify excluded extensions (*.abc and *.xyz in this example):
    symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan' -v ExcludedExtensions -d 'abc,xyz' -t REG_SZ


    Note that the entire list of excluded extensions is specified in one command, unlike file and directory exclusions. So, if you need to add or remove a single extension, re-execute the command with the modified list.


Specifying Exclusions for Scans other than Real Time

    The commands are identical to the ones above, but Storages\FileSystem\RealTimeScan is replaced with the following:

    LocalScans\ManualScan for exclusions that are applied to all manual scans
    Custom Tasks\ (e.g. Custom Tasks\myschedscan) for exclusions that are applied to a specific scheduled scan (NOTE there is a space in "Custom Tasks")
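The following shell helpers are an added example, not part of this article or of the SAVFL product: they wrap the symcfg invocations from the sections above so that a path is rejected before it reaches symcfg if it lacks the leading slash (which the article says causes the exclusion to be silently ignored) or contains wildcards (unsupported), and they build the single comma-separated extension list. The helper names, the SYMCFG override and the savfl_dryrun preview function are assumptions of this example; the registry keys and value names are the ones given above.

```shell
# Added example (not from the Symantec article): wrappers around the symcfg
# commands shown above. Run as root with SYMCFG unset; set SYMCFG=savfl_dryrun
# to print the exact command instead of changing the configuration.

SYMCFG="${SYMCFG:-symcfg}"
RTS='\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan'

# Preview hook: prints the would-be symcfg command (SYMCFG=savfl_dryrun).
savfl_dryrun() { printf 'would run: symcfg %s\n' "$*"; }

# Accept only absolute, wildcard-free paths. Exclusions are case sensitive
# and matched literally, so the path is passed through unchanged.
savfl_check_path() {
    case "$1" in
        /*) ;;
        *)  echo "refusing '$1': needs a full path with a leading /" >&2; return 1 ;;
    esac
    case "$1" in
        *[*?[]*) echo "refusing '$1': wildcards are not supported" >&2; return 1 ;;
    esac
}

# Exclude a directory from real-time scans. $2 is the -d value: 1 (default)
# also covers sub-directories, 0 excludes only the directory itself.
savfl_exclude_dir() {
    savfl_check_path "$1" || return 1
    "$SYMCFG" add -k "$RTS" -v HaveExceptionDirs -d 1 -t REG_DWORD &&
    "$SYMCFG" add -k "$RTS\\NoScanDir" -v "$1" -d "${2:-1}" -t REG_DWORD
}

# Exclude a single file from real-time scans.
savfl_exclude_file() {
    savfl_check_path "$1" || return 1
    "$SYMCFG" add -k "$RTS" -v HaveExceptionFiles -d 1 -t REG_DWORD &&
    "$SYMCFG" add -k "$RTS\\FileExceptions" -v "$1" -d 1 -t REG_DWORD
}

# Replace the whole extension list: SAVFL takes it as one comma-separated
# REG_SZ value, so every extension still wanted must be passed each time.
# Leading dots are stripped so ".txt" and "txt" both become "txt".
savfl_exclude_exts() {
    list=""
    for ext in "$@"; do
        ext="${ext#.}"
        list="${list:+$list,}$ext"
    done
    "$SYMCFG" add -k "$RTS" -v ExcludedByExtensions -d 1 -t REG_DWORD &&
    "$SYMCFG" add -k "$RTS" -v ExcludedExtensions -d "$list" -t REG_SZ
}
```

For manual or scheduled scans, point RTS at LocalScans\ManualScan or Custom Tasks\<name> as described in the previous section; the helpers are otherwise unchanged.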





Technical Information

"Symantec Endpoint Protection\AV" is the key prefix in SAVFL as of version 1.0.6. Earlier versions used keys that were prefixed with "VirusProtect6".


References

Additional information can be found in the Connect Forum article SAV for Linux Scanning Best Practices: A (Somewhat) Illustrated Guide.




Legacy ID



2009072917021448

