How are exclusions implemented by Symantec AntiVirus Corporate Edition?

Article:TECH98546  |  Created: 1999-01-18  |  Updated: 2007-01-08  |  Article URL http://www.symantec.com/docs/TECH98546
Article Type
Technical Solution


Environment

Issue



You want to know whether the Exclusions feature of Symantec AntiVirus Corporate Edition (Symantec AV) or Norton AntiVirus Corporate Edition (NAVCE) is "exclude first" or "exclude last."


Solution



What are prescan and postscan exclusions?
With the postscan exclusion method, every file is scanned, including files that are in the exclusion list. When an infected file is found, the scanner checks the exclusion list to see whether the file is excluded. If the infected file is excluded, the file is left alone and no report is generated. With the prescan exclusion method, the scanner checks the exclusion list before scanning each file. If the file is in the exclusion list, the file is not scanned.

Do Symantec products use the prescan or postscan exclusion method?
NAVCE version 7.0x uses a postscan exclusion method to exclude files. NAVCE 7.5 and 7.6, and Symantec AV 8.0 can be configured to use prescan or postscan exclusion methods to exclude files. By default, NAVCE uses the postscan method, because scanning performance is generally better. Note that prescan exclusions are only available on Windows computers. NetWare servers only support postscan exclusions.

To configure Symantec AV 8 or NAVCE 7.5 or 7.6 to use the prescan exclusion method on a scheduled scan:
  1. Open the Symantec System Center (SSC), and then unlock the server group.
  2. Right-click the server, point to All Tasks, point to Symantec AntiVirus or Norton AntiVirus, and then click Scheduled Scans.
  3. Create a scheduled scan or edit an existing one.
  4. Click Scan Settings.
  5. Click Options.
  6. Click the "Exclude files and folders" box, and then click Exclusions.
  7. Click the "Check file for exclusion before scanning" box.
  8. Click Extensions or Files/Folders to create the exclusions.

NOTE: Using a similar method, you can configure prescan exclusions for Manual Scans and Realtime Virus Protection from within SSC or the NAVCE user interface.

Why would I want to enable prescan exclusions?
In certain scenarios, enabling prescan exclusions can enhance performance. For example, suppose a server hosts a database that performs thousands of file operations on files with a specific, unique extension, and you choose not to scan those files because that file type currently has no virus threats associated with it. Adding the extension to the exclusions list and enabling prescan exclusions would then increase performance, because all files with that extension are excluded from scanning. If prescan exclusions were disabled in the same scenario, all of the files would be scanned, resulting in a larger performance hit, because scanning a file generally takes longer than parsing through the exclusions list.

In an environment where a large variety of files goes through a server, it is generally better to disable prescan exclusions. For example, you may scan All Types but want to exclude a certain extension that makes up only 2 percent of the server activity. In this case, it is better to keep prescan exclusions disabled. If you were to enable prescan exclusions, all files, including the 98 percent of files without that extension, would be parsed through the exclusions list before scanning. Because 98 percent of the files would not be excluded, 98 percent of the files would be parsed and scanned, rather than just scanned. With postscan exclusions (the default), only files that are infected are parsed through the exclusions list.
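
The trade-off in the two scenarios above, modeled as an added example (this is not Symantec code): it counts scan-engine calls and exclusion-list lookups for each method. The `.dbx` extension, the 1,000-file workloads, and the `infected` flag standing in for the engine's verdict are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Stats:
    scans: int = 0        # files handed to the scan engine
    list_checks: int = 0  # lookups against the exclusion list
    reported: int = 0     # infections reported

def is_excluded(name, excluded_exts):
    # Extension match only; file and folder exclusions are not modeled.
    return "." in name and name.rsplit(".", 1)[1].lower() in excluded_exts

def run_scan(files, excluded_exts, prescan):
    """files: (name, infected) pairs; `infected` stands in for the engine verdict."""
    s = Stats()
    for name, infected in files:
        if prescan:
            # Prescan: consult the list first and skip excluded files entirely.
            s.list_checks += 1
            if is_excluded(name, excluded_exts):
                continue
            s.scans += 1
            if infected:
                s.reported += 1
        else:
            # Postscan: scan everything, consult the list only on a detection.
            s.scans += 1
            if infected:
                s.list_checks += 1
                if not is_excluded(name, excluded_exts):
                    s.reported += 1
    return s

def workload(total, n_excluded):
    # Constructed sample: the first file of each kind is marked infected.
    dbx = [(f"data{i}.dbx", i == 0) for i in range(n_excluded)]
    doc = [(f"file{i}.doc", i == 0) for i in range(total - n_excluded)]
    return dbx + doc

if __name__ == "__main__":
    for label, n_excl in (("database server", 980), ("2 percent excluded", 20)):
        files = workload(1000, n_excl)
        for prescan in (True, False):
            mode = "prescan" if prescan else "postscan"
            print(f"{label:20} {mode:9} {run_scan(files, {'dbx'}, prescan)}")
```

In both modes the infected file with the excluded extension is never reported; the methods differ only in how many scans and list lookups are performed.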





Legacy ID



1999051810561348

