Centralized Exceptions Policies - Why to use them and how to configure them 

Apr 24, 2009 04:44 PM

Why Should I Use A Centralized Exceptions Policy?

There are many reasons to create a Centralized Exceptions Policy. Some of the most common are:

  1. In order to automate administrative tasks on user machines, you use tools to hide script windows while they run in the background.
  2. IT Staff use tools such as IP scanners or key loggers for legitimate administrative purposes.
  3. You'd like to control whether your users can add program or security risk exceptions themselves.

Applications and tools that assist with automated scripting, IP scanners and key loggers are often categorized as security risks by antivirus software, including Symantec Endpoint Protection. Once SEP has been installed, it will prevent any program that it categorizes as a security risk from running and will move it to the quarantine.

In nearly all companies, letting the IT department script and automate administrative functions is a critical time saver. To make sure that the programs you need, but which SEP classifies as security risks, remain available to your users and IT staff, create a Centralized Exceptions Policy.


How To Create A Centralized Exceptions Policy:

Centralized Exceptions Policies can be created from within Symantec Endpoint Protection Manager. Once you've loaded it and logged in, follow these steps:

  1. Choose the Policies tab from the left-hand menu.
  2. Under View Policies, select Centralized Exceptions.
  3. Right-click in the Centralized Exceptions Policies section and choose Add.
  4. In the Overview of your new policy, type a name and description for it (e.g. "IT Exceptions" and "Security Risk Exceptions for the IT Department").
  5. Next, click on Centralized Exceptions in the left menu.
  6. On this screen, add the applications that you'd like to exclude from SEP checking. These can be Security Risks, specific files or folders, or even file extensions. To exclude one of these items, add it and choose Ignore as the action.
  7. The third option on the left menu lets you allow or deny specific Policy Groups the ability to create exceptions themselves. You can choose specific types of allowed or denied exceptions if you'd prefer.
  8. Finally, click OK.

Assigning A Centralized Exceptions Policy:


Now that you've created your Centralized Exceptions Policy, you'll need to assign it to one or more of the administrative client groups.

  1. In the Centralized Exceptions Policies list view, right-click on the newly created policy (IT Exceptions in my case). Choose Assign.
  2. You will now be presented with a list of your administrative client groups, including "My Company" and the Default group.
  3. Place a check mark next to each client group that you'd like to assign this policy to. (NOTE: If you choose "My Company", the policy will be assigned to every client group below that uses policy inheritance.)
  4. Once you've checked all client groups that you'd like to apply this policy to, choose Assign.
  5. The policy will be applied to the client groups you've chosen the next time the SEP client software checks in with the SEP Management Server. How long this takes varies with your client group's Communications Settings (usually within 15 minutes if you're using Push mode).
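
The inheritance note in step 3 decides where the exceptions actually land, so it is worth comparing the groups you check with the groups you meant to exempt. The following is an added example, not part of the original article or of SEPM: it models a constructed group tree (every name except "My Company" and "Default Group" is hypothetical) and assumes that a group with inheritance on takes its policies from its immediate parent.

```python
# Added example: which client groups end up with a policy after "Assign".
# The group tree is constructed sample data; every name except "My Company"
# and "Default Group" is hypothetical. Assumed model: a group with
# inheritance on takes its policies from its immediate parent.

GROUPS = {
    # group: (parent, inherits_from_parent)
    "My Company": (None, False),
    "Default Group": ("My Company", True),
    "IT": ("My Company", False),
    "IT/Helpdesk": ("IT", True),
    "Servers": ("My Company", True),
    "Servers/SQL": ("Servers", True),
    "Finance": ("My Company", False),
}


def policy_source(group, groups=GROUPS):
    """Follow inheritance upward to the group whose own assignment applies."""
    parent, inherits = groups[group]
    while inherits and parent is not None:
        group = parent
        parent, inherits = groups[group]
    return group


def effective_scope(checked, groups=GROUPS):
    """Groups that receive the policy when the `checked` groups are ticked."""
    checked = set(checked)
    return sorted(g for g in groups if policy_source(g, groups) in checked)


def review_assignment(checked, intended, groups=GROUPS):
    """Compare where the exceptions land with where they were meant to land."""
    scope = set(effective_scope(checked, groups))
    return {
        "unintended": sorted(scope - set(intended)),
        "missed": sorted(set(intended) - scope),
    }


if __name__ == "__main__":
    wanted = ["IT", "IT/Helpdesk"]
    print(effective_scope(["My Company"]))
    print(review_assignment(["My Company"], wanted))
    print(review_assignment(["IT"], wanted))
```

In this sample tree, checking "My Company" for an IT-only exception reaches the server groups while missing the IT groups, because IT does not inherit; checking "IT" lands exactly where intended.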
     

Comments

Jan 14, 2015 06:13 AM

Is there any exception policy for Hyper-V server??

Sep 18, 2012 03:16 AM

When the exceptions are added to the client, do you have to stop and start the SEP services for the changes to apply?

I have added the exceptions and SEP still scans the directories.

And also checking the registry, there is no folder for exceptions listed.

Oct 20, 2010 10:36 AM

Quick question:

Is it possible to see from the SEP console the exceptions created by the client? So I don't mean the centralized exception policy, but the ones entered manually from the client side.

I would like to collect this information to create a centralized policy ad hoc and then deny clients the ability to create new exceptions in the future.

thanks

Sep 17, 2010 01:51 PM

If PTP finds a process, it can be added to the exception and optionally configured to log, quarantine, stop, etc. However, to manually add a process it has to be a .EXE extension and will only log. This seems broken to me!!

The latest IMSOLK virus is not being caught by PTP, only by Auto Protect, which allows the virus to continue running in memory and attempting to infect other systems.

Jun 04, 2010 04:12 PM

I am running SEP 11.0.5002.333 "standalone" (i.e. without SEP Mgr installed) on a small network. The option for "Change Settings", "Centralized Exceptions", "Add", "Security Risk Exceptions", "File" is not grayed out, but nothing happens when it is clicked. The "Folder" selection does allow selecting a folder to ignore, but the files in the folder continue to be treated as a risk. I was able to enter the files in the folder as a "TruScan Proactive Threat Scan Exception" but two of the files continue to be treated as a risk (Nir Utilities, Dialuppass.exe and lsasecretsview.exe).

Dec 18, 2009 02:48 PM

While I know I can see Centralized Exceptions in the client machine's Registry, is it possible to display AdminExceptions within the SEP client? It is confusing to some people when they can see and click the "Centralized Exceptions" button, but are only presented with a "User Defined Exceptions" tab, which is empty.

This would be useful when I am assuring people that Database Files have exceptions in place.

Sep 30, 2009 12:00 PM

Hi M.R. 
  Any centralized exceptions policy should take effect for an Autoprotect or a Scheduled scan.

Regards,
 Scott

Sep 30, 2009 04:59 AM

Hi Scott,

We are able to create a centralized exceptions policy for the Autoprotect scan, but how can we exclude files or folders in a scheduled scan?

Jul 02, 2009 01:02 AM

Can anyone help me with how to exclude the Hyper-V files in Server 2008, which are located in the system32 folder? When I open the browse window to exclude the Hyper-V files, it doesn't show any of them, neither .exe nor .dll; the rest of the files appear, but not the Hyper-V files.

I am using SEP MR4 MP1a.

Please, can anyone help me out, because it's very critical for me.


Thanks and Regards
Saqib

May 04, 2009 10:28 AM

Hi Tejas,  After reviewing the MSIE wpad spoofing thread on Connect, it looks like the only real option in terms of exceptions is to create a specific exception for

C:\Program Files\Internet Explorer\iexplore.exe

Though doing so may expose you to further risks.

If that still doesn't resolve the issue, you may want to contact Symantec Customer Support.

May 04, 2009 08:38 AM

Can you help us in resolving the MSIE WPAD Spoofing issue using a denial policy or a centralized exception policy?

May 01, 2009 09:58 AM

Good Article,

I would like to see the ability to add multiple exception policies to groups :

ie

standard exception policy
sql exception policy
DC exception policy
wsus exception policy

etc
etc

Apr 29, 2009 06:33 PM

One thing to note is that I'm very cautious about using centralized exceptions. Basically I make absolutely sure they are applied to the right group, and validate that they are justified. Basically, my concern is that sometimes I walk into client environments where they have been very liberal in applying centralized exceptions. Therefore, there is some level of risk associated with these exceptions and weighing that risk is important.

In essence, apply centralized exceptions only when needed, don't apply them if you "think" there are issues. Instead, implement them when you know there is an issue with a particular directory or file. Good article there ScottyM! 

Apr 29, 2009 02:29 PM

You just have to create a new Centralized Exceptions Policy and un-check all of the options for "Client Restrictions".  Once you do that and apply it, you'll be able to deny clients the ability to create any sort of exception.

Apr 29, 2009 10:54 AM

How does the denial policy work?

Apr 29, 2009 02:31 AM

Hi
Very good article. But I want to create a specific exception policy, which I describe below. Can you tell me how to create it?

My problem is that whenever I try to install software, it is blocked by Symantec and I am unable to install it (e.g. Oracle, printer drivers, scanner drivers).

After stopping SEP with the smc -stop command I can install all of the above.

So I want to create an exception for these so that I can install all the software mentioned above without stopping SEP.

Please help me regarding this.

Apr 28, 2009 10:41 AM

Hey NWCenter IT,
   Centralized Exceptions defined through the client software are subject to the "Client Restrictions" section in the Centralized Exceptions Policy that you apply to that client. If you allow the client to create exceptions, then the specific exceptions that you define in the policy will be merged with the client-created exceptions.

If you choose to set the "Client Restrictions" to not allow the clients to create Centralized Exceptions, then the policy settings will overwrite and lock out the ability of clients to create exceptions.

I hope that answers your question.

Regards,
   ScottyM

Apr 27, 2009 06:10 PM

Hi there,

Great article! 

Quick question that I haven't yet found an answer to: If I set up a Central Exception policy on a client, is this policy only going to affect that client? Or will it be overridden by the management console?

Thanks,
NWCenter IT
