Centralized Exceptions Policies - Why to use them and how to configure them
Why Should I Use A Centralized Exceptions Policy?
There are many reasons to create a Centralized Exceptions Policy. Some of the most common are:
- In order to automate administrative tasks on user machines, you use tools to hide script windows while they run in the background.
- IT Staff use tools such as IP scanners or key loggers for legitimate administrative purposes.
- You'd like to control whether your users can add program or security risk exceptions themselves.
Applications and tools that assist with automated scripting, IP scanners and key loggers are often categorized as security risks by antivirus software, including Symantec Endpoint Protection. Once SEP has been installed, it will prevent any program that it categorizes as a security risk from running, and will move it into the quarantine.
In nearly all companies, allowing an IT department to function normally and be able to script and automate various administrative functions can be a critical time saver. To make sure that those needed programs that are classified by SEP as security risks are still available to your users / IT staff, you'll want to create a Centralized Exceptions Policy.
How To Create A Centralized Exceptions Policy:
Centralized Exceptions Policies can be created from within Symantec Endpoint Protection Manager. Once you've loaded it and logged in, follow these steps:
- Choose the Policies tab from the left-hand menu
- Under View Policies, select Centralized Exceptions
- Right-click in the Centralized Exceptions Policies section and choose Add
- In the Overview of your new policy, type a name and description for your new policy (e.g. name: IT Exceptions; description: Security Risk Exceptions for the IT Department)
- Next, click on Centralized Exceptions in the left menu
- On this screen, you'll need to add those applications that you'd like to exclude from SEP checking. These can be Security Risks, specific files or folders or even file extensions. To exclude one of these items, add it and choose Ignore as the action.
- The third option on the left menu will allow you to configure the options that allow or deny specific Policy Groups the option to create exceptions themselves. You can choose specific types of allowed or denied exceptions if you'd prefer.
- Finally, click OK.
Assigning A Centralized Exceptions Policy:
Now that you've created your Centralized Exceptions Policy, you'll need to assign it to one of the administrative client groups.
- In the Centralized Exceptions Policies list view, right-click on the newly created policy (IT Exceptions in my case). Choose Assign.
- You will now be presented with a list of your administrative client groups, including "My Company" and the Default group.
- Place a check mark next to each client group that you'd like to assign this policy to. (NOTE: If you choose "My Company", the policy will be assigned to every client group below that uses policy inheritance).
- Once you've checked all client groups that you'd like to apply this policy to, choose Assign.
- The policy will be applied to those client groups that you've chosen the next time the SEP client software checks in with the SEP Management Server. The time that this takes may vary based on your client group's Communications Settings (usually within 15 minutes if you're using Push mode).
central exceptions on Client vs Management Console
Hi there,
Great article!
Quick question that I haven't yet found an answer to: If I set up a Central Exception policy on a client, is this policy only going to affect that client? Or will it be overridden by the management console?
Thanks,
NWCenter IT
RE: central exceptions on Client vs Management Console
Hey NWCenter IT,
Centralized Exceptions defined through the client software are subject to the "Client Restrictions" section in the Centralized Exceptions Policy that you apply to that client. If you allow the client to create exceptions, then the specific exceptions that you define in the policy will be merged with the client-created exceptions.
If you choose to set the "Client Restrictions" not to allow the clients to create Centralized Exceptions, then the policy settings will overwrite and lock out the ability to allow clients to create exceptions.
I hope that answers your question.
Regards,
ScottyM
Hi Very good article .
Hi
Very good article. But I want to create a specific Exception policy, which I am mentioning below. Can you tell me how to create it?
My problem is whenever I try to install a software it is blocked by Symantec and I am unable to install the software (e.g. Oracle, printer drivers, scanner drivers).
After stopping SEP with the smc -stop command I can install all the above.
So I want to create an exception for these so that without stopping SEP I can install all the software mentioned above.
Please help me regarding this.
How does the denial policy
How does the denial policy work?
RE: How does the denial policy
You just have to create a new Centralized Exceptions Policy and un-check all of the options for "Client Restrictions". Once you do that and apply it, you'll be able to deny clients the ability to create any sort of exception.
Great article
One thing to note is that I'm very cautious about using centralized exceptions. Basically I make absolutely sure they are applied to the right group, and validate that they are justified. Basically, my concern is that sometimes I walk into client environments where they have been very liberal in applying centralized exceptions. Therefore, there is some level of risk associated with these exceptions and weighing that risk is important.
In essence, apply centralized exceptions only when needed, don't apply them if you "think" there are issues. Instead, implement them when you know there is an issue with a particular directory or file. Good article there ScottyM!
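An added example, not part of the comment above or of the original article: a small Python review of an exceptions inventory that flags the cases raised on this page (assignment at "My Company", which every inheriting group receives, overly broad folder or extension exceptions, and exceptions with no recorded justification). The inventory format, field names, paths and ticket numbers are constructed for illustration; SEPM does not produce this file.

```python
import ntpath

# Constructed inventory (hypothetical format): one row per exception, as an
# admin might transcribe it from the Centralized Exceptions policies in SEPM.
INVENTORY = [
    {"policy": "IT Exceptions", "group": r"My Company\IT", "type": "file",
     "target": r"C:\Tools\ipscan.exe", "reason": "CHG-1042 IP scanner for IT"},
    {"policy": "Legacy", "group": "My Company", "type": "folder",
     "target": "C:\\", "reason": ""},
    {"policy": "Legacy", "group": "My Company", "type": "extension",
     "target": ".exe", "reason": "CHG-0007 installer problems"},
    {"policy": "SQL", "group": r"My Company\Servers\SQL", "type": "folder",
     "target": r"D:\SQLData", "reason": "CHG-2210 database files"},
]

ROOT_GROUP = "My Company"  # inherited by every client group below it
BROAD_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\program files"}
EXECUTABLE_EXTS = {".exe", ".dll", ".bat", ".vbs", ".ps1", ".js"}

def findings(row):
    """Return a list of review findings for one exception row."""
    out = []
    target = row["target"].strip().lower()
    if row["group"].strip().lower() == ROOT_GROUP.lower():
        out.append("assigned at root group; inherited by all client groups")
    if row["type"] == "folder":
        norm = ntpath.normpath(target)
        _drive, rest = ntpath.splitdrive(norm)
        if rest in ("\\", "") or norm in BROAD_DIRS:
            out.append("folder exception covers a drive root or system directory")
    if row["type"] == "extension" and target in EXECUTABLE_EXTS:
        out.append("extension exception covers an executable file type")
    if not row["reason"].strip():
        out.append("no justification recorded")
    return out

def audit(inventory):
    """Map 'policy: target' -> findings, for rows with at least one finding."""
    report = {}
    for row in inventory:
        hits = findings(row)
        if hits:
            report[f'{row["policy"]}: {row["target"]}'] = hits
    return report

if __name__ == "__main__":
    for item, hits in audit(INVENTORY).items():
        print(item, "->", "; ".join(hits))
```
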
Good Article, I would like to
Good Article,
I would like to see the ability to add multiple exception policies to groups :
ie
standard exception policy
sql exception policy
DC exception policy
wsus exception policy
etc
etc
m00
Can you help us in resolving
Can you help us in resolving MSIE WPAD Spoofing issue using denial policy, or centralized exception policy?
RE: Can you help us in resolving
Hi Tejas, After reviewing the MSIE wpad spoofing thread on Connect, it looks like the only real option in terms of exceptions is to create a specific exception for
C:\Program Files\Internet Explorer\iexplore.exe
Though doing so may expose you to further risks.
If that still doesn't resolve the issue, you may want to contact Symantec Customer Support.
SEP and Hyper-V in Server 2008
Can anyone help me with how to exclude the Hyper-V files in Server 2008, which are located in the system32 folder? When I open the browse window to exclude the Hyper-V files it didn't show any files, neither .exe nor .dll; the rest of the files are appearing but not the Hyper-V files.
I am using SEP MR4 MP1a.
Please, can anyone help me out, because it's very critical for me.
Thanks and Regards
Saqib
Re
Hi Scott,
We are able to create a Centralized Exceptions policy for the Autoprotect scan, but how can we exclude files or folders in a scheduled scan?
Regards,
M.R
Re: Centralized Exceptions for Scheduled Scan
Hi M.R.
Any centralized exceptions policy should take effect for an Autoprotect or a Scheduled scan.
Regards,
Scott