Guide: DFS and DFSR Concerns when deploying Symantec Endpoint Protection 11.0
For those of you who use DFS or DFSR in your corporate networks, I thought i'd give you all a bit of a guide to the perils and pitfalls of deploying Symantec Endpoint Protection software in your corporate environment.
- Installing the SEP Client on DFS(R) Servers -
As with most servers, when installing the SEP Client, only install the Antivirus/Antispyware components. Do not install the Network Threat Protection component unless you're thoroughly experienced with configuring it, this will reduce the likelihood of accidentally disabling certain ports or services on your server.
The SEP Client generally plays nicely with DFS and DFSR, though I recommend doing the following for your DFSR Server installs. Set up a Centralized Exceptions list containing all locations of your "DfsrPrivate" folders on the server. You generally don't want these files to be scanned as they change frequently and don't tolerate file locking or minor alterations very well. You can set up "Centralized Exceptions" locally in the client software on your server or in SEP Manager. If you create the Centralized Exceptions Policy on the SEP Manager, just make sure to only apply it to your DFSR Servers.
- Scan Settings on my DFS & DFSR Servers -
This is generally personal preference, but I recommend setting a bi-weekly or monthly full scan of file servers, DFSR or otherwise. Due to the large number of files, full scans can take quite a while to run and you don't want your file servers to be bogged down scanning files constantly.
- Troubleshooting: Some files are no longer replicating between servers -
A recent discovery of this issue in my corporate network led me to do a bit of investigation. We use Exchange/Outlook for our corporate email.
Apparently, on user machines, the Outlook Auto-Protect component of Symantec Endpoint Protection causes email attachments that are saved to have the hidden "Temporary File" attribute set.
DFSR doesn't replicate files with the "Temporary File" attribute by design. Because of this, any user who saved a file/attachment from Outlook to our file servers initially seemed not to notice any issues. However, those employees who travel between offices soon noticed that these saved email attachments were not replicating properly.
I have had to disable Outlook Auto-Protect to resolve this issue temporarily and manually run a powershell script to remove the "Temporary File" attribute from the affected files. Symantec tech support is working on the issue, i'll keep this article updated.
These links explain the DFSR half of the issue:
- UPDATE -
According to Symantec Support, the Antivirus Email Protection is a bit of a redundancy and is not required in most environments. The current solution to the DFSR issue is to disable that functionality for clients.
Scroll to the "Deactivate the email tools on Endpoint Protection Clients" section.