Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Guide: DFS and DFSR Concerns when deploying Symantec Endpoint Protection 11.0

Created: 17 Mar 2009 • Updated: 25 Mar 2009 | 4 comments
Language Translations
Scott Meltzer's picture
+7 7 Votes
Login to vote

For those of you who use DFS or DFSR in your corporate networks, I thought i'd give you all a bit of a guide to the perils and pitfalls of deploying Symantec Endpoint Protection software in your corporate environment.
 

- Installing the SEP Client on DFS(R) Servers -
As with most servers, when installing the SEP Client, only install the Antivirus/Antispyware components.  Do not install the Network Threat Protection component unless you're thoroughly experienced with configuring it, this will reduce the likelihood of accidentally disabling certain ports or services on your server.   

The SEP Client generally plays nicely with DFS and DFSR, though I recommend doing the following for your DFSR Server installs.    Set up a Centralized Exceptions list containing all locations of your "DfsrPrivate" folders on the server.   You generally don't want these files to be scanned as they change frequently and don't tolerate file locking or minor alterations very well.    You can set up "Centralized Exceptions" locally in the client software on your server or in SEP Manager.  If you create the Centralized Exceptions Policy on the SEP Manager, just make sure to only apply it to your DFSR Servers.

 

- Scan Settings on my DFS & DFSR Servers -
This is generally personal preference, but I recommend setting a bi-weekly or monthly full scan of file servers, DFSR or otherwise.   Due to the large number of files, full scans can take quite a while to run and you don't want your file servers to be bogged down scanning files constantly.

 

- Troubleshooting: Some files are no longer replicating between servers -

A recent discovery of this issue in my corporate network led me to do a bit of investigation.  We use Exchange/Outlook for our corporate email.

Apparently, on user machines, the Outlook Auto-Protect component of Symantec Endpoint Protection causes email attachments that are saved to have the hidden "Temporary File" attribute set.  

DFSR doesn't replicate files with the "Temporary File" attribute by design. Because of this, any user who saved a file/attachment from Outlook to our file servers initially seemed not to notice any issues.   However, those employees who travel between offices soon noticed that these saved email attachments were not replicating properly. 

I have had to disable Outlook Auto-Protect to resolve this issue temporarily and manually run a powershell script to remove the "Temporary File" attribute from the affected files.    Symantec tech support is working on the issue, i'll keep this article updated.

These links explain the DFSR half of the issue:

http://blogs.technet.com/filecab/archive/2006/05/10/427837.aspx

http://blogs.technet.com/askds/archive/2008/11/11/dfsr-does-not-replicate-temporary-files.aspx


- UPDATE - 

According to Symantec Support, the Antivirus Email Protection is a bit of a redundancy and is not required in most environments.   The current solution to the DFSR issue is to disable that functionality for clients.

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007102311173048?Open&seg=ent

Scroll to the "Deactivate the email tools on Endpoint Protection Clients" section.

Comments 4 CommentsJump to latest comment

rpatty's picture

Handy article. I notice it's been about a year without updates, though. We have the same problem at our office: the combination of SEP and Outlook is causing files to be flagged as Temporary, and then they're not being replicated with DFS.

When we first discovered the problem, tech support on the phone told us that this issue wasn't being worked on, supposedly because "we only have a few customers who use DFS" which I don't really buy.

Anybody know if this issue is actually being worked on as Scott says above, or is it being put on the back burner, as our phone tech told us?

0
Login to vote
ECSSysAdmin's picture

Just stumbled across this issue in our environment.

According to the response I just received to a case submission, Symantec states:

We are currently aware of the issue, and may have a fix with the next release of SEP 11.x.

So it's a definite maybe at this point.

0
Login to vote
Ian_C.'s picture

http://www.symantec.com/docs/TECH103087 has the latest release notes. No mention of DFS / DFSR. No mention of it in SEP 12.1 either.

 

Please mark the post that best solves your problem as the answer to this thread.
0
Login to vote
rpatty's picture

Curious after two years this is still in the "we're working on it (or maybe we're not)" stage. Shame.

Wanted to note that in 11.x we'd set up a Client Install Feature Set specifically to turn off Outlook Auto-Protect when we built installers. When we upgraded to 12.1 this week, that translated perfectly to the new setup, and we were able to continue to use the same Client Install Feature Set as before, without any fiddling. Also nice that in the same Feature Set you can still see options for both 11.x and 12.x, and either set them individually or have them translate automatically. That's a small detail that was very well done, props for that.

Not nearly as nice as if they'd actually address the primary issue, but I'm very glad they at least kept Plan B working properly.

0
Login to vote