Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Endpoint Virtualization Community Blog

Ignoring Processes: A Must-Read for Symantec and Norton Antivirus Users

Created: 28 Feb 2006 • Updated: 29 Jul 2010 • 16 comments
Jared Payne's picture
+1 1 Vote
Login to vote

A feature in the SVS final release is the ability to configure SVS so certain applications running from the base cannot see virtualized applications. Jared Payne tells us how and when this is cool.

The final release of Software Virtualization Solution (SVS) includes a feature called Program Ignore. Program Ignore makes it possible for applications that are installed in the base to run and not see virtualized data. This feature is quite simple to use.

  1. Open regedit and go to HKLM\System\Altiris\FSL
  2. Create/Edit a new Multi-String Value named "ProgramIgnoreList"
  3. Enter the complete path for the executable that you want to ignore in "ProgramIgnoreList"
  4. Restart the computer (the ignore list is only read at system start up)

Antivirus software is one of the main reasons this feature was added. We recommend adding your antivirus scanner to ProgramIgnoreList. You only need to add the scanner executable to this list. It is important to note that SVS does not affect the run-time functionality of antivirus products. Files are scanned as they are opened and SVS does not interfere with this.

There are some other times when you might want an application to be ignored. One example could be an inventory program. If an inventory program sees a file twice (virtualized and unvirtualized), it may get counted twice. Whatever your reason for ignoring a program, this new SVS feature allows you to do it.

By the way, there are no security implications for ignoring an executable. The executable will not have any more access than it would if it could see virtual data.

Comments 16 CommentsJump to latest comment

graeberj2000's picture

I didn't see anything about this in the documentation, but I do get the impression that the registry key(HKEY_LOCAL_MACHINE\SYSTEM\Altiris\FSL\ProgramignoreList) gets autopopulated. Can you shed some light on this?

0
Login to vote
Jeremy_Hurren's picture

Yes, this gets autopopulated with some antivirus products that we know have a problem if they don't get ignored. What this means is that the AV products find the files in their physical location rather than the virtual location. (I.e., the files still get scanned correctly.)

Jeremy Hurren, Sr. Principal Software Engineer, Symantec

+1
Login to vote
mbaierl's picture

Too bad this does not work with cygwin at all. First of all it seems to be impossible to add every single cygwin binary to the ProgramIgnoreList, would be great if a directory can be masked.
On the other side it would be great if this would work at all, my tests did not show any differences to cygwin.

Until when will this be fixed?

0
Login to vote
tfronza's picture

I see a great use for this when building a New Layer that is dependent on another Layered piece of software. For example, some of our custom-built in-house applications are dependent on IBM DB2 registered databases and we have built a layer for DB2. This would be helpful for that.

+1
Login to vote
Sundance's picture

Hiho,

can i use the svs environment variables like [_B_]PROGRAMFILES[_E_] ??

0
Login to vote
Scot Curry's picture

Many thanks to Scott Jones for getting the low down on the McAfee program names to ignore.

C:\Program Files\McAfee\Managed VirusScan\VScan\McShield.exe
C:\Program Files\McAfee\Managed VirusScan\VScan\EngineServer.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\HtmlDlg.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtSvc.exe
C:\Program Files\McAfee\Managed VirusScan\Agent\myAgtTry.exe
C:\Program Files\SiteAdvisor\6173\SAService.exe
C:\Program Files\SiteAdvisor\6173\SiteAdv.exe

+1
Login to vote
rpfenninger's picture

When using McAfee VirusScan Enterprise, I'd recommend to further add the scan32.exe usually found in C:\Program Files\McAfee\VirusScan Enterprise to the Process Ignore List. The scan32.exe represents the On-demand scan.

0
Login to vote
FrankB's picture

What's the limit of programs one can add to this list?

______________________________________________
Frank Bastiaens
Senior Technical Consultant
Vanderlet B.V.

______________________________________________
Frank Bastiaens
Senior Technical Consultant
Vanderlet B.V.

0
Login to vote
Jordan's picture

Are you talking about numerical limits? You're limited to the size of the multi-string (in characters).

SVS it self doesn't have a limit that I'm aware of.

If a forum post solves your problem please flag is as the solution

0
Login to vote
AllanP's picture

Im missing a reason why i would have to ignore Symantic Antivirus ?

0
Login to vote
rpfenninger's picture

I'm using Norton Internet Security 2009. Which processes should be excluded (or how to find out)?

Am I fine when exluding the following?
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\navwnt.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\navw32.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe

Is it possible to replace the version folder (16.2.0.7) through a variable?

Thanks

0
Login to vote
Scot Curry's picture

[_B_]PROGRAMFILES[_E_]\McAfee\VirusScan Enterprise\scan32.exe
[_B_]PROGRAMFILES[_E_]\Network Associates\VirusScan\scan32.exe
[_B_]PROGRAMFILES[_E_]\Network Associates\VirusScan\mcshield.exe
[_B_]PROGRAMFILES[_E_]\McAfee\VirusScan Enterprise\mcshield.exe

+1
Login to vote
Scot Curry's picture

[_B_]PROGRAMFILES[_E_]\Trend Micro\OfficeScan Client\NTRtScan.exe
[_B_]PROGRAMFILES[_E_]\Trend Micro\OfficeScan Client\tmlisten.exe
[_B_]PROGRAMFILES[_E_]\Trend Micro\OfficeScan Client\PccNT.exe

+1
Login to vote
ManelR's picture

Hi,

The documentation says that "SWV Agent does not affect the run-time protection feature of antivirus software" ... so the question is:

Why are you adding 'mcshield.exe' to this list?

Is not enough to have 'scan32.exe' in the list? (is the process that you launch manually for an on-demand scan)

Thanks.

IT Systems Manager
LCFIB - Computing Lab
Barcelona School of Informatics
Universitat Politècnica de Catalunya - Barcelona Tech
0
Login to vote
Niels Christian Lund's picture

I have noticed that by default there is no Entries for 12.1. Only for 11.x (rtvscan.exe)
Is any Entries needed for SEP 12.1?

Regards
Christian Lund

0
Login to vote
Jordan's picture

I'm looking into this issue.

If a forum post solves your problem please flag is as the solution

0
Login to vote