Endpoint Protection

  • 1.  Automatic centralized exclusions not showing up in registry - is there a definitive doc?

    Posted Mar 06, 2009 04:30 PM

     

    MR4 MP1a on 32-bit Server2003 R2 SP2 - Per this article

     

    "The latest version of the Endpoint Protection client automatically detects the presence of certain installed components/applications like: IIS, Microsoft Exchange Servers, Active Directory Domain Controllers, etc. Where can you manually inspect these exclusions to verify if they need to be added to the Centralized Exceptions policy?"

     

    So it gives a registry key and says to open the File Exceptions folder. There is no File Exceptions folder in that registry key. "Exclusions" is highlighted in the article, for whatever that is worth.

     

    I can't find any automatically added exceptions and this server has IIS installed. My problem is that my network guys want to add a ton of exclusions that I'm not sure are appropriate and I definitely don't want to add them if they are added automatically by SEP.

     

    Is there a definitive article or document on what is excluded automatically by SEP?

     

    Thanks,

     

    Ray

    --------------

    Here is their list. Please ignore the bold-face. It seems it can't be removed when it is pasted in. Any comments on the appropriateness are appreciated.

     

    C:\MSSQL$WSUS

    C:\WSUS

    C:\Program Files\Common Files\Microsoft Shared\Web Storage System

    C:\Program Files\Citrix

    C:\Program Files\UPHClean

    C:\Windows\Cluster

    C:\Windows\IIS Temporary Compressed Files

    C:\WINDOWS\Microsoft.NET\Framework

    C:\Windows\System32\Inetsrv

    C:\windows\system32\spool

    C:\windows\softwaredistribution\datastore

    C:\windows\sysvol

    C:\windows\system32\dhcp

    C:\windows\system32\dns

    C:\Windows\system32\wins

    C:\Windows\system32\GroupPolicy

    C:\Windows\system32\config

    C:\Windows\system32\wbem

    C:\Windows\system32\Microsoft.NET

    C:\windows\ntds

    C:\windows\ntfrs

    C:\Windows\adam

    C:\WINNT\system32\spool

    C:\WINNT\softwaredistribution\datastore

    C:\WINNT\SYSVOL

    C:\WINNT\system32\dhcp

    C:\WINNT\system32\dns

    C:\WINNT\system32\wins

    C:\WINNT\system32\GroupPolicy

    C:\WINNT\system32\config

    C:\WINNT\system32\wbem

    C:\WINNT\system32\Microsoft.NET

    C:\WINNT\NTDS

    C:\WINNT\NTFRS

    C:\WINNT\adam

    D:\MSSQL.1\MSSQL\Data

    D:\Virtual Machines

    E:\Program Files\Microsoft\Exchange Server

    E:\MNS_FSW_DIR_TFSCMS01

    E:\SMS\Inboxes

    E:\SMS_CCM\ServiceData

    Q:

    ---------------------------

    Extensions

    .BAK

    .CHK

    .DB

    .DIT

    .EDB

    .LDB

    .LDF

    .LOG

    .MDB

    .MDF

    .NDF

    .SHD

    .SPL

    .TMP

    .TRN

     



  • 2.  RE: Automatic centralized exclusions not showing up in registry - is there a definitive doc?

    Posted Mar 06, 2009 06:17 PM
    Sadly, the KB is wrong on the IIS front; I'm going to get that amended. The rest of it is mainly OK though. Underneath the Exclusions folder, you will see each product or type of automatic exclusion we have, and then under there is the FileExceptions folder.

    To clarify, from MR2 onwards, SEP automatically excludes files involved with the following products or Windows features:

    - MS Exchange Server
    - Active Directory
    - SEPM Embedded Database

    The exclusions are automatic, based on us discovering the product (or "feature") installed on the server. Both the Exchange and the AD exclusions are done as per Microsoft KBs, and we use the registry to find out the correct locations, based on your individual installs. There are no IIS automatic exclusions at this point in time.

    That list of exclusions is quite large; most of the extensions are valid. I would question the whole Virtual Machines folder: if it's VMware, just exclude VMDKs and VMEMs, and if it's another product, then the hard disk and memory files for each (VHD for Virtual Server, possibly Hyper-V too). Things like ntds, ntfrs, sysvol, etc. are all AD exclusions and will be done automatically on a DC. For the others, I would recommend you create groups for each server type, and only put the exclusions necessary onto each group. That keeps it a little more secure.

    hth and apologies for the confusion.
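
A sketch of the triage the reply describes, as an added example that is not part of the thread and not Symantec's code: it folds the duplicate WINNT/Windows entries, marks the AD folders the reply says are excluded automatically on a DC, and flags the whole Virtual Machines folder. The whole-volume check, the function names and the verdict strings are assumptions added here; the sample paths are taken from the list in the first post.

```python
import re

# Folder names the reply identifies as Active Directory exclusions that SEP
# adds automatically on a domain controller ("ntds, ntfrs, sysvol, etc.").
AD_AUTOMATIC = {"ntds", "ntfrs", "sysvol"}
# Disk/memory file types the reply suggests instead of a whole VM folder.
VM_FILE_TYPES = (".vmdk", ".vmem", ".vhd")


def normalize(path):
    """Lower-case, drop trailing separators, and fold X:\\WINNT into
    X:\\Windows so both system-root spellings in the list compare equal."""
    p = path.strip().replace("/", "\\").rstrip("\\").lower()
    return re.sub(r"^([a-z]:)\\winnt(?=\\|$)", r"\1\\windows", p)


def triage(paths, is_domain_controller):
    """Return {normalized_path: verdict} for a proposed exclusion list."""
    verdicts = {}
    for raw in paths:
        p = normalize(raw)
        if p in verdicts:
            continue  # duplicate once WINNT/Windows are folded together
        leaf = p.rsplit("\\", 1)[-1]
        if re.fullmatch(r"[a-z]:", p):
            # Assumption added here: a bare drive letter excludes a whole volume.
            verdicts[p] = "review: excludes an entire volume"
        elif leaf in AD_AUTOMATIC:
            verdicts[p] = ("drop: automatic on a DC" if is_domain_controller
                           else "review: AD path, only relevant to a DC group")
        elif leaf == "virtual machines":
            verdicts[p] = "narrow: exclude only " + "/".join(VM_FILE_TYPES)
        else:
            verdicts[p] = "keep for per-role review"
    return verdicts


# Sample entries copied from the list in the first post.
PROPOSED = [r"C:\windows\ntds", r"C:\WINNT\NTDS", r"C:\windows\sysvol",
            r"D:\Virtual Machines", "Q:", r"C:\WSUS"]

if __name__ == "__main__":
    for path, verdict in triage(PROPOSED, is_domain_controller=True).items():
        print(f"{path:28} {verdict}")
```

Entries left as "keep for per-role review" still need the per-server-type grouping the reply recommends; the script only removes what the thread already settles.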