Endpoint Protection

  • 1.  AV Exclusions in Corporate Edition (10.1.9)

    Posted Feb 16, 2012 04:09 PM

    I'm trying to document some server configurations.  Is there a way to dump the list of file and folder exclusions to a text file?

    Thanks,

    Dennis



  • 2.  RE: AV Exclusions in Corporate Edition (10.1.9)

    Posted Feb 16, 2012 08:11 PM

    Solution


    Use the following instructions to create a new client scheduled scan and/or edit an old client scheduled scan from Symantec System Center with file exclusions:

    To configure the scan

    1. Open the Symantec System Center.
    2. Right click on the Parent Server.
    3. Go to All Tasks > Symantec AntiVirus > Scheduled Scans.
    4. Click the Client Scans tab.
    5. Go to New or select an existing scan and click Edit > Scan Settings > Options.
    6. Check Exclude files and folders.
    7. Click on Folders.
    8. Type the complete path of the folder. (for example C:\Inetpub )
      Note: One per line with no spaces at the beginning or at the end. You can only exclude folders and all sub-folders using this method
       
    9. Click OK until you are back to the Symantec System Center.



    On the Parent Server

    1. Open the registry by clicking Start > Run.
    2. Type regedit.
    3. Go to HKLM\Software\Intel\Landdesk\VirusProtect6\CurrentVersion\ClientConfig\LocalScans\ClientServerScheduledScan_<number>
      • If the client is in a client group, go to HKLM\Software\Intel\Landdesk\VirusProtect6\CurrentVersion\Groups\<group name>\ClientConfig\LocalScans\ClientServerScheduledScan_<number>
    4. In the pane on the right, check that the value "HaveExceptionsDirs & HaveExceptionFiles" is "1"; if not, change it to "1".
    5. Expand ClientServerScheduledScan_<number>.
    6. Go to NoScanDir Key.
    7. In the pane on the right, you will see the folders added above as REG_DWORD values.
    8. The title of each value will show the complete folder added above. Make sure that each of these has a value of 1; if not, please change it to 1.
    9. Go to FileExceptions Key.
    10. Right click on the right and go NEW, then DWORD Value.
    11. Name the Value the path to the file. Example: C:\Windows\eicar.com
    12. Double click the DWORD value and set it to 1
    13. Exit registry editor.
    • Note: you will have to go back into the SSC, go back to All Tasks > Symantec AntiVirus > Scheduled Scans and press OK (this commits the manual changes to the grc.dat).



    Verification on the Parent Server:

    1. Go to %SYSTEMROOT%\Program Files\SAV\.
    2. Make a backup of the GRC.DAT file in case the original needs to be restored.
    3. Open GRC.DAT from the Symantec AntiVirus folder.
      Note: Do NOT make any change to this file, only note that the information is here.

       
    4. Go to the local scan section which may look like this:

      !KEY!=$REGROOT$\LocalScans\ClientServerScheduledScan_1\FileExceptions
      GRC-State-Counter=D<number>
      C:\windows\eicar.com=D1
      !KEY!=$REGROOT$\LocalScans\ClientServerScheduledScan_1\NoScanDir
      C:\Inetpub\=D1


    If these files exist, exit without saving.

    Verification on the Client (It might take some time for settings to be replicated to the clients)

    1. Open the registry by clicking Start > Run.
    2. Type regedit.
    3. Go to HKLM\Software\Intel\Landdesk\VirusProtect6\CurrentVersion\ClientConfig\LocalScans\ClientServerScheduledScan_<number>.
    4. In the pane on the right, check that the value "HaveExceptionsDirs & HaveExceptionFiles" is "1"; if not, change it to "1".
    5. Expand ClientServerScheduledScan_<number>.
    6. Go to NoScanDir Key.
    7. In the pane on the right, you will see the exact number of REG_DWORD values.
    8. The title of each value will show the complete folder or filename including its path and extension. Make sure that each of these has a value of 1; if not, please change it to 1.
    9. You should now be able to run the scheduled scan from Symantec System Center.
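
An added example, not part of the original reply and not a Symantec tool: a read-only parser that turns the GRC.DAT layout quoted above into a text listing of scheduled-scan exclusions, so the scanning blind spots on a server can be documented and reviewed. The function names are hypothetical, the sample text is constructed, and it assumes that `D1` is the DWORD value 1 described in the registry steps and that any other value means the entry is not in effect.

```python
"""List scheduled-scan exclusions from GRC.DAT-style text (added example)."""

# Registry sub-keys named in the post, mapped to the kind of exclusion.
SECTIONS = {"FileExceptions": "files", "NoScanDir": "folders"}

# Constructed sample in the layout shown in the post; the counter value,
# the D0 entry and the second scan are made up for illustration.
SAMPLE = r"""
!KEY!=$REGROOT$\LocalScans\ClientServerScheduledScan_1\FileExceptions
GRC-State-Counter=D5
C:\windows\eicar.com=D1
!KEY!=$REGROOT$\LocalScans\ClientServerScheduledScan_1\NoScanDir
C:\Inetpub\=D1
D:\Old=Backups\=D0
!KEY!=$REGROOT$\LocalScans\ClientServerScheduledScan_2\NoScanDir
E:\SQLData\=D1
"""

def parse_exclusions(text):
    """Return {scan: {"files": [...], "folders": [...]}} for entries set to D1."""
    result, scan, kind = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!KEY!="):
            parts = line[len("!KEY!="):].split("\\")
            kind = SECTIONS.get(parts[-1])       # None for unrelated keys
            scan = parts[-2] if kind and len(parts) >= 2 else None
            continue
        if kind is None:
            continue                             # not inside an exclusion key
        # Split on the last '=' because a path may itself contain '='.
        name, sep, value = line.rpartition("=")
        if not sep or name == "GRC-State-Counter":
            continue
        if value == "D1":                        # assumption: 1 = exclusion active
            entry = result.setdefault(scan, {"files": [], "folders": []})
            entry[kind].append(name)
    return result

def format_report(exclusions):
    """One tab-separated line per exclusion: scan, kind, path."""
    rows = []
    for scan in sorted(exclusions):
        for kind in ("folders", "files"):
            rows += [f"{scan}\t{kind}\t{p}" for p in exclusions[scan][kind]]
    return "\n".join(rows)

if __name__ == "__main__":
    print(format_report(parse_exclusions(SAMPLE)))
```

Feed it the text of the backup copy of GRC.DAT made in the verification steps rather than the live file.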


     



  • 3.  RE: AV Exclusions in Corporate Edition (10.1.9)

    Posted Feb 17, 2012 09:18 AM

    Yes, the folder exclusions are in the registry, and I can dump from there.  Where can I dump the file extension exclusions?



  • 4.  RE: AV Exclusions in Corporate Edition (10.1.9)

    Posted Feb 17, 2012 09:33 AM

    I found it, thanks.