I'm running latest version of SEP client/server 11.0.6 MP2.

I have third party software, that require running service, and it is detected by false positive. Lets assume service is created by file C:\Windows\ThirdParty.exe. It is added to exceptions as Security Risk File Exception, and as TruScan Proactive Threat Scan Process...

I have 2 type of machines in my network. On x64 Windows Server 2008 R2, ThirdParty.exe function without problem. Its up and running, without being deleted or halted by SEP. But on XP x32 SP3 machines it get immidiately killed no matter what i do. I tried to check from registry if clients receive exception information - it is there..

Whats the problem, please help.

for 64 bit machines; the registry path is differnt.

check if TAmper protection is detection the software, if so create on entry for it.

How to Verify if an Endpoint Client has Automatically Excluded an Application or Directory

Good point - check the path if it remains the same on both architectures.

But as far as i understand there is absolutely no difference for file that is is C:\Windows

On both systems it is there..

when you mention " killed immediately" is that by autoprotect ? It should be 

you can open the sep client on the local xp machine

click on change settings- centralized exception= add; select the file, check if that works.

Yes, it is killed by autoprotect. What's the difference in adding it manually from client or from SEPM?

Hm, could you please open SEP client on a client machine when the probess is stopped and, in the left menu, choose Show logs. Go to Client management - Show logs and choose security log. Is there any sign on this process?

its the same, just in case if the settings is not getting propogated from SEPM :)

Please check the registry key on the client:

HKEY_LOCAL_MACHINE\SOFTWARE\SYMANTEC\SYMANTEC ENDPOINT PROTECTION\AV\EXCLUSIONS

It is there

C:\Windows\ThirdParty.exe in Exclusions -> Scanning Engines -> File Name -> Admin -> 203705480

Are you sure that the process is stopped by autoprotect and not by PTP?

Hmm..

how to check for sure?

could you please open SEP client on a client machine when the probess is stopped and, in the left menu, choose Show logs. Go to Client management - Show logs and choose security log. Is there any sign on this process?

can you post the screen shot of the action page when its killed?

you might need to set exception for the actor process here, check what is getting killed

I dont know what i eventually did. I just removed and re-set expeptions few times, and it worked..

Dont know how, but everything runs great now.

Thanks for support, guys.

Its looks strange issue however its good its working now..

Cool :-)