Endpoint Protection

  • 1.  Centralized Exclusions Client Installation issue

    Posted Jun 04, 2010 02:32 PM
    I am having an issue w/ exclusions during the client installation - I have a required remote access tool deployed on client PCs (due to the remote nature of some employees) that is identified as a Trojan (FP but no big deal - an exclusion should handle that) found during SEP client installation... Once the SEP client is installed and has restarted, it ignores the file, but before that happens it finds it during the initial def update upon installation. My exclusions are set up and respond accordingly when the client is loaded on the PC, but when deploying new images (NetInstall) it finds the file upon initial def update - It seems that the exclusions are not rolled into the installation package - Can anyone verify or offer any advice?

    Thanks


  • 2.  RE: Centralized Exclusions Client Installation issue

    Posted Jun 04, 2010 02:42 PM
    Navigate to HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\AV\Exclusions and see if the exclusions are there or not


  • 3.  RE: Centralized Exclusions Client Installation issue

    Posted Jun 04, 2010 02:43 PM
    Policies are not in the pushed package, only server info. The first thing the client does is connect back to the SEPM for updates, including policy updates. Which scan is detecting this file? If it truly is a false positive, then our Security Response team will want to have a look at it.


  • 4.  RE: Centralized Exclusions Client Installation issue

    Posted Jun 04, 2010 02:45 PM
    Call support and create a case, submit the file, and with the tracking number we can open a case with security response to resolve the false positive. The way the policies are done, you will not be able to work around this issue, and it's better to deal with getting the FP resolved.

    The value will not be in the registry yet because of the way the policy is processed on a push deployment.

    You should export a package and use the migration and deployment wizard to work around the issue if you do not want to get the FP resolved.


  • 5.  RE: Centralized Exclusions Client Installation issue

    Posted Jun 04, 2010 03:57 PM
    It is happening during the initial live update session - I am guessing the first scan is running in the background - Thanks for the quick response


  • 6.  RE: Centralized Exclusions Client Installation issue

    Posted Jun 04, 2010 04:02 PM
    I assumed it wasn't rolled into the package but wanted to be sure

    The reg wouldn't work as you said...

    The file detected is slave.exe which is a piece of the client side part of "Remote-Anything" (www.twd-industries.com) - this being a commercial remote control app it can be used "for good or evil" hence it only being an opinion that it is an FP. I will create a case as per your suggestion and see if I can get added as a potential FP. Thank you for the quick response


  • 7.  RE: Centralized Exclusions Client Installation issue

    Posted Jun 04, 2010 04:41 PM
    While I still urge you to open a case with us and submit the file to security response, you can disable the install scan following this document. This would allow the client to download the exclusions policies before running the scan.

    Title: 'How to disable the scan that runs when the Symantec Endpoint Protection client is first installed.'
    Document ID: 2008111616533448
    Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008111616533448?Open&seg=ent