
Creating a centralised exception for a folder in user profile

Created: 02 Mar 2010 • Updated: 21 May 2010 | 9 comments
rgs
This issue has been solved. See solution.

We have an in-house piece of software which launches a web browser as part of its function.
Symantec is flagging it as a trojan and preventing it from launching the browser.
The executable is located in the user profile. I can successfully create an exception for the folder where it is located, but I'll have to create an exception for every user. 
Is there a way to use a system variable in the folder path, so that I only need one exception? I tried %USERNAME% in the path but it didn't work.


Grant_Hall

 Here is the list of wildcards that centralized exception allows. Hopefully it will help. 

What variables and wildcards does Endpoint Protection allow in Centralized Exception Policies

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/384d78d53c33691b882574d400531250?OpenDocument

Thanks,
Grant

Please don't forget to mark your thread solved with whatever answer helped you : )

SOLUTION
Grant_Hall

No, it doesn't look like you are going to be able to map directly to the user's directory. However, you might be able to get around this by installing your program in a location such as C:\Windows\System32 or another folder which can be mapped to. I don't know how extensive your program is or how many users you have, but this might still be a quicker, cleaner solution.

Sorry,
Grant


Rafeeq

It's possible; the only thing is you have to write it for multiple users, that's it. If you have 4 to five users logging in, you can create them:
c:\documents and settings\users1 and so on

Other than that, if the program is genuine, submit it as a false positive:
https://submit.symantec.com/false_positive/index.html
Symantec will analyze it; if it's no harm, then it will be excluded in the next virus defs.


rgs

Grant, the application is a .Net one with third party modules that install stuff all over the system, so we don't have much choice in the matter. Just one of the many reasons I dislike .Net...

Rafeeq, I think you're right, I will have to add an exception for every user. I believe it's being flagged for its behaviour in starting another application, rather than code inside the executable, so I doubt if they could create a def for it.
It seems a bit cheeky to ask them anyway, as it's only installed on our in-house PCs here :-)

Grant_Hall

You're right, it is probably most likely the heuristic detection that is picking up your application and flagging it, but I still think that your quickest solution will be to submit it for testing. While it is true that it is probably getting flagged for its call to other processes, it can still be made into a definition that will allow calls from your process to other processes. Don't worry about it being simply an in-house application. In fact, I would say that a good portion of the programs that are submitted are these sorts of in-house processes like yours. The vast majority of commercial software will not mistakenly be picked up. Still, if you don't want to submit it, you can add it as an exception as Rafeeq is suggesting, and it will work too.

Hope this helps,
Grant


Rafeeq

Try creating exceptions for all the paths it's detecting too. If it works for one user, just copy the same for the other user profiles.
If you are okay with it, you can create an exception for My documents and settings, as all profiles reside in there.

rgs

Grant, I spoke to the developer and the app will probably continue to be modified over time, so it's probably easier to create the exceptions once than to keep bugging your guys for new defs.

Rafeeq, I thought about doing that, but an exception that big would be very risky as it would mean that nothing in the profiles would be protected.
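
The per-user approach settled on above can be scripted rather than typed by hand. The following PowerShell is an added example, not part of the original thread or any Symantec tooling: it reads the Windows profile list on a machine and prints one narrow folder path per user, for entry into the exception policy. The folder name `Application Data\InHouseApp` is a hypothetical placeholder for the application's real location.

```powershell
# Added example (not from the thread). $RelativeAppFolder is a hypothetical
# placeholder for the in-house application's folder beneath each profile.
param(
    [string]$RelativeAppFolder = 'Application Data\InHouseApp'
)

# An empty or wildcarded suffix would widen the exclusion to whole profiles,
# which is the over-broad case the thread warns about.
if ($RelativeAppFolder -notmatch '\S' -or $RelativeAppFolder -match '[*?]|\.\.') {
    throw "Refusing to build exceptions from '$RelativeAppFolder'"
}

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# S-1-5-21-* SIDs are local and domain user accounts; filtering on them skips
# the SYSTEM, LocalService and NetworkService profiles.
$paths = @(
    Get-ChildItem -Path $profileList |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
        ForEach-Object {
            $raw = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
            if ($raw) {
                $profileDir = [Environment]::ExpandEnvironmentVariables($raw)
                $candidate  = Join-Path -Path $profileDir -ChildPath $RelativeAppFolder
                # Only list folders that actually exist, so no exception is
                # created for a location the application never installed to.
                if (Test-Path -LiteralPath $candidate -PathType Container) {
                    $candidate
                }
            }
        } |
        Sort-Object -Unique
)

"{0} exception path(s) to enter in the policy:" -f $paths.Count
$paths
```

Each printed path covers only the application's own folder, so the rest of every profile stays scanned.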

Lisatech

Perhaps I am not reading the KB accurately, but my understanding is that you can wildcard a folder path but not a file. So why can't you put in a path that is specific up to the user name, then wildcard the username, then include the rest of the software folder path:

C:\Documents and Settings\*\Application Data\"Rest of the fldr path"

One post I read indicated that with the exclusions, the files are 'scanned' but no action is taken... Can anyone verify this?

I have a number of servers with the same application (Dev, Test and Prod environments), but the application is installed in 2 different paths, so I have set up exclusions that wildcard up to the specific folder:

*AppSuffix\Fdlrname

I expect this to work so that wherever EndPoint encounters that pattern match it will exclude it and the subfolders underneath.... Comments anyone? I am really hoping that I don't have to manually put in each specific path...

As well, a suggestion I would have is the ability to create a text file for importing into the Exclusion policy - I dislike having to cut and paste the folder paths in when the app above has 14 folders that needed to be excluded....