Endpoint Protection

  • 1.  Exception best practice

    Posted Mar 27, 2013 11:31 AM

    ehlo,

    I am trying to determine what problems may occur by stacking my 1 centralized exceptions policy with a ton of exceptions.

    I have a scenario of having to put a lot of exceptions in, and 90% of the exceptions will not apply to all hosts.

    Specifically, is there a performance hit by putting a lot of items in the exceptions list? I would imagine this would be less of a performance problem than actually having to scan the file(s).

    Since I have no clear picture of how Symantec loads the exception list each time a scan is performed, I am assuming it loads the exception list in memory and then checks that list against all files on the system about to be scanned, then skips those items. (As opposed to checking each individual file against the list DURING the actual scan.)

    Anyone got any insight on this?

    Thanks 



  • 2.  RE: Exception best practice
    Best Answer

    Posted Mar 27, 2013 11:44 AM

    The exclusions are kept in the registry and checked whenever a scan occurs. Depending on which scan you selected the exclusion for (i.e. scheduled), it would be checked during the scan and excluded.

    I don't believe there are any best practices per se, but say you want to exclude a directory C:\test on only one machine for all scans, and you create the policy and assign it to all groups. Well, not only will C:\test be excluded on that machine but on all machines. Probably 99% of the time it won't matter, but just say a machine gets infected and it creates a directory called C:\test where it runs from. Well, that would now be excluded and the malware allowed to run.

    Your best bet would be to group machines by function or similarities (i.e. servers, laptops, desktops, SMTP servers, file servers, etc.) and assign different policies for each, giving you more fine-grained control.
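The risk described in the answer above (one central exclusion policy assigned to every group, so a path needed on one host is excluded everywhere) is easy to audit if you have a host inventory. The script below is an added example, not code from the original thread or from Symantec: it takes a constructed inventory of hosts, their group and the directories actually present on them, plus a constructed exclusion policy mapping each excluded path to the groups it is assigned to, and reports for each exclusion which hosts are in scope without needing it and the narrower set of groups that would cover the hosts that do. All host names, group names and paths are made up for the example.

```python
"""Audit how broadly scan exclusions apply compared with where they are needed."""
from typing import Dict, Set, Tuple

# Constructed inventory: host -> (group it belongs to, directories present on it).
HOSTS: Dict[str, Tuple[str, Set[str]]] = {
    "FS01": ("file-servers", {r"C:\Shares", r"C:\Windows"}),
    "FS02": ("file-servers", {r"C:\Shares", r"C:\Windows"}),
    "MX01": ("smtp-servers", {r"C:\MailQueue", r"C:\Windows"}),
    "WS01": ("desktops", {r"C:\Windows"}),
    "WS02": ("desktops", {r"C:\Windows"}),
    "LT01": ("laptops", {r"C:\Windows", r"C:\test"}),
}

# Constructed central exclusion policy: excluded path -> groups the policy is assigned to.
# Two of the three entries are assigned to every group although only one host needs them.
EXCLUSIONS: Dict[str, Set[str]] = {
    r"C:\Shares": {"file-servers"},
    r"C:\MailQueue": {"file-servers", "smtp-servers", "desktops", "laptops"},
    r"C:\test": {"file-servers", "smtp-servers", "desktops", "laptops"},
}


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison: case-insensitive, no trailing backslash."""
    return path.rstrip("\\").lower()


def audit_exclusions(exclusions: Dict[str, Set[str]],
                     hosts: Dict[str, Tuple[str, Set[str]]]) -> Dict[str, dict]:
    """For each excluded path, work out which in-scope hosts actually have it.

    Returns a dict keyed by path with:
      in_scope        hosts whose group the exclusion is assigned to
      needed          in-scope hosts on which the path exists
      unneeded        in-scope hosts that get the exclusion without having the path
      suggested_groups the smallest set of groups that still covers every needed host
      over_broad      True when at least one host is excluded without needing it
    """
    report = {}
    for path, groups in exclusions.items():
        target = _norm(path)
        in_scope = {h for h, (group, _) in hosts.items() if group in groups}
        needed = {h for h in in_scope
                  if any(_norm(d) == target for d in hosts[h][1])}
        unneeded = in_scope - needed
        report[path] = {
            "in_scope": in_scope,
            "needed": needed,
            "unneeded": unneeded,
            "suggested_groups": {hosts[h][0] for h in needed},
            "over_broad": bool(unneeded),
        }
    return report


def over_broad_paths(report: Dict[str, dict]) -> Set[str]:
    """Paths whose exclusion reaches hosts that do not have the directory."""
    return {path for path, r in report.items() if r["over_broad"]}


if __name__ == "__main__":
    result = audit_exclusions(EXCLUSIONS, HOSTS)
    for path, r in sorted(result.items()):
        flag = "OVER-BROAD" if r["over_broad"] else "ok"
        print(f"{path:14} {flag:10} in scope={len(r['in_scope'])} "
              f"needed={sorted(r['needed'])} unneeded={sorted(r['unneeded'])} "
              f"narrow to groups={sorted(r['suggested_groups'])}")
```

The "unneeded" column is the set of machines on which a directory such as C:\test would be silently trusted if something created it there; "suggested_groups" is the per-function grouping the answer recommends, derived from where the path actually exists. In practice the inventory would come from your management console export or a directory listing collected from the hosts rather than a literal dict.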