Endpoint Protection


Exceptions not propagating to SEP clients


  • 1.  Exceptions not propagating to SEP clients

    Posted Sep 04, 2013 05:47 PM

    Hello, I've created 2 exceptions for 2 applications my company makes excluding the parent folders and all sub folders.  I've assigned these 2 policies to my test group.  I've updated the policy on the client forcing it to phone home to the SEPM.

     

    My exceptions still do not show up on the client though.  Is there a step I'm missing somewhere?



  • 2.  RE: Exceptions not propagating to SEP clients

    Posted Sep 04, 2013 07:46 PM

    You've verified the client has the same policy number as what's showing in the SEPM?

    Is inheritance broken on the group the client is in?

    Did you manually inspect the registry to verify the exclusions are there/not there? See here:

    How to Verify if an Endpoint Client has Automatically Excluded an Application or Directory

    Article:TECH105814  |  Created: 2008-01-05  |  Updated: 2011-03-02  |  Article URL http://www.symantec.com/docs/TECH105814

     



  • 3.  RE: Exceptions not propagating to SEP clients

    Posted Sep 05, 2013 09:49 AM

    Hi Brian, I did check the registry and the test client is not inheriting the exceptions.  When I go back into policies and select one of the policies I created and assign it, it shows the policy is not assigned to any groups. 

     

    How do you check the policy number in SEPM/client?  



  • 4.  RE: Exceptions not propagating to SEP clients

    Posted Sep 05, 2013 10:34 AM

    Go to the Clients page and select the group the client is in. Select the "Details" tab at the top

    Look at the Policy Serial Number entry and compare it to what's on the client.

    On the client go to Help >> Troubleshooting and look at the Policy Serial Number

    The problem is it sounds like the policy is not applied to the group so you will need to do this first.



  • 5.  RE: Exceptions not propagating to SEP clients

    Posted Sep 05, 2013 10:45 AM

    I just confirmed the policy number on the SEPM is the same as the one on the client.



  • 6.  RE: Exceptions not propagating to SEP clients

    Posted Sep 05, 2013 10:59 AM

    But the exceptions do not show in the registry? The policy is applied correctly to the group?

     



  • 7.  RE: Exceptions not propagating to SEP clients

    Posted Sep 05, 2013 11:01 AM

    If the policy itself is not showing as assigned to any groups or locations, then the client cannot pick it up.

    Can you try assigning the policy from the group itself?  Just go to CLIENTS -> highlight the group -> click on the Policies tab in the right-hand pane -> if there's already an exceptions policy assigned, then click the little arrows (>>) beside it, choose "Replace policy" and choose your new policy (if no exceptions policy is assigned, then just click "Add a policy" and choose the one you need).

    After the changes have been committed, you should see the policy serial number change on the top right of this view.  The policy serial number always reflects the last time any policy changes were made to a group (so if it's not recent, then it indicates no changes were made, so there'd be nothing for the client to pick up).



  • 8.  RE: Exceptions not propagating to SEP clients

    Posted Sep 05, 2013 01:01 PM

    So I have 2 policies that I created.  The first, is for the domain.  The second policy I created is to exempt the folder in Program Files for the application my company makes and all of its child folders. 

    I see the first policy when I go into Clients -> Policies.  What keeps happening is when I go back in to Policies and try to assign the application policy to my test group, I am then prompted to put a check in the box of the groups I wish to apply this policy to.  A few things happen here:

    1. Even though I have previously assigned the policy to this test group, the box is empty and I have to put a check in it.

    2. Once I put the check in the box and assign the policy to the group, it then replaces the Domain policy in the group.

    3. After doing this, I have gone back to the test SEP client and checked the registry and neither exception shows up.



  • 9.  RE: Exceptions not propagating to SEP clients

    Posted Sep 05, 2013 01:26 PM

    You can only assign one policy per group unless you can use location awareness and assign a different policy for each location.

    After making that change, did the client check in to get the updated policy?



  • 10.  RE: Exceptions not propagating to SEP clients

    Posted Sep 05, 2013 01:51 PM

    So what if you need to apply more than one exception to a single group?  Is there a way to combine policies into 1?  I need exceptions for both the domain and the company's application.



  • 11.  RE: Exceptions not propagating to SEP clients

    Posted Sep 05, 2013 01:58 PM

    Essentially, you just apply one policy with all the exceptions that you need.

    I guess I'm missing out on what you mean by "domain" and "company's application"?

    If these are two separate groups, then you will need to set it up that way in the SEPM. One group for the domain with the correct policy applied and another for the application.

    If both groups need the same policy, except the application one needs a few extra exceptions, then make a copy of the domain one, add the extra exceptions and apply it to only the application group. You will need to break inheritance on this group to apply the policy for only this group.

    Sorry, hope I'm understanding it right. Hard to do it remotely with no visibility ;)



  • 12.  RE: Exceptions not propagating to SEP clients

    Posted Sep 05, 2013 03:23 PM

    So after doing some research, I just now need to have 1 exception applied across the board.  I've gone in and made the changes and now have assigned this 1 exception to my test group.  The exception does not show up on the client when I open SEP.  I did confirm both client and SEPM have the same policy serial number.

     

    Any thoughts?



  • 13.  RE: Exceptions not propagating to SEP clients

    Posted Sep 05, 2013 03:29 PM

    If the exception is created on the SEPM, it won't show on the client. The only way to verify is via the registry. Is this where you checked?



  • 14.  RE: Exceptions not propagating to SEP clients

    Posted Sep 05, 2013 03:31 PM

    Only user-defined exceptions will show up in the GUI. Admin-defined exceptions will be in the registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\SYMANTEC\SYMANTEC ENDPOINT PROTECTION\AV\EXCLUSIONS
    Note: On 64-bit Windows machines the registry path is:

    HKEY_LOCAL_MACHINE\Software\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions 



  • 15.  RE: Exceptions not propagating to SEP clients

    Posted Sep 05, 2013 03:47 PM

    That's good to know it does not show up on the client, thanks!  I did check the registry though and it is not in there either.



  • 16.  RE: Exceptions not propagating to SEP clients

    Posted Sep 05, 2013 03:57 PM

    What's the exception you have created? Folder or file?

    Can you please post the screenshot of your exception defined in SEPM?



  • 17.  RE: Exceptions not propagating to SEP clients

    Posted Sep 05, 2013 04:39 PM

    Here's the attached PNG file with exception.

     

     



  • 18.  RE: Exceptions not propagating to SEP clients

    Posted Sep 05, 2013 04:44 PM

    And you verified this policy is applied to the group?



  • 19.  RE: Exceptions not propagating to SEP clients

    Posted Sep 05, 2013 08:46 PM

    Seems like this is the second policy apart from the default one.

    Did you right-click on this policy and select Apply? (This would give the Group tree and you can apply the policy.)

    Once applied, click on OK. Now on the right side you should see a column named "location use count". Is it 1?

     



  • 20.  RE: Exceptions not propagating to SEP clients
    Best Answer

    Posted Sep 06, 2013 03:37 AM

    I think it might help if we follow the entire thing all the way through, from policy assignment to client.  As such, please post the following:

    1. Screenshot of the Policies tab of the group containing your test client.  Please try to show the policy serial number and the assignment of the 4D exceptions policy
    2. Screenshot of the Help -> Troubleshooting panel of the test client
    3. Screenshot of the Reg key hives posted by Rafeeq.  You need to look under "Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines\Directory\Admin" for the ones applied by your policy
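
The registry check discussed in this thread can be scripted on the test client. The PowerShell below is an added example, not part of the original posts and not Symantec tooling: it uses only the key paths quoted above, assumes nothing about how values under `Admin` are named, and the function name and `-Contains` filter are hypothetical.

```powershell
# Added example. Key paths are the ones quoted in this thread; the layout
# under "Admin" is not assumed, so every subkey and value is listed as-is.
$SepExclusionRoots = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions',
    'HKLM:\SOFTWARE\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions'
)

function Get-SepAdminExclusion {   # hypothetical helper name
    param(
        [string[]]$Root = $SepExclusionRoots,
        [string]$SubPath = 'ScanningEngines\Directory\Admin',
        [string]$Contains            # optional: folder text to look for
    )
    foreach ($r in $Root) {
        $adminKey = Join-Path $r $SubPath
        if (-not (Test-Path -LiteralPath $adminKey)) { continue }   # path absent on this OS bitness
        # The Admin key itself plus every subkey beneath it
        $keys = @(Get-Item -LiteralPath $adminKey) +
                @(Get-ChildItem -LiteralPath $adminKey -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            $names = @($k.GetValueNames())
            if ($names.Count -eq 0) { $names = @('') }   # key with no values: still list it
            foreach ($name in $names) {
                $row = [pscustomobject]@{
                    Key   = $k.Name
                    Value = $name
                    Data  = [string]$k.GetValue($name)
                }
                if (-not $Contains) { $row; continue }
                # Match the text in the key path, value name or value data
                $hit = ($row.Key, $row.Value, $row.Data) | Where-Object {
                    $_.IndexOf($Contains, [StringComparison]::OrdinalIgnoreCase) -ge 0
                }
                if ($hit) { $row }
            }
        }
    }
}

$rows = @(Get-SepAdminExclusion)
if ($rows.Count) { $rows | Format-List }
else { Write-Warning 'No admin-defined exclusion entries found under either path.' }
```

Passing `-Contains` with part of the excluded folder path narrows the output to the entries for that one exception.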


  • 21.  RE: Exceptions not propagating to SEP clients

    Posted Sep 06, 2013 10:09 AM

    SMLatCST, I just noticed you have a few sub folders in the registry to look into.  I've attached 2 screen shots and I think the exception did get pushed out to the test client.  Would you mind taking a look at them and just confirm please?

     

    Thanks for all the help!



  • 22.  RE: Exceptions not propagating to SEP clients

    Posted Sep 06, 2013 10:19 AM

    Yes, that is the exclusion. It looks to be correct.



  • 23.  RE: Exceptions not propagating to SEP clients

    Posted Sep 06, 2013 10:38 AM

    Yup, those look good to me!

    Glad I could help ;)



  • 24.  RE: Exceptions not propagating to SEP clients

    Posted Sep 06, 2013 11:28 AM

    I'd like to say thanks to everyone. I wish there was a way to give credit to more than one person.  Thanks to all!



  • 25.  RE: Exceptions not propagating to SEP clients

    Posted Sep 07, 2013 09:44 AM

    Just as an FYI, you can mark posts for split solutions.



  • 26.  RE: Exceptions not propagating to SEP clients

    Posted Sep 09, 2013 01:18 PM

    Silly question, so does that give more than one person credit for assisting me?



  • 27.  RE: Exceptions not propagating to SEP clients

    Posted Sep 09, 2013 03:09 PM

    Yes.

    However, it's at your discretion as to which post or posts helped. It's just an option.