Video Screencast Help

Exclude SEP from deploying on specific machines

Created: 05 Feb 2013 • Updated: 17 Feb 2013 | 17 comments
This issue has been solved. See solution.

Hi All,

Is there a way on SEPM to create exclusions for client deployment. We have servers that we do not want SEP to be deployed on. On SEPM is there a way that I can create exclusions for sep to be not deployed/installed on those specific machines?

We using SEP 12.1.1101.401

Thank you

Comments 17 CommentsJump to latest comment

Ashish-Sharma's picture


You can move specify computer another group which are you don't want to install sep client

Thanks In Advance

Ashish Sharma

Ashish-Sharma's picture


In your sepm you can create new group and move that system particular group.

Thanks In Advance

Ashish Sharma

Rafeeq's picture

SEPM will not automatically install SEP on all the discovered agents in your environment. Not like SCCM.

You create a package and install SEP on only those why like to get installed.

clients will report to SEPM only if they have SEP installed.

To know how many of them dont have SEP installed, you create a Unmanaged detector.

Mithun Sanghavi's picture


In your case if you are manually deploying the packages via Client Deployment wizard to the client / server machine, you would have a choice on which to deploy and on which machine not to deploy.

Secondly, incase, if you are using the Autoupgrade feature, you still get to choose which groups you would like to deploy the packages to.

In case if the Servers are in a certain group along with client, you may move them to a seperate group of servers and then go ahead with Autoupgrade for all other groups where servers do not reside.

Once all the clients have been migrated, you could remove the autoupgrade packages from the groups and then move the servers back to their original groups.

Hope that helps!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Eyal's picture

Hi Rafeeq,

I'll start by explaining everythig.

I have an exchange server, and when sep is running on this exchange server Webmail does not work so we uninstalled it.

We are using SCCM to deploy SEP on our environment. We excluded this exchange server from our deployment collection on SCCM,but for some strange reason sep got installed on the exchange server.

Now in trying to figure out,how it got installed and if it's possible to make exclusions for the exchange server.

or are there any exclusions that I can create on the SEPM console to make Webmail work?

Thank you

JS@support's picture


When you use Symantec CDW method you manually select the machines on which you wish to deploy SEP.

There must be some configuration issue with SCCM. SEPM will never push SEP client package automatically.It can only happen in Small Business Edition.

SEP client is smart enought to create exclusion if it's installed on servers like Exchange server, Active Directory server. No manual exclusions are required. 

However if you still feel there is some problem when SEP is doing scan OR SEP is blocking any legitamate file then go ahead and create exception.

sandra.g's picture

SEP client is smart enought to create exclusion if it's installed on servers like Exchange server, Active Directory server. No manual exclusions are required.

I believe the caveat to the "no manual exclusions are required" is: if you have installed Exchange components to non-default locations, you may need to exclude those items manually. I'd read through the following for detailed information: About the automatic exclusion of files and folders for Microsoft Exchange server and Symantec products


Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

Rafeeq's picture

When you install SEP it will automatically create exclusions for Exchange.

About the automatic exclusion of files and folders for Microsoft Exchange server and Symantec products

on your exchange server make sure you have only Antivirus and Antispyware installed. NTP seems to cause some issue if no proper firewall settings are configured.

GeoGeo's picture

SEP 12 onwards Symantec now recommend putting all elements on a server. Reason SEP 11 was only antivirus and antispyware was cause the other components were so labour intensive on the server.

Last support call I had with symantec they advised this.

Please review ideas and vote there could be something useful :)

SebastianZ's picture

Well for 12.1 as well some of the things to keep an eye for apply:

If you check as well the default package types found on SEPM - it still include for example "Basic Protection for Servers".

zafar1907's picture


Agreed with rafeeq,in best practice we install antivirus and antispyware component only.
How many cleints and server you have?
Is your sepm integrate with AD?


Thanks and Regards,

Mohammad zafar

Please Mark as solution if this comment solved your Issue....

Eyal's picture

Hi Zafar,

I have more that 12 thousand clients and more than 200 servers and yes SEPM is intergrated with AD.

Thank you

SebastianZ's picture

Regarding the appropriate exclusions as per Microsoft:

SEP will add several exclusions automatically :

AjinBabu's picture

Hi Eyal,

As a best practice keep only Virus and spyware protection on the High traffic serves
If Microsoft Exchange servers are installed on a computer with Symantec Endpoint Protection client, the client software automatically detects the presence of Exchange. When the client software detects a Microsoft Exchange server, it creates the appropriate file and folder exclusions for File System Auto-Protect and all other scans. Microsoft Exchange servers can include clustered servers. The client software checks for changes in the location of the appropriate Exchange files and folders at regular intervals. If Exchange is installed on a computer where the client software is already installed, the exclusions are created when the client checks for changes. The client excludes both files and folders; if a single file is moved from an excluded folder, the file remains excluded

Please go through the below tech articles for more details.


Eyal's picture

Thank you so much everyone for all your responses. I will install the antivirus and antispyware component only and see how that goes.

Im keeping this forum open for now as I'm still troubleshooting the issue. More suggestions and advices are still welcomed.

Sumit G's picture


Agree with above comments. You can install the AV & AVS component on that systems and also add the important folder in excluding from scanning so that it will help to sort the issue of WebMail.


Sumit G.