Endpoint Protection

  • 1.  Exclude Volume Mount Points from Scanning - Exchange 2013

    Posted Sep 16, 2015 09:03 AM

    Hello Everyone,

    I have been looking around for answers but haven't been able to find a solution or workaround to my issue. Maybe someone can shed some light if they've encountered something like this before.

    I have 4 Exchange 2013 servers running on Windows 2012 R2. We are using SEP 12.1 RU5. I have roughly 24 volume points on each server containing the Exchange databases. These volumes are pointing to a path under C:\MountedVolumes. These mount points have no drive letters attached to them. I have set an exclusion under SEP to exclude the folder C:\MountedVolumes from being scanned, however I am finding that SEP continues to scan the databases inside these mount points. I have also set an exclusion on SEP to ignore the Exchange databases - but I'm having no luck.

    I saw this thread https://www-secure.symantec.com/connect/forums/how-exclude-mount-points-scanning but it hasn't helped.

    Anyone know if this feature is supported? If yes, how can I get it working?

    Many Thanks!!



  • 2.  RE: Exclude Volume Mount Points from Scanning - Exchange 2013

    Posted Sep 16, 2015 09:07 AM

    The problem is wildcards are not supported within the Exception policy and any folder exception needs to start with C:\, D:\, etc.

    If they have a drive letter, I don't see why they wouldn't be excluded..

    Have you verified the exclusion within the registry?



  • 3.  RE: Exclude Volume Mount Points from Scanning - Exchange 2013

    Posted Sep 16, 2015 10:17 AM

    Can you let us know what kind of exception you have set?



  • 4.  RE: Exclude Volume Mount Points from Scanning - Exchange 2013

    Trusted Advisor
    Posted Sep 16, 2015 10:51 AM

    Have you tried adding multiple exceptions for the different drive locations? 

    C:\MountedVolumes

    D:\MountedVolumes

    E:\MountedVolumes

    etc

    How many different drives do you expect this to be on? Just put it in the policy on separate lines, as wildcards won't work on drives.



  • 5.  RE: Exclude Volume Mount Points from Scanning - Exchange 2013

    Posted Sep 18, 2015 02:10 PM

    Thanks for the response. So I have checked the registry under HKLM\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines and both the extensions and directory exclusions are showing up in the registry.

    So on the Exchange 2013 server I have a folder called C:\ExchangeDatabases

    ScreenShot1.PNG

     

    Inside that folder I have all my mount points:

    ScreenShot2.PNG

    Inside my Mount Points I have all my databases and log files which I would like to exclude:

    ScreenShot3.PNG

     

    And on the SEP console I have a centralized exception policy for the C:\ExchangeDatabases folder:

    ScreenShot4.PNG

    Guess I'm trying to see if there's a way to exclude via the mount point GUID i.e. \\?\VolumeID or device name i.e. *\Device\HarddiskVolume4 since I'm kinda stumped.
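
The registry check discussed in posts 2 and 5 can be scripted so that each folder-mounted volume is compared against what the client actually received. This is an added example, not code from the thread or from Symantec; `$Root` and `$ExclusionKey` default to the folder and key quoted in post 5, and because the thread does not describe the layout under that key, the script only searches its values as text (an assumption).

```powershell
# Added example, not from the thread or from Symantec.
# $Root and $ExclusionKey default to the folder and registry key quoted in post 5.
param(
    [string]$Root = 'C:\ExchangeDatabases',
    [string]$ExclusionKey = 'HKLM:\Software\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\ScanningEngines'
)

# Collect every value name and value data under the key as plain text.
# Assumption: the layout below this key is not described in the thread, so
# nothing is parsed; the values are only searched for path strings.
$keys = @(Get-Item -LiteralPath $ExclusionKey -ErrorAction Stop) +
        @(Get-ChildItem -LiteralPath $ExclusionKey -Recurse -ErrorAction SilentlyContinue)
$entries = foreach ($key in $keys) {
    foreach ($name in $key.GetValueNames()) {
        '{0}={1}' -f $name, (@($key.GetValue($name)) -join ' ')
    }
}

function Test-Listed([string]$Path) {
    # True when any collected registry value contains $Path (case-insensitive).
    foreach ($text in $entries) {
        if ($text.IndexOf($Path, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

# A volume mounted on a folder has no drive letter: Name is the mount path and
# DeviceID is its \\?\Volume{GUID}\ name.
$rootPath = $Root.TrimEnd('\')
Get-CimInstance -ClassName Win32_Volume |
    Where-Object {
        -not $_.DriveLetter -and
        $_.Name.StartsWith("$rootPath\", [StringComparison]::OrdinalIgnoreCase)
    } |
    ForEach-Object {
        $mount = $_.Name.TrimEnd('\')
        [pscustomobject]@{
            MountPath    = $mount                  # folder the volume is mounted on
            VolumeId     = $_.DeviceID             # volume GUID path
            ParentListed = (Test-Listed $rootPath) # parent folder found in the key
            MountListed  = (Test-Listed $mount)    # this mount path found in the key
        }
    } | Format-Table -AutoSize
```

A `True` in either column shows only that the exception policy reached the client registry; it does not show whether the scanner applies that exclusion to files on the mounted volume.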



  • 6.  RE: Exclude Volume Mount Points from Scanning - Exchange 2013

    Trusted Advisor
    Posted Sep 21, 2015 03:45 AM

    Unfortunately, no way to use a wildcard for the volume ID atm in exceptions. Has to be a specific file or location to put them in exceptions policy. Multiple requests have been made to Symantec to include a wildcard feature in exceptions but nothing yet :(



  • 7.  RE: Exclude Volume Mount Points from Scanning - Exchange 2013

    Posted Sep 23, 2015 09:03 AM

    Thanks for the info. If that's the case, I hope Symantec updates their software and includes that feature into their product.



  • 8.  RE: Exclude Volume Mount Points from Scanning - Exchange 2013

    Posted Sep 23, 2015 09:25 AM

    Wildcard exception has been a long-pending request; let's hope Symantec brings this feature in the near future.



  • 9.  RE: Exclude Volume Mount Points from Scanning - Exchange 2013

    Posted Sep 23, 2015 10:34 AM

    Yeah. You can post that as an Idea. I hope there should be one, just vote up for it.