
Excluding VPN software folders from being blocked by SONAR/ flagged as security risks

Created: 20 Nov 2012 • Updated: 21 Nov 2012 | 12 comments
R03's picture

Hello - 

Under exceptions on SEPM if I add folders (and their sub folders) into the exclusions list exempting them from scans would that prevent SONAR from blocking DNS/hostname changes initiated by executables within those folders?

I need to allow our VPN clients to initiate DNS changes/changes to the hosts file so that they continue to function properly, but in spite of adding their folder paths to the exclusions list and applying the exception to the respective OU (SEPM synced with AD) I still see that SONAR continues to block certain legit executables from within the excluded folders from performing DNS/hostname changes.

I do not want to add DNS or hostname change exceptions to specific executables because the SHA-256 values differ from language to language and version to version. I prefer excluding the folders themselves.

Please bear in mind that for all other folders and files I want SONAR to behave the way it currently does, so changing the System Change Events (SONAR) under the Virus and Spyware Protection Policies to log only/ignore is not an option.

Please advise.


.Brian's picture

Check this KB article on exceptions in SEPM:

http://www.symantec.com/business/support/index?pag...

If you exclude a folder, it will be excluded from SONAR scans.

Exclude a folder from scans

Supported on Windows and Mac clients.

Excludes a folder from virus and spyware scans, SONAR, or all scans on Windows clients. You can also exclude a folder from virus and spyware scans on Mac clients.


Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

R03's picture

I get that... but does that mean that SONAR will allow DNS changes initiated by executables from within the excluded folder? I think not.

.Brian's picture

Nope, that is completely separate. So you either need to set the DNS/hostname change to allow or add via hash, neither of which you want to/can do.

R03's picture

Yes, I understand that too... as mentioned in my original post, if I have legit DNS changes being initiated by more than one executable within those folders and I have multiple versions of the VPN software running, then that would result in creating multiple SHA-256 exceptions.

Isn't there a simpler way?

.Brian's picture

If there is, I'm not aware of it. Only the two I mentioned above.


szilagyic's picture

I am having the same problem and am looking for a way to do this also because we run several VPN client versions. Looking for a way to allow all versions of our current VPN client to do host/DNS changes, and also guard us against having future versions blocked as well. So far putting in a folder exception for the VPN client folder does not work. It excludes it from SONAR scans, but does not exclude it from host/DNS changes.

Anybody know of a way to do this? So far it doesn't look like it is possible, and we don't want to disable SONAR.

.Brian's picture

Go into your AV policy and access the SONAR tab.

Under System Change Events, set:

DNS change detected to either Ignore or Log

Host file change detected to either Ignore or Log

szilagyic's picture

Isn't that essentially the same as disabling SONAR protection for DNS/host changes? We'd rather not disable this protection but rather allow an exception for all versions of our VPN client software. Thanks for the reply.

.Brian's picture

If you're on SEP 12.1 RU1 MP1 or above, then you can set an exclusion per this KB article:

Creating an DNS or Host File Change Exception in Symantec Endpoint Protection Manager 12.1 RU1 MP1 and above.

Article:TECH194108  |  Created: 2012-07-31  |  Updated: 2012-10-15  |  Article URL http://www.symantec.com/docs/TECH194108

If you're on a lower version, then you need to do what I suggested in my first post to you.

I would suggest upgrading to the latest version of 12.1, which is 12.1.2, if you can.
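For admins who end up on the per-hash exception route the thread settles on, here is an added PowerShell helper (not from the thread, Symantec, or the KB article). It walks the VPN client folders, records each executable's SHA-256, file version, language and Authenticode status, and writes a CSV to work from when creating the DNS/host-file change exceptions in SEPM; the folder paths, output file and the ExampleVPN name are assumptions.

```powershell
# Added example: inventory VPN client executables for per-hash SONAR exceptions.
# Folder paths below are placeholders; point them at your VPN client install dirs.
param(
    [string[]] $Folders = @('C:\Program Files\ExampleVPN', 'C:\Program Files (x86)\ExampleVPN'),
    [string]   $OutCsv  = "$env:TEMP\vpn-exception-candidates.csv"
)

function Get-Sha256Hex {
    param([string] $Path)
    # Uses .NET directly so it also works on PowerShell 2.0 (no Get-FileHash needed).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try     { $bytes = $sha.ComputeHash($fs) }
    finally { $fs.Close(); $sha.Clear() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

$rows = foreach ($folder in $Folders) {
    if (-not (Test-Path $folder)) { Write-Warning "Folder not found: $folder"; continue }
    # SEPM's DNS/host-file change exception is keyed on the executable's hash,
    # so every version and language build needs its own row.
    Get-ChildItem -Path $folder -Recurse -Include *.exe -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            New-Object PSObject -Property @{
                Path        = $_.FullName
                FileVersion = $_.VersionInfo.FileVersion
                Language    = $_.VersionInfo.Language
                SHA256      = Get-Sha256Hex $_.FullName
                Signature   = $sig.Status      # Valid / NotSigned / HashMismatch ...
                Signer      = $signer
            }
        }
}

$rows | Sort-Object Path | Export-Csv -Path $OutCsv -NoTypeInformation

# Only binaries with a valid vendor signature are worth whitelisting; anything
# else in the folder should be looked at before an exception is created for it.
$rows | Where-Object { $_.Signature -ne 'Valid' } |
    ForEach-Object { Write-Warning "Review before excluding: $($_.Path) [$($_.Signature)]" }
Write-Host "Wrote $(@($rows).Count) entries to $OutCsv"
```

Re-run it after each VPN client upgrade and diff the CSV against the previous one to see which hashes need new exceptions.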

szilagyic's picture

We are on version 12.1 RU1 MP1. We've done what the article states, but that uses the hash. Our goal was to add an exception that does not include a hash (or see if it's possible) so that we can guard against installing future versions. Thanks for your reply.

.Brian's picture

Unfortunately, it is not currently possible.