How to create a centralized exception to registry scans?

Created: 10 May 2012 • Updated: 10 May 2012 | 6 comments


I would like to know how to create a centralized exception capable of skipping registry scans on a specific server, or to avoid scanning some registry keys.

We have a critical service that keeps stopping when it detects that another process is using it [SEP].


Comments

pete_4u2002's picture

What's the registry path you want to exclude?

You can exclude those from scan?

Check this article for central exception:

Creating Centralized Exception Policies in SEPM 

Carlos Vieira's picture

you can exclude those from scan?

That's what I'm asking for: how to exclude a specific registry key [you can call it "reg key"] from being scanned?

As I said, we have a critical machine that must not be stopped by any means, and it is [specific service] every time the SEP scheduled scan is running [full scan]. This specific service is stopping because this reg key is detected as being used by another process.

Mithun Sanghavi's picture


What version of SEP are you running?

In Symantec Endpoint Protection, you could not exclude a registry key from being scanned.

There are nine options which could be used for exceptions; these are:

Application, Application to Monitor, Application Control, Extensions, File, Folder, Known Risks, Trusted Web Domain, Tamper Protection Exception.

Creating exceptions for Symantec Endpoint Protection

Could you please explain this issue to us in detail?

Could you please attach a screenshot of the error message, which would explain more to us?

Hope that helps!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

pete_4u2002's picture

You can exclude the folder of the service that is getting stopped.

Carlos Vieira's picture

In fact, what we have is a Windows Server Cluster running this specific web application constantly reading/writing in Oracle databases. When SEP is running, 

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.  
DETAIL -  2 user registry handles leaked from \Registry\User\S-1-5-21-2667608430-3576672997-1743003026-1496:
Process 1304 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-2667608430-3576672997-1743003026-1496\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
Process 864 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2667608430-3576672997-1743003026-1496\Printers\DevModePerUser
[ default][10732]ut_read_reg:2:ocr registry key SOFTWARE\Oracle\olr cannot be opened. error 2
[    CLSE][10732]clse_get_crs_home: Error retrieving OLR configuration [0] [Error opening olr registry key. The system cannot find the file specified.]

Well, I think the problem is clear: Oracle is reading from the registry, which is also being read by SEP, which causes the service to stop. What could be the best solution? Decrease the scan type to a "fast" scan? Will adding Oracle to exceptions be enough? Preventing SEP from scanning the registry? Another solution?

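The Windows warning quoted in the comment above names each process that still held a handle to the user hive, so it can be parsed to list the holders and the keys they had open. This is an added example, not part of the original thread; the function name `parse_leak` is hypothetical, and the sample text is constructed in the format of the quoted warning with a placeholder SID.

```python
import re

# Constructed sample in the format of the quoted warning; the SID is a placeholder.
SAMPLE = r"""DETAIL -  2 user registry handles leaked from \Registry\User\S-1-5-21-0-0-0-1001:
Process 1304 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-0-0-0-1001\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
Process 864 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-0-0-0-1001\Printers\DevModePerUser
"""

HEADER = re.compile(
    r"(\d+) user registry handles? leaked from (\\Registry\\User\\(S-[\d-]+))", re.I)
# Greedy match on the image path so "(x86)" inside it does not end the group early.
HANDLE = re.compile(r"^Process (\d+) \((.+)\) has opened key (.+)$", re.M)


def parse_leak(text):
    """Return the hive SID, the declared handle count and one record per holder."""
    head = HEADER.search(text)
    if head is None:
        raise ValueError("no 'user registry handles leaked' header found")
    declared, hive, sid = int(head.group(1)), head.group(2), head.group(3)
    handles = []
    for pid, image, key in HANDLE.findall(text):
        key = key.strip()
        # The header and the key lines differ in case, so compare case-insensitively.
        inside = key.lower().startswith(hive.lower() + "\\")
        handles.append({
            "pid": int(pid),
            "image": image.rsplit("\\", 1)[-1],
            "subkey": key[len(hive) + 1:] if inside else key,
            "in_unloaded_hive": inside,
        })
    # A mismatch means the message was truncated or pasted incompletely.
    return {"sid": sid, "declared": declared, "handles": handles,
            "complete": declared == len(handles)}


if __name__ == "__main__":
    report = parse_leak(SAMPLE)
    print(f"hive {report['sid']}: {report['declared']} handles declared, "
          f"complete={report['complete']}")
    for h in report["handles"]:
        print(f"  pid {h['pid']:>5}  {h['image']:<14} {h['subkey']}")
```
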
pete_4u2002's picture

Exclude the Oracle folder; check this link:

What scan exclusions could be applied to an Oracle database server running Symantec Antivirus or Symantec Endpoint Protection