Endpoint Protection

  • 1.  How to create a centralized exception to registry scans?

    Posted May 10, 2012 10:03 AM

    Hello,

     

    I would like to know how to create a centralized exception capable of skipping registry scans on a specific server, or to avoid scanning some registry keys.

    We have a critical service that keeps stopping when it detects that another process is using it [SEP].

     

    Thanks.



  • 2.  RE: How to create a centralized exception to registry scans?

    Broadcom Employee
    Posted May 10, 2012 10:59 AM

    What's the registry path you want to exclude?

    you can exclude those from scan?

    check this article for central exception

    Creating Centralized Exception Policies in SEPM
    http://www.symantec.com/business/support/index?page=content&id=TECH104326 
     



  • 3.  RE: How to create a centralized exception to registry scans?

    Posted May 10, 2012 11:27 AM

    you can exclude those from scan?

    That's what I'm asking for: how to exclude a specific registry key [you can call it "reg key"] from being scanned?

    As I said, we have a critical machine that must not be stopped by any means, and it is [specific service] every time the SEP scheduled scan is running [full scan]. This specific service is stopping because this reg key is detected as being used by another process.



  • 4.  RE: How to create a centralized exception to registry scans?

    Trusted Advisor
    Posted May 10, 2012 01:13 PM

    Hello,

    What version of SEP are you running?

    In Symantec Endpoint Protection, you could not exclude a registry key from being scanned.

    There are nine options which could be used for exceptions; these are:

    Application, Application to Monitor, Application Control, Extensions, File, Folder, Known Risks, Trusted Web Domain, Tamper Protection Exception.

    Creating exceptions for Symantec Endpoint Protection

    http://www.symantec.com/docs/HOWTO55204

    Could you please explain this issue to us in detail?

    Could you please attach a screenshot of the error message, which would explain more to us?

    Hope that helps!!



  • 5.  RE: How to create a centralized exception to registry scans?

    Broadcom Employee
    Posted May 10, 2012 01:53 PM

    you can exclude the folder of the service that is getting stopped.



  • 6.  RE: How to create a centralized exception to registry scans?

    Posted May 11, 2012 07:15 AM

     

    In fact, what we have is a Windows Server Cluster running this specific web application, constantly reading/writing in Oracle databases. When SEP is running, 
     
     
    CLUSTER LOGS:
     
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.  
     
    DETAIL -  2 user registry handles leaked from \Registry\User\S-1-5-21-2667608430-3576672997-1743003026-1496:
    Process 1304 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-2667608430-3576672997-1743003026-1496\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
    Process 864 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2667608430-3576672997-1743003026-1496\Printers\DevModePerUser
     
    DATABASE LOGS:
     
    [ default][10732]ut_read_reg:2:ocr registry key SOFTWARE\Oracle\olr cannot be opened. error 2
    [    CLSE][10732]clse_get_crs_home: Error retrieving OLR configuration [0] [Error opening olr registry key. The system cannot find the file specified.]
     
    Well, I think the problem is clear: Oracle is reading from the registry, which is also being read by SEP, which causes the service to stop. What could be the best solution? Decrease scan type to a "fast" scan? Will adding Oracle to exceptions be enough? Preventing SEP from scanning the registry? Another solution?
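
As an aid to reading the leaked-handle detail in the cluster log posted above, here is an added example (not part of the original thread and not Symantec code) that parses the event text and lists, per process image, which subkeys of the user hive were still open. The function names are assumptions of this example; the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Lines copied from the cluster log quoted in the post above.
SAMPLE_LOG = r"""
DETAIL -  2 user registry handles leaked from \Registry\User\S-1-5-21-2667608430-3576672997-1743003026-1496:
Process 1304 (\Device\HarddiskVolume2\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe) has opened key \REGISTRY\USER\S-1-5-21-2667608430-3576672997-1743003026-1496\Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks
Process 864 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-2667608430-3576672997-1743003026-1496\Printers\DevModePerUser
"""

# "N user registry handles leaked from \Registry\User\<SID>:"
HEADER = re.compile(
    r"(\d+) user registry handles leaked from \\Registry\\User\\(S-[\d-]+):", re.I)
# The image path may itself contain parentheses ("Program Files (x86)"),
# so the greedy group is anchored on the fixed text that follows it.
HANDLE = re.compile(r"Process (\d+) \((.+)\) has opened key (\S.*)$")


def parse_leaked_handles(text):
    """Return (hive SID, declared handle count, list of handle records)."""
    sid, declared, handles = None, 0, []
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.search(line):
            declared, sid = int(m.group(1)), m.group(2)
        elif m := HANDLE.match(line):
            pid, image_path, key = m.groups()
            # Strip the hive prefix so only the subkey inside the profile is left.
            prefix = f"\\REGISTRY\\USER\\{sid}\\" if sid else ""
            if prefix and key.upper().startswith(prefix.upper()):
                key = key[len(prefix):]
            handles.append({"pid": int(pid), "path": image_path,
                            "image": image_path.rsplit("\\", 1)[-1],
                            "subkey": key})
    return sid, declared, handles


def keys_by_image(handles):
    """Group open subkeys by the executable name that holds them."""
    grouped = defaultdict(list)
    for h in handles:
        grouped[h["image"]].append(h["subkey"])
    return dict(grouped)


if __name__ == "__main__":
    sid, declared, handles = parse_leaked_handles(SAMPLE_LOG)
    print(f"hive {sid}: {declared} declared, {len(handles)} parsed")
    for image, keys in keys_by_image(handles).items():
        print(f"  {image}: {keys}")
```

On the posted lines it reports Rtvscan.exe holding `Software\Symantec\Symantec Endpoint Protection\AV\Custom Tasks` and svchost.exe holding `Printers\DevModePerUser`, both inside the same user profile hive.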


  • 7.  RE: How to create a centralized exception to registry scans?

    Broadcom Employee
    Posted May 11, 2012 07:19 AM

    Exclude the Oracle folder; check this link:

    What scan exclusions could be applied to an Oracle database server running Symantec Antivirus or Symantec Endpoint Protection
    http://www.symantec.com/docs/TECH134383