Endpoint Protection

 View Only

  • 1.  How to setup SEP to not scan a folder unless it is a manual scan: Centralized Exception, Manual scan issue.

    Posted May 11, 2009 01:21 PM
    Using the Centralized scan exceptions either on the client or from a managed policy prevents even a manual scan of that folder from happening. I need to be able to have a folder excluded from all other scans except manual ones that I have configured on the client.

    IE: A server with C: and D: drives
    Normal scheduled scans can run on all of the C: Drive and on all of the D: drive except D:\queue\
    I create a local centralized exception for the D:\queue\ folder.
    I then create a custom scan that is on demand for the D:\queue\ folder.
    When I run the custom scan there are zero files scanned acording to the scan logs even though the folder contains 100 files.
    If I remove the local centralized exception and re run the custom scan the log shows that 100 files are scanned.

    If I then create a centralized exception in a policy on the management server for the D:\queue\ folder and then run the manual scan the log shows that zero files are scanned.
    Remove the policy from the server and update the policy on the client machine and the logs show that it scans 100 files.


    The old version of SAV was able to exclude that folder and then still scan it with a manual scan, how do I setup SEP to do the same?

    Thanks all!




  • 2.  RE: How to setup SEP to not scan a folder unless it is a manual scan: Centralized Exception, Manual scan issue.
    Best Answer

    Posted May 11, 2009 08:09 PM
    Either I can't do it or I'm not an administrator. Are you doing this editing all on the Management Console?
    Instead of making an excemption rule, try making a set of rules on what to scan. One includes the queue folder and one that doesn't.


  • 3.  RE: How to setup SEP to not scan a folder unless it is a manual scan: Centralized Exception, Manual scan issue.

    Posted May 12, 2009 12:31 AM
    It look like the exception is overriding the your custom scan, am I correct? I have tested this before but can you do the exception(test) on C: drive?


  • 4.  RE: How to setup SEP to not scan a folder unless it is a manual scan: Centralized Exception, Manual scan issue.

    Posted May 12, 2009 07:21 AM
    Mon, I have setup the exception both locally on the machine as well as from the management console with the same results. I am local admin and domain admin.  I had not thought about replacing the default scan with one I setup to just regularly scan all but that folder. I think that will work well, but it seems a hassel compared to have the old SAV worked. Again, thank you for the thought, sometimes a fresh pair of eyes comes up with the easiest solution.

    Paul, you are correct the exception always overrides no matter what drive or folder I set it to. I tested on several folders on the D: drive as well as several on the C: drive both from the local exceptions policy on the client as well as from the management console with the same result.

    Thanks everyone.


  • 5.  RE: How to setup SEP to not scan a folder unless it is a manual scan: Centralized Exception, Manual scan issue.

    Posted May 12, 2009 07:36 PM
    You're welcome Noah. :)

    If I'm placing myself to Symantecs shoes, Centralized exemptions is probably designed to exclude certain files and folders which would make a software not work or make SEP not work if it is being monitored constantly. And this is also applicable to servers where there is a high rate of read/write access.


  • 6.  RE: How to setup SEP to not scan a folder unless it is a manual scan: Centralized Exception, Manual scan issue.

    Posted May 13, 2009 08:32 AM
    Mon, that makes sense. An exemption is an exemption.

    I have found though that this is actually not going to properly work for me after all in my case.
    The issue shows up because once I remove the exception the autoprotect mode will still scan files in those folders.
    Those folders are queue for incoming mail that have been classified as unknown. If Auto protect deletes or moves the infected files I have no way to do any proper forensics on the files nor does my mail app know that they are moved and that causes all kinds of difficulties.

    I believe at this point my only option is going to be to reinstall SAV and remove SEP.

    Again, thank you for your help.

    Noah


  • 7.  RE: How to setup SEP to not scan a folder unless it is a manual scan: Centralized Exception, Manual scan issue.

    Posted May 13, 2009 12:38 PM
    @Noah, what you probably need is a different solution for handling emails like Brightmail. A dedicated mail security application or appliance works better than an AV scanning for email files.


  • 8.  RE: How to setup SEP to not scan a folder unless it is a manual scan: Centralized Exception, Manual scan issue.

    Posted May 13, 2009 03:02 PM
    We are currently using SurfControl email filtering as well as web filtering. In Surfcontrol when a message is not scanned properly with the Norton Command line scanner it gets placed in the Queue folder.  Once in the queue folder the only way to remove it without causing issues is with the SurfControl management app. So when SEPs active scan sees one of the queued files and deletes or Quarantines it we run into problems. At this point I am removing SEP and re-installing SAV10 as a stand alone client since that has worked for us since it was out.

    Again than you for taking a look and offering your ideas.
    Noah