
How to stop scanning of NTUSER.dat

Created: 06 Sep 2011 | 10 comments

Windows often generates a temporary user profile during logon because the ntuser.dat file is locked by another process. Event Viewer indicates it's a Symantec scan. How can I set up centralized exceptions for this file? My policies all stem from the top of our AD hierarchy. I need to apply this policy to a group below the "My Company" group. Ideas?


Mithun Sanghavi

Hello,

Could you try and see if an exclusion of the NTUSER.DAT file from scanning helps to temporarily work around the issue?

http://www.symantec.com/docs/HOWTO18217

Add the exclusion as follows: %userprofile%\ntuser.dat

Hope that resolves the issue.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

khaskins82

The wildcard % is not valid in SEP 11. Did they fix it?

James-x

The use of environmental variables (example: %temp%) in exclusions is not supported in either Symantec Endpoint Protection 11 or 12.1.

This is by design.

James

The Symantec Endpoint Protection Knowledgebase

Please remember to mark the post which resolved your issue as the solution!

Ian_C.

That is indeed good security practice, but it makes exclusions for user-specific folders difficult.

You simply can't create exclusions for every username in the corporation!

What other option exists to exclude

C:\Documents and Settings\UserX\Some random file.
C:\Documents and Settings\UserY\Some random file.
C:\Documents and Settings\UserZ\Some random file.

Does v12.1 have the option?

Please mark the post that best solves your problem as the answer to this thread.

RB Smith

I need to make exclusions for every student in our domain, otherwise the temp profile will load occasionally, driving my techs crazy. The students lose printers and desktop configurations when this happens.

peter ashley

SEP12.1 changed the storage location of user scheduled scans (out of the user registry) to reduce the occurrence of this kind of issue.

However the issue can still occur due to other programs like search indexer. 

Detailed diagnostic steps may be necessary to uncover the root source if the source is not obvious:

http://blogs.technet.com/b/markrussinovich/archive/2009/08/10/3272210.aspx

John Cooperfield

Good post about 12.1 moving user scheduled scans out of the registry. Maybe other scans should move, too.

Regards

RB Smith

USB mouse now seems to be locking up as well when users log off. Not sure this is related. Does anybody at Symantec have answers for this?

John Cooperfield

We have the issue, and there is no direct fix, and there is no practical way to exclude ntuser.dat.

So, we will exclude the file extension .DAT.

Hope this helps.
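
An added example, not part of any post in this thread and not Symantec code: since environment variables are not accepted in exclusions, this read-only PowerShell sketch lists the explicit NTUSER.DAT path for each user profile on one machine, so a per-file list can be reviewed instead of an extension-wide exclusion. The function name `Get-UserHivePath` is hypothetical, and how such a list is entered into a Centralized Exceptions policy is not shown.

```powershell
# Added example: enumerate per-user registry hive paths from the ProfileList key.
# Read-only; run elevated so other users' profile folders are visible.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-UserHivePath {
    param([string]$Root = $ProfileListKey)

    Get-ChildItem -Path $Root | ForEach-Object {
        $keyName = $_.PSChildName

        # Keep only ordinary user accounts (S-1-5-21-...); this skips
        # SYSTEM, LocalService and NetworkService.
        if ($keyName -notmatch '^S-1-5-21-') { return }

        $profileDir = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        if (-not $profileDir) { return }
        $profileDir = [Environment]::ExpandEnvironmentVariables($profileDir)
        $hive = Join-Path $profileDir 'NTUSER.DAT'

        [pscustomobject]@{
            Sid        = $keyName -replace '\.bak$', ''
            # A ".bak" suffix on the key is commonly left behind after a
            # profile failed to load and a temporary profile was used.
            BakKey     = $keyName -like '*.bak'
            HivePath   = $hive
            # File.Exists returns $false instead of throwing on access errors.
            HiveExists = [System.IO.File]::Exists($hive)
        }
    }
}

# Print the explicit paths, one per profile, for review.
Get-UserHivePath | Sort-Object HivePath | Format-Table -AutoSize
```

Rows with `BakKey` set to True point at accounts that have already hit the temporary-profile fallback on that machine.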