Endpoint Protection

  • 1.  IRON.DB File Interacting with exe files which are under exception policy

    Posted Jul 04, 2015 07:03 PM

    I have applied exceptions for one of the applications in Symantec, and the policy is synced with the endpoint, so the exclusions are in place.

    While running Process Monitor I am still seeing the Symantec (IRON.DB) file interacting with the executable files which are already excluded.

    otdoccnv.exe 16992  QueryStandardInformationFile     C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Data\IRON\Iron.db
    C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.4112.4156.105\Data\IRON\Iron.db
    And the same for the indexengine processes and admserv.exe.
     
    otdoccnv.exe, admserv.exe and the indexengine processes are under the same path, which is already excluded. Why would a *.exe process access this Symantec Endpoint Protection iron.db file?


  • 2.  RE: IRON.DB File Interacting with exe files which are under exception policy

    Posted Jul 04, 2015 08:07 PM

    What is the exact operation that is being performed within procmon?

    Iron is a part of whitelisting. Are you seeing any network traffic as well to indicate it's going out to the Symantec reputation database?

    What type of exception did you enter? Did you exclude those files from ALL scans? Did you add them for Download Insight as well?

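    To pin down the exact operations the excluded processes perform on Iron.db, as asked above, here is an added example (not code from the thread or from Symantec) that summarizes a Procmon CSV export per process and operation. It assumes Procmon's default export columns; the sample rows are constructed, reusing the process names and path from the first post.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Procmon CSV export (default columns). Not a real capture;
# the process names and the Iron.db path are copied from the forum post.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"7:02:11.1234567 PM","otdoccnv.exe","16992","QueryStandardInformationFile","C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.4112.4156.105\\Data\\IRON\\Iron.db","SUCCESS","AllocationSize: 4,096"
"7:02:11.1234890 PM","otdoccnv.exe","16992","ReadFile","C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.4112.4156.105\\Data\\IRON\\Iron.db","SUCCESS","Offset: 0, Length: 4,096"
"7:02:12.0000001 PM","admserv.exe","2040","CreateFile","C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.4112.4156.105\\Data\\IRON\\Iron.db","SUCCESS","Desired Access: Read Data"
"7:02:12.0000100 PM","admserv.exe","2040","CreateFile","C:\\Program Files\\App\\config.ini","SUCCESS","Desired Access: Read Data"
"7:02:13.5000000 PM","explorer.exe","1234","QueryStandardInformationFile","C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\12.1.4112.4156.105\\Data\\IRON\\Iron.db","SUCCESS","AllocationSize: 4,096"
"""

# Processes covered by the exclusion policy in the post (indexengine.exe name assumed).
EXCLUDED_PROCESSES = {"otdoccnv.exe", "admserv.exe", "indexengine.exe"}

# Operations that would modify the file; metadata queries and reads are not in this set.
WRITE_OPERATIONS = {"WriteFile", "SetDispositionInformationFile", "SetRenameInformationFile"}


def summarize_iron_db_access(csv_text, excluded_processes, db_name="iron.db"):
    """Return {process: Counter(operation)} for events whose Path ends with db_name,
    restricted to processes listed in excluded_processes (case-insensitive)."""
    wanted = {p.lower() for p in excluded_processes}
    summary = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc = row["Process Name"].lower()
        if proc not in wanted:
            continue
        if not row["Path"].lower().endswith("\\" + db_name):
            continue
        summary.setdefault(proc, Counter())[row["Operation"]] += 1
    return summary


def write_operations(summary):
    """Keep only processes that performed a modifying operation on the file."""
    return {proc: {op: n for op, n in ops.items() if op in WRITE_OPERATIONS}
            for proc, ops in summary.items()
            if any(op in WRITE_OPERATIONS for op in ops)}


if __name__ == "__main__":
    result = summarize_iron_db_access(SAMPLE_CSV, EXCLUDED_PROCESSES)
    for proc, ops in result.items():
        print(proc, dict(ops))
    print("modifying operations:", write_operations(result))
```

    Run it against a real export (File > Save, CSV format in Procmon) by reading the file into csv_text; the summary shows whether the excluded executables only query and read Iron.db or actually modify it.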


  • 3.  RE: IRON.DB File Interacting with exe files which are under exception policy

    Posted Jul 05, 2015 03:52 AM

    Procmon is just what we used for troubleshooting purposes, to see where Symantec is interacting with the application executable files. The path is already in the SEP exclusions, but I can still see a lot of events related to Symantec in the procmon log showing that it's interacting with Iron.db.



  • 4.  RE: IRON.DB File Interacting with exe files which are under exception policy

    Posted Jul 05, 2015 08:32 AM

    It may not mean much. Symantec used to have a KB article on configuring procmon correctly to see events, but it no longer exists, unfortunately.

    Best to ask support.