
Proper Syntax For Exceptions SEP 11

Created: 28 Feb 2013 • Updated: 07 Mar 2013 | 3 comments
This issue has been solved. See solution.

All,

I need confirmation of the proper way to set up folder exceptions in SEP 11.

I set up the policy and verified that the registry has the setting; it does. But the registry reports it as %[WINDOWS]%SoftwareDistribution\Datastore\Log

Windows of course does not process %[WINDOWS]%.

When I go to Centralized Exceptions --> Add --> Windows Exceptions --> folder exceptions

I have the options for Prefix, and then folder.

What is the proper thing to put in here?

I am thinking that if I want to exclude for example C:\windows\SoftwareDistribution, I would do:

Prefix [NONE]

and then just put in %windir%\SoftwareDistribution.

Can anyone confirm or deny this?


_Brian's picture

I have always found it is best to leave prefix at NONE and add the full path. I was never a fan of adding a prefix. I usually just put in the full path. I know the wildcards * and ? are not supported per this KB:

Creating Centralized Exceptions Policies in the Symantec Endpoint Protection Manager 11

Article:TECH104326  |  Created: 2008-01-04  |  Updated: 2012-05-09  |  Article URL http://www.symantec.com/docs/TECH104326

 

Note: Wildcard variables such as * and ? are not supported for Known Risks, File, or Folder exceptions. The ? wildcard is supported for Extension exceptions. The Folder exceptions screen will accept * and ? but they will be treated as literal characters and not wildcard variables.

Since that is the prefix SEPM uses, I would have to assume it will work. Try dropping the eicar test file in that excluded directory. Or just set up the exclusion for C:\WINDOWS\[your folder name]

Rafeeq's picture

 

Please note that the variables in SEP refer to the variables on the computer:

[program files] in SEP = %programfiles% in the system

 

If you have:

in system A
SQL installed on C:\Program Files\SQL
and %programfiles%=C:\Program Files
 

in system B
SQL installed on D:\Program Files\SQL
and %programfiles%=D:\Program Files
 

the exclusion %programfiles%\SQL works on both A and B.

If in system B you have:
SQL installed on D:\Program Files\SQL
but %programfiles%=C:\Program Files

the exclusion %programfiles%\SQL does not work on B because it reads C:\Program Files\SQL which is not correct for B.

To check the value of a variable on a given system on the fly, just enter it in Start > Run.

 

A backslash is also not needed.

 

Using Prefix Variables for Security Risk Folder Exceptions in your Centralized Exceptions Policy.

http://www.symantec.com/business/support/index?page=content&id=TECH92938&locale=en_US
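
Added example, not part of the thread or of any Symantec tooling: a small Python audit that expands a folder exception against each host's own environment and reports whether it lands on the real install folder, using the system A / system B cases above. It models only Windows-style `%variable%` expansion; the host names, the `HOSTS` inventory and the function names are constructed for illustration.

```python
import ntpath
import re

# Constructed inventory: each host's environment and where SQL really lives.
HOSTS = {
    "A": {"env": {"ProgramFiles": r"C:\Program Files"}, "install_dir": r"C:\Program Files\SQL"},
    "B": {"env": {"ProgramFiles": r"D:\Program Files"}, "install_dir": r"D:\Program Files\SQL"},
    "B_mismatch": {"env": {"ProgramFiles": r"C:\Program Files"}, "install_dir": r"D:\Program Files\SQL"},
}

def expand(exclusion, env):
    """Expand %name% tokens from one host's environment (names are case-insensitive)."""
    lookup = {k.lower(): v for k, v in env.items()}
    # A name the host does not define is left as-is, so it can be reported.
    return re.sub(r"%([^%\\]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)),
                  exclusion)

def covers(folder, target):
    """True if target is the folder itself or sits beneath it."""
    f = ntpath.normcase(ntpath.normpath(folder))
    t = ntpath.normcase(ntpath.normpath(target))
    return t == f or t.startswith(f.rstrip("\\") + "\\")

def audit(exclusion, hosts):
    """Return {host: (resolved_path, status)} for one exception string."""
    results = {}
    for name, host in hosts.items():
        resolved = expand(exclusion, host["env"])
        if "%" in resolved:
            status = "unresolved variable"   # e.g. %[WINDOWS]% is not a Windows variable
        elif set("*?") & set(resolved):
            status = "wildcard is literal"   # per the KB note quoted in the thread
        elif covers(resolved, host["install_dir"]):
            status = "covered"
        else:
            status = "not covered"
        results[name] = (resolved, status)
    return results

if __name__ == "__main__":
    for exc in (r"%programfiles%\SQL", r"%[WINDOWS]%SoftwareDistribution", r"C:\Temp\*"):
        for host, (path, status) in audit(exc, HOSTS).items():
            print(f"{exc!r:40} {host:11} {path!r:40} {status}")
```

A "not covered" result means the exception points at a folder other than the one intended on that host, so the intended folder is still scanned and an unintended one may not be.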


SOLUTION
hforman's picture

%Windows% does not look correct. It should be "windir". Also, the threat name should not be a location. When you created the exclusion, did you put it as a threat exclusion or a folder exclusion?