Endpoint Protection


Scan - Files Approved but Exception Policy


  • 1.  Scan - Files Approved but Exception Policy

    Posted Feb 10, 2014 11:11 AM

    Hi all,

    I have created a Virus and Spyware Protection policy that makes a scheduled full scan.

    I also created a test Exception Policy which excludes a folder from scheduled and on-demand scans.

    I have deactivated Insight in the Virus Policy and in Group Settings.

    When the scan finished, I see 97 approved files not scanned, but in my Exception Policy, the excluded folder contains just one file.

    What is the problem?

    Thanks a lot in advance.

    Regards,

    Kevin.



  • 2.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 10, 2014 11:12 AM

    Does it say approved or Files Trusted?

    Can you share a screenshot?

    Verify the exclusion is set on the client, see here:

    About the files and folders that Symantec Endpoint Protection excludes from virus and spyware scans

    http://www.symantec.com/docs/HOWTO80947

    https://www-secure.symantec.com/connect/forums/auto-protect-trusted-processes



  • 3.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 10, 2014 11:22 AM

    It is written File Approved : 97.

     

    scan.png

     

    How can I access the HKEY_LOCAL?



  • 4.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 10, 2014 11:22 AM

    Have you enabled system lock down?

    These might be files from the approved list (virus defs files which are approved).

     



  • 5.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 10, 2014 11:26 AM

    In which log are these appearing on the SEP client? Or SEPM?



  • 6.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 10, 2014 11:30 AM

    @ _Brian: This log is provided by the Application Event Viewer in the SEP client.

     

    @ Rafeeq : I don't know. I'm searching.



  • 7.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 10, 2014 11:32 AM

    Hello Kevin,

     

    is the folder in the network or local?

    Check in the registry as per this document

    http://www.symantec.com/business/support/index?page=content&id=TECH207935



  • 8.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 10, 2014 11:35 AM

    In the client group, on the Policies tab, the system lockdown is disabled.

    The folder with one file is local. It is just a test.

    ps : I work on VMs.



  • 9.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 10, 2014 11:36 AM

    So, to confirm, you have the policy configured to exclude one single folder? Is there anything in it? Is this folder on root of C:?



  • 10.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 10, 2014 11:40 AM

    Use regedit.exe to access the registry to check to see what file exclusions are set per my link above.



  • 11.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 10, 2014 11:45 AM

    So, to confirm, you have the policy configured to exclude one single folder? Is there anything in it? Is this folder on root of C:?

    Yes, I exclude one folder from scheduled and on-demand scans. In this one, there is one file.

    You are right, the folder is on the root of C:.

    Do I use regedit.exe on the client or on the manager?



  • 12.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 10, 2014 11:51 AM

    I am here 

    • HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\AV\Exclusions

    What do you want to know? There are lots of folders.



  • 13.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 10, 2014 12:01 PM

    Navigate to all the folders below Exclusions; you will see all the folders which are excluded from scanning. How many exclusions do you see for the same path?



  • 14.  RE: Scan - Files Approved but Exception Policy
    Best Answer

    Posted Feb 10, 2014 03:14 PM

    To add: enable vpdebug; it will tell you about the files it scanned.

    How to enable "Vpdebug Logging" on Symantec Endpoint Protection 11.0, 12.1, and 12.1 RU1

     

    http://www.symantec.com/business/support/index?page=content&id=TECH102939



  • 15.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 11, 2014 04:24 AM

    Hi all,

    So in Exclusions\ScanningEngines\Directory\Admin:

    The first is Directory Name C:\Test\ and ThreatName C:\Test\.

    It is the folder I excluded from scheduled and on-demand scans.

    I activated vpdebug through the GUI.

    I have launched a full scan to see the results as you suggested.

    So I have this in the file: CExclusionScanSink::OnNewDirectory - Excluding folder - c:\Test.

    That is OK, but I have lots of C:\Windows\.....\.... and C:\Windows32\.......

    Why? I did not make exceptions for those folders or files.

    Attachment(s)

    txt
    vpdebug_5.txt   3.65 MB 1 version


  • 16.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 11, 2014 05:19 AM

    The exception is applied, that's sure from the logs; it did not scan any file inside the c:\test folder.

    09:38:13.508056[_1412][_916]|Processing directory 'C:\Test'.
    09:38:13.509022[_1412][_916]|Skipping directory C:\Test

    Since you scanned the entire C drive, all files in the C drive are scanned.

    Approved files are Symantec definition files.

    IsTrustedCallback(C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\VirusDefs\20140112.020\catalog.dat, ...): file trusted. (File = defverify.cpp, Line = 1162)09:29:48.074364[_1412][_916]|

    I could see 93 such files.
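
Added example, not part of the thread or of Symantec's tooling: a Python sketch that tallies the vpdebug message formats quoted in the post above, so the trusted-file count can be broken down by directory and any skipped folder that is not in the Exception Policy stands out. The sample log is constructed (a timestamp prefix is assumed on every line); `virscan1.dat`, `C:\Scratch` and `C:\Temp\tool.exe` are made-up entries.

```python
import ntpath
import re
from collections import Counter

# Message formats as quoted in this thread's vpdebug excerpts.
TRUSTED = re.compile(r"IsTrustedCallback\((.+), \.\.\.\): file trusted")
SKIPPED = re.compile(r"Skipping directory (.+?)\s*$")
EXCLUDED = re.compile(r"Excluding folder - (.+?)\s*$")
# Definitions path prefix seen in the thread.
DEFS_ROOT = (r"C:\Documents and Settings\All Users\Application Data"
             r"\Symantec\Symantec Endpoint Protection")
# Constructed sample; only the catalog.dat and C:\Test entries mirror the thread.
SAMPLE_LOG = rf"""
09:29:48.074364[_1412][_916]|IsTrustedCallback({DEFS_ROOT}\12.1.3001.165.105\Data\Definitions\VirusDefs\20140112.020\catalog.dat, ...): file trusted. (File = defverify.cpp, Line = 1162)
09:29:48.080112[_1412][_916]|IsTrustedCallback({DEFS_ROOT}\12.1.3001.165.105\Data\Definitions\VirusDefs\20140112.020\virscan1.dat, ...): file trusted. (File = defverify.cpp, Line = 1162)
09:31:02.100000[_1412][_916]|IsTrustedCallback(C:\Temp\tool.exe, ...): file trusted. (File = defverify.cpp, Line = 1162)
09:38:13.508056[_1412][_916]|Processing directory 'C:\Test'.
09:38:13.509022[_1412][_916]|Skipping directory C:\Test
09:38:13.509500[_1412][_916]|CExclusionScanSink::OnNewDirectory - Excluding folder - c:\Test
09:40:00.000001[_1412][_916]|Skipping directory C:\Scratch
""".splitlines()


def norm(path):
    # Case-fold a Windows path and drop any trailing backslash.
    return ntpath.normcase(path.strip()).rstrip("\\")


def summarize_vpdebug(lines):
    # Count trusted files per parent directory; collect skipped/excluded folders.
    trusted, skipped, excluded = Counter(), set(), set()
    for line in lines:
        if m := TRUSTED.search(line):
            trusted[norm(ntpath.dirname(m.group(1)))] += 1
        elif m := SKIPPED.search(line):
            skipped.add(norm(m.group(1)))
        elif m := EXCLUDED.search(line):
            excluded.add(norm(m.group(1)))
    return {"trusted": trusted, "skipped": skipped, "excluded": excluded}


def unexplained(summary, policy_exclusions, trusted_roots):
    # Skipped folders absent from the policy, and trusted dirs outside known roots.
    policy = {norm(p) for p in policy_exclusions}
    roots = tuple(norm(r) + "\\" for r in trusted_roots)
    extra_skips = sorted((summary["skipped"] | summary["excluded"]) - policy)
    extra_trusted = sorted(d for d in summary["trusted"] if not (d + "\\").startswith(roots))
    return extra_skips, extra_trusted
```

On a real client, pass the lines of the vpdebug output file and the folders from the Exception Policy; anything returned is a skip or trust decision the policy does not account for.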



  • 17.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 11, 2014 05:29 AM

    You could see 93 approved files that are Symantec definition files, OK.

    But in event 2, I see 101 files approved.

    scan_0.png

    So there are 8 files added.



  • 18.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 11, 2014 05:43 AM

    It also skips files that are accessed by the Windows Search index.

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55233



  • 19.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 11, 2014 07:02 AM

    Is it possible to only approve files or folders that are in the Exception Policy, in my case one folder which contains one file?

    He do not want the others files.



  • 20.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 11, 2014 08:15 AM

    By default, Windows Search index files and Symantec def files are excluded from scanning; these are always on C:\ or the OS root drive.

    Your file is not scanned or you just ignore the others 



  • 21.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 11, 2014 08:32 AM

    Oh sorry, I made a mistake with the personal pronoun.

    I wanted to write "I do not want the other files".

    Can I adjust the general behaviour to scan Windows Search index files and Symantec def files?

    or

    Can I just delete these files on the scan event, that is to say, can I have only my exception policy written on the scan event, like my image shows?

    So I will have File trusted ignore: 1.



  • 22.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 11, 2014 08:39 AM

    According to this post by Mithun, Windows Search Indexer is considered trusted and will be ignored by the scan.

    https://www-secure.symantec.com/connect/forums/auto-protect-trusted-processes

    There is an option to ignore this.

    In the AV policy on the Auto-Protect tab click Advanced scanning and monitoring and uncheck "Do not scan when trusted processes access the files"



  • 23.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 11, 2014 08:44 AM

    That is not possible in the log; Symantec has its own way of identifying files and writing them out in logs.

    You may need to uncheck that if you want those files to be scanned.

    trusted process.PNG



  • 24.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 11, 2014 09:02 AM

    OK, I unchecked "Do not scan when trusted processes access the files".

    But it is available just for Auto-Protect. Are scheduled and on-demand scans affected by it?



  • 25.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 11, 2014 09:04 AM

    This applies to auto-protect only



  • 26.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 11, 2014 09:11 AM

    Trusted files will be treated the same by scans too.

    Trusted files

    Virus and spyware scans include a feature that is called Insight that lets scans skip trusted files. You can choose the level of trust for the files that you want to skip, or you can disable the option. If you disable the option, you might increase scan time.

    Auto-Protect can also skip the files that are accessed by trusted processes such as Windows Search.

    http://www.symantec.com/business/support/index?page=content&id=HOWTO80947



  • 27.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 11, 2014 09:18 AM

    Insight is deactivated in Scans and in Communication Settings.

    To sum up, I am forced to have Symantec definition files and Windows Search in approved files when I see the results of a scheduled scan?



  • 28.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 11, 2014 09:23 AM

    Yes .. No way to turn those off.



  • 29.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 11, 2014 09:25 AM

    Correct



  • 30.  RE: Scan - Files Approved but Exception Policy

    Posted Feb 11, 2014 09:43 AM

    Ok, thanks a lot for your patience and skills.

    Numerous posts are really interesting.

    Unfortunately, I cannot tag more than one as solution.

    See you for other questions.