Scan - Files Approved but Exception Policy

Created: 10 Feb 2014 • Updated: 11 Feb 2014 | 29 comments
This issue has been solved. See solution.

Hi all,

I have created a Virus and Spyware Protection Policy that runs a scheduled full scan.

I also created a test Exception Policy which excludes a folder from scheduled and on-demand scans.

I have deactivated Insight in the Virus Policy and in Group Settings.

When the scan finished, I see 97 approved files not scanned, but in my Exception Policy, the excluded folder contains just one file.

What is the problem?

Thanks a lot in advance.

Regards,

Kevin.

.Brian's picture

Does it say approved or Files Trusted?

Can you share a screenshot?

Verify the exclusion is set on the client, see here:

About the files and folders that Symantec Endpoint Protection excludes from virus and spyware scans

http://www.symantec.com/docs/HOWTO80947

https://www-secure.symantec.com/connect/forums/aut...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Kevin Moine's picture

It is written File Approved: 97.

scan.png

How can I access the HKEY_LOCAL?

.Brian's picture

In which log are these appearing on the SEP client? Or SEPM?

Rafeeq's picture

Have you enabled system lock down?

These might be files from the approved list (virus defs files which are approved).

Kevin Moine's picture

@ _Brian: This log is provided by the Application Event Viewer in the SEP client.

@ Rafeeq: I don't know. I'm searching.

.Brian's picture

So, to confirm, you have the policy configured to exclude one single folder? Is there anything in it? Is this folder on root of C:?

Rafeeq's picture

Hello Kevin,

Is the folder on the network or local?

Check in the registry as per this document:

http://www.symantec.com/business/support/index?page=content&id=TECH207935

Kevin Moine's picture

In the client group, on the Policies tab, the system lockdown is disabled.

The folder with one file is local. It is just a test.

PS: I work on VMs.

.Brian's picture

Use regedit.exe to access the registry to check to see what file exclusions are set per my link above.

Kevin Moine's picture

"So, to confirm, you have the policy configured to exclude one single folder? Is there anything in it? Is this folder on root of C:?"

Yes, I exclude one folder from scheduled and on-demand scans. In this one, there is one file.

You are right, the folder is on the root of C:.

Do I use regedit.exe on the client or on the manager?

Kevin Moine's picture

I am here:

  • HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\AV\Exclusions

What do you want to know? There are lots of folders.

Rafeeq's picture

Navigate to all the folders below Exclusions; you will see all the folders which are excluded from scanning. How many exclusions do you see for the same path?

Rafeeq's picture

To add: enable vpdebug, it will tell you about the files it scanned.

How to enable "Vpdebug Logging" on Symantec Endpoint Protection 11.0, 12.1, and 12.1 RU1

http://www.symantec.com/business/support/index?page=content&id=TECH102939

SOLUTION
Kevin Moine's picture

Hi all,

So in Exclusions\ScanningEngines\Directory\Admin:

The first is Directory Name C:\Test\ and ThreatName C:\Test\.

It is the folder I excluded from scheduled and on-demand scans.

I activated vpdebug through the GUI.

I have launched a full scan to see the results as you suggested.

So I have this in the file: CExclusionScanSink::OnNewDirectory - Excluding folder - c:\Test.

That is OK, but I have lots of C:\Windows\.....\.... and C:\Windows32\.......

Why? I do not make exceptions for those folders or files.

Attachment: vpdebug.txt (3.65 MB)

Rafeeq's picture

The exception is applied, that's sure from the logs; it did not scan any file inside the c:\test folder.

09:38:13.508056[_1412][_916]|Processing directory 'C:\Test'.
09:38:13.509022[_1412][_916]|Skipping directory C:\Test

Since you scanned the entire C drive, all files in the C drive are scanned.

Approved files are Symantec definition files.

IsTrustedCallback(C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.3001.165.105\Data\Definitions\VirusDefs\20140112.020\catalog.dat, ...): file trusted. (File = defverify.cpp, Line = 1162)09:29:48.074364[_1412][_916]|

I could see 93 such files.
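
Added example, not part of any post in this thread and not Symantec tooling: a Python script that tallies the "file trusted" entries of a vpdebug log by folder and lists the excluded folders that are absent from the admin-configured exclusion list. The line patterns are assumptions taken from the excerpts quoted in this thread, and every path in the sample other than C:\Test is constructed.

```python
import re
from collections import Counter
from ntpath import dirname, normcase  # Windows path rules on any OS

# Line shapes copied from the vpdebug excerpts quoted in this thread (assumed stable).
TRUSTED_RE = re.compile(r"IsTrustedCallback\((?P<path>.+?), \.\.\.\): file trusted")
SKIPPED_RE = re.compile(r"\|Skipping directory (?P<path>.+?)\s*$")
EXCLUDED_RE = re.compile(r"Excluding folder - (?P<path>.+?)\.?\s*$")

# Constructed sample: the C:\Test lines follow the thread, all other paths are invented.
SAMPLE = r"""09:38:13.508056[_1412][_916]|Processing directory 'C:\Test'.
09:38:13.509022[_1412][_916]|Skipping directory C:\Test
09:38:13.509100[_1412][_916]|CExclusionScanSink::OnNewDirectory - Excluding folder - c:\Test.
09:38:14.100000[_1412][_916]|CExclusionScanSink::OnNewDirectory - Excluding folder - c:\Windows\ExampleDir.
09:29:48.074364[_1412][_916]|IsTrustedCallback(C:\ProgramData\Example\Definitions\VirusDefs\20140112.020\catalog.dat, ...): file trusted. (File = defverify.cpp, Line = 1162)
09:29:48.080000[_1412][_916]|IsTrustedCallback(C:\ProgramData\Example\Definitions\VirusDefs\20140112.020\virscan1.dat, ...): file trusted. (File = defverify.cpp, Line = 1162)
""".splitlines()


def norm(path):
    # Case-fold and drop the trailing backslash so the registry form matches the log form.
    return normcase(path.strip().rstrip("\\"))


def summarize(lines, admin_exclusions):
    """Count trusted files per folder and separate admin exclusions from the rest."""
    admin = {norm(p) for p in admin_exclusions}
    trusted_by_dir = Counter()
    excluded = set()
    for line in lines:
        m = TRUSTED_RE.search(line)
        if m:
            trusted_by_dir[norm(dirname(m["path"]))] += 1
            continue
        m = EXCLUDED_RE.search(line) or SKIPPED_RE.search(line)
        if m:
            excluded.add(norm(m["path"]))
    return {
        "trusted_total": sum(trusted_by_dir.values()),
        "trusted_by_dir": trusted_by_dir,
        "excluded_dirs": excluded,
        "not_admin_configured": excluded - admin,
    }


if __name__ == "__main__":
    # The admin list is what the registry key Exclusions\...\Admin showed: C:\Test\
    for key, value in summarize(SAMPLE, ["C:\\Test\\"]).items():
        print(key, value)
```

To run it over a real log, pass the open file object (for example `open("vpdebug.txt", errors="replace")`) as `lines`.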

Kevin Moine's picture

You could see 93 approved files that are Symantec definition files, OK.

But in event 2, I see 101 files approved.

scan_0.png

So there are 8 files added.

Kevin Moine's picture

Is it possible to only approve files or folders that are in the Exception Policy, in my case one folder which contains one file?

He do not want the others files.

Rafeeq's picture

By default, Windows Search index files and Symantec def files are excluded from scanning; these are always on C:\ or the OS root drive.

Your file is not scanned or you just ignore the others 

Kevin Moine's picture

Oh sorry, I made a mistake with the personal pronoun.

I wanted to write "I do not want the other files".

Can I adjust the general behaviour to scan Windows Search index files and Symantec def files?

or

Can I just delete these files from the scan event, that is to say, can I have only my exception policy written in the scan event, like my image shows?

So I will have File trusted ignore: 1.

.Brian's picture

According to this post by Mithun, Windows Search Indexer is considered trusted and will be ignored by the scan.

https://www-secure.symantec.com/connect/forums/aut...

There is an option to ignore this.

In the AV policy on the Auto-Protect tab click Advanced scanning and monitoring and uncheck "Do not scan when trusted processes access the files"

Rafeeq's picture

That is not possible in the log; Symantec has its own way of identifying files and writing them out in logs.

You may need to uncheck that if you want those files to be scanned.

trusted process.PNG

Kevin Moine's picture

OK, I unchecked "Do not scan when trusted processes access the files".

But it is available just for Auto-Protect. Are scheduled and on-demand scans affected by it?

.Brian's picture

This applies to auto-protect only

Rafeeq's picture

Trusted files will be treated the same by scans too.

Trusted files

Virus and spyware scans include a feature that is called Insight that lets scans skip trusted files. You can choose the level of trust for the files that you want to skip, or you can disable the option. If you disable the option, you might increase scan time.

Auto-Protect can also skip the files that are accessed by trusted processes such as Windows Search.

http://www.symantec.com/business/support/index?page=content&id=HOWTO80947

Kevin Moine's picture

Insight is deactivated in Scans and in Communication Settings.

To sum up, I am forced to have Symantec definition files and Windows Search in approved files when I see the results of a scheduled scan?

.Brian's picture

Correct

Kevin Moine's picture

Ok, thanks a lot for your patience and skills.

Numerous posts are really interesting.

Unfortunately, I cannot tag more than one as solution.

See you for other questions.