Endpoint Protection


SEMP 12 - Exceptions not working

  • 1.  SEMP 12 - Exceptions not working

    Posted Aug 16, 2013 05:58 AM

    Hi,

     

    I'm trying to exclude some .DLL files from being scanned.

    I created an exception item indicating "NONE" as prefix variable and checked all the types of scans.

     

    Unfortunately, I can still see in the risk log of the clients that the files are being detected as a risk and getting quarantined.

    Does this have something to do with the prefix variable? How can I exclude a file wherever it could be located?

    Thanks !

     

    Regards,

    Eric



  • 2.  RE: SEMP 12 - Exceptions not working

    Broadcom Employee
    Posted Aug 16, 2013 06:04 AM

    How to Create Exceptions or Exclusions for Tamper Protection Alerts that have already been logged

    http://www.symantec.com/business/support/index?page=content&id=TECH92553

     

    Creating centralized exception

    http://www.symantec.com/business/support/index?page=content&id=TECH104326

     



  • 3.  RE: SEMP 12 - Exceptions not working

    Posted Aug 16, 2013 06:05 AM

    Hi,

    Please check the link below:

     

     http://www.symantec.com/docs/TECH176906

     



  • 4.  RE: SEMP 12 - Exceptions not working

    Trusted Advisor
    Posted Aug 16, 2013 06:07 AM

    Hello,

    Are the .dll files detected by Symantec Autoprotect or Sonar protection?

    What are these files detected as?

    Exclusion Guidelines for Symantec Endpoint Protection 12.1

    http://www.symantec.com/docs/TECH171061

    Creating Centralized Exceptions Policies in the Symantec Endpoint Protection Manager 12.1

    http://www.symantec.com/docs/TECH183201

    Creating exceptions for Symantec Endpoint Protection

    http://www.symantec.com/docs/HOWTO55204

    Hope that helps!!


  • 5.  RE: SEMP 12 - Exceptions not working

    Posted Aug 16, 2013 06:17 AM

    If you are not using any prefix

    then you need to specify the complete path

    ex: c:\program file\some application\some.dll

    If you see it under the risk log, you can select those and click on centralized exception at the top.

    Are they getting detected in the same path that you have excluded or a different path, say the Temp folder?



  • 6.  RE: SEMP 12 - Exceptions not working

    Posted Aug 16, 2013 06:18 AM

    Hi Everybody,

     

    Thanks for your quick reply.

    All the .DLL files I'm trying to exclude are false positives.

    My problem is that the same DLL can be located in many different subfolders in c:\users\....

    In the risk log, they are seen as:

    "Status": infected

    "logged by": Defwatch scan or scheduled scan

    and SEPM forces the server to reboot every day because of that :-(



  • 7.  RE: SEMP 12 - Exceptions not working

    Broadcom Employee
    Posted Aug 16, 2013 06:31 AM

    Submit as a false positive.

    https://submit.symantec.com/false_positive/

     



  • 8.  RE: SEMP 12 - Exceptions not working

    Posted Aug 16, 2013 09:22 AM

    You need to add the complete path for all the locations found in risks?

     



  • 9.  RE: SEMP 12 - Exceptions not working

    Posted Aug 16, 2013 09:28 AM

    Rafeeq,

     

    I can't do that because there are too many paths, and new ones every day.

    I just can't believe you can't exclude a file for the whole disk!



  • 10.  RE: SEMP 12 - Exceptions not working

    Posted Aug 16, 2013 09:37 AM

    Any difference if you exclude the file from Client interface of SEP?

    User defined exceptions?



  • 11.  RE: SEMP 12 - Exceptions not working

    Trusted Advisor
    Posted Aug 16, 2013 09:41 AM

    Hello,

    In your case, you could try opening the Risk Logs from the SEPM and try adding an exception to the files.

    SEPM >> Monitors >> Logs >> Select Log type as "Risk" and select the "Time range" and click on View Log.

    Check the screenshot (as shown below)

    [Screenshot: Exceptions.JPG]

    OR

    Submit the file to the Symantec Security Response Team as "False Positive" on

    https://submit.symantec.com/false_positive

    Hope that helps!!



  • 12.  RE: SEMP 12 - Exceptions not working

    Posted Aug 16, 2013 09:42 AM

    I have multiple file exceptions for 12.1 where a single file is excluded from the entire disk.

    I simply added the exception as C:\test.exe and excluded it from all scans after I checked the Security Risk box. Works as I would expect.

    Can you supply a screenshot?

    Here's mine for reference (I obviously sanitized the name of the executable):

    [Screenshot: untitled_35.JPG]

     



  • 13.  RE: SEMP 12 - Exceptions not working

    Posted Aug 19, 2013 11:05 AM

    Hope you are not trying to use wildcards and variables, because the Centralized Exceptions policy doesn't support wildcards and variables. Also, don't type in just the filename alone. You will need to type in the full path of the file with the file name.

    If the file (that needs to be excluded) is in each user profile, you will need to add separate exclusions for the files in each user profile. For example, if you have this file in 5 user profiles, you will need to add 5 separate exclusions.



  • 14.  RE: SEMP 12 - Exceptions not working

    Posted Aug 20, 2013 04:22 AM

    The thing is I don't have 5 user profiles but dozens. The machine is a server. I can't possibly add every single path where the false positive file is. I hope Symantec will change that in a future release and allow the possibility to exclude a file alone wherever it is located!

    I guess, until then, I'll have to submit the file to Symantec as a false positive....



  • 15.  RE: SEMP 12 - Exceptions not working

    Posted Aug 21, 2013 07:15 PM

    Please vote here, if you think that this might help in future.

    https://www-secure.symantec.com/connect/ideas/excluding-files-security-risk-scan-file-hash
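
Added example, not part of any post in this thread: replies above say each location of the file needs its own full-path exception, and the last post links an idea for excluding by file hash. The PowerShell script below inventories every copy of a flagged DLL under the user profiles and lists only the copies whose SHA-256 matches a known-good file, so a different file that merely shares the name is not excluded. The file name, hash and output path are placeholders, and `Get-FileHash` assumes PowerShell 4.0 or later.

```powershell
# Added example: build a list of full paths for file exceptions, keeping only
# copies whose content matches the verified false-positive file.
# All default values are placeholders, not values from the thread.
param(
    [string]$FileName     = 'example.dll',                  # placeholder name
    [string]$SearchRoot   = 'C:\Users',
    [string]$ExpectedHash = '<SHA256-OF-KNOWN-GOOD-COPY>',  # placeholder hash
    [string]$OutCsv       = '.\exception-candidates.csv'
)

function Get-ExceptionCandidate {
    param([string]$Root, [string]$Name, [string]$Hash)

    # -Force includes hidden folders such as AppData; unreadable folders are skipped
    Get-ChildItem -Path $Root -Filter $Name -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path        = $_.FullName
                Sha256      = $h.Hash                       # $null if the file was locked
                MatchesGood = ($h.Hash -eq $Hash)           # string -eq ignores case
                LastWrite   = $_.LastWriteTimeUtc
            }
        }
}

$found = @(Get-ExceptionCandidate -Root $SearchRoot -Name $FileName -Hash $ExpectedHash)

# Copies identical to the verified file: candidates for full-path exceptions
$found | Where-Object { $_.MatchesGood } |
    Select-Object Path, Sha256 |
    Export-Csv -Path $OutCsv -NoTypeInformation

# Same name but different content (or unreadable): do not exclude, investigate
$found | Where-Object { -not $_.MatchesGood } |
    Format-Table Path, Sha256, LastWrite -AutoSize
```

Running it on a schedule and comparing the CSV with the previous run shows which new profile paths appeared since the exceptions were last updated.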