Endpoint Protection

...or

Force SEP 11 to detect the presence of SMS for MSE

SEP 11.0.6005 (RU6a) is running on Windows 2008r2 SP1 64bit.

We installed SMS-MSE 6.5 (Symantec Mail Security for MicroSoft Exchange).

I see two Symantec KB documents that say SEP 11 and SEP 12.1 will detect the presence of SMS-MSE   6.5 and lower.

http://www.symantec.com/docs/TECH102400

http://www.symantec.com/docs/TECH85451

I examined the registry carefully to confirm whether this folder (or similar) was given a scan exclusion, but it was not:

      <install drive>:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\Temp

Is there a known way to force SEP to detect?

Please do not post instructions for creating exclusions on the SEPM side.  

Thanks

John

Was SEP installed before or after SMSMSE was installed?

Did SEP automatically add any exclusions at all or was it simply that only this one was "missed"?

I don't see the exclusion you referenced in either of these KBAs which is why I ask.

Brian

Brian,

SEP was installed first.

The Exchange exclusions are in the client registry. I would have to research (and possibly test) to see if they got  there just from a CE policy.

TECH10240 does not actually name the folder to exclude.

TECH85451 does name a 6.0 version of it.

There are other docs that refer to the folder in different ways.

TECH122809 under Known Issues on the other hand says  "Symantec Endpoint Protection automatically excludes the needed folders for Exchange. However, two product directories need to be excluded manually:....but the KB cited there refers to SMSMSE folders  assuming they are the same application.

Some docs hint at manually excluding one or two of these folders

\Program Files\Symantec\SMSMSE\<ver>\Server\

\Program Files\Symantec\SMSMSE\<ver>\Server\Temp

\Program Files\Symantec\SMSMSE\<ver>\Server\Quarantine

...but if you need to exclude manually the docs should not say that SEP will do it automatically.

Thanks  (I will be back here Monday.)

John,

My understanding is that SEP needs to be installed AFTER SMSMSE has been installed in order to detect it and automatically add the necessary exclusions. If SEP is installed first, it won't detect it. This detection is only made during the initial install of SEP.

You will need to uninstall/re-install for the detection and automatic add of exclusions to take place.

I believe this holds true for other products that SEP auto-adds exclusions for (Active directory domain controller, Exchange, etc.)

Is it on 64 bit , the registries are bit different in 32/64

32bits: HKLM\Software\Symantec\Symantec Endpoint Protection\AV\Exclusions
64bits: HKLM\Software\WOW6432node\Symantec\Symantec Endpoint Protection\AV\Exclusions\

Hi John,

Use the latest and greatest SMSMSE - version 7.  &: )

Post-install FAQ for Symantec Mail Security 7.0 for Microsoft Exchange
Article:TECH200421   |  Created: 2012-12-03   |  Updated: 2012-12-03   |  Article URL http://www.symantec.com/docs/TECH200421 
 

Question: What exclusions do I need if Symantec Endpoint Protection or Symantec AntiVirus is installed on the same computer?
Answer: Symantec Endpoint Protection automatically excludes the needed folders for Exchange. However, two product directories need to be excluded manually:

<drive>:\Program Files (x86)\Symantec\SMSMSE\7.0\Server\Temp
<drive>:\Program Files (x86)\Symantec\SMSMSE\7.0\Server\Quarantine

Read the article for your version of SEP or SAV for complete details.
References:

• Creating Centralized Exception policies in Symantec Endpoint Protection Manager 11
• Creating Centralized Exceptions Policies in the Symantec Endpoint Protection Manager 12.1
• About automatic exclusions of Microsoft Exchange server files and folders in Symantec AntiVirus 10.1 and Symantec Client Security 3.1
• Preventing Symantec AntiVirus 10.0 from scanning the Microsoft Exchange directory structure

"Thumbs Up" to Brian's post earlier, SEP has to be installed after SMSME for it to detect and apply the auto-exclusions.

On an semi-related note, and worth mentioning, is that the version of SEP you're installing (RU6a) is not supported for Win2k8RU2SP1, and it is recommended you upgrade to RU7 or later:

http://www.symantec.com/docs/TECH94910

Brian,  and SMLatCST,  thank you for the post that "SEP needs to be installed AFTER SMSMSE has been installed in order to detect it and automatically add the necessary exclusions."  If anyone has a KB odc on that, that wouild be great.

Rafeeq,  yes the registry is different for 64 bit  (HKLM\Software\WOW6432node\Symantec).   I try to post the essential facts and not put in too much detail.

Mick2009,  The Exchange team is using SMS-MSE 6.5.  Some of the Symantec KB docs say auto-exclusions are not created for version 7.0.

These were supposed to be 11.0.7.  I will probably uninstall SEP 11 RU6a, install RU7, and check for auto-exclusions. (I wonder if donig a repair via Windows would let Symantec create auto-exclusions?)

I work on the a SEP 12.1  upgrade project as much as permitted. 

Thank you for your ideas.  I will to post here what resolution we use.

Regards, John

I'll try to find a KBA for it. I only know because I've seen multiple Symantec employees on here mention it as well as tech support when a call was placed.

Cheers John!

Definitely upgrade to SEP 12.1 RU3.  If you must stay on SEP 11, go for SEP 11 RU7 MP3.

Doing a repair should look for it and create exclusions.

I know about AD exclusions where its mentioned that if server is promoted as DC after SEP is installed. you need to create exclusions for that.

1.

I had an Auto-upgrade group already set up to upgrade to SEP 11 RU7 so I tried it.  It succeeded. That acted enough like a new install that it created two registry entries on the client side to exclude

<drive>:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\Temp

<drive>:\Program Files (x86)\Symantec\SMSMSE\6.5\Server\Quarantine

2.

Repair did not succeed in a test in my case. It might have succeeded if the existing version had been at least v11 RU6 MP1.

3.

And speaking of exclusions,  Windows and other vendors recommend many many exclusions, nearly all of which are UNNECESSARY at our site.  I have seen the ones for AD and we do not do any of them. 

I do not want any more pointless exclusions to document and track than required, so I politely question every request I get. Most fade away after just a little probing. You have to probe anyway, because the user may not know what path/file/process she REALLY meant or even what server he installed the app on.  

We will manually add exclusions now,  and upgrade servers later.

The Symantec KB docs that refer to exclusions being creted automatically should specify any particular conditions and caveats.

Thanks all

John