Endpoint Protection

  • 1.  SEP11 MR4 MP2 on Exchange 2007. Two Questions.

    Posted Aug 12, 2009 11:20 AM
    Hey,

    I've just installed SEP11 MR4 MP2 on one of our Hub Transport servers and have encountered a small problem. Symantec say that the product is application-aware for 2007 and should exclude the folders Microsoft recommend.

    When I look in the server's registry in:

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\Exchange Server\NoScanDir

    It is not scanning:

    C:\Program Files (x86)\Symantec\SMSMSE\6.0\Server\Quarantine
    C:\Program Files (x86)\Symantec\SMSMSE\6.0\Server\Temp

    I'd expect it to be excluding a bunch more, as highlighted in Microsoft's article (specifically for HT servers): http://technet.microsoft.com/en-us/library/bb332342.aspx

    Just some of them are

    %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\Adam
    %Program Files%\Microsoft\Exchange Server\TransportRoles\Data\SenderReputation

    But I don't see any of these excluded. Am I missing something? Or is SEP not as Exchange-aware as it's said to be?

    Also, in the Microsoft article it says that processes such as Edgetransport.exe should not be scanned. How do I go about checking whether this is being scanned or not, and if it isn't, where do I add it as an exception?

    Many thanks


  • 2.  RE: SEP11 MR4 MP2 on Exchange 2007. Two Questions.

    Posted Aug 12, 2009 11:25 AM

    Preventing Symantec Endpoint Protection 11.0 from scanning the Microsoft Exchange 2007 directory structure

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007072619121148
     


  • 3.  RE: SEP11 MR4 MP2 on Exchange 2007. Two Questions.

    Posted Aug 12, 2009 11:29 AM
    My Hub Transport server isn't clustered (my CAS servers are), so that document doesn't apply to this particular install I've done. Also, it's a default install; everything is in c:\Program Files\Microsoft\Exchange Server.


  • 4.  RE: SEP11 MR4 MP2 on Exchange 2007. Two Questions.

    Posted Aug 12, 2009 11:31 AM

    HOW TO VISUALLY INSPECT EXCLUSIONS

     

    Start > Run > Regedit

    Browse to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\SYMANTEC\SYMANTEC ENDPOINT PROTECTION\AV\EXCLUSIONS

    Expand the key to view the various applications listed there.

    The 'File Exceptions' folder is where you can inspect the full list of exclusions associated with that product.
     



  • 5.  RE: SEP11 MR4 MP2 on Exchange 2007. Two Questions.

    Posted Aug 12, 2009 11:38 AM

    Hi Prachand,

    Sorry, I think I worded my original post badly. I've looked in that folder and there's very little there. See screenshot:


    There's nothing else listed in the other folders.



  • 6.  RE: SEP11 MR4 MP2 on Exchange 2007. Two Questions.

    Posted Aug 12, 2009 01:04 PM
    Hi brascatmalarky,

    I am unable to effectively troubleshoot the root cause over the forums here, though here are the default exclusions that should be added by Symantec with a default installation of Exchange 2007 on a 64-bit machine:


    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\Exchange Server]
    "HaveExceptionFiles"=dword:00000001
    "HaveExceptionDirs"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\Exchange Server\FileExceptions]
    "C:\\Program Files\\Microsoft\\Exchange Server\\Mailbox\\First Storage Group\\Mailbox Database.edb"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\Mailbox\\Second Storage Group\\Public Folder Database.edb"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\Exchange Server\NoScanDir]
    "C:\\Program Files\\Microsoft\\Exchange Server\\Bin"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\ClientAccess"=dword:00000001
    "C:\\Program Files\\Microsoft\\Exchange Server\\ExchangeOAB"=dword:00000001
    "C:\\Program Files\\Microsoft\\Exchange Server\\Logging\\Managed Folder Assistant"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\Mailbox"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\Mailbox\\First Storage Group"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\Mailbox\\Mailroot\\vsi 1\\BadMail"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\Mailbox\\Mailroot\\vsi 1\\PickUp"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\Mailbox\\Mailroot\\vsi 1\\Queue"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\Mailbox\\MDBTemp"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\Mailbox\\Second Storage Group"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\TransportRoles\\Data\\IpFilter"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\TransportRoles\\Data\\Queue"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\TransportRoles\\Data\\SenderReputation"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\TransportRoles\\Logs"=dword:00000001
    "C:\\Program Files\\Microsoft\\Exchange Server\\TransportRoles\\Logs\\Connectivity"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\TransportRoles\\Logs\\MessageTracking"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\TransportRoles\\Logs\\PipelineTracing"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\TransportRoles\\Logs\\ProtocolLog\\SmtpReceive"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\TransportRoles\\Logs\\ProtocolLog\\SmtpSend"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\TransportRoles\\Logs\\Routing"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\TransportRoles\\Pickup"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\TransportRoles\\Replay"=dword:00000000
    "C:\\Program Files\\Microsoft\\Exchange Server\\Working\\OleConverter"=dword:00000000
    "C:\\WINDOWS\\IIS Temporary Compressed Files"=dword:00000000
    "C:\\WINDOWS\\system32\\inetsrv"=dword:00000000


    To add these to the machine with Exchange installed:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008082610254148?Open&seg=ent
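
The registry inspection discussed in this thread can be scripted. The following is an added example, not part of any post above and not Symantec's tooling: it reads the NoScanDir key quoted in the thread and compares it with an expected list. The expected list is an assumption (the TransportRoles subset of the default-install entries posted above), as is PowerShell 3.0 or later on the server.

```powershell
# Added example: audit the SEP 11 Exchange directory exclusions on a 64-bit host.
# Key path is the one quoted in the thread; the expected list is an assumption
# (TransportRoles subset of the default-install list posted above).
$base = 'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\Exchange Server'
$exchange = 'C:\Program Files\Microsoft\Exchange Server'
$expected = @(
    "$exchange\TransportRoles\Data\IpFilter"
    "$exchange\TransportRoles\Data\Queue"
    "$exchange\TransportRoles\Data\SenderReputation"
    "$exchange\TransportRoles\Logs"
    "$exchange\TransportRoles\Pickup"
    "$exchange\TransportRoles\Replay"
)

function Get-SepExclusion {
    param([Parameter(Mandatory)][string]$KeyPath)
    # A missing key means no exclusions of this type were written.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    $key = Get-Item -LiteralPath $KeyPath
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }   # skip the unnamed default value
        [pscustomobject]@{
            Path = $name.TrimEnd('\')
            Data = $key.GetValue($name)   # reported as-is, not interpreted
        }
    }
}

$present      = @(Get-SepExclusion -KeyPath "$base\NoScanDir")
$presentPaths = @($present | ForEach-Object { $_.Path })

# -notcontains compares case-insensitively, which matches Windows path semantics.
$missing    = @($expected | Where-Object { $presentPaths -notcontains $_ })
$unexpected = @($present  | Where-Object { $expected -notcontains $_.Path })

"NoScanDir entries found: $($present.Count)"
"Expected but missing:"
$missing | ForEach-Object { "  $_" }
"Present but not in the expected list (review each one):"
$unexpected | ForEach-Object { "  $($_.Path) (data=$($_.Data))" }
```

Run it from an elevated 64-bit PowerShell session on the Exchange server. Entries in the second list are not necessarily wrong, but every antivirus exclusion is a location that goes unscanned, so each should trace back to a documented vendor recommendation.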