Endpoint Protection

SEPM Exclude a Process

  • 1.  SEPM Exclude a Process

    Posted Sep 05, 2013 09:54 AM

    Guys,

    I'm pretty much new to adding exclusions so I'm not sure what is the best way to exclude a process. For example: Microsoft Lync needs some of the following exclusions:

    • Lync Server 2010 processes:
      • ASMCUSvc.exe
      • AVMCUSvc.exe
      • DataMCUSvc.exe
      • DataProxy.exe
      • FileTransferAgent.exe
      • IMMCUSvc.exe
      • MasterReplicatorAgent.exe
      • MediaRelaySvc.exe
      • MediationServerSvc.exe
      • MeetingMCUSvc.exe
      • MRASSvc.exe
      • OcsAppServerHost.exe
      • QmsSvc.exe
      • ReplicaReplicatorAgent.exe
      • RTCArch.exe
      • RtcCdr.exe
      • RTCSrv.exe

    Do you add the exclusion in the SEPM Exclusion policy as a file and insert the directory and file name for the above process, i.e. c:\program files\lync\rtcsrv.exe

    or do you add an application exception, as in the rtcsrv.exe exception?

    Any help would be appreciated



  • 2.  RE: SEPM Exclude a Process

    Trusted Advisor
    Posted Sep 05, 2013 09:58 AM

    Hello,

    What version of SEP are you running?

    In case of SEPM 11.x, try to enable Network Application Monitoring:

    1. Login to the manager and go to Clients
    2. Choose the group and Select the Policies tab
    3. Under Policies Click Network Application Monitoring
    4. Check the box that says, "Enable Network Application Monitoring."
    5. From here, you can set the default policy when Endpoint Protection detects changes in an executable. Choose between Ask, Block the Traffic, or Allow and Log.

    Creating Centralized Exceptions Policies in the Symantec Endpoint Protection Manager 11

    http://www.symantec.com/docs/TECH104326

    How to set up learned applications in the Symantec Endpoint Protection Manager

    http://www.symantec.com/docs/TECH102994

     

    In case of SEPM 12.1

    Check this Excellent Article:

    Creating Application Control Exclusions in Symantec Endpoint Protection 12.1

    https://www-secure.symantec.com/connect/articles/crreating-application-control-exclusions-symantec-endpoint-protection-121

     

    Creating an Exception for an Application

    1. Login to the Symantec Endpoint Protection Manager (SEPM) and go to the Policies page.
    2. On the Exceptions Policy page, click Exceptions.
    3. Click Add > Windows Exceptions > Application.
    4. In the View drop-down list, select All, Watched Applications, or User-allowed Applications.
    5. Select the applications for which you want to create an exception.
    6. In the Action drop-down box, select Ignore, or Log only.
    7. Click OK.

    Reference: 

    How to create an application exception in the Symantec Endpoint Protection Manager

    http://www.symantec.com/docs/HOWTO61213

    Creating exceptions for Symantec Endpoint Protection

    http://www.symantec.com/docs/HOWTO80919

    Hope that helps!!


  • 3.  RE: SEPM Exclude a Process

    Posted Sep 05, 2013 10:00 AM
    Do all these files sit in the same directory?


  • 4.  RE: SEPM Exclude a Process

    Posted Sep 05, 2013 10:02 AM

    Good practice is to add only the .exe's; excluding the folder will be a risky one.

    You need to add all those exe's manually.



  • 5.  RE: SEPM Exclude a Process

    Posted Sep 05, 2013 10:04 AM

    We are running SEPM 12.1.3

    We do not have the product installed yet, I am trying to configure these before the app is installed.

    So my question is: do I use the application method mentioned above by Mithun, or do I add the .exe by file exception?



  • 6.  RE: SEPM Exclude a Process

    Posted Sep 05, 2013 10:16 AM

    Exe method. These processes will not be detected by Symantec as viruses. AV scans will impact the performance so an exclusion is needed.

     



  • 7.  RE: SEPM Exclude a Process

    Posted Sep 05, 2013 10:30 AM

    If they sit in the same directory then just add the directory; otherwise you can add by filename.



  • 8.  RE: SEPM Exclude a Process

    Posted Sep 05, 2013 10:31 AM

    Sooooo, it actually depends on what you're trying to exclude the process from.

    A file based exception requires the full path, and will exclude the file from signature-based scans (scheduled/on-demand scans and auto-protect).

    The application exception actually takes a hash of the process and as such does not require a path.  This applies to the SONAR part of SEP, and allows you to choose if it should be terminated, quarantined, or removed.

    Much of this is explained in the below article, which Mithun has already linked ("Thumbs Up" BTW):

    http://www.symantec.com/docs/HOWTO80919

    For the most part when vendors provide recommendations, these are usually exclusions from the signature-based scans.



  • 9.  RE: SEPM Exclude a Process

    Posted Sep 09, 2013 04:35 AM

    Just to clarify the following statement: should this be added as an application exclusion or a file-based exclusion?

    • Vmwp.exe (Note: This file may have to be configured as a process exclusion within the antivirus software.)


  • 10.  RE: SEPM Exclude a Process

    Posted Sep 09, 2013 08:29 AM

    For the application exclusion you don't need to specify the path; for file-based you need to specify the complete path. (Almost the same)

    In the centralized exception select the prefix as None and give the complete path of the files you want to exclude. That's it.



  • 11.  RE: SEPM Exclude a Process

    Posted Nov 11, 2013 08:24 PM

    To be confirmed, I want to create an AV scanning exception for a list of processes like

    ABServer.exe, AcpMcuSvc.exe, ASMCUSvc.exe, AVMCUSvc.exe

    and those are not listed in the Application exception list under View All. Do I want to create it manually from "Add an Application to Monitor" and then select the application, then ignore it from Action?

    Any help would be highly appreciated.



  • 12.  RE: SEPM Exclude a Process

    Posted Nov 11, 2013 08:40 PM

    You can just add a file exclusion for these in the Exceptions policy.

    http://www.symantec.com/docs/HOWTO80920



  • 13.  RE: SEPM Exclude a Process

    Posted Nov 11, 2013 10:57 PM

    Hi

    Please refer to the link below

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55203&actp=search&viewlocale=en_US&searchid=1384228538138

    Regards

     



  • 14.  RE: SEPM Exclude a Process

    Posted Nov 12, 2013 06:50 AM

    Hello,

    As you know, an exception will prevent a scan from being done on a target:

    1) if you exclude a folder, a virus can execute from that folder... not so safe

    2) if you exclude an .exe file by its path and name, a virus can attach itself to the good file and execute... not so safe

    3) if you exclude a file by its hash, you can be sure only that file is excluded without leaving security holes around.

    Hence:

    3) is the best option, 2) might be a compromise in excluding several versions of the same file, 1) should be used only in rare and isolated cases like while troubleshooting an issue, temporary workaround or if a 3rd party vendor clearly states to exclude some application folders and not just some files.
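
Added example, not part of any post in the thread: a simplified Python model of the three exclusion kinds compared in posts 8 and 14, showing that folder and path rules keep matching after a file's contents change while a hash rule does not, plus a drift check for path-excluded files. The rule format, function names, use of SHA-256 and the stand-in file are assumptions made for illustration; this is not SEP's own matching logic.

```python
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath


def sha256_of(path):
    """SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def matches(rule, win_path, file_hash):
    """Simplified model of the three exclusion kinds (not SEP's own logic)."""
    kind, value = rule
    p = PureWindowsPath(win_path)          # Windows paths compare case-insensitively
    if kind == "folder":                   # anything under the folder is skipped
        return PureWindowsPath(value) in p.parents
    if kind == "file":                     # full path only; contents are ignored
        return p == PureWindowsPath(value)
    if kind == "hash":                     # contents only; location is ignored
        return file_hash == value
    raise ValueError(f"unknown rule kind: {kind}")


def drifted(baseline, resolve=Path):
    """Path-excluded files whose contents differ from the approved SHA-256.

    baseline maps excluded path -> hash recorded when the exclusion was approved.
    """
    return [p for p, approved in baseline.items()
            if sha256_of(resolve(p)) != approved]


def demo():
    """Constructed sample: a stand-in rtcsrv.exe is altered after approval."""
    excluded = r"c:\program files\lync\rtcsrv.exe"   # example path from the thread
    with tempfile.TemporaryDirectory() as tmp:
        local = Path(tmp) / "rtcsrv.exe"             # stand-in file, not a real binary
        local.write_bytes(b"constructed stand-in for the vendor binary")
        approved = sha256_of(local)
        local.write_bytes(b"constructed stand-in, altered after approval")
        current = sha256_of(local)
        return {
            "folder": matches(("folder", r"c:\program files\lync"), excluded, current),
            "file": matches(("file", excluded), excluded, current),
            "hash": matches(("hash", approved), excluded, current),
            "drifted": drifted({excluded: approved}, resolve=lambda _p: local),
        }


if __name__ == "__main__":
    print(demo())
```

Recording a hash for every file excluded by path and re-running the drift check after patching gives path-based exclusions some of the assurance that post 14 attributes to hash-based ones.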