Endpoint Protection

12.1.1000.157 RU1

Host of shared folder is an physical Windows 2003 Server Standard 32bit with 4GB RAM.

Mac clients use a shared folder on this server for storing images. There are about 10,000 images (generally, JPG, TIF and RAW) per folder within a number of folders inside the share.

If we Disable Symantec Endpoint Protection, the folder contents display within a few seconds. When enabled, the folder content listing appears to timeout but some reports indicate contents will eventually appear after some minutes.

Shoud I disable Auto Protect for this server/folder and instead schedule scans nightly (can you point me at instructions on how I go about this from the console)?

What are the recommended steps for dealing with this kind of issue?

Thanks

It's really up to you and what your requirement is.

Being that is a large directory being scanned, it may be best to disable AP and enable daily scans of the share.

It's never really recommended to disable AP but if work suffers because of it, you may need to go in this direction.

Login to the SEPM and go to your AV policy section.

You can create a new AV policy and once you open it go to the Administrator defined scans tab

Add a new scan here and edit as needed.

Disabling  Auto Protect for this server/folder  may not be a right idea. We can create a AV policy from the SEPM and customize it.

For the shared drive you can disable the network scanning.

Network settings provides the following options:
· Network

Enables or disables scanning on network drives

· Network Settings

When scanning is enabled on network drives, Auto-Protect scans files when a client computer or a server accesses them from a server. When network scanning is enabled, you can also enable Auto-Protect to trust remote versions of Auto-Protect and to use a network cache.

Before disabling autoprotect check with disabling NTP or you can Exclude mapped drive from autoprotect scan.

Disabling Auto-Protect is never recommended - you basically disabling the live scanning of antivirus itself basically leaving only schedule scan option - but scheduled scan may be already to late if the threat go onto your machine while auto protect was off.

Why not simply excluding this folder from Auto-Protect Scan:

Creating Centralized Exceptions Policies in the Symantec Endpoint Protection Manager 12.1

http://www.symantec.com/docs/TECH183201

On the clients accessing the share you can as well disable network scanning for shared drives. Both those solution will be less harmful than disaling AP alltogether.

Thanks for the all information.

Based on comments above, I created a group specifically for this server and added an exceptions policy (using SebatianZ's link) to exempt one folder and the file types JPG, TIF & FFF from AutoProtect only (as this was an option). Hopefully this means that those excepted files & folders will still be scanned by the scheduled scans.

As disabling the SMC client on the server was what improved performance I didn't look at the Network Drives scanning exception on the clients as I didn't think this was necessary.

Having enabled the exceptions above, users report the performance is good. We accept the potential risk as the overhead of AutoProtecting these folders was too high (assuming auto protect is that "on-access/at file-open" scanning facility). I didn't except anything else (Insight, Scheduled scans or whatever).

Hi,

AutoProtect exclusions are valid for both realtime and scheduled scans, test it with EICAR files...

It is not recommended to exclude an entire shared folder, shared folders are often used by threats to spread in computer networks.

You may also set the AV on that system to scan files only when modified (and created) instead of at every access.