Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

UserProfile Exclusions

Created: 26 Jan 2013 | 13 comments

Using the latest SEP 12.2

We are using a product called ProfileUnity and it's really slow when logging on with SEP installed (just the AV, with no sonar, no download insight)

I need to make the exceptions listed here: http://na2.salesforce.com/_ui/selfservice/pkb/PublicKnowledgeSolution/d?orgId=00D3000000006Eb&id=50140000000bW1J&retURL=%2Fsol%2Fpublic%2Fsolutionbrowser.jsp%3Fsearch%3Dantivirus%26cid%3D000000000000000%26orgId%3D00D3000000006Eb%26t%3D4&ps=1

The first exception is in the users %temp%\unttmp2 folder

I know stupid SEP still wont allow me to make exceptions in the %userprofile% folder (gee, it was submitted as an idea 3 years ago). What other options do I have? I know I can exclude c:\users, but that's a security risk.

I want to exclude .7z files, but only from \\this-server. Is that possible?

Thank You

Comments 13 CommentsJump to latest comment

.Brian's picture

When you say \\this-server do you mean only 1 machine?

If so, you can either put it into it's own group and add the exclusion for .7z files or you allow in the policy the ability to add exclusions locally.

Also, I would just exclude the unttmp2 folder. So set the prefix variable to [NONE] and add the absolute path C:\Documents and Settings\<user>\Local Settings\Temp\unttmp2 to the policy. It will only exclude this location, not all of %temp%

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

bjohn's picture

Using Virtual Desktops.

\\This-server would be a server the virtual desktops access for the users profile. Basically I want to exclude .7z files on that server.

For your second point, I'm not talkig about just one machine, or one user for that matter. Again, virtual desktops.

.Brian's picture

Adding the .7z extension is easy.

Not so much for the folder under the user profiles as the way to currently do it is by adding for each user name....not practical.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

bjohn's picture

Yes, I excluded the .7z extension already, although it's a security risk. What I really want to do is to exclude it in a particular share/folder location.

I hate Symantec.

bjohn's picture

I'm wondering if someone can help me with this...

I stripped down my Symantec installation to include only AV, made exceptions, even disabled auto-protect (which disables sonar and download protection).

Yet, the mere fact that Symantec is on the machine, adds 15 seconds more to the profileunity load process.

On a machine without Symantec, it loads 15 seconds faster.

Anything I can do?

SebastianZ's picture

Not sure if disabling Auto Protect is a good idea - without it you have basically no "live" protection.

Have a go and open a case with Symantec, I am afraid the scope of your problem is bit above the recommendations that can be provided via forum. A lot more analysis and reproductions will be necessary to reach here any solution or workaround.

Mithun Sanghavi's picture

Hello,

I agree with SebastianZ's recommendation as we already aware of this Limitation. However, as much as I believe this is being considered for the Future Releases.

Check these IDEA's - 

https://www-secure.symantec.com/connect/ideas/using-system-variables-exceptions

https://www-secure.symantec.com/connect/idea/centralized-exceptions-hash-or-filename

https://www-secure.symantec.com/connect/idea/sepm-more-variables-avas-exclusions

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SebastianZ's picture

Good links Mithun - the issue regarding the inability to set the User profile variables in exceptions has been already reported many time. Please support the ideas listed and hopefully we will see this option added in the future.

JS@support's picture

Hi,

I know I can exclude c:\users, but that's a security risk --> I really don't think there would be a security risk.

Exception paths will not be scanned only for scheduled scan not for real time scan. Symantec should take care even though it's under exception policy.

Even though after creating exception it doesn't mean threat can easily enter/move in the user profiles.

AravindKM's picture

There are no separate exclusions for real-time and scheduled scans. If you add any file/folder to exclusion it will be excluded from all types of scans..

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

cus000's picture

Hah i missed out on these ideas, will vote them.

I think it's good to have a different option for Auto-Protect scan

bjohn's picture

https://www-secure.symantec.com/connect/idea/sepm-... has been active since 2009. Obviously there's no pointing in having an idea and voting for it if it's not going to be implemented.

I think I personally voted for that idea almost two years ago.

Yes, as it's mentioned in that thread, it's not something that's easy to implement, nevertheless, it SHOULD have been implemented by now!

Stupid!

bjohn's picture

Need some more help. I re-directed my %temp% to c:\temp. Created central exclusions for c:\temp. I see that the registry lists the exclusions I created.

Still slow.

When I look at list of files being scanned by auto-protect, I see that files in c:\temp are being scanned?

What gives?

Using the latest version.