
Why do some Exceptions still come up in my Logs ?

Created: 01 Apr 2010 • Updated: 09 Jan 2013 | 9 comments
This issue has been solved.

I've created a control policy to monitor my system32 directory (modify only) and an independent 'test' directory (read and modify).

I got an onslaught of entries every time SEP did an update, so I added all those processes to the centralised exceptions policy. I also added some other processes to the centralised exceptions policy that I know are standard OS activities. However, there have been a couple of exceptions:

1) SEP's local Rtvscan.exe process, which is already in my centralised exceptions, still comes up in the log entries, presumably when scanning my test directory.

2) The c:/windows/system32/spoolsv.exe process writes to the system32/spool directory every hour and again is logged, even though I have that very same process as an exception in the centralised policy it is using, have the spool directory set to be ignored in the centralised policy as well, and have also added the spool directory to the files and folders exceptions list in the actual control policy.
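Added example (not part of the original post, and not a Symantec tool): when an excepted process such as spoolsv.exe or Rtvscan.exe keeps appearing in the application control log, the two checks worth automating are whether the logged events are dated after the policy was pushed to the client, and which process/target pairs are not actually covered by the exception list as configured. The log layout below (pipe-separated time, process, action, target) and the sample lines are constructed for this example; a real SEPM log export will need its own parser, and the exception shapes (full process paths plus folder globs) are assumptions about how the exceptions were entered.

```python
"""Triage application-control log lines against a policy push time and an
exception list.  Log format and sample data are constructed for this example."""
from datetime import datetime
from fnmatch import fnmatch

# Constructed sample export: time | process | action | target path
SAMPLE_LOG = """\
2010-04-01 09:55:10|C:\\Windows\\System32\\spoolsv.exe|Write|C:\\Windows\\System32\\spool\\PRINTERS\\00001.SPL
2010-04-01 10:02:00|C:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Rtvscan.exe|Read|C:\\test\\notes.txt
2010-04-01 10:55:12|C:\\Windows\\System32\\spoolsv.exe|Write|C:\\Windows\\System32\\spool\\PRINTERS\\00002.SPL
2010-04-01 11:10:30|C:\\Windows\\System32\\notepad.exe|Write|C:\\Windows\\System32\\drivers\\etc\\hosts
"""

# Assumed time the updated policy reached the test workstation.
POLICY_PUSHED = datetime(2010, 4, 1, 10, 0, 0)

# Exceptions as they were (assumed to be) configured: exact process paths
# and folder globs.  Matching is case-insensitive, as Windows paths are.
PROCESS_EXCEPTIONS = {
    r"C:\Windows\System32\spoolsv.exe",
    r"C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe",
}
FOLDER_EXCEPTIONS = [r"C:\Windows\System32\spool\*"]


def parse_log(text):
    """Turn the constructed export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, action, target = line.split("|", 3)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "process": proc,
            "action": action,
            "target": target,
        })
    return events


def is_excepted(event):
    """True if the event's process or target path is covered by an exception."""
    proc = event["process"].lower()
    target = event["target"].lower()
    if proc in {p.lower() for p in PROCESS_EXCEPTIONS}:
        return True
    return any(fnmatch(target, g.lower()) for g in FOLDER_EXCEPTIONS)


def triage(text, pushed):
    """Split events into: logged before the push (stale, ignore them),
    excepted-but-still-logged after the push (the real problem), and
    not-excepted after the push (expected monitoring hits)."""
    events = parse_log(text)
    before = [e for e in events if e["time"] < pushed]
    after = [e for e in events if e["time"] >= pushed]
    return {
        "before_push": before,
        "excepted_but_logged": [e for e in after if is_excepted(e)],
        "not_excepted": [e for e in after if not is_excepted(e)],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, POLICY_PUSHED)
    for bucket, events in result.items():
        print(bucket)
        for e in events:
            print(f"  {e['time']}  {e['process']}  {e['action']}  {e['target']}")
```

Anything that lands in the excepted_but_logged bucket after the push time is evidence the exception is not being honoured on the client; entries dated before the push are just the old events still sitting in the SEPM log view.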


Rafeeq wrote:

Did you add the process to the 'Exclude the following processes' list in the application control policy, along with the centralized exception? It is under Exclude: 'Do not apply the rule to the following processes'.

SaladFingers wrote:

Has anybody else used controls on files and folders this way and had the same problems?

SaladFingers wrote:

No, as I read an article that highlighted that they need to be added to the centralised exceptions.

I did originally just have the processes in the very list you are referring to, and it did not make a blind bit of difference.

I'll add them there as well and let you know. However, this still doesn't explain why the spool directory (not the process) is not being ignored, as that IS in both policies already.

SaladFingers wrote:

So I added the process to the application control policy, so it is in both. I then made sure the policy update was pushed down to the workstation I am testing it all on, and printed.

Checked the logs on the SEPM console a couple of minutes later, and the spoolsv.exe process and spool folder are both still coming up in the logs (BOOOOO!) :-(

SaladFingers wrote:

I've also removed and saved, then re-added and saved, the aforementioned exceptions in both policies as well, with no luck.

Rafeeq wrote:

Open SEPM, go to Centralized Exceptions, and under TruScan Proactive you see Detected Processes. Do you see it there? If so, add it.

SOLUTION
SaladFingers wrote:

Thanks Rafeeq, but there are no processes listed under the TruScan Proactive detected processes exceptions, so I cannot add it. Any other suggestions?

The processes I have previously added are added to the centralised exceptions as a Tamper Protection File.

This was done via the Log screen by selecting the start button at the top, which sits next to the 'Action: Add File to Centralized Exceptions Policy' field. It then lists all my centralized exceptions so I can choose the appropriate one.
