Endpoint Protection

  • 1.  Will currently installed SEP Client detect dcpromo?

    Posted Aug 26, 2009 01:02 AM
    Hi,

     I have a server which I am going to promote to a DC, which currently has the SEP AV client installed. I'm under the impression that SEP automatically excludes from scanning any DC related stuff. I'm just wondering if the current installation will detect that the server has become a DC after I run dcpromo and reboot, and thus exclude the relevant stuff from being scanned, or will I need to uninstall the SEP client, do a dcpromo and then reinstall SEP?

    Cheers,

    Andrew


  • 2.  RE: Will currently installed SEP Client detect dcpromo?

    Broadcom Employee
    Posted Aug 26, 2009 01:39 AM
    Check out this link from MS and create a scanning exclusion in SEPM:

    http://support.microsoft.com/kb/822158



  • 3.  RE: Will currently installed SEP Client detect dcpromo?

    Posted Aug 26, 2009 03:28 AM
    Yes, as it will also automatically create exclusions on an Exchange server.


  • 4.  RE: Will currently installed SEP Client detect dcpromo?

    Posted Aug 26, 2009 08:09 AM

    When you first install the client, even if the server is not a DC, I would create the necessary exceptions.

    You can navigate to

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\Domain Controller\FileExceptions

    You will find the below info

    [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\Domain Controller\FileExceptions]
    "C:\\WINDOWS\\NTDS\\EDB.chk"=dword:00000000
    "C:\\WINDOWS\\NTDS\\edb.log"=dword:00000000
    "C:\\WINDOWS\\NTDS\\edb00001.log"=dword:00000000
    "C:\\WINDOWS\\NTDS\\edb00002.log"=dword:00000000
    "C:\\WINDOWS\\NTDS\\edb00003.log"=dword:00000000
    "C:\\WINDOWS\\NTDS\\ntds.dit"=dword:00000000
    "C:\\WINDOWS\\NTDS\\RES1.log"=dword:00000000
    "C:\\WINDOWS\\NTDS\\RES2.log"=dword:00000000
    "C:\\WINDOWS\\NTDS\\TEMP.edb"=dword:00000000
    "C:\\WINDOWS\\ntfrs\\jet\\log\\edb.log"=dword:00000000
    "C:\\WINDOWS\\ntfrs\\jet\\log\\res1.log"=dword:00000000
    "C:\\WINDOWS\\ntfrs\\jet\\log\\res2.log"=dword:00000000
    "C:\\WINDOWS\\ntfrs\\jet\\Ntfrs.jdb"=dword:00000000
    "C:\\WINDOWS\\ntfrs\\jet\\sys\\edb.chk"=dword:00000000


    These are the directories which are excluded.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\Domain Controller\NoScanDir]
    "C:\\WINDOWS\\SYSVOL"=dword:00000000
    "c:\\windows\\sysvol\\domain\\DO_NOT_REMOVE_NtFrs_PreInstall_Directory"=dword:00000001
    "c:\\windows\\sysvol\\staging"=dword:00000001
    "C:\\WINDOWS\\SYSVOL\\staging areas"=dword:00000001
    "C:\\WINDOWS\\SYSVOL\\sysvol"=dword:00000001

    It's all excluded by default, so no need to worry.



  • 5.  RE: Will currently installed SEP Client detect dcpromo?

    Posted Aug 26, 2009 09:10 AM
    In short, no, it will not detect promotion to a domain controller. You need to handle that in the exclusions and settings. HOWEVER, I pushed the FULL SEP install to ALL of our servers and have had NO interference with DC operations. The firewall, AV, etc. is all there.
    I did exclude what needed to be excluded just in our general policies anyway so it wasn't an issue - the DCs don't get special treatment here. SEP seems to be pretty smart - esp. if you enable the options under 'smart traffic filtering' in the firewall policy.
    Do exclude what's suggested - the login script/logon area, logs, DHCP and DNS folders need to be excluded, but you can do that for everything when you first install SEP at all.

    But the short answer is - no, it does not detect promotions or the fact it's a DC.


  • 6.  RE: Will currently installed SEP Client detect dcpromo?

    Posted Aug 30, 2009 04:16 AM

    SEP will not detect if the server is promoted as a DC.

    When SEP is installed initially, the client monitors the applications that are installed on the client computer. If the software detects Active Directory on the client computer, the software automatically creates the exclusions.
    You have to either uninstall and reinstall the SEP client or create the exclusion manually.
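As an added example, not code from this thread or from Symantec: a PowerShell check an admin could run on the server after dcpromo to confirm that the Domain Controller exclusions listed in post 4 actually exist, given post 6's point that SEP only creates them at install time. It assumes the registry layout quoted in post 4 and uses the standard NTDS service parameter values to locate the AD database and logs, since they need not live under C:\WINDOWS\NTDS.

```powershell
# Added example (not from the thread): audit whether the SEP client's
# Domain Controller exclusions are present on a server after dcpromo.
# Assumes the registry layout quoted in post 4 above.
$sepBase = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\Domain Controller'

function Get-SepExclusionNames {
    param([string]$SubKey)
    $path = Join-Path $sepBase $SubKey
    if (-not (Test-Path $path)) { return @() }
    # Each exclusion is a registry value whose NAME is the excluded path;
    # the DWORD data is not what we are checking here.
    (Get-Item $path).GetValueNames()
}

# Where AD actually keeps its database and logs (standard NTDS service values;
# these can point somewhere other than C:\WINDOWS\NTDS).
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$isDc = Test-Path $ntdsParams
$expectedFiles = @()
if ($isDc) {
    $p = Get-ItemProperty $ntdsParams
    $expectedFiles += $p.'DSA Database file'                            # ntds.dit
    $expectedFiles += Join-Path $p.'Database log files path' 'edb.log'  # transaction log
    $expectedFiles += Join-Path $p.'DSA Working Directory'   'edb.chk'  # checkpoint file
}
$expectedDirs = @("$env:SystemRoot\SYSVOL")

$fileExcl = Get-SepExclusionNames 'FileExceptions'
$dirExcl  = Get-SepExclusionNames 'NoScanDir'

"Domain controller role detected: $isDc"
"SEP DC file exceptions found: $($fileExcl.Count); no-scan directories: $($dirExcl.Count)"

# -notcontains compares strings case-insensitively, which matters because
# SEP stores the paths with mixed case (see the export in post 4).
$missing = @()
foreach ($f in $expectedFiles) { if ($fileExcl -notcontains $f) { $missing += $f } }
foreach ($d in $expectedDirs)  { if ($dirExcl  -notcontains $d) { $missing += $d } }

if ($isDc -and $missing.Count -gt 0) {
    Write-Warning "Server is a DC but SEP has no exclusion for:`n  $($missing -join "`n  ")"
    Write-Warning "Add them in SEPM or reinstall the client, as posts 5 and 6 advise."
} elseif ($isDc) {
    'All expected DC exclusions are present.'
}
```

Run it in an elevated PowerShell session on the DC; a non-DC server simply reports that the role was not detected.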