Ability to excude specific drives from Centralized exception

When you make an exception you are lowering your security. The trade off that you get improved performance.

The larger the exception that is made, the larger the hole in your security becomes. Excluding an entire drive from being scanned could cripple your entire environment were you to experience any threat that put autorun.inf on all drives.

In the example in your Idea that you linked above was SQL. Once it is common practice for the SQL directory to be excluded virus writers will start dumping files there, knowing that AV most likely wont scan that directory. This is why I suggested excluding the extension instead of the directory, it is safer.

In any case, my comments on this idea are just cautionary; I am not a developer, nor do I have any contact with them.

I understand where you guys are coming from. But if Symantec is worried about the calls that come in after an event there shouldn't be any options for exclusions.

My point here is since exclusions are available limiting what you can exclude is enforcing what Symantec thinks security should be and does not leave it up to the company to decide.

If Symantec was worried about all the calls after the outbreak Symantec should make it where you get a warning notification EVERY time you are making ANY exclusion. And then a different setting can be made where the SEPM administrators have the option not to get the wonderful WARNING YOU ARE CREATING AN EXCLUSION THAT MAKES YOU MORE VULNERABLE messge.

The other point I have to make is, I assume that most people who are the SEPM administrators or the security team who make the policy decisions work with security, and understand the risks they are taking with every exclusion.

Yes, it is scanned, if the drive is scanned.  It is not a malicious file, though.  It is a text file.

From: 'How to prevent a virus from spreading using the "AutoRun" feature'
Document ID: 2008032111570648
> Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008032111570648 

Note: The "autorun.inf" file in and of itself, is not malicious.  It is just a text file. 
If you open it with a text editor you will see a line similar to this:

[AutoRun]
open= [path][filename].exe

 If the file [filename.exe] in the specified path is not detected by Symantec AntiVirus or Symantec Endpoint Protection, please submit the file to Symantec Security Response using the instructions in the following document:

"How to Use the Web Submission Process" at:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007090711312848

I would add to this that the [filename.exe] in the specified path may be a legitimate executable.

I hope this clarifies things.

sandra

We do scan autorun.inf; provided of course there is not an exception for that file extension and the AV has been configured to scan all file types and not just certain extensions.

There are even generic detections that will pick up several autorun.inf variants for known threats; I have seen logs from machines where this has happened.

On the first one, someone has already posted the same link I did.

The second one I think speaks for itself, differentiating between the file itself and its being used for malicious purposes.

sandra