
SEP Client needs separate exclusions for Real-time and Scheduled Scans

Created: 19 Aug 2009 | 13 comments
jonathan_korba | 21 Agree, 1 Disagree (+20, 22 Votes)
I have a large SEP customer (40,000 clients) who is upset because there is currently no way to exclude files/folders from real-time scanning and still scan them with scheduled scans.  They want us to add this ability to SEP ASAP.  This is a letter directly from the customer:

[Customer] would like to request the ability to configure file and folder level exclusions within SEP real-time auto-protect similar to the previous SAV versions.

 
[Customer] runs a wide variety of third party and in house applications on our windows server environment. We rely on the ability to configure separate real-time scanning exclusions and scheduled scan exclusions to strike a balance between security and performance and data integrity. This can also be described as the balance between two of the three primary tenets of security, Availability and Integrity, per ISC2.
 
Per our best practices we try to scan as much as possible through real-time auto-protect scanning with the minimal intent of protecting the server from becoming an infected host. However, per third party application requirements and recommendations we need to exclude certain files and folders for the above mentioned performance and possible data corruption reasons. We then balance this with our daily or weekly scheduled scans which will cover the file structure not scanned real-time.  
 
The current SEP client does not allow us to configure, or tune, our clients in this manner. We can set exclusions on a scheduled scan but not via real-time scanning. The centralized exclusions option does not meet our need as it is also applied to a scheduled scan. This allows us to exclude files and folders in real-time scanning but also excludes them from scheduled scans. This prohibits us from striking the desired balance between real-time and scheduled scans.
 
This issue is also important when addressing support issues with the third party application vendor. In most cases Microsoft is also involved in the support case. The typical first level response is that it could be your AV solution. This can involve additional support hours / costs as well as the need to engage Symantec in the troubleshooting process.
 
Currently I have no option other than to recommend that we do not move forward with our plan to implement the SEP client on our windows servers. Until we have the ability to configure the SEP client in the manner described above I have to recommend we remain on SAV. This is unfortunate as we have already seen the increased capability of SEP to detect certain malware that SAV was not detecting.
 
Can you please put this request for product enhancement through the process and escalate as needed? Can you let me know if Symantec is willing to deliver this functionality and an ETA on delivery? I will need this to determine our server AV client roadmap and migration strategy going forward.

Comments

Jeremy Dundon | 19 Aug 2009 | 6 Votes +6

A suggestion for a work-around.

1. Create the exclusions for Autoprotect that you need.

2. Create a mount point for the excluded folders that you want to scan. (Map a network drive for example).

3. Scan the mount point (network drive); because the system reads it as the mount point (network drive) instead of the actual location, the exclusion won't happen.
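The mechanism behind this workaround (and behind Jeremy's later clarification that `c:\program files\bob\bob database\` read as `x:\` can be scanned manually) is that an exclusion entry is compared against the path string the scanner sees, so an alias of the same folder is not covered unless the alias path is listed too. The PowerShell below is an added example, not code from this thread or from Symantec. It assumes that folder exclusions behave as case-insensitive path prefixes, takes the alias-to-folder mapping as a constructed hashtable (`$AliasMap`) rather than reading it from the system, uses `SERVER01` as a placeholder server name, and only displays the `net use` mapping command rather than running it. It reports, for each path a scheduled scan will be pointed at, whether the path as typed is excluded and whether the folder it resolves to is, which is the check to run before relying on step 3: if someone has also excluded the alias path, the scheduled scan silently skips the folder again.

```powershell
# Added example (not from the thread or from Symantec). Models how a
# path-prefix exclusion list treats a folder versus an alias of that folder.

function Test-PathExcluded {
    # $true when $Path is, or sits under, one of the excluded folders.
    # Assumption: exclusions act as case-insensitive path prefixes.
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Exclusions
    )
    $candidate = $Path.TrimEnd('\') + '\'
    foreach ($entry in $Exclusions) {
        $prefix = $entry.TrimEnd('\') + '\'
        if ($candidate.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Resolve-AliasPath {
    # Hypothetical helper: translates 'X:\sub\file' back to the folder the
    # alias points at, using a hashtable of 'X:' -> real folder. Paths on
    # drives that are not aliases are returned unchanged.
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $AliasMap
    )
    $qualifier = Split-Path -Qualifier $Path          # e.g. 'X:'
    if ($AliasMap.ContainsKey($qualifier)) {
        return Join-Path $AliasMap[$qualifier] (Split-Path -NoQualifier $Path)
    }
    return $Path
}

function Get-ExclusionReport {
    # One row per scan target: what it resolves to and how the exclusion
    # list treats the alias path and the real path.
    param(
        [Parameter(Mandatory)] [string[]]  $ScanPaths,
        [Parameter(Mandatory)] [string[]]  $Exclusions,
        [Parameter(Mandatory)] [hashtable] $AliasMap
    )
    foreach ($p in $ScanPaths) {
        $resolved   = Resolve-AliasPath -Path $p -AliasMap $AliasMap
        $asTyped    = Test-PathExcluded -Path $p        -Exclusions $Exclusions
        $resolvedEx = Test-PathExcluded -Path $resolved -Exclusions $Exclusions
        $status = if ($asTyped)        { 'skipped: the path as typed is excluded' }
                  elseif ($resolvedEx) { 'scanned via alias (Auto-Protect skips the real folder)' }
                  else                 { 'scanned either way (no exclusion applies)' }
        [pscustomobject]@{
            ScanPath         = $p
            ResolvesTo       = $resolved
            ExcludedAsTyped  = $asTyped
            ExcludedResolved = $resolvedEx
            Status           = $status
        }
    }
}

# --- Constructed demo data -------------------------------------------------
$Exclusions = @(
    'C:\Program Files\bob\bob database',   # folder named in the thread
    'D:\SQLData'                           # constructed second exclusion
)

# Step 2 of the workaround as the admin would type it on the server
# (displayed only; SERVER01 is a placeholder):
$MapCommand = 'net use X: "\\SERVER01\c$\Program Files\bob\bob database"'
Write-Host "Mapping step (not executed here): $MapCommand"

# What X: points at once that mapping exists (constructed, not read from the OS).
$AliasMap = @{ 'X:' = 'C:\Program Files\bob\bob database' }

$ScanPaths = @(
    'C:\Program Files\bob\bob database\data.mdf',  # real path: excluded
    'X:\data.mdf',                                 # same file via the alias
    'D:\SQLData\log.ldf'                           # excluded, no alias defined
)

Get-ExclusionReport -ScanPaths $ScanPaths -Exclusions $Exclusions -AliasMap $AliasMap |
    Format-Table -AutoSize
```

Running this on the constructed data shows the first and third paths as excluded as typed, and `X:\data.mdf` as not excluded as typed but excluded once resolved, which is exactly the state the workaround relies on. The same report flags the failure mode pebcak and others raise later in the thread: the mapping only helps while the alias path stays out of every exclusion policy that reaches the server, so the `$AliasMap` for each server has to be kept in step with its exclusion list.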

Derrick Farley | 19 Aug 2009 | 2 Votes +2

Great idea

Great idea Jeremy. This should allow the customer to find the balance they are looking for. 

AravindKM | 22 Aug 2009 | 0 Votes 0

Good Idea

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

mdm | 25 Aug 2009 | 2 Votes +2

Good workaround

Good workaround indeed. 

However, here is an idea for enhancement request itself:  Be able to configure individual "Exception Sets" in SEPM (similar to Installation Feature Sets) rather than a "Centralized Exception Policy" that applies to all scans. 

These "Exception Sets" could then be applied to Realtime or Scheduled Scans separately as an option when creating/editing the policies.

John929 | 09 Sep 2009 | 1 Vote +1

This one gets my vote. We have a number of apps where the supplier positively excludes real-time protection. Separating real-time and scheduled scan settings is a reasonable compromise. I particularly like MDM's suggestion.

timaa | 10 Sep 2009 | 1 Vote +1

Exclusions for Auto Protect?

I was told that the centralized exclusions that are set cover all types of scans. Is that not true?

Jeremy Dundon | 10 Sep 2009 | 0 Votes 0

clarification

Antivirus Exclusions apply to all types of antivirus scan (autoprotect, scheduled scan, manual scan).

The only current way around that is to essentially fool windows by creating a mapped drive so that what is actually c:\program files\bob\bob database\ is read by windows as x:\ and can be scanned manually.

Sandeep Cheema | 01 Nov 2009 | 0 Votes 0

I don't get the baseline of the idea.

If I exclude a file or folder from AP, why would I like to include it in scheduled scan?

Your excluded files would be scanned if you include them in the scheduled scan.

If it's an exclusion, that's 'cause the vendor for the product (files) recommends it not be touched by the AV, like MDF. You would scan them either way; the scheduled scan would either hang, CPU spike, or memory leak for the application (the other one)... Should not matter, AP or scheduled scan.

De facto when AV does something, it starts jumping up and down, waving its arms, and shouting "Hey!  I found a virus!  Look at me!  I'm soooo goooood!"

Another InfoSec Admin | 11 Feb 2010 | 0 Votes 0

Another Enterprise w/ This Need

I also work for an enterprise with thousands of Symantec clients. We share this need for separate real-time vs. scheduled scan exclusions, as was present in the SAV CE product. The need is obvious: grant real-time exceptions during production to eke performance out of servers, cover them with a scheduled scan during maintenance windows to ensure nothing nasty has migrated into an excluded directory. Never scanning the folder is a much harder pill to swallow.

Unfortunately we are also an enterprise that literally suffered through the previous SEP releases.  IMHO, SEP wasn't ready for prime time until RU5.   The number and severity of past problems with SEP's infamous Teefer network driver has left a lot of blood on the floor here.  Dealing with the Teefer problems and x64 performance problems, has left us in a state where we pretty much only will consider the AV portion of this client on servers (all other features have been tossed out).   There's little appetite left for 'another Symantec issue/shortfall/bug'.  Discovering the lack of this feature I'm afraid is the straw.   It leaves us in a less than ideal position with external facing application architectures.

Between the loss of features and the near constant pain of upgrading to address severe issues up to RU5, I can say our feeling is the same as in the customer note above. In his case he indicated not recommending installing SEP on servers. In ours, we're looking forward to contract date expiration and plan on courting Symantec's replacement.

More testing was needed for this product prior to release. Wider enterprise / wider array of configurations including x64 and VM environments needed to be considered in testing. Removing popular features between product releases is never a good idea without a real alternative. (Mapping a drive as indicated is just an administrative nightmare when talking dozens, hundreds, and thousands of servers.)

Don't think we're a customer that can be saved, but might be worthwhile to know where you stumbled in case you can avoid losing more.

dramon | 24 Jun 2010 | 0 Votes 0

Agreed this is a need for large customers; they need to have the ability to not do real-time scans for a particular directory for performance reasons, but want the ability to do a manual scan as a mitigation. Scanning from another machine is a workaround, not a solution.

pebcak | 08 Feb 2011 | 0 Votes 0

Interesting dilemma

Never thought of a need for this before today. Had a customer ask me exactly the same thing. Had sent an email out for the reminder that Centralized Exceptions are just that and apply to all scans. Customer came back and says we need to separate AutoProtect exclusions from Scheduled and Manual scans. Wants to scan EVERYTHING on a schedule but apply the exceptions list to AutoProtect scanning.

Let the brainstorming begin.

Senior Consultant @ Creative Breakthroughs, Inc. a Symantec Platinum Partner

http://www.cbihome.com/

Jeremy Dundon | 08 Feb 2011 | 0 Votes 0

See my post at the top of the thread about mount points. This is currently the best way to accomplish what you are describing.

pebcak | 14 Feb 2011 | 0 Votes 0

Mount points would seem to work but are really pretty unmanageable in large server environments. Also, depending on the server configuration, you could have numerous variations on a theme from a drive letter perspective. Separate policies for AutoProtect versus Scheduled scans did exist in SAV. Removing them was a bad idea. This becomes especially apparent when a customer is migrating from SAV to SEP.

Senior Consultant @ Creative Breakthroughs, Inc. a Symantec Platinum Partner

http://www.cbihome.com/