(SEPM) More variables for AV/AS Exclusions
Created: 05 Aug 2009 | Updated: 29 Jan 2010 | 46 comments
Status: Reviewed
The variable for the current user's profile (Documents and Settings...) is currently unavailable when creating file and folder exclusions in Centralized Exception policies.
I know that this variable exists, as many programs (Internet Explorer, Firefox et al.) use it; it stands to reason that exclusions may need to be made there.
why not just put in the full path?
If I put in an exception for docs and settings\scuba steve\local settings\fun program.exe and zoidberg logs on, AV will still trigger on docs and settings\zoidberg\local settings\fun program.exe.
I see what you are saying now. Yes, having the %userprofile% variable for our exclusions seems to be a pretty important option actually.
I think adding a %userprofile% variable is critical
Good idea. In fact this is an urgent requirement.
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
Yes, this is a major oversight in an enterprise environment.
Critical exclusion
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
very important for our company...
I now have a customer with tens of thousands of users that he needs to make an exception for in all of their profiles. This needs to be changed immediately.
Where is product management with this?
I have now 2 customers that really need exclusions for user's profile. This is especially important on citrix/ESX/etc environments.
This is also critical for us, not just for centralized exceptions but also for firewall rules. Can we expect this anytime soon Symantec...?
I have been asked to move to another security product. This is going to affect a March roll-out we have scheduled. Symantec support has given no workarounds for me to centrally exclude a directory from the %userprofile%. Without this exclusion for all workstations, we can no longer use SEP.
I don't understand how this gets overlooked. There should at least be a way of excluding a specific filename without specifying a full path. That way I could exclude certain files from being scanned from user profiles.
Is there anything done regarding this in RU6a?
Adding some food for thought to this thread:
Symantec's white paper on Terminal Servers makes mention of profiles. The full .pdf can be downloaded from http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008112414453348
"Some server administrators may wish to exclude their users roaming profiles and/or “My Documents” folders from being scanned for security risks. While this will improve performance, Symantec would not recommend this approach – in practice this is generally the location in which security risks are discovered."
Thanks and best regards,
Mick
I have several customers on Citrix that would be happy for this, even though Symantec does not recommend it. For many customers, it would be important to exclude directories like m:\documents and settings\%username%\Application Data\<application>\<subfolder>.
So, I would not only want the %userprofile% variable, but also %user%.
We are also looking to exclude subdirectories of the users' folders, namely My Documents. This seems like it should be a simple fix and could be released with a patch. Shouldn't it be up to the admins to decide what is secure for their network?
I totally agree with you Altair. Give us the option!!!
And while they're at it, maybe Symantec could include some other filters they have built into their Backup Exec product?
for example:
%temp% %wintemp% %webtemp% %recycled% %currentuserprofile% %currentusermydocs%
Has anything happened about this? I need some exceptions for folders and files within roaming profiles.
The cache of a graphical medical application resides under the Application Data (XP) or AppData folder (Win7) and we need to exclude it for some 15,000 users on 10,000 machines. Either SEP needs to add the functionality for all Windows OS variables as Oivin mentioned above or at least add the Current User profile to the list. I suggest allowing all Windows variables but will settle for Current User. Thanks!
This thread is also pushing for something similar but has fewer votes. I'm voting for everything hoping to get the developers' attention:
https://www-secure.symantec.com/connect/idea/centr...
We have an application which creates a folder structure inside each user temp folder. We are experiencing performance issues and it is recommended by the application vendor to exclude this temp folder from all virus scanning. How are we able to provide a solution?
Hi,
I use the version SEPM 12.1.671.4971.
How do I exclude a directory like "c:\documents and settings\%username%\temp"?
How can I define a custom prefix variable?
Thanks and best regards, Christoph
We are looking into what we can do here.
%USERPROFILE% is actually harder to implement than you would think, as it means every time the user logs on we would have to dynamically enumerate the user and create the exception. Then, what happens when there is no user logged on, but scans and AV are still running? This gets even more interesting when you understand that our drivers are kernel based, so we need user mode code to help us determine what %USERPROFILE% is.
We believe the better route forward here is to use wildcards in pathnames. So, for example, C:\Users\*\Temp would match any user profile on the server or client, whether they are logged in or out.
Thoughts?
Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint
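The wildcard proposal in the comment above, as an added example that is not part of the thread and not Symantec's implementation: a matcher in which `*` and `?` never cross a path separator, compared against the "exclude all of C:\Users" workaround discussed in the thread. The matching semantics, the function names (`compile_exclusion`, `is_excluded`, `coverage`) and the sample paths are assumptions made for illustration.

```python
import ntpath
import re

def compile_exclusion(pattern):
    """Compile an exclusion where '*' and '?' stay inside one path component.

    Assumed semantics for illustration; not SEP's documented matching rules.
    """
    comps = ntpath.normpath(pattern).split("\\")
    wild = {"*": r"[^\\]*", "?": r"[^\\]"}
    body = r"\\".join(
        "".join(wild.get(ch, re.escape(ch)) for ch in comp) for comp in comps
    )
    # Match the folder itself or anything below it; Windows paths are
    # case-insensitive.
    return re.compile(rf"{body}(\\.*)?", re.IGNORECASE)

def is_excluded(path, patterns):
    # normpath collapses '..' and mixed separators before matching, so a path
    # cannot borrow an excluded prefix and then climb back out of it.
    normalized = ntpath.normpath(path)
    return any(compile_exclusion(p).fullmatch(normalized) for p in patterns)

# Constructed sample paths; the user names are the ones used in the thread.
SAMPLE_PATHS = [
    r"C:\Users\zoidberg\AppData\Roaming\Connectwise\cache.db",
    r"C:\Users\scuba steve\AppData\Roaming\Connectwise\logs\app.log",
    r"C:\Users\zoidberg\Downloads\invoice.exe",
    r"C:\Users\zoidberg\AppData\Roaming\Connectwise\..\..\Temp\other.exe",
    r"C:\Users\zoidberg\Temp\build\out.tmp",
]

NARROW = [r"C:\Users\*\AppData\Roaming\Connectwise"]  # one app folder per profile
BROAD = [r"C:\Users"]                                 # the whole-tree workaround

def coverage(patterns):
    """Return the sample paths a scanner would skip under these exclusions."""
    return [p for p in SAMPLE_PATHS if is_excluded(p, patterns)]

if __name__ == "__main__":
    for name, pats in (("narrow", NARROW), ("broad", BROAD)):
        skipped = coverage(pats)
        print(f"{name}: {len(skipped)}/{len(SAMPLE_PATHS)} paths skipped")
        for p in skipped:
            print("   ", p)
```

The narrow pattern skips only the two files under each profile's application folder, while the `C:\Users` exclusion also skips the Downloads and Temp entries.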
Good suggestion, I agree with that.
What updates (service packs and hotfixes) are released for Backup Exec 2012 version?
That is a great idea, however it doesn't appear to be supported in SEP 12.1 RU1 yet. Any idea if this is actually going to be implemented?
I would like to add my support of the wild card idea. Just upgraded to 12.1 RU1 MP1 (12.1.1101.401) and still don't see any option for this.
Paul, I completely agree with the wildcards in exceptions. This would avoid the issue that %USERPROFILE% doesn't exist until a user logs in. There is even another idea post for wildcards. I'm not sure if supporting regular expression would be preferred, but certainly the use of * and ? would be most useful.
I think Paul M's comments are correct about wildcards.
We will need this functionality or some other work around for the exception process in SEP 12.
I am not going to sugar coat it, deficiencies like this are the reason we only signed a 1 extension with Symantec.
I've just started rolling out the 12.1 client and it's picked up one app's DLLs as problem files. The location is in the user profile's folders. I have a few hundred people that this is affecting and can't add an exception for each user as that's totally absurd.
Until Symantec take a look at the files and OK them, this is indeed a critical issue.
The wildcard idea looks good, as long as there's a way to put a path in that covers all the subfolders in a userprofile then I'd be happy.
<- it's a face and it's happy
I think Wildcard won't be implemented due to restriction from Java, which SEPM is using
Yahya - That's kinda funny. SEP uses Java but every day I see the firewall blocking Java download requests from the Java application. At first I was suspicious of the firewall activity but it looks to me like Java auto updates cannot run because the file downloads are blocked. I can imagine someone at Symantec saying, "The client will be okay. It'll download the Java update and everything will be fine."
BUT, that's not why I'm here.
We need the ability to block variable filenames like BITxxx.tmp, WITHOUT a specific path, so SEP will stop tagging our SCCM downloads as malicious. Apparently the scanning technology doing this is Suspicious.Cloud
Comments?
Lawson, you may want to look at configuring a trusted web domain. Please create a new thread or case if you still need help with this.
Excluding a trusted Web domain from scans: http://www.symantec.com/docs/HOWTO55211
Does anybody know, if and when exceptions with wildcards are possible?
We need to exclude one foldername (on any drive, any subdir, any junction).
Till now, we have to enter every possible absolute path.
Our document management system recommends excluding a specific folder that is created in the %userprofile% temp directory. If the exclusion is not set up it could result in document corruption. We need a way to exclude this folder. Are there any changes or updates to this issue?
It is still not possible. You can exclude the whole "users" folder. We had the same issue with Citrix and profiles, and that was the only way unfortunately.
I'd also like to point out that another Symantec Product, Enterprise Vault, requires User Profile based exceptions.
http://www.symantec.com/business/support/index?page=content&id=TECH48856&actp=search&viewlocale=en_US&searchid=1301941173643
Windows XP: %HOMEPATH%\Local Settings\Application Data\KVS\Enterprise Vault\<STOREKEYDIR>
Windows 7: %USERPROFILE%\AppData\Local\KVS\Enterprise Vault\<STOREKEYDIR>
Considering that both SEP and EV are owned by Symantec I'm a little surprised there isn't a solution for this already.
We are using a specific application (Connectwise) that needs to have a folder in the exceptions:
%userprofile%\AppData\roaming\Connectwise
It seems that the current workaround is to add the folder c:\users as an exception. Is there another method? Sounds like adding the whole c:\users folder would be a pretty big security risk.
I'm in the same situation as Bjam above. I need to configure an exception in %userprofile%\TEMP for our document management system.
Fully agree with Paul's idea of implementing wildcards. Any idea what the current status is? I don't see this being implemented in 12.1 RU2.
It's a shame that this hasn't been fixed yet. Stupid Symantec.
Someone gets angry... anyway, I support this idea.
Having the option of using a Windows path variable just makes sense. Every time I run into this issue I'm surprised it hasn't been added. I can't vote thumbs up enough times on this to let you know how important I think this is.
This feature definitely needs to be added. We are in the process of rolling out a reporting system that has a very specific set of exceptions we must add.
One of the exceptions we need to add looks like this: C:\Users\<Windows USER_ID>\AppData\Roaming\reporting_program\etc
Essentially each user that runs the program gets this folder created in their appdata folder. We need to be able to exclude only that program's folder within each user's appdata folder. The only way around this currently is to exclude the entire C:\Users directory which is completely unacceptable.
EDIT:
I should also mention that this program is essential for patient care. We absolutely need it to work properly, so if there isn't a way to get the exceptions working we might just have to look into a different product.
This thread is almost three years old. Good luck in getting Symantec to implement this idea. Might as well find another product.