Endpoint SWAT: Protect the Endpoint Community


Symantec Endpoint Protection interactions with network drives 

Feb 20, 2015 05:46 AM

FAQ

 

Scanning of network drives

 

Q. Does an Administrator-Defined Scan scan the mapped network drives?

A. No, it does not. However, if a file located on the network drive is run locally on the client computer and is loaded in memory at the time of the scheduled Administrator-Defined Scan, the file will be scanned at the source of the network drive.

 

Q. Does a Full or Active Scan created locally by the end user scan the mapped network drives?

A. No, it does not. However, if a file located on the network drive is run locally on the client computer and is loaded in memory at the time of the Full or Active Scan, the file will be scanned at the source of the network drive.
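
Both answers above depend on which network-hosted files are loaded in memory when the scan runs. The PowerShell script below is an added example, not part of the original article and not Symantec tooling: it lists the files that running processes have loaded from UNC paths or mapped drives. It assumes it is run in the user's own logon session, and the function name Get-NetworkOrigin is made up for this illustration.

```powershell
# Added example (not Symantec tooling): inventory the files that running
# processes have loaded from network locations. It does not query or change SEP.
# Assumption: run in the user's own logon session. Drive mappings are per
# session, so an elevated or SYSTEM shell may not see the user's mapped drives.

# Drive letter -> UNC target for every mapped network drive (DriveType 4).
$mapped = @{}
Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 4' |
    ForEach-Object { $mapped[$_.DeviceID.ToUpper()] = $_.ProviderName }

# Hypothetical helper: returns a description of the network origin of a path,
# or $null when the path is local.
function Get-NetworkOrigin {
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path) -or $Path.Length -lt 2) { return $null }
    if ($Path.StartsWith('\\')) { return 'UNC' }
    $drive = $Path.Substring(0, 2).ToUpper()            # e.g. "T:"
    if ($mapped.ContainsKey($drive)) { return "Mapped ($($mapped[$drive]))" }
    return $null
}

$findings = foreach ($proc in Get-Process) {
    # Protected and system processes deny module enumeration; skip them.
    try { $modules = $proc.Modules } catch { continue }
    foreach ($m in $modules) {
        $origin = Get-NetworkOrigin -Path $m.FileName
        if ($origin) {
            [pscustomobject]@{
                ProcessId = $proc.Id
                Process   = $proc.ProcessName
                File      = $m.FileName
                Origin    = $origin
            }
        }
    }
}

if ($findings) { $findings | Sort-Object File | Format-Table -AutoSize }
else { 'No running process has a file loaded from a network path.' }
```

Files on a mapped drive that do not appear in this list are not loaded in memory, so per the answers above a scheduled or user-created Full or Active Scan will not reach them.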

 

Q. Is it possible to exclude files running from network drives from a Full or Active Scan?

A. Files running from network drives can be excluded using an Application Exception only. The SEP client will not honor file or folder exceptions for network drives, whether they use the UNC path (e.g. \\<networkdrive_ip_address>) or the mapped network drive path (e.g. T:\<networkdrive_folder>).

 

Q. Is it possible to exclude files running from mapped network drives from Auto-Protect?

A. It is possible to exclude files running from mapped network drives from being scanned by Auto-Protect using:

- A folder exception configured with the path of the mapped network drive,

- A file exception configured with the path of the mapped network drive,

- An application exception.

 

Auto-Protect Network Settings

 

Q. How does "Scan files on remote computer" work?

A. Whenever a file located on a remote computer is accessed or modified, Auto-Protect scans it and, if it is malicious, removes it from the remote computer.

 

Q. How does "Only when files are executed" work?

A. With this setting, remote files are scanned only when they are executed (.exe, .cmd, .dll, etc.); it does not apply to files such as .txt or .docx. You can disable this option to scan all files on remote computers, but doing so might impact client computer performance.

 

Q. What are the risks and benefits of disabling "Scan files on remote computer"?

A. The risk is that malicious files can be executed on the client computer from the remote one without being detected by Auto-Protect. The benefit would only be performance related.

Note: If the "Scan files on remote computer" option is disabled because of performance issues, you should consider an Application Control policy to prevent unauthorized files from running.

 

Ask for a password before scanning a mapped network drive

 

Q. Where can I find the option "Ask for a password before scanning a mapped network drive"?

A. The option "Ask for a password before scanning a mapped network drive" is available in the Virus and Spyware Protection policy under Windows Settings > Advanced Options > Global Scan Options > Scan Network Drive.

 

Q. When will the password be required?

A. The end user will be prompted for the password when:

 

A) Right-clicking the mapped network drive or any folder or file on it.


B) Creating a Local Custom Scan that includes mapped network drives.


Comments

Jul 29, 2015 11:34 AM

(sorry for the late response)

If the share is read-only, the remote SEP client will not be able to remove the file. And if there is a SEP client running on the system hosting the share, I believe it should take care of it, depending on the Auto-Protect settings in place for that client.

Jun 05, 2015 10:28 AM

A helpful article! I've never gotten around to finding out what the network scan does. I always assumed that it meant your client computer would reach out and scan all files on a network share. So if you had 50 computers all with access to a public server share, you'd have 50 scans running against the same network folder, which would be nuts.

 

A question though: For this one:

Q. How Scan files on remote computer works?

A. Whenever a file located on a remote computer will be accessed or modified, Auto-Protect will scan it and if malicious will remove it from the remote computer.

 

What if the share containing the file is read-only? Will the scan simply fail to remove the file, or do the two SEP agents on each system collaborate to overcome share-based security? If so, what's to prevent a hacker from somehow leveraging this ability by compromising a SEP agent on one machine? This latter question is a bit rhetorical since if a hacker CAN do that, I doubt we'd be able to do anything about it :)

Feb 23, 2015 10:16 AM

Hi Betterjuice,

Good point but I believe this is purely Windows related and that it does not compare to the cache settings available in Symantec Endpoint Protection. Two different things.

Regards,

Shulk.

Feb 23, 2015 02:54 AM

What if the feature "Network share Caching" is enabled on Windows?

https://technet.microsoft.com/en-us/library/dd637828(v=ws.10).aspx

Kind regards,

Feb 20, 2015 04:12 PM

Thanks a lot Brian, much appreciated!

Feb 20, 2015 01:58 PM

Great article. Thanks for sharing.
