Endpoint Protection

We are actively testing and rolling out SEP 11.0.5 and ran into an issue with compressed files.    When our scheduled scan scans any sort of compressed file, the CPU usage spikes to around 55% percent.   I know that compressed files have to be decompressed before scanning them and this is most likely the reason for the increased CPU usage but what I'm really wondering is there a way to exclude files from being scanned in a scheduled scan?   Centralized exceptions is not the answer because this does nothing but exclude it from the realtime scanner and if something is flagged as a virus to ignore it.   Any help would be greatly appreciated.

Not possible ; if you want to exclude it has to be excluded via centralized exception.

https://www-secure.symantec.com/connect/forums/how-exclude-folder-auto-protect-include-full-scan

You could disable the scanning of compressed files during the Administrator-scheduled scan:  Within the appropriate AV Policy, choose Scans, highlight the scan you want to alter and click Edit, then on the Scan Details tab, click on Advanced Scanning Options, then uncheck Scan files inside compressed files.  You can do the same with the Administrator On-Demand scans.

Centralized Exceptions cover scheduled and manual scans as well as real-time scans, but it's probably more efficient to do the above.

File System Auto-Protect does not scan within a compressed file:

Title: 'Auto-Protect does not scan within compressed files'
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2000111509105448

SEP (and SAV before it) can alert you to the presence of malicious files within a compressed file during a manual or scheduled scan, but cannot delete it or modify it in any way.  If the file was ever uncompressed, File System Auto-Protect would detect the malicious files and intervene.

I hope this helps.

sandra

What depth are you scanning the zipped files..
Just for Compressed files Decomposer engine is used.
normal scan does not use the decomposer engine however when a comprssed file is scanned it comes into picture and secondly it checks how much level deep have you selected for the scan..

So to virtually ignore them you can set this to 0

We were scanning 3 levels deep inside zip files but I changed this setting to 1.   It still seems to spike the CPU a little.   I'm leaning more towards the solution that Sandra posted and have already convinced my superiors that we should do this.   I'm assuming there is no caveat to disabling the compressed files scan ability within the scheduled scan?   Thank you all for your help.

There is no caveat that I am aware of. :)  You could always right-click on a compressed file and choose "Scan for Viruses..." from the context menu if you want to scan a compressed file on an individual basis, but extracting the contents will also prompt a real-time scan as the contents write to the hard drive.

sandra

Did that work for you?

sandra

Yes it did.  I forgot to mark this thread as solved.   Thank you for your help!

Many thanks, and you're welcome!