Exclusions for Domain Controller server for Symantec Endpoint Security

Medium Priority
9,441 Views
Last Modified: 2013-12-09
Hi,
We are using Symantec Endpoint Security v11 in our environment and I would like to find out which files, folders or file types to exclude from scanning on a Domain Controller server running Windows 2008.

Thank you.

tigermatt
Site Reliability Engineer
CERTIFIED EXPERT
Most Valuable Expert 2011
Commented:

There is an official Microsoft recommendation on the files you need to exclude in AV on a Domain Controller. See the "For Windows Server 2003 and Windows 2000 domain controllers" section of http://support.microsoft.com/kb/822158 for a full list of all the paths you need to exclude.

-Matt


Author

Commented:
Matt,

One more question: when I set up an exclusion list, does that apply to both File System Auto-Protect and scheduled scans?

Thanks,
tigermatt
Site Reliability Engineer
CERTIFIED EXPERT
Most Valuable Expert 2011

Commented:

I've not used Endpoint Protection before so couldn't say. I know in McAfee VirusScan Enterprise you have to set the exclusions for the Scheduled Scan separately from the exclusions for the On-Access Scanner; however, from what I can find, SEP seems to have just one policy which excludes files from all scans.

Interestingly, I did find something in the SEP manual which states it will automatically detect an Active Directory Domain Controller and add the appropriate exclusions. However, it does no harm to add them manually as well, to ensure everything is excluded as appropriate.

-Matt

Author

Commented:
Thank you Matt.

s24support

Commented:
Note that the document referenced in the solution specifies constrained wildcard exclusions in specific directories, which the SEP product is not capable of excluding in that manner.

     I.e., the document says: "Turn off scanning of the log files that are located in the folder
     %windir%\SoftwareDistribution\Datastore\Logs. Specifically, exclude the following files:

         * Res*.log
         * Res*.jrs
         * Edb.chk
         * Tmp.edb

     The wildcard character (*) indicates that there may be several files."

However, SEP is capable only of:
a. Global extension exclusion: exclude all files on the system with a given extension
b. Directory exclusion: exclude all files in a directory (and subdirectories if desired)
c. Explicit file exclusion: exclude a full path to a file

Since options b and c do not provide for wildcards, it is difficult if not impossible in practice to create manual exclusions per the recommendations.
tigermatt
Site Reliability Engineer
CERTIFIED EXPERT
Most Valuable Expert 2011

Commented:
s24support,

You're certainly right - if wildcard support is lacking, you have an issue with the Microsoft document. That document does not take into account each AV product's features, so interpretation of it is required to ensure the proper exclusions over each file is in place. This might mean excluding an entire directory to ensure the wildcard paths are excluded.

In terms of an Active Directory Domain Controller, manual exclusions can be made in the registry if SEP was installed before the DC promotion process: http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/e24515901bf70e8b65257623005bbec4?OpenDocument. This will exclude the AD DS files but not the SoftwareDistribution area common to all servers.

You might not be able to replicate the exact recommendations of the document and, given the feature set, that is to be expected. Not wanting to enter a debate about, nor having any prejudice towards, any AV products (I feel you are free to use, within reason, whatever you are comfortable with), it is worth asking yourself whether you have the correct product if it lacks wildcard features in an enterprise-class deployment.

-Matt
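Matt's pointer to KB 822158, s24support's note that SEP 11 offers only extension, directory and explicit-file exclusions, and Matt's suggestion of excluding a whole directory where the KB uses a wildcard can be combined into a script that builds the list for the DC it runs on. The following is an added example and is not code from this thread, from Symantec or from Microsoft. It assumes: the registry value names are the ones KB 822158 itself points to for locating NTDS, SYSVOL and NTFRS folders; the pattern table is my transcription of the KB's domain controller section and should be checked against the current KB text before use; and the DIR/FILE output lines are only a notation for entering exclusions by hand in the SEP console, not an import format.

```powershell
# Added example (not from the original thread, Symantec or Microsoft): build a
# SEP 11-compatible exclusion list for the DC this runs on, from the file list in
# KB 822158. Run elevated on the DC; written for PowerShell 2.0 (no v3-only
# switches such as Get-ChildItem -Directory).
#
# SEP 11 has only extension, directory and explicit-file exclusions, so each
# constrained-wildcard KB entry (Res*.log inside one folder) becomes either
#   DIR  <folder>  when every file in the folder matches the KB patterns: a
#                  directory exclusion loses nothing and also covers files that
#                  appear later (rotated Res*.log, a new Edb*.log);
#   FILE <path>    per matching file otherwise, plus a WARN line, because an
#                  explicit-file list is a snapshot and misses files created later.
# A global extension exclusion (*.log or *.edb everywhere) is deliberately never
# emitted: it would apply to every volume and hand malware an unscanned location.

$ErrorActionPreference = 'Stop'

function Get-RegValue([string]$Key, [string]$Name) {
    # Expanded string value, or $null when the key/value is absent (for example
    # NtFrs parameters on a DC whose SYSVOL has been migrated to DFSR).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { [Environment]::ExpandEnvironmentVariables($item.$Name) } else { $null }
}

function Get-ParentOrNull([string]$Path) {
    if ($Path) { Split-Path -Path $Path -Parent } else { $null }
}

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$nlog = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$frs  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'

# Transcribed from KB 822158 (assumption: verify against the current KB).
# A pattern of '*' means "the whole folder, subfolders included".
$rules = @(
    @{ Folder = Get-ParentOrNull (Get-RegValue $ntds 'DSA Database file'); Patterns = @('ntds.dit', 'ntds.pat') },
    @{ Folder = Get-RegValue $ntds 'Database log files path';
       Patterns = @('EDB*.log', 'Res*.log', 'Res*.jrs', 'Edb*.jrs', 'Edb.chk', 'Temp.edb') },
    @{ Folder = Get-RegValue $ntds 'DSA Working Directory';  Patterns = @('*') },
    @{ Folder = Get-RegValue $nlog 'SysVol';                 Patterns = @('*') },
    @{ Folder = Get-RegValue $frs  'Working Directory';      Patterns = @('*') },
    @{ Folder = Get-RegValue $frs  'DB Log File Directory';  Patterns = @('*') },
    @{ Folder = Join-Path $env:windir 'SoftwareDistribution\Datastore';      Patterns = @('Datastore.edb') },
    @{ Folder = Join-Path $env:windir 'SoftwareDistribution\Datastore\Logs'; Patterns = @('Res*.log', 'Res*.jrs', 'Edb.chk', 'Tmp.edb') }
)
# FRS staging folders: one registry key per replica set.
foreach ($set in @(Get-ChildItem -Path "$frs\Replica Sets" -ErrorAction SilentlyContinue)) {
    $rules += ,@{ Folder = Get-RegValue $set.PSPath 'Replica Set Stage'; Patterns = @('*') }
}

function Resolve-SepExclusions($Rule) {
    $folder = $Rule.Folder
    $pats   = $Rule.Patterns -join ', '
    if (-not $folder -or -not (Test-Path -LiteralPath $folder -PathType Container)) {
        "# SKIP  folder for [$pats] not present on this DC"; return
    }
    if ($Rule.Patterns -contains '*') {
        "DIR   $folder  (include subfolders)"; return
    }
    $files = @(Get-ChildItem -LiteralPath $folder -Force | Where-Object { -not $_.PSIsContainer })
    $hits  = @($files | Where-Object { $name = $_.Name; @($Rule.Patterns | Where-Object { $name -like $_ }).Count -gt 0 })
    if ($files.Count -eq $hits.Count) {
        # Only KB-listed files live here, so the folder exclusion is exact today
        # and keeps covering the wildcard names the KB warns may multiply.
        "DIR   $folder  (only KB-listed files present; covers future $pats)"; return
    }
    $hits | ForEach-Object { "FILE  $($_.FullName)" }
    "# WARN  $folder also holds other files; the FILE entries above will not cover $pats files created later"
}

$exclusions = @(foreach ($r in $rules) { Resolve-SepExclusions $r })
$exclusions
```

Run it on each DC rather than once, because NTDS and SYSVOL locations are per-server choices made at promotion time. Review the WARN lines: for a folder that mixes KB-listed files with others, either accept the broader directory exclusion Matt describes or re-run the script after log rotation and add the new FILE entries, and in both cases make sure the exclusion policy is the same one that applies to Auto-Protect and scheduled scans.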

Author

Commented:
s24support, thank you for the update.
Tigermatt, thank you for your input. Have you used any product other than Symantec for enterprise security, in terms of viruses and malware, that actually catches spyware and malware? Any help would be appreciated.

Thanks,
tigermatt
Site Reliability Engineer
CERTIFIED EXPERT
Most Valuable Expert 2011

Commented:

Nirav04,

*laughing*... mentioning anti-virus, anti-malware or anti-anything to a room full of IT professionals is likely to elicit a spectacular response, as no one will ever agree on which is the "best".

In my opinion, you should use a product you feel comfortable with. This might be as a result of in situ testing in your lab, product demonstrations, reviews, trusted peer recommendations and so on.

To add my personal opinion (and I will stress it is merely that), I use a couple of different AVs. At work, we use McAfee VirusScan Enterprise (VSE) on all 600 or so nodes. This supports 2500 users on our network. Their ePolicy Orchestrator product is invaluable for central monitoring and control. VSE is fairly commonplace in corporate environments, but Sophos, ESET NOD32 and Kaspersky are other market leaders, to name just a few.

I also consult for smaller customers, most of whom operate AVG's network products. These are small businesses and generally have no more than 10-20 nodes and a similar number of users. Their requirements and budget are substantially different. AVG provides a central management console (AVG Admin) which works, but I have my doubts that this would scale in a large corporate environment.

The products I use have never caused me issues, but then, I remove where possible the opportunity to become infected. One of the most important steps towards protection is PROactive rather than REactive measures: lock your machines down accordingly so badware cannot spread between hosts; define a security policy, particularly on connecting foreign devices (USB memory keys, personal laptops etc.), and make sure your users understand it; and most importantly, TRAIN users to spot the obvious signs of virus, trojan, malware or phishing attacks, avoiding infection or identifying it if it does occur. Attachments from unknown senders should be opened with caution, and emails purporting to offer something which seems too good to be true probably are just that. Lock your firewall both inbound AND outbound. Make sure workstations are properly patched with OS and application updates, as well as virus definition updates. Rebuild any production machine suspected of infection; don't try to clean it.
 
But... my software and procedural choices are simply an opinion, most of which is beyond my control, dictated by budgets, standards imposed on me, proven technologies and so on. There are many products out there. You should make sure you invest time and money in research, your implementation plan and inventorying your devices (ensure everything is secure) because, after all, money spent now could prevent a catastrophic network disaster further down the road, which can drastically affect company productivity, leading to turnover issues, losing your customers' trust and, in worst-case scenarios, insolvency.

-Matt