Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 9165
  • Last Modified:

Exclusions for Domain Controller server for Symantec Endpoint Security

Hi,
We are using Symantec End Point Security v11 in our enviroment and I  like to find out which files, folders or file types to exclude from scanning Domain Controller server running windows 2008.

Thank you.
0
Nirav04
Asked:
Nirav04
  • 4
  • 3
1 Solution
 
tigermattCommented:

There is an official Microsoft recommendation on the files you need to exclude in AV on a Domain Controller. See the "For Windows Server 2003 and Windows 2000 domain controllers" section of http://support.microsoft.com/kb/822158 for a full list of all the paths you need to exclude.

-Matt
0
 
Nirav04Author Commented:
Matt,

One more question, when I setup exclusion list does that apply to both file system auto protect and schedule scan?

Thanks,
0
 
tigermattCommented:

I've not used Endpoint Protection before so couldn't say. I know in McAfee VirusScan Enterprise you have to set the Exclusions for the Scheduled Scan separately to the exclusions for the OnAccess Scanner, however from what I can find, SEP seems to have just one policy which excludes files from all scans.

Interestingly, I did find something in the SEP manual which states it will automatically detect an Active Directory Domain Controller and add the appropriate exclusions. However it doesn't harm to add them manually also, to ensure everything is excluded as appropriate.

-Matt
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
Nirav04Author Commented:
Thank you Matt.
0
 
s24supportCommented:
Note that the document referenced in the solution specifies contrained wildcard exclusions in spefific directories, which the SEP product is not capable of excluding in that manner.

     I.e., the document says "Turn off scanning of the log files that are located in the folder
     "%windir%\SoftwareDistribution\Datastore\Logs". Specifically, exclude the following files:

         * Res*.log;     * Res*.jrs;     * Edb.chk;    * Tmp.edb

     The wildcard character (*) indicates that there may be several files.

However, SEP is capable only of:
a. Global extension exclusion; exclude all files on the system with an extension
b. Directory exclusion: exclude all files in a directory (and subdirectories if desired)
c. Explicit file exclusion: exclude a full path to a file

Since options b and c do not provide for wildcards, it's difficult if not impossible in practice to  create manual exclusions per the recommendations.
0
 
tigermattCommented:
s24support,

You're certainly right - if wildcard support is lacking, you have an issue with the Microsoft document. That document does not take into account each AV product's features, so interpretation of it is required to ensure the proper exclusions over each file is in place. This might mean excluding an entire directory to ensure the wildcard paths are excluded.

In terms of an Active Directory Domain Controller, manual exclusions can be made in the registry if SEP was installed before the DC promotion process: http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/e24515901bf70e8b65257623005bbec4?OpenDocument. This will exclude the AD DS files but not the SoftwareDistribution area common to all servers.

You might not be able to replicate the exact recommendations of the document and given the feature set, that is to be expected. Not wanting to enter a debate about nor having any prejudice towards any AV products (I feel you are free to use, within reason, whatever you are comfortable with), it is worth asking yourself whether you have the correct product if it lacks wildcard features in an enterprise-class deployment?

-Matt
0
 
Nirav04Author Commented:
s24support thank you for the update.
Tigermatt thank you for your input, have you used any product other then symantec for enterprise security in terms of virus and malware that actually catches spyware and malware. Any help would be appreciated.

Thanks,
0
 
tigermattCommented:

Nirav04,

*laughing*... mentioning anti-virus, anti-malware or anti-anything to a room full of IT professionals is likely to elicit a spectacular response, as no one will ever agree on which is the "best".

In my opinion, you should use a product you feel comfortable with. This might be as a result of in situ testing in your lab, product demonstrations, reviews, trusted peer recommendations and so on.

To add my personal opinion (and I will stress it is merely that), I use a couple of different AVs. At work, we use McAfee Virusscan Enterprise (VSE) on all 600 or so nodes. This supports 2500 users on our network. Their ePolicy Orchestrator product is invaluable for central monitoring and control. VSE is fairly common-place in corporate environments, but Sophos, ESET Nod32, Kaspersky are other market leaders to name just a few.

I also consult for smaller customers, most of whom operate AVG's network products. These are small businesses and generally have no more than 10-20 nodes and a similar number of users. Their requirements and budget is substantially different. AVG provides a central management console (AVG Admin) which works, but I have my doubts that this would scale in a large corporate environment.

The products I use have never caused me issues, but then, I remove where possible the opportunity to become infected. One of the most important steps towards protection is PROactive rather than REactive measures: lock your machines down accordingly so badware cannot spread between hosts, define and make sure your users understand a security policy particularly on connecting foreign devices (USB memory keys, personal laptops etc.) and most importantly, TRAIN users to spot the obvious signs of virus, trojan, malware or phishing attacks, avoiding or identifying infection if it does occur. Attachments from unknown senders should be opened with caution or emails purporting to offer something which seems too good to be true probably are just that. Lock your firewall both inbound AND outbound. Make sure workstations are properly patched with OS and application updates, as well as virus definition updates. Rebuild any production machine suspected of infection; don't try to clean it.
 
But... my software and procedural choices are simply an opinion, most of which is beyond my control, dictated by budgets, standards imposed on me, proven technologies and so on. There are many products out there. You should make sure you invest time and money in research, your implementation plan, inventorying your devices (ensure everything is secure) because - after all - money spent now could prevent a chatastrophic network disaster further down the road, which can drastically affect company productivity leading to turnover issues, losing your customers' trust and in worst case scenarios, insolvency.

-Matt
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now