Endpoint Protection

Expand all | Collapse all

SEPM Exclude a Process

ℬrίαη09-05-2013 10:00 AM

  • 1.  SEPM Exclude a Process

    Posted 09-05-2013 09:54 AM

    Guys,

    Im pretty much new to adding exclusions so im not sure what is the best way to exclude a process. For example: Microsoft Lync needs the some of the following exclusions:

    • Lync Server 2010 processes:
      • ASMCUSvc.exe
      • AVMCUSvc.exe
      • DataMCUSvc.exe
      • DataProxy.exe
      • FileTransferAgent.exe
      • IMMCUSvc.exe
      • MasterReplicatorAgent.exe
      • MediaRelaySvc.exe
      • MediationServerSvc.exe
      • MeetingMCUSvc.exe
      • MRASSvc.exe
      • OcsAppServerHost.exe
      • QmsSvc.exe
      • ReplicaReplicatorAgent.exe
      • RTCArch.exe
      • RtcCdr.exe
      • RTCSrv.exe

    Do you add the exlusion in SEPM Exclusion policy as a file and insert the directory and file name for the above process: i.e c:\program files\lync\rtcsrv.exe

    or do you add the an application exeception and as in the rtcsrv.exe exeception?

    Any help would be appreciated



  • 2.  RE: SEPM Exclude a Process

    Trusted Advisor
    Posted 09-05-2013 09:58 AM

    Hello,

    What version of SEP are you running?

    In case of SEPM 11.x, Try to enable Network Application Monitoring:

    1. Login to the manager and go to Clients
    2. Choose the group and Select the Policies tab
    3. Under Policies Click Network Application Monitoring
    4. Check the box that says, "Enable Network Application Monitoring."
    5. From here, you can set the default policy when Endpoint Protection detects changes in an executable. Choose between Ask, Block the Traffic, or Allow and Log.

    Creating Centralized Exceptions Policies in the Symantec Endpoint Protection Manager 11

    http://www.symantec.com/docs/TECH104326

    How to set up learned applications in the Symantec Endpoint Protection Manager

    http://www.symantec.com/docs/TECH102994

     

    In case of SEPM 12.1

    Check this Excellent Article:

    Creating Application Control Exclusions in Symantec Endpoint Protection 12.1

    https://www-secure.symantec.com/connect/articles/crreating-application-control-exclusions-symantec-endpoint-protection-121

     

    Creating an Exception for an Application

    1. Login to the Symantec Endpoint Protection Manager (SEPM) and go to the Policies page.
    2. On the Exceptions Policy page, click Exceptions.
    3. Click Add > Windows Exceptions > Application.
    4. In the View drop-down list, select All, Watched Applications, or User-allowed Applications.
    5. Select the applications for which you want to create an exception.
    6. In the Action drop-down box, select Ignore, or Log only.
    7. Click OK.

    Reference: 

    How to create an application exception in the Symantec Endpoint Protection Manager

    http://www.symantec.com/docs/HOWTO61213

    Creating exceptions for Symantec Endpoint Protection

    http://www.symantec.com/docs/HOWTO80919

    Hope that helps!!


  • 3.  RE: SEPM Exclude a Process

    Posted 09-05-2013 10:00 AM
    Do all these files sit in the same directory?


  • 4.  RE: SEPM Exclude a Process

    Posted 09-05-2013 10:02 AM

    Good practice to add only the .exe's excluding folder will be a risky one

    You need to add all those exe's manually.



  • 5.  RE: SEPM Exclude a Process

    Posted 09-05-2013 10:04 AM

    We are running SEPM 12.1.3

    We do not have the product installed yet, I am trying to configure these before the app is installed.

    so my question to do I use the application method mention above by Mithun or do I add the .exe by file exeception?



  • 6.  RE: SEPM Exclude a Process

    Posted 09-05-2013 10:16 AM

    Exe method. These process will not be detected by Symantec as viruses. AV scans will imparct the performance so an exclusion is needed.

     



  • 7.  RE: SEPM Exclude a Process

    Posted 09-05-2013 10:30 AM

    If they sit in the same directory than just add the directory otherwise you can add by filename



  • 8.  RE: SEPM Exclude a Process

    Posted 09-05-2013 10:31 AM

    Sooooo, it actually depends on what you're trying to exclude the process from.

    A file based exception requires the full path, and will exclude the file from signature-based scans (scheduled/on-demand scans and auto-protect).

    The application exception actually takes a hash of the process and as such does not require a path.  This applies to the SONAR part of SEP, and allows you to choose if it should be terminated, quarantined, or removed.

    Much of this is explained in the below article, which Mithun has already linked ("Thumbs Up" BTW):

    http://www.symantec.com/docs/HOWTO80919

    For the most part when vendors provide recommendations, these are usually exclusions from the signature-based scans.



  • 9.  RE: SEPM Exclude a Process

    Posted 09-09-2013 04:35 AM

    Just to clarifythe following statement; should this be added as an application exclusion or a file based exclusion?

    • Vmwp.exe (Note: This file may have to be configured as a process exclusion within the antivirus software.)


  • 10.  RE: SEPM Exclude a Process

    Posted 09-09-2013 08:29 AM

    For the application exclusion you dont need to specify the path fo of  file based you need to specify the complete path.(Almost the same)

    In the centralized exception select the prefix as None and give the complete path of the files you want to exclude. Thats it.



  • 11.  RE: SEPM Exclude a Process

    Broadcom Employee
    Posted 11-11-2013 08:24 PM

    To be confirmed,  i want to create AV scanning exception for a list of process like

    ABServer.exe, AcpMcuSvc.exe, ASMCUSvc.exe, AVMCUSvc.exe

    and those are not listed in Application exception list under View All, do i want to it create manually from        " Add an Application to Monitor" and then select the application then i want to ignore it from Action?

    Any help would be highly appreciated.



  • 12.  RE: SEPM Exclude a Process

    Posted 11-11-2013 08:40 PM

    You can just add a file exclusion for these in the Exceptions policy.

    http://www.symantec.com/docs/HOWTO80920



  • 13.  RE: SEPM Exclude a Process

    Broadcom Employee
    Posted 11-11-2013 10:57 PM

    Hi

    Please refer the link below

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55203&actp=search&viewlocale=en_US&searchid=1384228538138

    Regards

     



  • 14.  RE: SEPM Exclude a Process

    Broadcom Employee
    Posted 11-12-2013 06:50 AM

    Hello,

    as you know, an exception will prevent a scan is done on a target:

    1) if you exclude a folder, a virus can execute from that folder... not so safe

    2) if you exclude an .exe file by its path and name, a virus can attach itself to the good file and execute... not so safe

    3) if you exclude a file by its hash, you can be sure only that file is excluded without leaving security holes around.

    Hence:

    3) is the best option, 2) might be a compromise in excluding several versions of the same file, 1) should be used only in rare and isolated cases like while troubleshooting an issue, temporary workaround or if a 3rd party vendor clearly states to exclude some application folders and not just some files.