I'm pretty much new to adding exclusions, so I'm not sure what is the best way to exclude a process. For example: Microsoft Lync needs some of the following exclusions:
Do you add the exclusion in the SEPM Exclusion policy as a file and insert the directory and file name for the above process, i.e. c:\program files\lync\rtcsrv.exe
or do you add an application exception, as in the rtcsrv.exe exception?
Any help would be appreciated.
What version of SEP are you running?
In case of SEPM 11.x, try to enable Network Application Monitoring:
Creating Centralized Exceptions Policies in the Symantec Endpoint Protection Manager 11
How to set up learned applications in the Symantec Endpoint Protection Manager
In case of SEPM 12.1,
Check this Excellent Article:
Creating Application Control Exclusions in Symantec Endpoint Protection 12.1
Creating an Exception for an Application
How to create an application exception in the Symantec Endpoint Protection Manager
Creating exceptions for Symantec Endpoint Protection
Good practice is to add only the .exe's; excluding a folder will be a risky one.
You need to add all those exe's manually.
We are running SEPM 12.1.3
We do not have the product installed yet, I am trying to configure these before the app is installed.
So my question is: do I use the application method mentioned above by Mithun, or do I add the .exe by file exception?
Exe method. These processes will not be detected by Symantec as viruses. AV scans will impact the performance, so an exclusion is needed.
If they sit in the same directory then just add the directory, otherwise you can add by filename.
Sooooo, it actually depends on what you're trying to exclude the process from.
A file based exception requires the full path, and will exclude the file from signature-based scans (scheduled/on-demand scans and auto-protect).
The application exception actually takes a hash of the process and as such does not require a path. This applies to the SONAR part of SEP, and allows you to choose if it should be terminated, quarantined, or removed.
Much of this is explained in the below article, which Mithun has already linked ("Thumbs Up" BTW):
For the most part when vendors provide recommendations, these are usually exclusions from the signature-based scans.
Just to clarify the following statement: should this be added as an application exclusion or a file-based exclusion?
For the application exclusion you don't need to specify the path; for file-based you need to specify the complete path. (Almost the same)
In the centralized exception select the prefix as None and give the complete path of the files you want to exclude. That's it.
To be confirmed, I want to create an AV scanning exception for a list of processes like
ABServer.exe, AcpMcuSvc.exe, ASMCUSvc.exe, AVMCUSvc.exe
and those are not listed in the Application exception list under View All. Do I want to create it manually from "Add an Application to Monitor" and then select the application, then I want to ignore it from Action?
Any help would be highly appreciated.
You can just add a file exclusion for these in the Exceptions policy.
Please refer to the link below.
As you know, an exception will prevent a scan from being done on a target:
1) if you exclude a folder, a virus can execute from that folder... not so safe
2) if you exclude an .exe file by its path and name, a virus can attach itself to the good file and execute... not so safe
3) if you exclude a file by its hash, you can be sure only that file is excluded without leaving security holes around.
3) is the best option, 2) might be a compromise in excluding several versions of the same file, 1) should be used only in rare and isolated cases like while troubleshooting an issue, temporary workaround or if a 3rd party vendor clearly states to exclude some application folders and not just some files.
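The three exclusion types compared in the last reply, as an added example that is not part of the original thread and is not Symantec's matching logic. It is a toy model: the temporary folder, the file contents and the `excluded` helper are constructed for illustration, with `rtcsrv.exe` taken from the question.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of the file's current content."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def excluded(path: Path, folders=(), files=(), hashes=()) -> dict:
    """Report which exclusion types would skip scanning `path` (toy model)."""
    return {
        "folder": any(path.parent == f for f in folders),
        "file": path in files,
        "hash": sha256_of(path) in hashes,
    }


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        app_dir = Path(tmp) / "lync"  # constructed stand-in for the install folder
        app_dir.mkdir()
        exe = app_dir / "rtcsrv.exe"
        exe.write_bytes(b"constructed vendor binary v1")
        rules = dict(folders=[app_dir], files=[exe], hashes={sha256_of(exe)})

        original = excluded(exe, **rules)

        # Same path and name, different content (an update or tampering).
        exe.write_bytes(b"constructed vendor binary v1" + b" plus appended bytes")
        modified = excluded(exe, **rules)

        # A different file placed in the excluded folder.
        other = app_dir / "unknown.exe"
        other.write_bytes(b"constructed unrelated binary")
        dropped = excluded(other, **rules)
    return {"original": original, "modified": modified, "dropped": dropped}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

In this model the hash rule also stops matching after a legitimate update, so hash-based exclusions have to be refreshed whenever the vendor ships a new build.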