Endpoint Protection

  • 1.  Exception rule for programs running in shadow drive

    Posted Dec 17, 2010 03:36 PM

    Running SEP 11.0.6200.754

    We have an encryption product that during its installation creates a shadow drive. This product then runs all network-based programs from this shadow drive. The SEP client's network view displays the programs' path from this shadow drive; we even see SmcC.exe & ccApp.exe running from this path.

    Example path from SEP network application view:

    ccApp.exe -> \Device\eedmk{GUID}\Program Files\Common Files\Symantec Shared\ccApp.exe

    Issue:

    How do we build exception rules in SEP to exclude these programs from scanning when they execute from the shadow drive?

    How do we get sep to recognize the shadow drive?



  • 2.  RE: Exception rule for programs running in shadow drive

    Posted Dec 17, 2010 04:53 PM

    I suspect that the shadow drive is file-based. Do you know the full path to it? It is possible to exclude the whole folder with all its subfolders.

    >> The sep client's network view

    What do you mean exactly?



  • 3.  RE: Exception rule for programs running in shadow drive

    Posted Dec 17, 2010 04:59 PM

    Under NTP options if you select view network activity & display the application details it will show what pgm's are running and the path. In this view is where I see all the pgm's running from the shadow drive.



  • 4.  RE: Exception rule for programs running in shadow drive

    Posted Dec 17, 2010 05:03 PM

    Ok, I see. But you want to create exclusions from scanning with antivirus component, right?

    How about this shadow drive? Is there any fixed path to this drive? If this is the one you gave in your first post, does the GUID change or does it always remain the same?

    Have you already tried to create an exclusion and had a particular problem, or do you just want to know how you can do it? If the latter, please have a look at:

    Creating Centralized Exception Policies in Symantec Endpoint Protection Manager
    http://www.symantec.com/docs/TECH104326

    Symantec Endpoint Protection Manager - Centralized Exceptions - Policies explained
    http://www.symantec.com/docs/TECH104432

    How to add a Security Risk Exception in the Endpoint Protection Manager
    http://www.symantec.com/docs/TECH10312

    How to Create Scanning Exceptions for both Managed and Unmanaged Symantec Endpoint Protection Clients
    http://www.symantec.com/docs/TECH91951



  • 5.  RE: Exception rule for programs running in shadow drive

    Posted Dec 20, 2010 02:06 PM

    The shadow drive is the same for all installations of this encryption product with the exception of the GUID. It's unique to each installation. The problem is I am not able to get Endpoint Protection to see this shadow drive to add any exception rules.



  • 6.  RE: Exception rule for programs running in shadow drive

    Posted Dec 20, 2010 06:25 PM

    >> The problem is I am not able to get Endpoint Protection to see this shadow drive to add any exception rules.

    I am not sure what you mean by it. Please answer my question first as the whole situation is a bit unclear for me:

    If there is a path, why can't you put it into an exception?



  • 7.  RE: Exception rule for programs running in shadow drive

    Posted Dec 22, 2010 09:47 AM

    Here is an example. We have an exception rule on one host that is allowed to run PWDUMP4.exe. It resides in path "C:\Tools\PWDump4.exe". There is a folder exception rule in the SEP client for "C:\Tools\", but in the SEP client under the network application details view it appears as:

      \Device\eedmk{4bed3218-0dce-11e0-adc6-806d6172696f}\Tools\PWDump4.exe

    The shadow drive created by the encryption product is: "\Device\eedmk{4bed3218-0dce-11e0-adc6-806d6172696f}" so each time the pwdump program is executed SEP flags the risk because it doesn't match the path in the exception rule & we are unable to get the SEP client to recognize this shadow drive. It doesn't even show up when we run the command "VSSADMIN LIST SHADOW"

    We opened a BCS Advanced Access support case with Symantec to talk to the vendor that owns this encryption product. Will post the final outcome.
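    The mismatch described in this post (a folder exclusion written with a drive letter, an observed path written as an NT device path with a per-installation GUID) is easy to reproduce outside the product. The following is an added illustration, not code from the thread or from Symantec: it compares an observed path against folder exclusions the way a literal prefix match would, then again after translating the `\Device\<name>{GUID}\` prefix to a drive letter. The device-to-drive mapping is an assumed input; as the thread notes, SEP itself does not expose it, so it would have to come from the encryption vendor or from the administrator.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Matches the NT device-path prefix the SEP network view reports, e.g.
# \Device\eedmk{GUID}\ ; the GUID is captured so callers can see it varies.
DEVICE_PREFIX_RE = re.compile(
    r"^\\Device\\([A-Za-z0-9_]+)\{([0-9a-fA-F-]{36})\}\\"
)

# Constructed sample: a folder exclusion as an admin would write it, and an
# observed path as the client reports it. The GUID is the one quoted in the
# thread; the executable name is a placeholder.
EXCLUDED_FOLDERS = ["C:\\Tools\\"]
OBSERVED_PATH = (
    "\\Device\\eedmk{4bed3218-0dce-11e0-adc6-806d6172696f}\\Tools\\example.exe"
)
# Assumed mapping of device name -> drive letter (not something SEP provides).
DEVICE_MAP = {"eedmk": "C:"}


def normalize_path(nt_path: str, device_map: Dict[str, str]) -> Optional[str]:
    """Translate a \\Device\\<name>{GUID}\\... path to a drive-letter path.

    Returns the input unchanged if it is not a device path, and None if the
    device name is not in device_map (the situation the thread describes).
    """
    m = DEVICE_PREFIX_RE.match(nt_path)
    if not m:
        return nt_path
    drive = device_map.get(m.group(1).lower())
    if drive is None:
        return None
    return drive + "\\" + nt_path[m.end():]


def matches_folder_exclusion(path: str, excluded_folders: Iterable[str]) -> bool:
    """Case-insensitive literal prefix match, as a folder exclusion behaves."""
    p = path.lower().rstrip("\\")
    for folder in excluded_folders:
        f = folder.lower().rstrip("\\")
        if p.startswith(f + "\\"):
            return True
    return False


def evaluate(nt_path: str, excluded_folders: Iterable[str],
             device_map: Dict[str, str]) -> Tuple[bool, Optional[str], bool]:
    """Return (matched_as_reported, normalized_path, matched_after_normalizing)."""
    raw_match = matches_folder_exclusion(nt_path, excluded_folders)
    normalized = normalize_path(nt_path, device_map)
    norm_match = (normalized is not None
                  and matches_folder_exclusion(normalized, excluded_folders))
    return raw_match, normalized, norm_match


if __name__ == "__main__":
    raw, norm, after = evaluate(OBSERVED_PATH, EXCLUDED_FOLDERS, DEVICE_MAP)
    print("literal match as reported:", raw)
    print("normalized path:", norm)
    print("match after normalizing:", after)
    # With an empty map the device stays unresolved, which is the thread's case.
    print("unknown device ->", normalize_path(OBSERVED_PATH, {}))
```

The first result is False, which is exactly why the exclusion never fires; only when something translates the device prefix back to `C:` does the same exclusion match. Whether a particular product does that translation is a question for its vendor, which is what the support case in this post is about.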




  • 8.  RE: Exception rule for programs running in shadow drive

    Posted Dec 22, 2010 01:04 PM

    Is this similar to TrueCrypt or PGP mounted volumes?   If so, if you are executing programs from this encrypted drive I would think you would WANT to scan inside it for viruses.

    And if so, then unless this volume is read only, there is no difference between it and a C:\ except for the fact you have encryption behind it.   The encryption doesn't prevent a mounted encrypted volume from having a virus.   In fact, this is where I store sample copies of viruses so that the weekly scan doesn't delete them.

    If it is read only, then it would be similar to a CD or DVD to antivirus.   It still could have a virus, however if you've scanned it once there is no need to repeat the scan over and over.

    My thoughts.