Endpoint Protection


How to Exclude INDIVIDUAL Files from SAV 10.1/10.2 With SSC

Rafeeq, Aug 11, 2009 07:12 AM

  • 1.  How to Exclude INDIVIDUAL Files from SAV 10.1/10.2 With SSC

    Posted Aug 09, 2009 02:48 PM
    Hi All,
    The other day Symantec published new virus signatures that are flagging our remote control/support software as a "Trojan Horse".  The users of the software in the IT department have the whole program directory in C:\Program Files excluded, but the client installs more as a driver and one of the DLLs (hodll.dll) is placed in Windows\System32 - I need to omit this one single file from being scanned, and I'd like to do it from the Symantec System Center Console.  I know how to exclude folders and extensions, but not individual files; is there a way I can do that?
    Seeing as how I can check/uncheck files from the client, I figure there is a way to do it from the SSC...and if not, then maybe there is a registry key I can export? 

    All-in-all, I'd like to exclude this one individual file, and report the false-positive to Symantec.  Any insight on either topic would be welcome.

    Thanks in advance!  


  • 2.  RE: How to Exclude INDIVIDUAL Files from SAV 10.1/10.2 With SSC

    Posted Aug 09, 2009 03:19 PM

    To set up exclusions for scheduled scans by using Symantec System Center

    1. Right-click a server group, a server, or a client group, and then click All Tasks > Symantec AntiVirus > Scheduled Scans.
    2. Create a scheduled scan, or edit an existing scan.
    3. Click Scan Settings.
    4. Click Options.
    5. In the Scheduled Scans dialog box, check Exclude files and folders, and then click Exclusions.
    6. If you use Symantec AntiVirus 8.x, check Check file for exclusion before scanning.
    7. Click Extensions.
    8. Type the extension without punctuation.
    9. Click Add, and then click OK.
    10. Do one of the following:
      • If the scan affects one computer, click Files/Folders, and then check the folders to exclude.
      • If the scan affects more than one computer, click Folders, and then type the drive letter and full path of each folder to exclude. 
        Computers that do not have the excluded folders ignore the exclusion.
    11. Click OK four times to save the scan and return to Symantec System Center.


    Excluding specific drives and folders from Symantec AntiVirus scans

    http://service1.symantec.com/support/ent-security.nsf/docid/2002092413394848 


  • 3.  RE: How to Exclude INDIVIDUAL Files from SAV 10.1/10.2 With SSC

    Posted Aug 09, 2009 03:32 PM
    I'm not looking to edit any "Scheduled Scans", particularly, because I don't have any scheduled.
    What I want to edit is All Tasks > Symantec AntiVirus > Client Auto-Protect Options.  When I click "Exclusions" the only options are "Extensions" and "Folders" - I need to make this change domain-wide, so it will need to hit all of my Windows clients.  Not worried about my servers, but it would be easiest to make the change at the "Root" SAV server level.

    With that in mind, is there anything else I can try or check out? 

    What if I check the file I need to omit through the SAV client that is installed on my "Root" SAV server?  It seems that any of the directories I have created through SSC at the "Root" level show up with the checkmark in the client-piece on the SAV server.  Does that sound plausible?


  • 4.  RE: How to Exclude INDIVIDUAL Files from SAV 10.1/10.2 With SSC

    Posted Aug 10, 2009 03:11 AM

    Hi... check the following link; it may give you more details.

    http://service1.symantec.com/support/ent-security.nsf/docid/2002092413394848



  • 5.  RE: How to Exclude INDIVIDUAL Files from SAV 10.1/10.2 With SSC

    Posted Aug 10, 2009 09:28 AM
    Thanks for the link, but unfortunately through SSC I still only have the ability to add folder paths, not individual files.  :(


  • 6.  RE: How to Exclude INDIVIDUAL Files from SAV 10.1/10.2 With SSC

    Posted Aug 10, 2009 10:13 AM
    Can you post a screen shot here please? Checked the document and it mentioned:

    Check Exclude selected files and folders and then click the lock icon so that it appears as locked.

    Strange, can you post a screen shot?



  • 7.  RE: How to Exclude INDIVIDUAL Files from SAV 10.1/10.2 With SSC

    Posted Aug 10, 2009 10:36 AM
    Hi Rafeeq,

    Sure; please see below.  Notice how under exclusions I have "Extensions" and "Folders" but no "Files/Folders".
    Lower in the pic you can see that I have a window that I can enter paths for directories but not individual files.

    [Image: screenshot]


  • 8.  RE: How to Exclude INDIVIDUAL Files from SAV 10.1/10.2 With SSC

    Posted Aug 10, 2009 03:36 PM

    Any luck finding a workaround for this?  I am having the same issue on 10000+ machines here.  I really don't want to exclude ALL dll files or ALL the contents of c:\windows\system32.



  • 9.  RE: How to Exclude INDIVIDUAL Files from SAV 10.1/10.2 With SSC

    Posted Aug 11, 2009 07:12 AM
    Will get back to you on this.


  • 10.  RE: How to Exclude INDIVIDUAL Files from SAV 10.1/10.2 With SSC

    Posted Aug 11, 2009 09:20 AM
    Hi Rafeeq,

    Remember, I am trying to manage it via the Symantec System Center Console, which is where that screenshot came from. 
    You can add exceptions for individual files from the client-side, as you are given the hierarchical tree-structure view with checkboxes, but the server side is "Open-Ended".


  • 11.  RE: How to Exclude INDIVIDUAL Files from SAV 10.1/10.2 With SSC
    Best Answer

    Posted Aug 11, 2009 09:45 AM

    On the client side we get the option to add a single file,
    but from SSC we get the folders option.
    We need to check whether adding the entire file name excludes it or not,
    something like c:\something\something.ext from SSC.
    We need to check the last access time.

    give it a try
     



  • 12.  RE: How to Exclude INDIVIDUAL Files from SAV 10.1/10.2 With SSC

    Posted Aug 11, 2009 09:48 AM
    Hey man,

    Looks like you can make all the exceptions on one system, export the registry key where the exceptions are saved, then import the key on your other clients' systems.  The location is:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan\FileExceptions]

    The entries are DWORDs with the "Value Name" set as the file's full path and the "Value Data" set to 0.
    E.g. "C:\\WINDOWS\\system32\\hodll.dll"=dword:00000000


    Looks like it works alright when merging it to the client systems.  Even if the exempt files don't exist on the client's PC, the exceptions stick in the registry, so if the files are added later they will be check-marked in the client's exclusions list.  I verified that this morning.

    Sucks, but it looks like that may be the only way to do it if you're not ready to move up to the next Endpoint Protection suite.  :-( 
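
Added example, not part of the original post or any Symantec tooling: a Python sketch that writes the `.reg` text for the FileExceptions key in the format quoted above (full file path as value name, DWORD 0), refuses folders and wildcards so an exclusion stays scoped to one file, and parses an export back so exclusions under the Windows directory can be reviewed. The `REGEDIT4` header, the `C:\WINDOWS` default, the function names and the second sample path are assumptions made for illustration.

```python
import ntpath
import re

# Key and value format are the ones quoted in the post above.
KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6"
       r"\CurrentVersion\Storages\Filesystem\RealTimeScan\FileExceptions")
ENTRY = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9a-fA-F]{8})$')

def build_reg(paths):
    """Return REGEDIT4 text with one DWORD 0 value per full file path."""
    lines = ["REGEDIT4", "", "[%s]" % KEY]
    for p in paths:
        drive, rest = ntpath.splitdrive(p)
        # Require drive + rooted path + file name; refuse folders and wildcards.
        if not (drive and rest.startswith("\\") and ntpath.basename(p)):
            raise ValueError("not a full file path: %r" % p)
        if any(c in p for c in '*?"'):
            raise ValueError("wildcard or quote in path: %r" % p)
        lines.append('"%s"=dword:00000000' % p.replace("\\", "\\\\"))
    return "\r\n".join(lines) + "\r\n"

def parse_reg(text):
    """Return {file path: DWORD value} for entries under KEY in a .reg export."""
    found, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == KEY.lower()
        elif in_key:
            m = ENTRY.match(line)
            if m:
                found[re.sub(r"\\(.)", r"\1", m.group(1))] = int(m.group(2), 16)
    return found

def in_system_dir(exceptions, windir=r"C:\WINDOWS"):
    """List excluded files that live under windir (assumed default location)."""
    prefix = windir.lower().rstrip("\\") + "\\"
    return sorted(p for p in exceptions if p.lower().startswith(prefix))

# Constructed sample export: the thread's file plus one entry in another key.
SAMPLE = build_reg([r"C:\WINDOWS\system32\hodll.dll",
                    r"C:\Program Files\Support\agent.exe"]) + (
    "\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Example]\r\n"
    '"C:\\\\WINDOWS\\\\other.dll"=dword:00000000\r\n')

if __name__ == "__main__":
    print(in_system_dir(parse_reg(SAMPLE)))
```

Running `parse_reg` over a periodic export of this key and comparing the result with the approved list shows when an exclusion has been added outside the documented change.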


  • 13.  RE: How to Exclude INDIVIDUAL Files from SAV 10.1/10.2 With SSC

    Posted Aug 11, 2009 09:53 AM
    You can check this in the meantime.

    You can create an exclusion for the entire file in SSC (via exclude folder),

    then check if the exclusions are set in the registry.


    How To Configure File, Folder or File Type Exclusions for AutoProtect on Symantec AntiVirus 10.x unmanaged clients.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009031309034548



  • 14.  RE: How to Exclude INDIVIDUAL Files from SAV 10.1/10.2 With SSC

    Posted Aug 11, 2009 12:07 PM
    Ya know...it would figure that the easiest solution is the one that works!  Sheesh...I could have sworn I tried that once...  Ah well...

    Yeah, if you put the file's full path (e.g. C:\WINDOWS\System32\hodll.dll) the file appears checkmarked in the clients' Exceptions tree-list.

    Thanks, Rafeeq!  


  • 15.  RE: How to Exclude INDIVIDUAL Files from SAV 10.1/10.2 With SSC

    Posted Aug 12, 2009 12:34 PM
    Hi all,
    I have a new question related to this topic that I posted here.  
    If you guys get a minute, please take a look and reply if you have any suggestions.

    Thanks again!