Exceptions, excluded are not applying to an application or directory - How to Verify if an Endpoint Client has Automatically used exclusions
search cancel

Exceptions, excluded are not applying to an application or directory - How to Verify if an Endpoint Client has Automatically used exclusions

book

Article ID: 151606

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

How to verify exceptions on a Symantec Endpoint Protection client

Symptoms

The Endpoint Protection client automatically detects the presence of certain installed components/applications, such as Microsoft Exchange and Active Directory Domain Controllers. Where to manually inspect these exclusions to verify if they need to be added to the Exceptions policy?

It appears exceptions are not applying correctly for an application or excluded directory.

 

Cause

The latest version of Endpoint Protection now automatically adds exclusions that are not visible from the Endpoint Protection Manager.

Resolution

In SEP versions 14.3 RU1 and later, exclusions are no longer viewable in the registry. Verification may be performed via debug logging instead.

  • To enable the debug log:
  1. Open the SEP client UI
  2. Click Help > Troubleshooting
  3. Click Debug Logs at the left side
  4. Under Symantec Endpoint Protection Debug log setting: click Edit Debug Log Settings
  5. In the Symantec Endpoint Protection Debug Log Settings dialog enter: ALL
  6. Click OK, then close Troubleshooting and the SEP client UI
  • To force the SEP client to re-process automatic exclusions:
  1. Right-click the start menu and click Run
  2. Type the following and click OK: smc -stop
  3. Wait for the SEP shield to disappear from the tray and the smc command window to close
  4. Right-click the start menu and click Run
  5. Type the following and click OK: smc -start
  6. Open the SEP client UI
  7. Click Help > Troubleshooting
  8. Click Debug Logs at the left side
  9. Under Symantec Endpoint Protection Debug log setting: click View Log
  10. Look for entries like the following:

13:46:45.040944[_7752][_3088]|Setting Exclusions
13:46:45.044767[_7752][_3088]|AP Exclusion: C:\Windows\system32\dns\_msdcs.contoso.com.dns
13:46:45.045109[_7752][_3088]|AP Exclusion: C:\Windows\system32\dns\samples\192.DNS
13:46:45.045310[_7752][_3088]|AP Exclusion: C:\Windows\NTDS\edb.log
13:46:45.045854[_7752][_3088]|AP Exclusion: C:\Windows\NTDS\RES1.log
13:46:45.046095[_7752][_3088]|AP Exclusion: C:\Windows\system32\dns\backup\dns.log
13:46:45.046276[_7752][_3088]|AP Exclusion: C:\Windows\NTDS\RES2.log
13:46:45.046538[_7752][_3088]|AP Exclusion: C:\Windows\NTDS\TEMP.edb
13:46:45.046880[_7752][_3088]|AP Exclusion: C:\Windows\ntfrs\jet\log\edb.log
13:46:45.047121[_7752][_3088]|AP Exclusion: C:\Windows\ntfrs\jet\log\res1.log
13:46:45.047302[_7752][_3088]|AP Exclusion: C:\Windows\ntfrs\jet\log\res2.log
13:46:45.047503[_7752][_3088]|AP Exclusion: C:\Windows\system32\dns\samples\BOOT
13:46:45.047705[_7752][_3088]|AP Exclusion: C:\Windows\NTDS\edb00001.log
13:46:45.047866[_7752][_3088]|AP Exclusion: C:\Windows\ntfrs\jet\Ntfrs.jdb
13:46:45.048107[_7752][_3088]|AP Exclusion: C:\Windows\system32\dns\contoso.com.dns
13:46:45.048268[_7752][_3088]|AP Exclusion: C:\Windows\system32\dns\cache.dns
13:46:45.048489[_7752][_3088]|AP Exclusion: C:\Windows\system32\dns\samples\CACHE.DNS
13:46:45.048711[_7752][_3088]|AP Exclusion: C:\Windows\NTDS\edb00002.log
13:46:45.048932[_7752][_3088]|AP Exclusion: C:\Windows\NTDS\EDB.chk
13:46:45.049274[_7752][_3088]|AP Exclusion: C:\Windows\NTDS\edb00003.log
13:46:45.049495[_7752][_3088]|AP Exclusion: C:\Windows\ntfrs\jet\sys\edb.chk
13:46:45.049697[_7752][_3088]|AP Exclusion: C:\Windows\system32\dns\dns.log
13:46:45.049918[_7752][_3088]|AP Exclusion: C:\Windows\system32\dns\samples\PLACE.DNS
13:46:45.050099[_7752][_3088]|AP Exclusion: C:\Windows\NTDS\ntds.dit
13:46:45.050501[_7752][_3088]|AP Exclusion: C:\Windows\SYSVOL\staging areas
13:46:45.050783[_7752][_3088]|AP Exclusion: C:\Windows\SYSVOL\staging areas\contoso.com
13:46:45.051125[_7752][_3088]|AP Exclusion: C:\Windows\SYSVOL\sysvol
13:46:45.051487[_7752][_3088]|AP Exclusion: C:\System Volume Information\DFSR
13:46:45.051749[_7752][_3088]|AP Exclusion: C:\Windows\SYSVOL
13:46:45.052151[_7752][_3088]|AP Exclusion: C:\Windows\SYSVOL\domain\DfsrPrivate
13:46:45.052574[_7752][_3088]|AP Exclusion: C:\Windows\SYSVOL\domain\DfsrPrivate\ConflictAndDeleted

Once you've verified the exclusions have been made you can disable the debug log.

  • To disable the debug log:
  1. Open the SEP client UI
  2. Click Help > Troubleshooting
  3. Click Debug Logs at the left side
  4. Under Symantec Endpoint Protection Debug log setting: click Edit Debug Log Settings
  5. In the Symantec Endpoint Protection Debug Log Settings dialog delete the value: ALL
  6. Click OK, then close Troubleshooting and the SEP client UI
  • Note: It is not necessary to stop and start smc again

For all versions prior to 14.3 RU1, the steps below can be used.

HOW TO VISUALLY INSPECT EXCLUSIONS

  1. Start > Run > Regedit
     
  2. Browse to the registry key:
    • HKEY_LOCAL_MACHINE\SOFTWARE\SYMANTEC\SYMANTEC ENDPOINT PROTECTION\AV\EXCLUSIONS
      Note: On 64bit window machines the registry path is:
      HKEY_LOCAL_MACHINE\Software\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions
       
  3. Expand the key to view the various applications listed there.
    • The 'File Exceptions' folder is where you can inspect the full list of exclusions associated with that product.

This key is where both automatic and policy added exclusions are stored on the client. Inspecting this key reveals all exclusions applied to the client. If you do not see the exclusion you are trying to add listed in the registry, then it is not being added automatically. You must manually add it to an Exceptions policy.


 

 

Powered by Wolken Software