Exceptions, excluded are not applying to an application or directory - How to Verify if an Endpoint Client has Automatically used exclusions

Article ID: 151606

Products

Endpoint Protection, Endpoint Security

Issue/Introduction

How to verify exceptions on a Symantec Endpoint Protection 14 client.

Symptoms

The Endpoint Protection client automatically detects the presence of certain installed components/applications, such as Microsoft Exchange and Active Directory Domain Controllers. Where can these automatic exclusions be inspected manually, to verify whether they still need to be added to the Exceptions policy?

It appears exceptions are not applying correctly for an application or excluded directory.


Environment

  • Symantec Endpoint Protection 14
  • Symantec Endpoint Security 14

Cause

The latest version of Endpoint Protection now automatically adds exclusions that are not visible from the Endpoint Protection Manager.

Resolution

In SEP versions 14.3 RU1 and later, exclusions are no longer viewable in the registry. Verification may be performed via debug logging instead.

14.3 RU1 and newer versions of SEP 14

To enable the debug log:

  1. Open the SEP client UI
  2. Click Help > Troubleshooting
  3. Click Debug Logs at the left side
  4. Under Symantec Endpoint Protection Debug log setting: click Edit Debug Log Settings
  5. In the Symantec Endpoint Protection Debug Log Settings dialog enter: ALL
  6. Click OK, then close Troubleshooting and the SEP client UI

To force the SEP client to re-process automatic exclusions:

  1. Right-click the start menu and click Run
  2. Type the following and click OK: smc -stop
  3. Wait for the SEP shield to disappear from the tray and the smc command window to close
  4. Right-click the start menu and click Run
  5. Type the following and click OK: smc -start
  6. Open the SEP client UI
  7. Click Help > Troubleshooting
  8. Click Debug Logs at the left side
  9. Under Symantec Endpoint Protection Debug log setting: click View Log
  10. Look for entries like the following:

13:46:45.040944[_7752][_3088]|Setting Exclusions
13:46:45.044767[_7752][_3088]|AP Exclusion: C:\Windows\system32\dns\_msdcs.contoso.com.dns
13:46:45.045109[_7752][_3088]|AP Exclusion: C:\Windows\system32\dns\samples\192.DNS
13:46:45.045310[_7752][_3088]|AP Exclusion: C:\Windows\NTDS\edb.log
13:46:45.045854[_7752][_3088]|AP Exclusion: C:\Windows\NTDS\RES1.log
13:46:45.046095[_7752][_3088]|AP Exclusion: C:\Windows\system32\dns\backup\dns.log
13:46:45.046276[_7752][_3088]|AP Exclusion: C:\Windows\NTDS\RES2.log
13:46:45.046538[_7752][_3088]|AP Exclusion: C:\Windows\NTDS\TEMP.edb
13:46:45.046880[_7752][_3088]|AP Exclusion: C:\Windows\ntfrs\jet\log\edb.log
13:46:45.047121[_7752][_3088]|AP Exclusion: C:\Windows\ntfrs\jet\log\res1.log
13:46:45.047302[_7752][_3088]|AP Exclusion: C:\Windows\ntfrs\jet\log\res2.log
13:46:45.047503[_7752][_3088]|AP Exclusion: C:\Windows\system32\dns\samples\BOOT
13:46:45.047705[_7752][_3088]|AP Exclusion: C:\Windows\NTDS\edb00001.log
13:46:45.047866[_7752][_3088]|AP Exclusion: C:\Windows\ntfrs\jet\Ntfrs.jdb
13:46:45.048107[_7752][_3088]|AP Exclusion: C:\Windows\system32\dns\contoso.com.dns
13:46:45.048268[_7752][_3088]|AP Exclusion: C:\Windows\system32\dns\cache.dns
13:46:45.048489[_7752][_3088]|AP Exclusion: C:\Windows\system32\dns\samples\CACHE.DNS
13:46:45.048711[_7752][_3088]|AP Exclusion: C:\Windows\NTDS\edb00002.log
13:46:45.048932[_7752][_3088]|AP Exclusion: C:\Windows\NTDS\EDB.chk
13:46:45.049274[_7752][_3088]|AP Exclusion: C:\Windows\NTDS\edb00003.log
13:46:45.049495[_7752][_3088]|AP Exclusion: C:\Windows\ntfrs\jet\sys\edb.chk
13:46:45.049697[_7752][_3088]|AP Exclusion: C:\Windows\system32\dns\dns.log
13:46:45.049918[_7752][_3088]|AP Exclusion: C:\Windows\system32\dns\samples\PLACE.DNS
13:46:45.050099[_7752][_3088]|AP Exclusion: C:\Windows\NTDS\ntds.dit
13:46:45.050501[_7752][_3088]|AP Exclusion: C:\Windows\SYSVOL\staging areas
13:46:45.050783[_7752][_3088]|AP Exclusion: C:\Windows\SYSVOL\staging areas\contoso.com
13:46:45.051125[_7752][_3088]|AP Exclusion: C:\Windows\SYSVOL\sysvol
13:46:45.051487[_7752][_3088]|AP Exclusion: C:\System Volume Information\DFSR
13:46:45.051749[_7752][_3088]|AP Exclusion: C:\Windows\SYSVOL
13:46:45.052151[_7752][_3088]|AP Exclusion: C:\Windows\SYSVOL\domain\DfsrPrivate
13:46:45.052574[_7752][_3088]|AP Exclusion: C:\Windows\SYSVOL\domain\DfsrPrivate\ConflictAndDeleted

Once you've verified the exclusions have been made you can disable the debug log.

To disable the debug log:

  1. Open the SEP client UI
  2. Click Help > Troubleshooting
  3. Click Debug Logs at the left side
  4. Under Symantec Endpoint Protection Debug log setting: click Edit Debug Log Settings
  5. In the Symantec Endpoint Protection Debug Log Settings dialog delete the value: ALL
  6. Click OK, then close Troubleshooting and the SEP client UI

Note: It is not necessary to stop and start smc again.
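As an added example (not from this article or from Symantec), the following PowerShell script reads the SEP client debug log, collects every path logged after "AP Exclusion:", and reports whether a path you care about is covered, so you know whether it still has to be added to an Exceptions policy. The log file location and the path to check are assumed to be supplied by the caller; treating a directory entry as covering everything beneath it is an assumption of the script, not a statement about how SEP evaluates exclusions.

```powershell
# Added example, not part of the Broadcom article. Parses "AP Exclusion:" lines
# out of the SEP client debug log and checks whether a given path is covered.
# Usage (assumed invocation):
#   .\Check-SepExclusion.ps1 -LogPath 'C:\temp\debug.log' -Check 'C:\Windows\NTDS\ntds.dit'
param(
    [Parameter(Mandatory)] [string] $LogPath,   # exported debug log (assumption)
    [Parameter(Mandatory)] [string] $Check      # file or directory to look up
)

# Each exclusion line looks like:
#   13:46:45.050099[_7752][_3088]|AP Exclusion: C:\Windows\NTDS\ntds.dit
# The named group "path" captures everything after the "AP Exclusion:" label.
$pattern = '\|AP Exclusion:\s*(?<path>.+?)\s*$'

# @() keeps $exclusions an array even when zero or one line matches.
$exclusions = @(Get-Content -Path $LogPath |
    Select-String -Pattern $pattern |
    ForEach-Object { $_.Matches[0].Groups['path'].Value } |
    Sort-Object -Unique)

"Found $($exclusions.Count) automatic exclusion entries in $LogPath"

# Windows paths are case-insensitive and may or may not carry a trailing
# backslash, so normalise both sides before comparing.
function Normalize([string] $p) { return $p.TrimEnd('\').ToLowerInvariant() }

$target = Normalize $Check
$hit = $exclusions | Where-Object {
    $entry = Normalize $_
    # Exact match, or (assumption) the entry is a parent directory of the target.
    ($target -eq $entry) -or ($target.StartsWith($entry + '\'))
} | Select-Object -First 1

if ($hit) {
    "COVERED: '$Check' is excluded via the logged entry '$hit'"
} else {
    "NOT COVERED: '$Check' has no matching AP Exclusion entry; add it to the Exceptions policy"
}
```

Run the script against the log you opened in step 9 above (Help > Troubleshooting > Debug Logs > View Log lets you save or copy it to a file) to check each path you expected to be excluded automatically.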

Versions of SEP 14 prior to 14.3 RU1

Follow the steps below to view applied exclusions in the registry.

  1. Start -> Run -> open Regedit
  2. Browse to the registry key:
     HKEY_LOCAL_MACHINE\SOFTWARE\SYMANTEC\SYMANTEC ENDPOINT PROTECTION\AV\EXCLUSIONS
     Note: On 64-bit Windows machines the registry path is:
     HKEY_LOCAL_MACHINE\Software\WOW6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions
  3. Expand the key to view the various applications listed there.
     • The 'File Exceptions' folder is where you can inspect the full list of exclusions associated with that product.

This key is where both automatic and policy-added exclusions are stored on the client, so inspecting it reveals all exclusions applied to the client. If the exclusion you are trying to add is not listed in the registry, it is not being added automatically, and you must add it manually to an Exceptions policy.

Additional Information

This information is not applicable to Symantec Endpoint Protection 16 (SEP 16) or Endpoint Security Agent (ESA).