How to exclude 2008 R2 Cluster Shared Volumes from Symantec Endpoint Protection
search cancel

How to exclude 2008 R2 Cluster Shared Volumes from Symantec Endpoint Protection


Article ID: 152747


Updated On:


Endpoint Protection


How do you exclude 2008 R2 Cluster Shared Volumes from Symantec Endpoint Protection?

File and folder exclusions do not appear to be effective--Endpoint Protection still scans files on the Cluster Shared Volumes.


For example--Risk detected

9/16/2010 11:43:04 AM Anomaly Found Auto-Protect scan SYSTEM EICAR Test String \Device\HarddiskVolume9\... Cleaned by deletion Deleted Clean security risk Quarantine


Cluster Shared Volumes are a new technology available only on 2008 R2 clusters. This type of storage does not have an assigned drive letter; it is accessed through a reparse point on each node under %systemdrive%\ClusterStorage\. This reparse point appears as a normal directory, e.g. C:\ClusterStorage\Volume1\, but actually refers to a location on a different volume. Even though C:\ClusterStorage\ can be selected when specifying a file or folder exclusion, Endpoint Protection tries to follow reparse points to their original drive letter and directory. Since there is no drive letter, the original location is returned as a device pathname like "\Device\HarddiskVolume9\..." which cannot be specified as a matching exclusion for Endpoint Protection


This behavior is a consequence of SEP's current design, which requires file paths that can be resolved to a drive letter. Changing this requirement would be an enhancement for a future release, but not considered to be a defect

A partial workaround may be implemented by excluding files based on extension--these types of exclusions are still effective. The Cluster Shared Volumes feature of failover clustering is supported by Microsoft only for use with the Hyper-V server role, so you should be fairly sure of the file types that will be on these volumes:


For further reference, see Cluster Shared Volumes Support for Hyper-V.