Install SEP client on Microsoft System Center Configuration Manager 2007


Article ID: 155994


Updated On:


Endpoint Protection


 How to install a Symantec Endpoint Protection (SEP) client on Microsoft System Center Configuration Manager (SCCM) 2007

 The SEP client install will require exclusions to work with the SCCM.


 Summary of Exclusions for ConfigMgr 2007:

CAB and archived files exclusions:
· Exclude the file from the antivirus scan. –OR-
· Exclude all .cab files from the antivirus scan. –OR-
· Exclude all archived files from the antivirus scan. –OR-
· Exclude the following items from the antivirus scan:
· The folder in which the file is located.
· The path of the file on the local computer.
Exclusion of <DriveLetter>:\<ConfigMgr Install Folder>\Inboxes\SMS_Executive:
The SMS_Executive service may stop responding to some threads. These include the following threads:
• SMS_Discovery_Data_Manager
• SMS_Status_Manager
• SMS_Replication_Manager
• SMS_Despooler
• SMS_Data_Loader
• SMS_Collection_Evaluator
If you experience the behavior described above or in this article (KB327453), use one or more of the following methods to reduce the file backlog:
• Exclude the <DriveLetter>:\<ConfigMgr install folder>\Inboxes\SMS_Executive Thread Name directory or the SMS_CCM\ServiceData directory from the virus-scanning process
• Make sure that the antivirus software is not configure for Real-Time monitoring.
• Remove the antivirus software, and then restart the server so that any remaining traces re unloaded and removed from memory.
Note: If you exclude the <DriveLetter):\<ConfigMgr install folder>\Inboxes directory from virus scanning or remove the antivirus software, you may make the site server and all clients vulnerable to potential virus risks. The client base component files reside in the <DriveLetter):\<ConfigMgr install folder>\Inboxes directory, therefore use these options only as a short-term troubleshooting step and not as a solution for this behavior.
Exclusion of %Windir%\SoftwareDistribution :
Where the antivirus program is configured to scan the %Windir%\SoftwareDistribution folder on the computer on which the ITMU scan is run. In this case, when the antivirus program scans the .edb file the antivirus program locks the file. The result is that ITMU cannot access the .edb file. To workaround this issue please make sure that the antivirus program does not scan the files in the %windir%\SoftwareDistribution folder on any computer on which the Windows Update Agent is installed.
Microsoft Windows Update or Automatic Update related files
The Windows Update or Automatic Update database file. This file is located in the following folder:
Exclude the Datastore.edb file.
The transaction log files. These files are located in the following folder:
Exclude the following files:
Note The wildcard character indicates that there may be several files.
APPENDIX: ConfigMgr 2007 Antivirus Recommendations
It is recommended from a performance point of view that antivirus scanning be disabled on certain key non-executable items. As these items are non-executable they provide minimal risk on a server, where the number of non-trusted application should be negligible and the opening of files by user applications is also minimal. The key items include:
- ConfigMgr 2007 database data and log files (server-side)
- ConfigMgr 2007 log files (server-side)
- ConfigMgr 2007 transactional files (server-side)
- Windows Update Scan Catalog (client-side)
The following is a listing of the details of the above types of key items:


Applies To

Microsoft System Center Configuration Manager (SCCM) 2007

Symantec Endpoint Protection 11.x and 12.1.x

Windows supported OS's