Antivirus flagging Symantec Data Loss Prevention (DLP) as a virus or security threat

Article ID: 160017
Products

Data Loss Prevention Enforce

Issue/Introduction

Antivirus software running on the same system as Symantec DLP flags it as a virus or a security threat.

You want to exclude DLP files from being scanned by antivirus software.

Cause

Symantec Data Loss Prevention (DLP) frequently writes to several common directories. Some antivirus solutions interpret this behavior as a virus or security threat and may shut DLP down.

Resolution

In your antivirus software, exclude or omit the following directories from future scans.

DLP 15.5 

Enforce Server Specific

C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.5\logs
C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.5\temp
C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.5\scan
C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.5\incidents
C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.5\tomcatTemp
C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.5\tomcatWorkDir
[Drive]:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat

Detection Server Specific

C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.5\drop
C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.5\logs
C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.5\temp
C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.5\scan
C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.5\incidents
C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.5\spool

Oracle

[Drive]:\oracle

  • You must also exclude the local temporary folder of the user account that runs the DLP services (usually "protect").
  • To confirm this folder, log in as the "protect" user and run: echo %TEMP%
  • By default the path is C:\Users\protect\AppData\Local\Temp.
  • On Windows Server 2003 and earlier, the default temp folder is C:\Documents and Settings\protect\Local Settings\Temp.

DLP 15.1

Enforce Server Specific

C:\ProgramData\Symantec\Data Loss Prevention\Enforce Server\15.1\logs
C:\ProgramData\Symantec\Data Loss Prevention\Enforce Server\15.1\temp
C:\ProgramData\Symantec\Data Loss Prevention\Server Platform Common\15.1\scan
C:\ProgramData\Symantec\Data Loss Prevention\Server Platform Common\15.1\incidents
C:\ProgramData\Symantec\Data Loss Prevention\Enforce Server\15.1\tomcatTemp
C:\ProgramData\Symantec\Data Loss Prevention\Enforce Server\15.1\tomcatWorkDir
[Drive]:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\Protect\tomcat

Detection Server Specific

C:\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\drop
C:\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\logs
C:\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\temp
C:\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\scan
C:\ProgramData\Symantec\Data Loss Prevention\Server Platform Common\15.1\incidents
C:\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\spool

Oracle

[Drive]:\oracle

  • You must also exclude the local temporary folder of the user account that runs the DLP services (usually "protect").
  • To confirm this folder, log in as the "protect" user and run: echo %TEMP%
  • By default the path is C:\Users\protect\AppData\Local\Temp.
  • On Windows Server 2003 and earlier, the default temp folder is C:\Documents and Settings\protect\Local Settings\Temp.

DLP 11.6.x through 15.0.x

\drop 
\drop_discover
\drop_ep
\drop_pcap
\drop_ttd
\icap_spool
\packet_spool
\SymantecDLP\Protect\incidents
\SymantecDLP\Protect\logs
\SymantecDLP\Protect\temp
\SymantecDLP\Protect\tomcat
\SymantecDLP\Protect\scan
\oracle

Note: Symantec does not recommend excluding individual binaries from antivirus scanning. The names and locations of binary files may change with new software releases and patches. Additionally, DLP creates and places files in directories such as drop and drop_pcap; because the file names are not known in advance, the entire directory must be excluded.
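The following script is an added example, not part of the Symantec article, showing how the exclusions above can be applied and then verified from an elevated PowerShell session. It assumes Microsoft Defender Antivirus is the antivirus product (the article applies to any antivirus; other products have their own exclusion interfaces), that DLP 15.5 is installed on the C: drive, and that the service account is the default "protect" user. The variables $DlpVersion, $DlpDrive and $ServiceUser are assumptions to adjust for your environment.

```powershell
# Added example (not from the Symantec article): register the DLP 15.5 exclusion
# directories and low-risk processes with Microsoft Defender Antivirus, then read
# the resulting configuration back for verification.
# Assumptions: Defender is the AV in use, DLP 15.5 on C:, service account "protect".
#Requires -RunAsAdministrator

$DlpVersion  = '15.5'      # assumed version; change to match the installed release
$DlpDrive    = 'C:'        # assumed install drive ([Drive] in the article)
$ServiceUser = 'protect'   # account that runs the DLP services

$DataRoot    = "C:\ProgramData\Symantec\DataLossPrevention"
$ProgramRoot = "$DlpDrive\Program Files\Symantec\DataLossPrevention"

# Directories from the Resolution section (Enforce Server, Detection Server, Oracle).
$ExclusionDirs = @(
    "$DataRoot\EnforceServer\$DlpVersion\logs",
    "$DataRoot\EnforceServer\$DlpVersion\temp",
    "$DataRoot\EnforceServer\$DlpVersion\tomcatTemp",
    "$DataRoot\EnforceServer\$DlpVersion\tomcatWorkDir",
    "$ProgramRoot\EnforceServer\$DlpVersion\Protect\tomcat",
    "$DataRoot\ServerPlatformCommon\$DlpVersion\scan",
    "$DataRoot\ServerPlatformCommon\$DlpVersion\incidents",
    "$DataRoot\DetectionServer\$DlpVersion\drop",
    "$DataRoot\DetectionServer\$DlpVersion\logs",
    "$DataRoot\DetectionServer\$DlpVersion\temp",
    "$DataRoot\DetectionServer\$DlpVersion\scan",
    "$DataRoot\DetectionServer\$DlpVersion\spool",
    "$DlpDrive\oracle"
)

# Temp folder of the service account. The article confirms it with "echo %TEMP%"
# while logged in as that user; here the profile path is read from the registry
# for a local account, falling back to the article's default if that fails
# (for example when "protect" is a domain account).
try {
    $sid = (Get-LocalUser -Name $ServiceUser -ErrorAction Stop).SID.Value
    $profileKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
    $profilePath = (Get-ItemProperty -Path $profileKey -ErrorAction Stop).ProfileImagePath
    $ExclusionDirs += Join-Path $profilePath 'AppData\Local\Temp'
} catch {
    Write-Warning "Could not resolve the profile of '$ServiceUser'; using the default path."
    $ExclusionDirs += "C:\Users\$ServiceUser\AppData\Local\Temp"
}

# Low-risk processes listed in the article's Additional Information section.
$ExclusionProcs = @(
    'VontuMonitor.exe',
    'java.exe',
    'SymantecDLPDetectionServer.exe',
    'SymantecDLPDetectionServerController.exe',
    'SymantecDLPIncidentPersister.exe',
    'SymantecDLPManager.exe',
    'SymantecDLPNotifier.exe',
    'lsm.exe'
)

# Only exclude directories that actually exist on this host: an Enforce Server has
# no Detection Server directories and vice versa, and an exclusion for a path that
# does not exist is a blind spot waiting to be filled later.
foreach ($dir in $ExclusionDirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Warning "Not present on this host, skipping: $dir"
        continue
    }
    Add-MpPreference -ExclusionPath $dir
    Write-Host "Excluded directory: $dir"
}

foreach ($proc in $ExclusionProcs) {
    Add-MpPreference -ExclusionProcess $proc
    Write-Host "Excluded process: $proc"
}

# Verification: read back what Defender now holds.
$pref = Get-MpPreference
Write-Host "`nCurrent path exclusions:"
$pref.ExclusionPath | Sort-Object
Write-Host "`nCurrent process exclusions:"
$pref.ExclusionProcess | Sort-Object
```

Process exclusions given by bare image name (for example java.exe) apply to every process with that name on the host, so where the full path of the DLP-bundled executable is known it is narrower to pass that path to -ExclusionProcess instead. Re-run the script after a DLP upgrade, since the version number forms part of every directory path.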

Additional Information

Additional exclusions for directories and processes:

Scan Exclusion                                                                        Include sub-directories (Yes/No)
**\Oracle\                                                                            No
D:\DATA\Server Platform Common\15.1\incidents\                                        No
D:\DATA\Server Platform Common\15.1\scan\                                             No
D:\DATA\Enforce Server\15.1\logs\                                                     No
D:\DATA\Enforce Server\15.1\temp\                                                     No
D:\DATA\Enforce Server\15.1\tomcatTemp\                                               No
D:\DATA\Enforce Server\15.1\tomcatWorkDir\                                            No
D:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\Protect\tomcat\    No
D:\DATA\Detection Server\15.1\drop\                                                   No
D:\DATA\Detection Server\15.1\logs\                                                   No
D:\DATA\Detection Server\15.1\temp\                                                   No
D:\DATA\Detection Server\15.1\scan\                                                   No
D:\DATA\Server Platform Common\15.1\incidents\                                        No
D:\DATA\Detection Server\15.1\spool\                                                  No
**\drop_ep\                                                                           No
**\icap_ttd\                                                                          No
**\users\protect\AppData\Local\Temp\                                                  No
**\Icap_spool\                                                                        No
**\drop_ttd\                                                                          No
**\drop_discover\                                                                     No
D:\SymantecDLPOCR\                                                                    Yes


Low-Risk Processes:

VontuMonitor.exe
java.exe
SymantecDLPDetectionServer.exe
SymantecDLPDetectionServerController.exe
SymantecDLPIncidentPersister.exe
SymantecDLPManager.exe
SymantecDLPNotifier.exe
lsm.exe