Servers with Antivirus and Symantec Data Loss Prevention (DLP) Server Software
Article ID: 160017
Updated On:
Products
Issue/Introduction
Antivirus software running on the same system as Symantec DLP and may or may not be flagging it as a virus or a security threat.
You want to exclude DLP files from being scanned by antivirus software.
Environment
This article covers exclusions for DLP servers; for Agents, see Best Practice: Endpoint Agents with Antivirus Protection (broadcom.com)
Cause
Symantec Data Loss Prevention (DLP) frequently writes to several common directories. Some antivirus solutions may view this behavior like a virus or security threat and may shut down DLP.
Resolution
Complete details can be found in the DLP installation guide: 15.7 / 15.8 / 16.0.
In your antivirus software, exclude or omit the following directories from future scans.
DLP 15.8
Enforce Server Specific
\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\logs (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\scan
\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\temp (with subdirectories)
\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\tomcat
\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\tomcat\temp
\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\tomcat\work
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.8.00000\Protect\incidents
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.8.00000\Protect\index
Detection Server Specific
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\drop
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\icap_spool
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\packet_spool
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\Protect\logs (with subdirectories)
\Program Files\Symantec\DataLossPrevention\DetectionServer\15.8.00000\Protect\temp (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.8.00000\Protect\incidents
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.8.00000\Protect\index
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.8.00000\Protect\scan (with subdirectories)
Oracle Server
\app\Administrator\oradata\protect
\app\Administrator\product\<version>\dbhome_1
Where <version> is the Oracle software version you are running
OCR Server
\ProgramData\Symantec\DataLossPrevention\OCRServer\15.8.00000
\ProgramData\OmniPage
\SymantecDLPOCR
DLP 15.7
Enforce Server Specific
\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.7\logs (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.7\scan (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.7\temp (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.7\tomcatTemp
\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.7\tomcatWorkDir
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.7\incidents
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.7\index
\Program Files\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\tomcat
Detection Server Specific
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.7\drop
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.7\spool\ICAP
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.7\spool\PacketCapture
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.7\Protect\incidents
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.7\Protect\index
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.7\Protect\logs (with subdirectories)
\Program Files\Symantec\DataLossPrevention\DetectionServer\15.7\Protect\temp (with subdirectories)
Oracle Server
When the Symantec Data Loss Prevention application accesses files and directories, it can appear to antivirus software
as if it were a virus. Therefore, you must exclude certain directories from antivirus scans on Symantec Data Loss
Prevention servers.
Using your antivirus software, exclude the following Oracle directories from antivirus scanning:
• \app\Administrator\oradata\protect
• \app\Administrator\product\12.2.0.1\dbhome_1
Most of the Oracle files to be excluded are located in these directories, but additional files are located in other directories.
Use the Oracle Enterprise Manager (OEM) to check for additional files and exclude their directories from antivirus scanning.
Use OEM to view the location of the following database files:
• Data files, which have the file extension *.DBF
• Control files, which have the file extension *.CTL
• The REDO.LOG file
OCR Server
\SymantecDLPOCR\
DLP 15.5
Enforce Server Specific
\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.5\logs
\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.5\temp
\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.5\tomcatTemp
\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.5\tomcatWorkDir
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.5\scan
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.5\incidents
\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat
Detection Server Specific
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.5\drop
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.5\logs
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.5\temp
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.5\scan
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.5\spool
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.5\incidents
Oracle
\oracle
- You must also exclude the local temporary folder of the user that runs the DLP services (usually "protect").
- You can confirm this folder by running the following command while logged in as the 'protect' user:
echo %TEMP%. - Typically the user is named "protect" and by default, the path is C:\Users\protect\AppData\Local\Temp.
- For Windows Server 2003 and earlier, the default temp folder is C:\Documents and Settings\protect\Local Settings\Temp.
DLP 15.1
Enforce Server Specific
\ProgramData\Symantec\Data Loss Prevention\Enforce Server\15.1\logs
\ProgramData\Symantec\Data Loss Prevention\Enforce Server\15.1\temp
\ProgramData\Symantec\Data Loss Prevention\Enforce Server\15.1\tomcatTemp
\ProgramData\Symantec\Data Loss Prevention\Enforce Server\15.1\tomcatWorkDir
\ProgramData\Symantec\Data Loss Prevention\Server Platform Common\15.1\scan
\ProgramData\Symantec\Data Loss Prevention\Server Platform Common\15.1\incidents
\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\Protect\tomcat
Detection Server Specific
\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\drop
\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\logs
\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\temp
\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\scan
\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\spool
\ProgramData\Symantec\Data Loss Prevention\Server Platform Common\15.1\incidents
Oracle
\oracle
- You must also exclude the local temporary folder of the user that runs the DLP services (usually "protect").
- You can confirm this folder by running the following command while logged in as the 'protect' user:
echo %TEMP%. - Typically the user is named "protect" and by default, the path is C:\Users\protect\AppData\Local\Temp.
- For Windows Server 2003 and earlier, the default temp folder is C:\Documents and Settings\protect\Local Settings\Temp.
DLP 11.6.x through 15.0.x
\drop
\drop_discover
\drop_ep
\drop_pcap
\drop_ttd
\icap_spool
\packet_spool
\SymantecDLP\Protect\incidents
\SymantecDLP\Protect\logs
\SymantecDLP\Protect\temp
\SymantecDLP\Protect\tomcat
\SymantecDLP\Protect\scan
\oracle
Note: Symantec does not recommend that you exclude individual binaries from antivirus applications. The names and locations of binary files may change with new software releases and patches. Additionally, we also create and place files in directories like drop, drop_pcap, etc. Since we do not know what the file names will be, we must exclude the entire directory.
Feedback
