
Preventing PFIL events from occurring on a Domain Controller where SEP is installed


Article ID: 162534

Products

Data Center Security Server Advanced

Issue/Introduction

When Symantec Endpoint Protection (SEP) is installed on a host that also runs the Data Center Security (DCS) agent, many SEP processes open files by file ID (the NTFS file reference number) rather than by file path. Because of this access pattern, you may see a large number of PFIL file-access events when SEP is installed on a Domain Controller.

Cause

The events are generated when these processes try to access Domain Controller data that the Domain Controller policy marks as No-Access. Because the policy rules block access to those files by file ID, SEP cannot function properly; the PFIL events are the symptom of that blocked access.
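The following PowerShell script is an added example, not part of the Symantec article and not SEP or DCS code. It shows the access pattern the article describes: a file is opened through a volume handle plus its 8-byte NTFS file ID, so the caller never supplies a path, yet the kernel still maps the handle back to the real file. The Win32 calls (OpenFileById, GetFileInformationByHandle, GetFinalPathNameByHandle) are real; the file names under $env:TEMP and the FileIdOpen class name are assumptions made for the demo.

```powershell
# Added example (not from the article): open a file by NTFS file ID instead of by path.
# Run on any NTFS volume in an ordinary session; do not point it at SYSVOL on a DC.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

public static class FileIdOpen
{
    // FILE_ID_DESCRIPTOR: DWORD dwSize; FILE_ID_TYPE Type; union { LARGE_INTEGER FileId; ... } (24 bytes)
    [StructLayout(LayoutKind.Explicit, Size = 24)]
    public struct FILE_ID_DESCRIPTOR
    {
        [FieldOffset(0)] public uint dwSize;
        [FieldOffset(4)] public int Type;      // 0 = FileIdType (64-bit file reference number)
        [FieldOffset(8)] public long FileId;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct BY_HANDLE_FILE_INFORMATION
    {
        public uint FileAttributes;
        public System.Runtime.InteropServices.ComTypes.FILETIME CreationTime, LastAccessTime, LastWriteTime;
        public uint VolumeSerialNumber, FileSizeHigh, FileSizeLow, NumberOfLinks, FileIndexHigh, FileIndexLow;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool GetFileInformationByHandle(IntPtr hFile, out BY_HANDLE_FILE_INFORMATION info);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenFileById(IntPtr hVolumeHint, ref FILE_ID_DESCRIPTOR lpFileId,
        uint dwDesiredAccess, uint dwShareMode, IntPtr lpSecurityAttributes, uint dwFlagsAndAttributes);

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern uint GetFinalPathNameByHandle(IntPtr hFile, System.Text.StringBuilder path, uint cch, uint flags);

    // Read the 64-bit file reference number of an existing file (what a path-based open resolves to).
    public static long GetFileId(string path)
    {
        using (var fs = System.IO.File.OpenRead(path))
        {
            BY_HANDLE_FILE_INFORMATION info;
            if (!GetFileInformationByHandle(fs.SafeFileHandle.DangerousGetHandle(), out info))
                throw new System.ComponentModel.Win32Exception();
            return ((long)info.FileIndexHigh << 32) | info.FileIndexLow;
        }
    }

    // Open by ID: the only inputs are a handle to some file on the volume and the 8-byte ID. No path is given.
    public static SafeFileHandle OpenByFileId(IntPtr volumeHint, long fileId)
    {
        var desc = new FILE_ID_DESCRIPTOR();
        desc.dwSize = (uint)Marshal.SizeOf(typeof(FILE_ID_DESCRIPTOR));
        desc.Type = 0;
        desc.FileId = fileId;
        const uint GENERIC_READ = 0x80000000, FILE_SHARE_READ = 1, FILE_SHARE_WRITE = 2;
        IntPtr h = OpenFileById(volumeHint, ref desc, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, IntPtr.Zero, 0);
        if (h == new IntPtr(-1)) throw new System.ComponentModel.Win32Exception();
        return new SafeFileHandle(h, true);
    }

    // Ask the kernel which path the ID-only handle actually refers to.
    public static string PathFromHandle(SafeFileHandle h)
    {
        var sb = new System.Text.StringBuilder(1024);
        uint n = GetFinalPathNameByHandle(h.DangerousGetHandle(), sb, (uint)sb.Capacity, 0);
        if (n == 0) throw new System.ComponentModel.Win32Exception();
        return sb.ToString();
    }
}
"@

# Constructed sample files (assumed names) on the same volume: one target, one "hint" handle.
$target = Join-Path $env:TEMP 'dcs-fileid-demo.txt'
$hintPath = Join-Path $env:TEMP 'dcs-fileid-hint.txt'
[System.IO.File]::WriteAllText($target, 'opened by file ID, not by path')
[System.IO.File]::WriteAllText($hintPath, '')

$id = [FileIdOpen]::GetFileId($target)
'{0} has NTFS file ID 0x{1:X16}' -f $target, $id

$hint = [System.IO.File]::OpenRead($hintPath)          # any open file on the volume serves as the hint
try {
    $handle = [FileIdOpen]::OpenByFileId($hint.SafeFileHandle.DangerousGetHandle(), $id)
    $reader = New-Object System.IO.StreamReader(New-Object System.IO.FileStream($handle, [System.IO.FileAccess]::Read))
    'Path the kernel resolves for the ID-only handle: ' + [FileIdOpen]::PathFromHandle($handle)
    'Content read through the ID-only open          : ' + $reader.ReadToEnd()
    $reader.Dispose()
} finally {
    $hint.Dispose()
    Remove-Item $target, $hintPath -ErrorAction SilentlyContinue
}
```

The second open reaches the same bytes as a normal open of the target path, but the request that the file system driver receives carries a volume handle and a file ID rather than a name. That is the behaviour the article attributes to SEP, and it is why a rule expressed as a path pattern such as \Device\HarddiskVolume?\WINDOWS\SYSVOL\* under "Block all access" ends up denying SEP's reads and producing PFIL events. Running the script on a SEP-protected DC is not needed to observe the mechanism; a workstation NTFS volume shows the same result.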

Resolution

The 6.0 Windows Domain Controller policy contains the following two changes, which allow SEP to function properly and prevent the PFIL events on a Domain Controller where SEP is installed:

  1. The Obey All Other Application Data Restrictions option is disabled in the Host Security Programs sandbox.
  2. The \Device\HarddiskVolume?\WINDOWS\SYSVOL\* parameter value is moved from the Block all access to the following files list to the Block modifications to the following files list. Reads of SYSVOL (including reads by file ID) are therefore permitted, while writes remain blocked.
     These lists are available in Global Policy Options > Domain Controller Settings > Data Protection > File Data.

Hardening a Domain Controller without SEP installed: If SEP is not installed on a Domain Controller and you want to harden it with the stricter rules the policy used before the changes above, reverse those two changes by editing the policy:

  1. Enable the Obey All Other Application Data Restrictions option in the Host Security Programs sandbox.
  2. Go to Global Policy Options > Domain Controller Settings > Data Protection > File Data and move the \Device\HarddiskVolume?\WINDOWS\SYSVOL\* parameter value from the Block modifications to the following files list back to the Block all access to the following files list.

Do not apply the stricter rules to a Domain Controller that runs SEP: with SYSVOL under Block all access, SEP's file-ID reads are denied again and the PFIL events return.