Endpoint Protection interfering with Docker containers on Windows Server 2016
Article ID: 169698
Updated On:
Products
Issue/Introduction
Cannot create or launch Docker containers on Windows Server 2016 when Symantec Endpoint Protection (SEP) is installed.
Environment
Windows Server 2016
Cause
This is caused by the Application Control component of SEP.
Resolution
To work around this issue, Upgrade to SEP 14 RU1, or newer, and add the following paths as Windows File Exceptions to the Exceptions Policy at the SEPM.
| Prefix Variable | File and Path (Exclude child processes) |
| %[SYSTEM]% | lsass.exe |
| %[SYSTEM]% | svchost.exe |
| %[SYSTEM]% | cexecsvc.exe |
| %[SYSTEM]% | oobe\windeploy.exe |
Ensure to choose "Application Control" (for the type of scan that excludes the file) and select also "Exclude child processes". The new Exceptions Policy should then be deployed to the affected clients.
Note: if experiencing a Docker installation failure before putting these exceptions into place, uninstall the failed package before retrying.
For situations where adding Windows Features to a live container, or installing a service, additional exceptions may be needed. The following example shows the exceptions to both run an MSI install and run the DNS service (Not all of these are necessary for all situations):
| Prefix Variable | File and Path (Exclude child processes) |
| %[WINDOWS]% | servicing\trustedinstaller.exe |
| %[SYSTEM]% | msiexec.exe |
| %[SYSTEM]% | dns.exe |
Feedback
