Endpoint Protection interfering with Docker containers on Windows Server 2016

Article ID: 169698

Products

Endpoint Protection

Issue/Introduction

Cannot create or launch Docker containers on Windows Server 2016 when Symantec Endpoint Protection (SEP) is installed.

Cause

This is caused by the Application Control component of SEP.

Environment

Windows Server 2016

Resolution

To work around this issue, upgrade to SEP 14 RU1 or newer and add the following paths as Windows File Exceptions to the Exceptions Policy in the Symantec Endpoint Protection Manager (SEPM).

Prefix Variable    File and Path (Exclude child processes)
%[SYSTEM]%         lsass.exe
%[SYSTEM]%         svchost.exe
%[SYSTEM]%         cexecsvc.exe
%[SYSTEM]%         oobe\windeploy.exe

For each exception, choose "Application Control" as the type of scan that excludes the file, and also select "Exclude child processes". Then deploy the new Exceptions Policy to the affected clients.

Note: if you were experiencing a Docker installation failure before putting these exceptions into place, you may need to uninstall the failed package before retrying.

If you will be adding Windows Features to a live container, or installing a service, additional exceptions may be needed. The following example shows the exceptions required both to run an MSI install and to run the DNS service (not all of these are necessary in every situation):

Prefix Variable    File and Path (Exclude child processes)
%[WINDOWS]%        servicing\trustedinstaller.exe
%[SYSTEM]%         msiexec.exe
%[SYSTEM]%         dns.exe
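Before deploying either set of exceptions, it helps to see exactly which binaries on the container host they will cover. The following PowerShell script is an added example and is not part of the Symantec article or product; it resolves each entry from both tables above to a concrete path on a Windows Server 2016 host, then reports whether the file exists and whether it carries a valid Authenticode signature. It assumes that the SEP prefix variable %[SYSTEM]% maps to the System32 directory and %[WINDOWS]% to the Windows directory.

```powershell
# Added example (not from the Symantec article): resolve the SEP exception
# entries to concrete paths on this host and confirm each binary exists and
# is validly signed before the Exceptions Policy is deployed.
# Assumption: %[SYSTEM]% = System32 directory, %[WINDOWS]% = Windows directory.

$prefixMap = @{
    '%[SYSTEM]%'  = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
    '%[WINDOWS]%' = [Environment]::GetFolderPath('Windows')  # e.g. C:\Windows
}

# Exception entries taken from the two tables in the article.
$entries = @(
    # Base set needed to create and launch containers.
    @{ Prefix = '%[SYSTEM]%';  Path = 'lsass.exe' },
    @{ Prefix = '%[SYSTEM]%';  Path = 'svchost.exe' },
    @{ Prefix = '%[SYSTEM]%';  Path = 'cexecsvc.exe' },
    @{ Prefix = '%[SYSTEM]%';  Path = 'oobe\windeploy.exe' },
    # Additional set for in-container MSI installs and the DNS service.
    @{ Prefix = '%[WINDOWS]%'; Path = 'servicing\trustedinstaller.exe' },
    @{ Prefix = '%[SYSTEM]%';  Path = 'msiexec.exe' },
    @{ Prefix = '%[SYSTEM]%';  Path = 'dns.exe' }
)

function Resolve-SepException {
    param([hashtable]$Entry)

    $full   = Join-Path $prefixMap[$Entry.Prefix] $Entry.Path
    $exists = Test-Path -LiteralPath $full -PathType Leaf
    $status = 'NotFound'
    $signer = $null

    if ($exists) {
        # Status is Valid for a correctly signed file; anything else deserves a look
        # before you exempt the binary and its children from Application Control.
        $sig    = Get-AuthenticodeSignature -FilePath $full
        $status = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        Entry     = "$($Entry.Prefix) $($Entry.Path)"
        FullPath  = $full
        Exists    = $exists
        Signature = $status
        Signer    = $signer
    }
}

$entries | ForEach-Object { Resolve-SepException $_ } | Format-Table -AutoSize
```

A missing file is expected in some cases: dns.exe is only present when the DNS Server role is installed, and cexecsvc.exe only when the Containers feature is. Because svchost.exe and lsass.exe sit at the root of large process trees, "Exclude child processes" on those entries removes Application Control coverage from everything they spawn, so assign the Exceptions Policy to a group containing only the affected container hosts rather than to all clients.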