Configure scan exceptions on Endpoint Protection for Linux from the command line interface

Article ID: 177790

Products

Endpoint Protection

Issue/Introduction

Manually configure scan exceptions on Symantec Endpoint Protection (SEP) for Linux from the command line interface.

Resolution

Exceptions can be configured from the command line in SEP for Linux by using the symcfg tool. This tool must be run as root. For the most up-to-date documentation on symcfg, please refer to the attached SEP for Linux Client Guide. These instructions apply to a managed or unmanaged client. Exceptions that are set this way are not overwritten by the Symantec Endpoint Protection Manager (SEPM); they will be used in addition to any exceptions from the SEPM.

Scan exceptions in SEP for Linux are case sensitive, and use forward slashes instead of back slashes as in Windows paths. Conventional wildcards (*,?) are supported as of SEP version 14.2 RU1. Wildcards are supported only for directory exclusions. You can also specify general exceptions for file extensions like .txt, .html, etc.

Directory exceptions for real time scans

To enable directory exceptions (note that backslashes are used in the configuration key passed to -k, even though the excluded paths themselves use forward slashes):

symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan' -v HaveExceptionDirs -d 1 -t REG_DWORD

(use -d 0 instead of -d 1 to disable)

To add excluded directories:

symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir' -v /my/path/to/folder1 -d 1 -t REG_DWORD
symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir' -v /my/path/to/folder2 -d 1 -t REG_DWORD # etc.

Be careful to specify directory exceptions using full paths with a leading slash, otherwise the exception may be ignored.

If you want to exclude a directory but not its sub-directories, use -d 0 on the command line, e.g.:

symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir' -v /my/path/to/folder2 -d 0 -t REG_DWORD

The above example will exclude /my/path/to/folder2, but will not exclude sub-folders.

To remove a single directory exception:

symcfg delete -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir' -v /my/path/to/folder2

To remove all excluded directories:

symcfg delete -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir'

File exceptions for real time scans

Note that wildcards are supported only for directory exceptions, not files. To enable file exceptions:

symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan' -v HaveExceptionFiles -d 1 -t REG_DWORD

(use -d 0 instead of -d 1 to disable)

WARNING: HaveExceptionFiles=0 will also disable file extension exceptions. To disable file exceptions without affecting file extension exceptions, delete the HaveExceptionFiles value rather than setting it to zero:

symcfg delete -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan' -v HaveExceptionFiles

To add excluded files:

symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\FileExceptions' -v /my/path/to/file1 -d 1 -t REG_DWORD
symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\FileExceptions' -v /my/path/to/file2 -d 1 -t REG_DWORD # etc.

File exceptions require the full path, including the leading forward slash.

To remove a single file exception:

symcfg delete -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\FileExceptions' -v /my/path/to/file2

To remove all excluded files:

symcfg delete -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\FileExceptions'

Excluding extensions in real time scans

To enable extension exceptions:

symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan' -v ExcludedByExtensions -d 1 -t REG_DWORD

(use -d 0 instead of -d 1 to disable. Note also the WARNING above about HaveExceptionFiles: that value must be absent or set to 1 for extension exceptions to work.)

To specify excluded extensions (*.abc and *.xyz in this example):

symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan' -v ExcludedExtensions -d 'abc,xyz' -t REG_SZ

Note that, unlike file and directory exceptions, the entire list of excluded extensions is specified in one command. To add or remove a single extension, re-run the command with the modified list.

Exceptions for scans other than real time

The commands are identical to the ones above, but Storages\FileSystem\RealTimeScan is replaced with the following:

  • LocalScans\ManualScan for exceptions that are applied to all manual scans.
     
  • Custom Tasks\[ScanID], e.g. "Custom Tasks\MySchedScan", for exceptions that are applied to the local scan named "MySchedScan". NOTE: there is a space in "Custom Tasks". Also, scheduling and exceptions for an admin scan can only be configured at the SEPM. Use the "sav scheduledscan --list" command to see the list of scheduled scans, their names, and which are admin or local. The sav man page describes options for creating local scans using the "sav scheduledscan --create" command.
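The following POSIX shell script is an added example, not Symantec's code and not part of this article. It wraps the symcfg commands above in small functions so that the rules the article states (absolute paths with forward slashes, no wildcards for file exceptions, the whole extension list set in one command, and the key prefix swapped for manual or custom scans) are enforced before anything reaches symcfg. The function names, the SEP_DRY_RUN variable and the scope names "realtime" and "manual" are this example's own conventions; the registry-style keys and value names are the ones given in the article.

```shell
#!/bin/sh
# Added example (not Symantec's code): a thin wrapper around the symcfg commands
# in this article. It checks paths the way the article says SEP expects them
# (absolute, forward slashes, no wildcards for files) and builds the key prefix
# for the chosen scan scope. Function and variable names are this example's own.
# SEP_DRY_RUN=1 (the default) prints the commands; set it to 0 and run as root to apply.

SEP_DRY_RUN="${SEP_DRY_RUN:-1}"

# sep_key SCOPE: key prefix for "realtime", "manual", or a custom scan task name
sep_key() {
  case "$1" in
    realtime) printf '%s' '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan' ;;
    manual)   printf '%s' '\Symantec Endpoint Protection\AV\LocalScans\ManualScan' ;;
    *)        printf '%s' "\\Symantec Endpoint Protection\\AV\\Custom Tasks\\$1" ;;
  esac
}

# sep_valid_path PATH: succeeds only for an absolute path that uses forward slashes
sep_valid_path() {
  case "$1" in
    /*) ;;
    *)  return 1 ;;
  esac
  case "$1" in
    *\\*) return 1 ;;
  esac
  return 0
}

# sep_run OP KEY ARGS...: print the symcfg command (dry run) or execute it
sep_run() {
  op=$1; key=$2; shift 2
  if [ "$SEP_DRY_RUN" = 1 ]; then
    printf "symcfg %s -k '%s'" "$op" "$key"
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
  else
    symcfg "$op" -k "$key" "$@"
  fi
}

# sep_enable_exceptions SCOPE: turn on directory and file exceptions for SCOPE
sep_enable_exceptions() {
  sep_run add "$(sep_key "$1")" -v HaveExceptionDirs -d 1 -t REG_DWORD
  sep_run add "$(sep_key "$1")" -v HaveExceptionFiles -d 1 -t REG_DWORD
}

# sep_add_dir SCOPE DIR [RECURSE]: exclude DIR; RECURSE=1 (default) also excludes
# sub-directories, RECURSE=0 excludes only the directory itself
sep_add_dir() {
  sep_valid_path "$2" || {
    printf 'rejected %s: use an absolute path with forward slashes\n' "$2" >&2
    return 1
  }
  sep_run add "$(sep_key "$1")\\NoScanDir" -v "$2" -d "${3:-1}" -t REG_DWORD
}

# sep_add_file SCOPE FILE: exclude one file; wildcards are refused because the
# article says they work only for directory exceptions
sep_add_file() {
  sep_valid_path "$2" || {
    printf 'rejected %s: use an absolute path with forward slashes\n' "$2" >&2
    return 1
  }
  case "$2" in
    *[*?]*) printf 'rejected %s: wildcards are not supported for files\n' "$2" >&2; return 1 ;;
  esac
  sep_run add "$(sep_key "$1")\\FileExceptions" -v "$2" -d 1 -t REG_DWORD
}

# sep_set_extensions SCOPE EXT...: enable extension exceptions and set the whole
# list in one command (each call replaces the previous list, as the article notes)
sep_set_extensions() {
  scope=$1; shift
  list=$(printf '%s,' "$@"); list=${list%,}
  sep_run add "$(sep_key "$scope")" -v ExcludedByExtensions -d 1 -t REG_DWORD
  sep_run add "$(sep_key "$scope")" -v ExcludedExtensions -d "$list" -t REG_SZ
}
```

Source the file and call the functions, for instance `sep_enable_exceptions realtime; sep_add_dir realtime /srv/data 0; sep_set_extensions manual abc xyz`, and read the printed commands before re-running with `SEP_DRY_RUN=0` as root. The wrapper does not check that a custom task name exists; compare it against the output of `sav scheduledscan --list` first, since the article notes that exceptions for admin scans can only be set at the SEPM.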

Technical Information

"Symantec Endpoint Protection\AV" is the key prefix in SEP (and SAV for Linux as of version 1.0.6). Older versions of SAVFL used keys that were prefixed with "VirusProtect6".

Additional information can be found in the Connect Forum article SAV for Linux Scanning Best Practices: A (Somewhat) Illustrated Guide.


Attachments

1590139400096__Command-line interface for the sav tool in Symantec Endpoint Protection for Linux.pdf