Verifying Endpoint Protection exceptions for Windows Server 2008 and Windows Server 2003 Domain Controllers


Article ID: 177910




Endpoint Protection


Symantec Endpoint Protection (SEP)

Microsoft Windows 2008 or Microsoft Windows 2003 servers are acting as Domain Controllers in an Active Directory environment. What files and folders need to be excluded from Symantec Endpoint Protection's AV scanning so that SEP won’t impact the Domain Controller performance?



The Symantec Endpoint Protection client software automatically detects the presence of certain third-party applications, and Active Directory Domain Controller is one of them. After the SEP client detects that it is running on a Domain Controller (DC), it automatically creates the necessary exclusions for sensitive files and folders. These files and folders are excluded from all antivirus and antispyware scans.

  • Steps to verify the exclusions for Domain Controllers:
    1. Click Start > Run.
    2. Type regedit.
    3. Browse to the registry key:

    Windows 2003 32-bit
    • HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\Domain Controller

    Windows 2008 64-bit
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\Domain Controller

    Symantec recommends that you examine the Microsoft article below for additional exclusions.

    Virus scanning recommendations for computers that are running Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, Windows XP, or Windows Vista
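
The registry check from the steps above can also be scripted, which makes it easier to review what is excluded from scanning across several Domain Controllers. The following PowerShell is an added example, not Symantec's own tooling: it reads the two key paths given in this article and lists every value beneath them without assuming any layout under the key. It assumes PowerShell 2.0 or later is installed on the server, and the function name Get-SepDcExclusion is hypothetical.

```powershell
# Added example: list the SEP Domain Controller exclusions without opening Regedit.
# The two key paths are the ones given in this article; the function name and
# output shape are illustrative assumptions.
$candidateKeys = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\Domain Controller',
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\Domain Controller'
)

function Get-SepDcExclusion {   # hypothetical helper name
    param([string[]]$KeyPath)

    foreach ($path in $KeyPath) {
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Key not present: $path"
            continue
        }
        # Walk the key itself plus every subkey; no layout beneath it is assumed.
        $keys = @(Get-Item -LiteralPath $path) +
                @(Get-ChildItem -LiteralPath $path -Recurse)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                # One output object per registry value found.
                New-Object PSObject -Property @{
                    Key   = $key.Name
                    Value = $name
                    Data  = $key.GetValue($name)
                }
            }
        }
    }
}

$found = @(Get-SepDcExclusion -KeyPath $candidateKeys)
if ($found.Count -eq 0) {
    # Nothing to list: either SEP did not detect the DC role or the keys differ.
    Write-Warning 'No Domain Controller exclusions found under either key.'
} else {
    $found | Sort-Object Key, Value |
        Format-Table Key, Value, Data -AutoSize -Wrap
}
```

A "Key not present" warning for one of the two paths is normal when only the other path applies to that server.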



How to Create Scanning Exceptions for both Managed and Unmanaged Symantec Endpoint Protection Clients


How to Verify if an Endpoint Client has Automatically Excluded an Application or Directory