SEP client 'Control Log' shows System Lockdown blocked definitions found in temp folder(s)

Article ID: 177957

Products

Endpoint Protection

Issue/Introduction

With System Lockdown enabled from the Symantec Endpoint Protection Manager, the Symantec Endpoint Protection client 'Control Log' shows that System Lockdown blocked definitions found in a temporary folder. When System Lockdown is in Test Mode and the definitions are shown as blocked, the definitions are still able to process.

Attempting to add the temporary folder(s) to "The following files are approved" section in the System Lockdown settings is not possible because the temporary folders are dynamic.

Symptoms

Examples of definitions being blocked from a temporary folder on Windows XP:
C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp2f8c.tmp\CCERASER.DLL
C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp5cef.tmp\CCERASER.DLL
C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp3061.tmp\CCERASER.DLL

Examples of definitions being blocked from a temporary folder on Windows 7:
C:\ProgramData\Symantec\Definitions\VirusDefs\tmp56a5.tmp\CCERASER.DLL
C:\ProgramData\Symantec\Definitions\VirusDefs\tmp280.tmp\CCERASER.DLL
C:\ProgramData\Symantec\Definitions\VirusDefs\tmp58ba.tmp\CCERASER.DLL

Resolution

Use the following steps to keep System Lockdown from blocking definitions:
1. Open Symantec Endpoint Protection Manager, click the Clients tab, select the group of concern, click the Policies tab, and click the System Lockdown link.
2. In the section "The following files are approved", click Add.
3. Click "Use wildcard matching (* and ? supported)" and add one of the following paths, which point to the VirusDefs directory and end in \*\*:

C:\ProgramData\Symantec\Definitions\VirusDefs\*\* (For Windows Vista, Windows 2008, Windows 7)

C:\Program Files\Common Files\Symantec Shared\VirusDefs\*\* (For Windows XP, Windows 2003)

4. Click OK twice.
5. Right-click the group, click Run Command on Group, and click Update Content to update the policy on the Symantec Endpoint Protection clients.
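
Before approving the wildcard, it is worth confirming that the blocked entries in the Control Log really are definition temp folders and nothing else. The following is an added example, not part of the original article or of any Symantec tooling: it sorts a list of blocked paths into those in a tmp*.tmp definitions folder, those the wildcard would also approve, and those it would not. It assumes the paths have been copied out of the Control Log one per line and reads \*\* as one folder plus one file name under VirusDefs; the function names and the last two sample paths are constructed for illustration.

```python
import ntpath
import re

# VirusDefs roots named in the article (Vista/2008/7 and XP/2003).
ROOTS = [
    r"C:\ProgramData\Symantec\Definitions\VirusDefs",
    r"C:\Program Files\Common Files\Symantec Shared\VirusDefs",
]
# Assumption: "\*\*" is read as exactly one folder plus one file name.
# Windows paths are case-insensitive, hence IGNORECASE.
PATTERNS = [re.compile(re.escape(r) + r"\\([^\\]+)\\[^\\]+", re.IGNORECASE)
            for r in ROOTS]
# Temp folder names as they appear in the article: tmp<hex>.tmp
TMP_DIR = re.compile(r"tmp[0-9a-f]+\.tmp", re.IGNORECASE)

def classify(path):
    """Return 'defs-temp', 'covered-other' or 'not-covered' for one path."""
    # Collapse "." and ".." segments so the match is on the real location.
    p = ntpath.normpath(path.strip().strip('"'))
    for pat in PATTERNS:
        m = pat.fullmatch(p)
        if m:
            return "defs-temp" if TMP_DIR.fullmatch(m.group(1)) else "covered-other"
    return "not-covered"

def triage(paths):
    """Group blocked paths by classification, skipping blank lines."""
    groups = {"defs-temp": [], "covered-other": [], "not-covered": []}
    for p in paths:
        if p.strip():
            groups[classify(p)].append(p.strip())
    return groups

# First two paths are from the article; the last two are constructed.
SAMPLE = [
    r"C:\Program Files\Common Files\Symantec Shared\VirusDefs\tmp2f8c.tmp\CCERASER.DLL",
    r"C:\ProgramData\Symantec\Definitions\VirusDefs\tmp280.tmp\CCERASER.DLL",
    r"C:\ProgramData\Symantec\Definitions\VirusDefs\example_dir\example.dll",
    r"C:\Users\Public\example.exe",
]

if __name__ == "__main__":
    for kind, items in triage(SAMPLE).items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("  " + item)
```

Entries reported as covered-other or not-covered are the ones to review by hand: the first group would be approved by the wildcard even though it is not a definitions temp folder, and the second is blocked for a reason this rule does not address.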