Excluding root of macOS file system does not work as expected in Endpoint Protection for Mac


Article ID: 195378


Updated On:


Endpoint Protection


When troubleshooting performance issues, you may wish to temporarily exclude the root of the file system ("/"), and with it the entire file system, from scanning in order to test the effect of SEP scan exceptions. However, excluding the root of the macOS file system does not work as expected in Symantec Endpoint Protection (SEP) for Mac: test scans continue to detect EICAR, which indicates that the exception is not taking effect.


This may be due to the hardening introduced in macOS 10.15 (Catalina), where the root of the file system is mounted read-only unless macOS SIP (System Integrity Protection) is disabled.

Disabling SIP is not recommended.


SEP for Mac

OS X, macOS


On a managed SEP client you can achieve the desired effect by excluding all of the top-level folders instead of the root itself. Because SEP for Mac supports wildcards, you can exclude "/*" (slash-asterisk, with no prefix variable). Configure this in the Exceptions policy, Mac settings, in SEPM (Symantec Endpoint Protection Manager). Also make sure that "Scan everywhere except in specified folders" is selected in the Virus and Spyware Protection Policy, Mac Settings, Global Scan Options; otherwise the folder exceptions are not applied. As an alternative to excluding the top-level folders, you can select "Scan only in the following folders" in Global Scan Options and specify an empty or non-existent folder.

On an unmanaged SEP for Mac client, scan exceptions are configured in the client GUI under Settings, Scan Zone Settings. You cannot type an exclusion path here directly (you must browse to and select one or more existing files or folders), but you can create an empty folder anywhere in the file system, choose Scan Only, and select that folder.
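The following POSIX shell helpers are an added example, not part of this article or of Symantec's own tooling. They cover the check and the two workarounds above: root_is_readonly parses mount output for the read-only flag on "/" (a constructed sample of macOS 10.15 mount output is embedded, not captured from a real host), make_scan_only_dir creates the empty folder you then select under Scan Only or "Scan only in the following folders", and drop_eicar writes the EICAR test string into a folder and reports whether on-access scanning removed it, which is the test described in the problem statement. The function names, the sample mount lines and the eicar.com file name are assumptions; the script does not change SEP settings itself, which you still do in SEPM or the client GUI.

```shell
#!/bin/sh
# Added example for checking the read-only root condition and testing a SEP
# for Mac scan exception with EICAR. Not from the Broadcom article.
#
# Usage (on the Mac under test):
#   . ./sep-exclusion-check.sh
#   root_is_readonly "$(mount)"            # "yes" on a stock 10.15 system
#   make_scan_only_dir "$HOME/sep-scan-only" # folder to select under Scan Only
#   drop_eicar /Applications 5             # "removed" = scanner acted, "survived" = excluded

# Constructed sample of `mount` output from a macOS 10.15 host (assumption,
# not captured here): the system volume is mounted read-only at "/".
SAMPLE_MOUNT_OUTPUT='/dev/disk1s5 on / (apfs, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk1s1 on /System/Volumes/Data (apfs, local, journaled, nobrowse)'

# Standard EICAR test string; SEP detects it as a test virus.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# root_is_readonly MOUNT_TEXT
# Prints "yes" if the line describing "/" carries the read-only flag,
# "no" if "/" is writable, "unknown" if no "/" line is present.
root_is_readonly() {
    printf '%s\n' "$1" | awk '
        $2 == "on" && $3 == "/" {
            found = 1
            if ($0 ~ /read-only/) print "yes"; else print "no"
            exit
        }
        END { if (!found) print "unknown" }'
}

# make_scan_only_dir DIR
# Creates DIR so it can be selected as the only location to scan.
# Prints "empty" when DIR holds nothing (what you want), "nonempty" otherwise.
make_scan_only_dir() {
    mkdir -p "$1"
    if [ -n "$(ls -A "$1")" ]; then
        echo "nonempty"
    else
        echo "empty"
    fi
}

# drop_eicar DIR [SECONDS]
# Writes eicar.com into DIR, waits SECONDS (default 3) for on-access scanning,
# then prints "removed" if the scanner took the file or "survived" if it is
# still there (exception in effect, or no scanner running). Cleans up after itself.
drop_eicar() {
    dir=$1
    wait_s=${2:-3}
    mkdir -p "$dir"
    file="$dir/eicar.com"
    printf '%s' "$EICAR" > "$file"
    sleep "$wait_s"
    if [ -f "$file" ]; then
        rm -f "$file"
        echo "survived"
    else
        echo "removed"
    fi
}
```

When the exclusion is configured correctly, drop_eicar reports "survived" for folders under the excluded tree and "removed" for a folder you left scannable, which is a quicker check than waiting for a full scheduled scan. Run it against a folder on the Data volume rather than under the sealed system volume, since a read-only location will fail at the write step rather than tell you anything about the exception.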