Excluding root of macOS file system does not work as expected in Endpoint Protection for Mac

Article ID: 195378

Products

Endpoint Protection

Issue/Introduction

You may wish to temporarily exclude the file system root ("/"), and thus the entire file system, to test the effect of SEP scan exceptions on performance issues. However, excluding the root of the macOS file system does not work as expected in SEP (Symantec Endpoint Protection for Mac). Test scans will continue to detect EICAR, indicating that the exception is not working.

Cause

This may be due to the fact that macOS 10.15 is hardened so that the root of the file system is read-only unless macOS SIP (System Integrity Protection) is disabled.

It is not recommended that you disable SIP.

Environment

SEP for Mac

OS X, macOS

Resolution

You may achieve the same desired effect on a managed SEP client by excluding all of the root folders. Since SEP for Mac supports wildcards, you may exclude "/*" (slash-asterisk, no prefix variable). You can do this in the Exceptions policy, Mac settings, in SEPM (SEP Manager). Remember also to choose "Scan everywhere except in specified folders" in the Virus and Spyware Protection Policy, Mac Settings, Global Scan Options. As an alternative to excluding root folders, you could also choose "Scan only in the following folders" in Global Scan Options and specify an empty or non-existent folder.

On an unmanaged SEP for Mac client, scan exceptions are configured in the client GUI under Settings > Scan Zone Settings. You cannot directly type in an exclusion here (you must browse to and select one or more existing files/folders), but you can create an empty folder anywhere in the file system, choose Scan Only, and select that folder.