
Antivirus flagging Symantec Data Loss Prevention (DLP) as a virus or security threat


Article ID: 160017

Products

Data Loss Prevention Enforce

Issue/Introduction

Antivirus software running on the same system as Symantec DLP flags it as a virus or a security threat.

You want to exclude DLP files from being scanned by antivirus software.

Cause

Symantec Data Loss Prevention (DLP) frequently writes to several common directories. Some antivirus solutions may treat this behavior as a virus or security threat and may shut down DLP.

Environment

This article covers exclusions for DLP servers; for Agents, see Best Practice: Endpoint Agents with Antivirus Protection (broadcom.com)

Resolution

Complete details can be found in the DLP installation guide.

In your antivirus software, exclude or omit the following directories from future scans.

DLP 15.8

Enforce Server Specific

\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\logs (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\scan
\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\temp (with subdirectories)
\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\tomcat
\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\tomcat\temp
\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\tomcat\work
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.8.00000\Protect\incidents
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.8.00000\Protect\index

Detection Server Specific


\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\drop
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\icap_spool
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\packet_spool
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\Protect\incidents
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\Protect\index
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\Protect\logs (with subdirectories)
\Program Files\Symantec\DataLossPrevention\DetectionServer\15.8.00000\Protect\temp (with subdirectories)

Oracle Server

\app\Administrator\oradata\protect
\app\Administrator\product\<version>\dbhome_1
Where <version> is the Oracle software version you are running.
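The following is an added example, not code from this article or from Symantec/Broadcom. It turns the DLP 15.8 list above into something you can apply and verify: it builds the exclusion set for one server role, warns about directories that do not exist on the host (a mistyped exclusion fails silently), adds the missing entries to Microsoft Defender Antivirus and then re-reads the live configuration. Everything beyond the paths themselves is an assumption: that the antivirus is Defender (Add-MpPreference / Get-MpPreference), that DLP is installed on the system drive, and that the role and version you pass match what is installed.

```powershell
# Added example, not code from the KB article or from Symantec/Broadcom.
# Assumptions not stated in the article: the antivirus is Microsoft Defender,
# DLP lives on the system drive, and -Role/-OracleVersion match the install.

function Get-DlpExclusionPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enforce', 'Detection', 'Oracle')]
        [string]$Role,

        # Drive that the article's "\ProgramData\..." paths are relative to.
        [string]$Root = $env:SystemDrive,

        # Oracle software version (the <version> placeholder above); Oracle role only.
        [string]$OracleVersion
    )

    $pd = Join-Path $Root 'ProgramData\Symantec\DataLossPrevention'
    $pf = Join-Path $Root 'Program Files\Symantec\DataLossPrevention'

    # "(with subdirectories)" needs no extra entries: a Defender path exclusion
    # covers everything beneath the directory. The list mirrors the article.
    switch ($Role) {
        'Enforce' {
            "$pd\EnforceServer\15.8.00000\Protect\logs"
            "$pd\EnforceServer\15.8.00000\Protect\scan"
            "$pf\EnforceServer\15.8.00000\Protect\temp"
            "$pf\EnforceServer\15.8.00000\Protect\tomcat"
            "$pf\EnforceServer\15.8.00000\Protect\tomcat\temp"
            "$pf\EnforceServer\15.8.00000\Protect\tomcat\work"
            "$pd\ServerPlatformCommon\15.8.00000\Protect\incidents"
            "$pd\ServerPlatformCommon\15.8.00000\Protect\index"
        }
        'Detection' {
            "$pd\DetectionServer\15.8.00000\drop"
            "$pd\DetectionServer\15.8.00000\icap_spool"
            "$pd\DetectionServer\15.8.00000\packet_spool"
            "$pd\DetectionServer\15.8.00000\Protect\incidents"
            "$pd\DetectionServer\15.8.00000\Protect\index"
            "$pd\DetectionServer\15.8.00000\Protect\logs"
            "$pf\DetectionServer\15.8.00000\Protect\temp"
        }
        'Oracle' {
            if (-not $OracleVersion) {
                throw 'Supply -OracleVersion: the Oracle software version installed under \app\Administrator\product.'
            }
            Join-Path $Root 'app\Administrator\oradata\protect'
            Join-Path $Root "app\Administrator\product\$OracleVersion\dbhome_1"
        }
    }
}

function Set-DlpAvExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enforce', 'Detection', 'Oracle')]
        [string]$Role,
        [string]$Root = $env:SystemDrive,
        [string]$OracleVersion
    )

    $wanted = @(Get-DlpExclusionPath -Role $Role -Root $Root -OracleVersion $OracleVersion)

    # A mistyped path excludes nothing and fails silently, so flag directories
    # that do not exist on this host before touching the AV configuration.
    foreach ($p in $wanted) {
        if (-not (Test-Path -LiteralPath $p -PathType Container)) {
            Write-Warning "Directory not found (wrong version, drive or role?): $p"
        }
    }

    $current = @((Get-MpPreference).ExclusionPath)
    $missing = @($wanted | Where-Object { $current -notcontains $_ })
    if ($missing.Count -eq 0) {
        Write-Verbose 'All exclusions already present.'
        return
    }
    if ($PSCmdlet.ShouldProcess(($missing -join "`n"), 'Add Defender path exclusions')) {
        Add-MpPreference -ExclusionPath $missing
    }

    # Re-read the live configuration instead of trusting that the call took effect.
    $after = @((Get-MpPreference).ExclusionPath)
    $still = @($wanted | Where-Object { $after -notcontains $_ })
    if ($still.Count -gt 0 -and -not $WhatIfPreference) {
        Write-Warning ("Still not excluded:`n" + ($still -join "`n"))
    }
}

# Preview first; then run the same call without -WhatIf from an elevated session.
Set-DlpAvExclusion -Role Enforce -WhatIf
# Set-DlpAvExclusion -Role Enforce
# Set-DlpAvExclusion -Role Oracle -OracleVersion '<version>'
```

For a different antivirus product, keep the two functions and swap only the Get-MpPreference / Add-MpPreference lines for that product's equivalent; the directory list, the existence check and the read-back are product-independent.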

DLP 15.7

Enforce Server Specific

\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.7\logs (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.7\scan (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.7\temp (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.7\tomcatTemp
\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.7\tomcatWorkDir

\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.7\incidents
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.7\index

\Program Files\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\tomcat

Detection Server Specific

\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.7\drop
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.7\spool\ICAP
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.7\spool\PacketCapture
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.7\Protect\incidents
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.7\Protect\index
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.7\Protect\logs (with subdirectories)

\Program Files\Symantec\DataLossPrevention\DetectionServer\15.7\Protect\temp (with subdirectories)

Oracle Server

When the Symantec Data Loss Prevention application accesses files and directories, it can appear to antivirus software as if it were a virus. Therefore, you must exclude certain directories from antivirus scans on Symantec Data Loss Prevention servers.


Using your antivirus software, exclude the following Oracle directories from antivirus scanning:


• \app\Administrator\oradata\protect
• \app\Administrator\product\12.2.0.1\dbhome_1


Most of the Oracle files to be excluded are located in these directories, but additional files are located in other directories.
Use the Oracle Enterprise Manager (OEM) to check for additional files and exclude their directories from antivirus scanning.

Use OEM to view the location of the following database files:

• Data files, which have the file extension *.DBF
• Control files, which have the file extension *.CTL
• The REDO.LOG file
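The following is an added example, not code from this article or from Symantec/Broadcom. Instead of browsing Oracle Enterprise Manager, it asks the database itself where its data files, control files and redo log members live (the v$datafile, v$controlfile and v$logfile views), reduces those file names to their directories, and shows which directories are not yet excluded. It goes slightly beyond the article's three file kinds by also including temp files (v$tempfile, also *.DBF), which sit beside the data files. Assumptions not stated in the article: SQL*Plus is on the PATH, the script runs on the Oracle host as an OS user allowed to connect "/ as sysdba", and the antivirus is Microsoft Defender. The sample output at the end is constructed, not taken from a real system.

```powershell
# Added example, not code from the KB article or from Symantec/Broadcom.
# Assumptions: sqlplus on PATH, OS-authenticated SYSDBA access on the Oracle
# host, Microsoft Defender as the antivirus.

function Get-OracleFileDirectory {
    [CmdletBinding()]
    param(
        # Raw SQL*Plus output lines. Left as a parameter so the parsing can be
        # exercised on sample text without a database; omit it for a live query.
        [string[]]$SqlPlusOutput
    )

    if (-not $PSBoundParameters.ContainsKey('SqlPlusOutput')) {
        # Single-quoted here-string so that "$" reaches SQL*Plus untouched (v$datafile).
        $sql = @'
SET PAGESIZE 0 FEEDBACK OFF HEADING OFF LINESIZE 1000 TRIMSPOOL ON
SELECT name   FROM v$datafile
UNION ALL
SELECT name   FROM v$tempfile
UNION ALL
SELECT name   FROM v$controlfile
UNION ALL
SELECT member FROM v$logfile;
EXIT;
'@
        $SqlPlusOutput = @($sql | sqlplus -S '/ as sysdba')
    }

    # A failed connection prints ORA-/SP2- lines and no paths; do not treat
    # that as "nothing to exclude".
    $errors = @($SqlPlusOutput | Where-Object { $_ -match '^(ORA|SP2)-\d+' })
    if ($errors.Count -gt 0) {
        throw "SQL*Plus reported: $($errors -join '; ')"
    }

    # Keep absolute Windows paths only, drop the file name, de-duplicate.
    $SqlPlusOutput |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[A-Za-z]:\\' } |
        ForEach-Object { Split-Path -Path $_ -Parent } |
        Sort-Object -Unique
}

function Set-OracleAvExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $dirs    = @(Get-OracleFileDirectory)
    $current = @((Get-MpPreference).ExclusionPath)
    $new     = @($dirs | Where-Object { $current -notcontains $_ })
    if ($new.Count -eq 0) { return }
    if ($PSCmdlet.ShouldProcess(($new -join "`n"), 'Add Defender path exclusions')) {
        Add-MpPreference -ExclusionPath $new
    }
}

# Constructed sample output (not from a real system) to show the reduction to
# directories. Note the second control-file copy on another drive: a fixed
# \app\Administrator\oradata\protect exclusion alone would miss it, which is
# exactly why the article tells you to look the locations up.
$sample = @(
    'C:\APP\ADMINISTRATOR\ORADATA\PROTECT\SYSTEM01.DBF',
    'C:\APP\ADMINISTRATOR\ORADATA\PROTECT\TEMP01.DBF',
    'C:\APP\ADMINISTRATOR\ORADATA\PROTECT\CONTROL01.CTL',
    'C:\APP\ADMINISTRATOR\ORADATA\PROTECT\REDO01.LOG',
    'D:\ORAFRA\PROTECT\CONTROL02.CTL'
)
Get-OracleFileDirectory -SqlPlusOutput $sample

# Live run against the local database: preview, then apply from an elevated session.
# Set-OracleAvExclusion -WhatIf
# Set-OracleAvExclusion
```

Run the live query again after adding tablespaces, multiplexing control files or moving redo logs; the exclusion set is only as current as the last time the dictionary views were checked.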

OCR Server

\SymantecDLPOCR\


DLP 15.5 

Enforce Server Specific

\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.5\logs
\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.5\temp
\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.5\tomcatTemp
\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.5\tomcatWorkDir

\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.5\scan
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.5\incidents

\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat

Detection Server Specific

\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.5\drop
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.5\logs
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.5\temp
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.5\scan
\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.5\spool

\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.5\incidents

Oracle

\oracle

  • You must also exclude the local temporary folder of the user that runs the DLP services (usually "protect").
  • You can confirm this folder by running the following command while logged in as the 'protect' user: echo %TEMP%.
  • Typically the user is named "protect" and by default, the path is C:\Users\protect\AppData\Local\Temp.
  • For Windows Server 2003 and earlier, the default temp folder is C:\Documents and Settings\protect\Local Settings\Temp.


DLP 15.1 

Enforce Server Specific

\ProgramData\Symantec\Data Loss Prevention\Enforce Server\15.1\logs
\ProgramData\Symantec\Data Loss Prevention\Enforce Server\15.1\temp
\ProgramData\Symantec\Data Loss Prevention\Enforce Server\15.1\tomcatTemp
\ProgramData\Symantec\Data Loss Prevention\Enforce Server\15.1\tomcatWorkDir

\ProgramData\Symantec\Data Loss Prevention\Server Platform Common\15.1\scan
\ProgramData\Symantec\Data Loss Prevention\Server Platform Common\15.1\incidents

\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\Protect\tomcat

Detection Server Specific

\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\drop
\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\logs
\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\temp
\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\scan
\ProgramData\Symantec\Data Loss Prevention\Detection Server\15.1\spool

\ProgramData\Symantec\Data Loss Prevention\Server Platform Common\15.1\incidents

Oracle

\oracle

  • You must also exclude the local temporary folder of the user that runs the DLP services (usually "protect").
  • You can confirm this folder by running the following command while logged in as the 'protect' user: echo %TEMP%.
  • Typically the user is named "protect" and by default, the path is C:\Users\protect\AppData\Local\Temp.
  • For Windows Server 2003 and earlier, the default temp folder is C:\Documents and Settings\protect\Local Settings\Temp.
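The following is an added example, not code from this article or from Symantec/Broadcom; it serves the identical notes under DLP 15.5 and DLP 15.1 above. Rather than assuming the service account is "protect" and logging on as it, it reads which account the DLP Windows services actually run as and derives that account's default local temp folder from its profile. The one assumption not stated in the article is how the services are recognised: here by a display name containing "DLP", which you may need to adjust. A TEMP redirected by policy or by the user is not visible this way, so "echo %TEMP%" in the account's own session remains the authoritative check; this script tells you which account to do that as and what the default answer should be.

```powershell
# Added example, not code from the KB article or from Symantec/Broadcom.
# Assumption: the DLP services can be found by display name (-DisplayNameFilter).

function Get-DlpServiceAccountTemp {
    [CmdletBinding()]
    param([string]$DisplayNameFilter = '*DLP*')

    $accounts = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like $DisplayNameFilter } |
        Select-Object -ExpandProperty StartName -Unique

    if (-not $accounts) {
        Write-Warning "No services match '$DisplayNameFilter'; adjust the filter."
        return
    }

    foreach ($acct in $accounts) {
        # LocalSystem and similar built-in identities have no per-user temp folder.
        if ($acct -notmatch '\\') { continue }

        # Services store local accounts as ".\name"; NTAccount wants "COMPUTER\name".
        $ntName = $acct -replace '^\.\\', "$env:COMPUTERNAME\"
        try {
            $sid = ([System.Security.Principal.NTAccount]$ntName).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            Write-Warning "Cannot resolve $acct to a SID: $_"
            continue
        }

        # The profile (and therefore the temp folder) only exists once the
        # account has logged on at least once.
        $prof = Get-CimInstance -ClassName Win32_UserProfile | Where-Object { $_.SID -eq $sid }
        if (-not $prof) {
            Write-Warning "$acct has no local profile yet; it is created on the account's first logon."
            continue
        }

        # Default location; a redirected %TEMP% must be confirmed from the
        # account's own session with: echo %TEMP%
        [pscustomobject]@{
            Account = $acct
            Temp    = Join-Path $prof.LocalPath 'AppData\Local\Temp'
        }
    }
}

Get-DlpServiceAccountTemp
```

Add the reported Temp directory to the same exclusion list as the DLP directories; if several DLP services run as different accounts, each account's temp folder needs its own entry.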


DLP 11.6.x through 15.0.x

\drop 
\drop_discover
\drop_ep
\drop_pcap
\drop_ttd
\icap_spool
\packet_spool
\SymantecDLP\Protect\incidents
\SymantecDLP\Protect\logs
\SymantecDLP\Protect\temp
\SymantecDLP\Protect\tomcat
\SymantecDLP\Protect\scan
\oracle

Note: Symantec does not recommend excluding individual binaries from antivirus applications. The names and locations of binary files may change with new software releases and patches. In addition, DLP creates and places files in directories such as drop and drop_pcap whose file names cannot be known in advance, so the entire directory must be excluded.