Servers with Antivirus and Symantec Data Loss Prevention (DLP) Server Software

Article ID: 160017

Updated On: 02-26-2025

Products

  • Data Loss Prevention Enforce
  • Data Loss Prevention
  • Data Loss Prevention API Detection for Developer Apps Virtual Appliance
  • Data Loss Prevention API Detection Virtual Appliance
  • Data Loss Prevention Cloud Detection Service
  • Data Loss Prevention Cloud Detection Service for ICAP
  • Data Loss Prevention Cloud Detection Service for REST
  • Data Loss Prevention Cloud Package
  • Data Loss Prevention Cloud Prevent for Microsoft Office 365
  • Data Loss Prevention Cloud Storage
  • Data Loss Prevention Core Package
  • Data Loss Prevention Endpoint Discover
  • Data Loss Prevention Endpoint Prevent
  • Data Loss Prevention Endpoint Suite
  • Data Loss Prevention Enterprise Suite
  • Data Loss Prevention Form Recognition
  • Data Loss Prevention Network Discover
  • Data Loss Prevention Network Email
  • Data Loss Prevention Network Monitor
  • Data Loss Prevention Network Monitor and Prevent for Email
  • Data Loss Prevention Network Monitor and Prevent for Email and Web
  • Data Loss Prevention Network Monitor and Prevent for Web
  • Data Loss Prevention Network Prevent for Email
  • Data Loss Prevention Network Prevent for Email Virtual Appliance
  • Data Loss Prevention Network Prevent for Web Virtual Appliance
  • Data Loss Prevention Network Protect
  • Data Loss Prevention Network Web
  • Data Loss Prevention Oracle Standard Edition 2
  • Data Loss Prevention Plus Suite
  • Data Loss Prevention Sensitive Image Recognition

Issue/Introduction

Antivirus software is running on the same system as Symantec DLP, and it may or may not be flagging DLP as a virus or a security threat.

You want to exclude DLP files from being scanned by antivirus software.

Environment

This article covers exclusions for DLP servers; for Agents, see Best Practice: Endpoint Agents with Antivirus Protection (broadcom.com)

Cause

Symantec Data Loss Prevention (DLP) frequently writes to several common directories. Some antivirus solutions may treat this behavior as a virus or security threat and may interfere with DLP processes, with unexpected results.

See also this summary for why this is necessary:

About Symantec Data Loss Prevention and antivirus software (broadcom.com)

Resolution

In general, in your antivirus software, you should exclude or omit the following directories from future scans.

Enforce Server Specific - Windows

\ProgramData\Symantec\DataLossPrevention\EnforceServer\<version>\Account-storage (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\EnforceServer\<version>\keystore (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\EnforceServer\<version>\logs (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\EnforceServer\<version>\scan (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\EnforceServer\<version>\tomcatTemp

\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\<version>\incidents (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\<version>\index
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\<version>\scan (with subdirectories)

\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\tomcat
\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\tomcat\work

Where <version> is the Enforce Server version you are running, e.g., 16.0.20000.

Detection Server Specific - Windows

\ProgramData\Symantec\DataLossPrevention\DetectionServer\Account-storage (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\DetectionServer\<version>\drop (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\DetectionServer\<version>\logs (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\DetectionServer\<version>\scan (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\DetectionServer\<version>\spool (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\DetectionServer\<version>\temp (with subdirectories)

\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\<version>\incidents
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\<version>\index
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\<version>\scan (with subdirectories)

\Program Files\Symantec\DataLossPrevention\DetectionServer\Services

Where <version> is the Detection Server version you are running, e.g., 16.0.20000.


Oracle Server - Windows

\app\Administrator\oradata\protect
\app\Administrator\product\<version>\dbhome_1

Where <version> is the Oracle software version you are running.

Most of the Oracle files to be excluded are located in these directories, but additional files are located in other directories.
Use the Oracle Enterprise Manager (OEM) to check for additional files and exclude their directories from antivirus scanning.

Use OEM to view the location of the following database files:

  • Data files, which have the file extension *.DBF
  • Control files, which have the file extension *.CTL
  • The REDO.LOG file

OCR Server - Windows

\ProgramData\Symantec\DataLossPrevention\OCRServer\<version>
\ProgramData\OmniPage
\SymantecDLPOCR

Where <version> is the OCR Server version you are running, e.g., 16.0.20000.

Note: Symantec does not recommend that you exclude individual binaries from antivirus applications. The names and locations of binary files may change with new software releases and patches. Additionally, DLP creates and places files in directories such as drop and drop_pcap. Since the file names are not known in advance, the entire directory must be excluded.

Additional Information

Recently we have been made aware of a requirement unique to CrowdStrike: a double asterisk ("**") is required, which is said to create the exclusion recursively.

DLP requires all of its directories and subdirectories to be excluded from AV monitoring.

The screenshot below illustrates the exclusion for the Endpoint Agent; the same pattern applies to the server exclusions listed above.
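The server directory lists in the Resolution section and the recursive-wildcard note above can be turned into one repeatable, auditable step. The PowerShell below is an added example, not part of the Broadcom article and not Symantec's own tooling. It assumes that DLP is installed on the system drive, that the <version> placeholder is the only variable part of each path, and that Microsoft Defender is the antivirus in use (Add-MpPreference and Get-MpPreference are Defender's cmdlets; other products have their own exclusion interface). The -AppendRecursiveGlob switch appends the "**" form reported for CrowdStrike; the exact wildcard syntax for any non-Defender product is an assumption to confirm against that product's documentation. Paths that do not exist on the host are flagged rather than silently excluded, since a wrong version or drive letter would otherwise leave the real directories scanned.

```powershell
# Added example, not from the Broadcom article: build the server exclusion
# list for one DLP role and version, preview it, and optionally register it
# with Microsoft Defender. Assumptions: DLP is installed on the system drive,
# <version> is the only variable part of each path, and Microsoft Defender
# (Add-MpPreference / Get-MpPreference) is the antivirus in use.

function Get-DlpServerExclusion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enforce', 'Detection', 'OCR')]
        [string]$Role,

        [Parameter(Mandatory)]
        [ValidatePattern('^\d+(\.\d+)*$')]   # e.g. 16.0.20000
        [string]$Version,

        [string]$Drive = $env:SystemDrive,   # assumption: DLP install drive

        # Some products (the article reports CrowdStrike) need an explicit
        # recursive wildcard; Defender folder exclusions already cover subfolders.
        [switch]$AppendRecursiveGlob
    )

    $pd = Join-Path $Drive 'ProgramData\Symantec\DataLossPrevention'
    $pf = Join-Path $Drive 'Program Files\Symantec\DataLossPrevention'

    # Directory templates as listed in the article for each server role.
    $templates = switch ($Role) {
        'Enforce' { @(
            "$pd\EnforceServer\<version>\Account-storage",
            "$pd\EnforceServer\<version>\keystore",
            "$pd\EnforceServer\<version>\logs",
            "$pd\EnforceServer\<version>\scan",
            "$pd\EnforceServer\<version>\tomcatTemp",
            "$pd\ServerPlatformCommon\<version>\incidents",
            "$pd\ServerPlatformCommon\<version>\index",
            "$pd\ServerPlatformCommon\<version>\scan",
            "$pf\EnforceServer\<version>\Protect\tomcat",
            "$pf\EnforceServer\<version>\Protect\tomcat\work"
        ) }
        'Detection' { @(
            "$pd\DetectionServer\Account-storage",
            "$pd\DetectionServer\<version>\drop",
            "$pd\DetectionServer\<version>\logs",
            "$pd\DetectionServer\<version>\scan",
            "$pd\DetectionServer\<version>\spool",
            "$pd\DetectionServer\<version>\temp",
            "$pd\ServerPlatformCommon\<version>\incidents",
            "$pd\ServerPlatformCommon\<version>\index",
            "$pd\ServerPlatformCommon\<version>\scan",
            "$pf\DetectionServer\Services"
        ) }
        'OCR' { @(
            "$pd\OCRServer\<version>",
            (Join-Path $Drive 'ProgramData\OmniPage'),
            (Join-Path $Drive 'SymantecDLPOCR')
        ) }
    }

    foreach ($t in $templates) {
        $p = $t -replace '<version>', $Version
        if ($AppendRecursiveGlob) { $p = "$p\**" }
        $p
    }
}

function Add-DlpDefenderExclusion {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        # A missing directory usually means the wrong version or drive; warn
        # instead of silently excluding a path that nothing uses.
        if (-not (Test-Path -LiteralPath $p -PathType Container)) {
            Write-Warning "Directory not found, check version/drive: $p"
        }
        if ($PSCmdlet.ShouldProcess($p, 'Add Defender path exclusion')) {
            Add-MpPreference -ExclusionPath $p
        }
    }
}

# Usage: preview the resolved list, dry-run, apply, then verify what Defender recorded.
$paths = Get-DlpServerExclusion -Role Enforce -Version '16.0.20000'
$paths
Add-DlpDefenderExclusion -Path $paths -WhatIf
# Add-DlpDefenderExclusion -Path $paths
# (Get-MpPreference).ExclusionPath | Where-Object { $_ -like '*DataLossPrevention*' }
```

Run the preview first and compare it line by line against the article's list for your role; the final Get-MpPreference check is what confirms the exclusions are actually in effect, which matters because an exclusion that was typed but never registered leaves the drop, spool and incidents directories under active scanning. The Oracle directories are deliberately not in the script, since their location depends on the database layout and the article directs you to OEM to find them.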