The DLP Endpoint Agent and its other program files may be blocked, or may cause issues, when installed on a system that also runs an antivirus (AV) application or Endpoint Detection and Response (EDR) software.
This article covers exclusions for DLP Agents. For servers, see Antivirus flagging Symantec Data Loss Prevention (DLP) as a virus or security threat (broadcom.com).
With a typical antivirus program or endpoint detection and response solution, excluding a folder prevents the AV or EDR program from monitoring data that is written to, or read from, that folder.
Excluding a binary or executable file prevents the AV engine and EDR from monitoring that executable during read and write operations.
It is recommended to whitelist all of the processes, files, folders, and subfolders that are listed below.
Endpoint Agent Installation Location | C:\Program Files\Manufacturer\Endpoint Agent\* |
Processes | edpa.exe |
Drivers | vfsmfd.sys, vrtam.sys, vnwcd.sys |
Files | C:\Program Files\Manufacturer\Endpoint Agent\*.ead |

Endpoint Agent Installation Location | /Library/Manufacturer/Endpoint Agent |
Endpoint Agent Temp Folder Location | /Library/Manufacturer/Endpoint Agent/Temp |
Processes * | edpa |
Drivers | N/A |
Files | /Library/Manufacturer/Endpoint Agent/*.ead |
* Process exclusions are not necessary if the AV program being used is the Symantec Endpoint Protection agent (SEP, SESE or SESC).
If using Symantec Endpoint Protection (SEP), use the tech docs below to create the exclusions:
Excluding a file or a folder from scans
Excluding file extensions from virus and spyware scans on Windows clients and Linux clients
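If the AV on a Windows endpoint is Microsoft Defender instead (an assumption; this article does not cover Defender), a read-only check like the one below shows whether the folder, process, and .ead entries listed above are already excluded. This is an added example, not Broadcom's own tooling; `$agentDir` reuses the path exactly as written in the table, and `Get-NormalizedPath` is a helper name introduced here.

```powershell
# Added example: read-only audit of Microsoft Defender exclusions against this article's list.
# Assumption: Defender is the AV in use. Run from an elevated session; non-admin
# sessions may see the exclusion lists masked.
$agentDir = 'C:\Program Files\Manufacturer\Endpoint Agent'   # path as written in the article
$pref     = Get-MpPreference

# Hypothetical helper: drop a trailing "\*" or "\" so "...\Endpoint Agent\*"
# and "...\Endpoint Agent\" both compare equal to the folder itself.
function Get-NormalizedPath([string]$p) {
    ($p -replace '\\\*$', '').TrimEnd('\')
}

$paths     = @($pref.ExclusionPath)    | Where-Object { $_ } | ForEach-Object { Get-NormalizedPath $_ }
$processes = @($pref.ExclusionProcess) | Where-Object { $_ }

# -contains and -ieq compare case-insensitively, matching Windows path semantics.
$folderOk  = @($paths) -contains $agentDir
$processOk = [bool](@($processes) | Where-Object {
    $_ -ieq 'edpa.exe' -or $_ -ieq "$agentDir\edpa.exe"
})

# The *.ead files sit in the agent folder, so the folder exclusion already covers
# them; otherwise look for the explicit file pattern from the table.
$eadOk = $folderOk -or (@($paths) -contains "$agentDir\*.ead")

# Drivers are not checked: the article lists only their file names, not their paths.
@(
    [pscustomobject]@{ Item = "$agentDir\*";     Kind = 'Folder';  Excluded = $folderOk }
    [pscustomobject]@{ Item = 'edpa.exe';        Kind = 'Process'; Excluded = $processOk }
    [pscustomobject]@{ Item = "$agentDir\*.ead"; Kind = 'Files';   Excluded = $eadOk }
) | Format-Table -AutoSize
```

The script only reads the current configuration; any row showing `False` is an exclusion still to be created through whatever policy channel manages Defender in the environment.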