
Endpoint Protection interfering with Docker containers on Windows Server 2016


Article ID: 169698


Updated On:

Products

Endpoint Protection

Issue/Introduction

Cannot create or launch Docker containers on Windows Server 2016 when Symantec Endpoint Protection (SEP) is installed.

Environment

Windows Server 2016

Cause

This is caused by the Application Control component of SEP.

Resolution

To work around this issue, upgrade to SEP 14 RU1 or newer and add the following paths as Windows File Exceptions to the Exceptions Policy in the SEPM (Symantec Endpoint Protection Manager).

Prefix Variable   File and Path         Exclude child processes
%[SYSTEM]%        lsass.exe             Yes
%[SYSTEM]%        svchost.exe           Yes
%[SYSTEM]%        cexecsvc.exe          Yes
%[SYSTEM]%        oobe\windeploy.exe    Yes


For each exception, choose "Application Control" as the type of scan that excludes the file and also select "Exclude child processes". Then assign the updated Exceptions Policy to the affected clients. Because excluding svchost.exe and lsass.exe together with their child processes removes those process trees from Application Control monitoring on the host, assign the policy only to the client group that contains the Docker hosts rather than to all clients.

Note: if a Docker installation failed before these exceptions were in place, uninstall the failed package before retrying the installation.

Adding Windows Features to a running container, or installing a service inside it, may require additional exceptions. The following example lists the exceptions needed to run an MSI installation and to run the DNS service (not all of them are necessary in every situation):

Prefix Variable   File and Path                    Exclude child processes
%[WINDOWS]%       servicing\trustedinstaller.exe   Yes
%[SYSTEM]%        msiexec.exe                      Yes
%[SYSTEM]%        dns.exe                          Yes
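The following PowerShell script is an added example and is not part of the Symantec/Broadcom article. It resolves both exception tables above (the core set and the MSI/DNS set) to concrete paths on the Docker host, reports which of the binaries are present, and then runs a minimal container smoke test to confirm that containers start once the Exceptions Policy has been deployed. The mapping of the SEPM prefix variables to host directories (%[SYSTEM]% to System32 and %[WINDOWS]% to the Windows directory), the container image tag, and the helper names are assumptions made for this example; adjust the image to one that matches the host build.

```powershell
# Added example, not from the article. Assumed prefix-variable mapping:
#   %[SYSTEM]%  -> <SystemRoot>\System32
#   %[WINDOWS]% -> <SystemRoot>
$prefixMap = @{
    '%[SYSTEM]%'  = Join-Path $env:SystemRoot 'System32'
    '%[WINDOWS]%' = $env:SystemRoot
}

# The exception entries exactly as listed in the article. "Set" records whether an
# entry belongs to the core workaround or to the optional MSI/DNS set.
$exceptions = @(
    @{ Prefix = '%[SYSTEM]%';  Path = 'lsass.exe';                      Set = 'core' },
    @{ Prefix = '%[SYSTEM]%';  Path = 'svchost.exe';                    Set = 'core' },
    @{ Prefix = '%[SYSTEM]%';  Path = 'cexecsvc.exe';                   Set = 'core' },
    @{ Prefix = '%[SYSTEM]%';  Path = 'oobe\windeploy.exe';             Set = 'core' },
    @{ Prefix = '%[WINDOWS]%'; Path = 'servicing\trustedinstaller.exe'; Set = 'msi/dns' },
    @{ Prefix = '%[SYSTEM]%';  Path = 'msiexec.exe';                    Set = 'msi/dns' },
    @{ Prefix = '%[SYSTEM]%';  Path = 'dns.exe';                        Set = 'msi/dns' }
)

# Hypothetical helper: turn one table row into the full host path and check it exists.
function Resolve-SepException {
    param([hashtable]$Entry)
    $base = $prefixMap[$Entry.Prefix]
    $full = Join-Path $base $Entry.Path
    [pscustomobject]@{
        Entry    = "$($Entry.Prefix) $($Entry.Path)"
        Set      = $Entry.Set
        HostPath = $full
        Exists   = Test-Path -LiteralPath $full -PathType Leaf
    }
}

$resolved = $exceptions | ForEach-Object { Resolve-SepException $_ }
$resolved | Format-Table -AutoSize

# Binaries that only exist once the matching feature or role is installed (for
# example dns.exe without the DNS Server role) will show Exists = False; that is
# expected and the exception entry is still valid as written.
$missing = $resolved | Where-Object { -not $_.Exists }
if ($missing) {
    Write-Host "Not present on this host (check the prefix mapping if a core entry is listed):"
    $missing | ForEach-Object { Write-Host "  $($_.HostPath)" }
}

# Smoke test: with the exceptions deployed, a container should create and start.
# Image tag is an assumption; pick one matching the Windows Server 2016 host build.
$image = 'mcr.microsoft.com/windows/nanoserver:sac2016'

if (-not (Get-Command docker -ErrorAction SilentlyContinue)) {
    Write-Warning 'docker CLI not found; skipping container smoke test.'
    return
}

docker info *> $null
if ($LASTEXITCODE -ne 0) {
    Write-Warning 'Docker daemon is not reachable; start the Docker service and retry.'
    return
}

docker run --rm $image cmd /c "echo container started"
if ($LASTEXITCODE -eq 0) {
    Write-Host 'Container smoke test passed.'
} else {
    Write-Warning "Container smoke test failed (exit code $LASTEXITCODE). If SEP is installed, confirm the Exceptions Policy with the entries above has been applied to this client and that 'Exclude child processes' is set on each entry."
}
```

Run the script on the Docker host before and after deploying the Exceptions Policy: a failure before and a pass after confirms that Application Control was the cause, and the resolved path list doubles as a checklist against what was actually entered in the SEPM.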