About the automatic exclusion of files and folders for Microsoft Exchange server and Symantec products

Article ID: 151290

Products

Endpoint Protection

Issue/Introduction

What file and folder exclusions are created automatically when the Symantec Endpoint Protection (SEP) client is installed on a server that runs Microsoft Exchange server or certain Symantec gateway scanning products?

Resolution

If Microsoft Exchange servers are installed on a computer with Symantec Endpoint Protection client, the client software automatically detects the presence of Exchange. When the client software detects a Microsoft Exchange server, it creates the appropriate file and folder exclusions for File System Auto-Protect and all other scans. Microsoft Exchange servers can include clustered servers. The client software checks for changes in the location of the appropriate Exchange files and folders at regular intervals. If Exchange is installed on a computer where the client software is already installed, the exclusions are created when the client checks for changes. The client excludes both files and folders; if a single file is moved from an excluded folder, the file remains excluded.

The latest available release of the Symantec Endpoint Protection client software creates automatic file and folder scan exclusions for the following Microsoft Exchange server versions:

  • Exchange 2010 (introduced with SEP 11 RU6 MP1)
  • Exchange 2013 (introduced with SEP 12.1 RU3)
  • Exchange 2016 (introduced with SEP 14)
  • Exchange 2019 (introduced with SEP 14.3 RU1 MP1)

Symantec recommends that the Exchange server's OS always be protected by the latest available release of SEP. The Exchange server's message flow and Information Store must be protected by a dedicated mail security product, such as https://www.broadcom.com/products/cybersecurity/email/mail-security-exchange

For Exchange 2007, 2010, 2013, and 2016, see the user documentation for information about compatibility with antivirus software. It may be necessary to create scan exclusions for some Exchange folders manually. For example, cluster servers or non-default locations for folders require specific exclusions. Also, folders that are part of a Database Availability Group (DAG) are not automatically excluded. For more information, see the Microsoft TechNet article Anti-Virus Software in the Operating System on Exchange Servers and https://techcommunity.microsoft.com/t5/exchange-team-blog/update-on-the-exchange-server-antivirus-exclusions/ba-p/3751464

The client also creates appropriate file and folder scan exclusions for the following Symantec products when they are detected:

  • Symantec Mail Security for Microsoft Exchange (SMSMSE) 4.0, 4.5, 4.6, 5.0, 6.0 and 6.5
  • Symantec AntiVirus/Filtering 3.0 for Microsoft Exchange
  • Norton AntiVirus 2.x for Microsoft Exchange
  • Symantec Endpoint Protection Manager embedded database and logs

Note: To see the exclusions that the client creates, examine the contents of the HKEY_LOCAL_MACHINE\Software\Symantec\Symantec Endpoint Protection\AV\Exclusions registry key. Do not edit this registry key directly. Configure any additional exclusions by using centralized exceptions.

On a 64-bit server using Exchange 2007, 2010, 2013 or 2016, the registry path used to confirm automatic exclusions is slightly different because it includes the WOW6432node key:
HKLM\Software\WOW6432node\Symantec\Symantec Endpoint Protection\AV\Exclusions\

For 14.3 RU1 and later, see: https://knowledge.broadcom.com/external/article/151606/verify-if-an-endpoint-client-has-automat.html

Critical note:

  • The client does not exclude the system temporary folders from scans because doing so can create a significant security vulnerability on a computer.
  • SEP 14.2 RU1 and above do not store client-side exceptions in the registry; they are encrypted and stored in a way that prevents access.
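
A read-only way to review the two registry locations named above and to flag any entry that touches a temporary folder, given here as an added example and not as Symantec tooling. The function name Get-SepAutoExclusion and the list of temp folders are assumptions; the script assumes nothing about the value names stored under the key and only reads them.

```powershell
# Added example: read-only audit of the SEP automatic exclusion keys.
# The two key paths are the ones given in this article. Nothing is written.
$SepExclusionRoots = @(
    'HKLM:\Software\Symantec\Symantec Endpoint Protection\AV\Exclusions',
    'HKLM:\Software\WOW6432node\Symantec\Symantec Endpoint Protection\AV\Exclusions'
)

# Assumption: these are the temp folders worth flagging on this host.
$TempDirs = @($env:TEMP, "$env:SystemRoot\Temp") |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') } | Sort-Object -Unique

function Get-SepAutoExclusion {   # hypothetical helper name
    param([string[]]$Path = $SepExclusionRoots)
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Verbose "Key not present: $root"
            continue
        }
        # The root key itself plus every subkey beneath it.
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                # Flatten multi-string or binary data to one line of text.
                $text = ($key.GetValue($name) | ForEach-Object { "$_" }) -join '; '
                $touchesTemp = $false
                foreach ($dir in $TempDirs) {
                    if ($text.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                        $touchesTemp = $true
                    }
                }
                [pscustomobject]@{
                    Key         = $key.Name
                    Value       = $name
                    Data        = $text
                    TouchesTemp = $touchesTemp
                }
            }
        }
    }
}

$found = @(Get-SepAutoExclusion -Verbose)
if ($found.Count -eq 0) {
    # Expected on SEP 14.2 RU1 and above, which do not keep exceptions in the registry.
    Write-Warning 'No exclusion values found under either registry path.'
} else {
    $found | Sort-Object TouchesTemp -Descending | Format-Table -AutoSize -Wrap
}
```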



If client email applications use a single inbox

The applications that store all email in a single file include Outlook Express, Eudora, Mozilla, and Netscape. If client computers use any email applications that use a single inbox, create a centralized exception to exclude the Inbox file. The exception applies to all antivirus and antispyware scans as well as Auto-Protect.

The Symantec Endpoint Protection client quarantines the entire Inbox and users cannot access their email if the following statements are true:

  • The client detects a virus in the Inbox file during an on-demand or scheduled scan.
  • The action that is configured for the virus is Quarantine.


Symantec does not usually recommend excluding files from scans. When you exclude the Inbox file from scans, the Inbox cannot be quarantined; however, if the client detects a virus when a user opens an email message, it can safely quarantine or delete the message.