Symantec Endpoint Protection (SEP) clients installed on an Exchange server appear to have Exchange locations properly excluded, but files within the excluded directory structures are still scanned by AutoProtect or scheduled scans.
The behavior can be observed by downloading eicar.zip and extracting the eicar.com test file to the excluded locations.
The algorithm responsible for excluding Exchange file system locations creates different types of exclusions depending on Microsoft's recommendations. In some situations, a directory and all of its sub-directories are excluded. In other situations, only specific directories are excluded, leaving their sub-directories to be scanned. Other exclusions are specific to a particular file and do not apply to any other files in those directories.
These exclusions are represented by DWORD registry values in the following keys:
- 32-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\Exchange Server\NoScanDir
- 64-bit: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\Exchange Server\NoScanDir
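To check how a file that is still being scanned relates to the automatic exclusions, the following PowerShell script (an added example, not Symantec's code) lists the DWORD values under both keys and reports whether each entry matches the test path exactly, is its direct parent directory, or is only an ancestor of it. It assumes that each value name is the excluded path; the DWORD data is printed raw because its meaning is not documented here, and the default test path is a hypothetical placeholder.

```powershell
# Added example: relate SEP automatic Exchange exclusions to one test path.
# Assumption: each value NAME under NoScanDir is the excluded path. The DWORD
# data is shown as-is; this page does not say what each number means.
param(
    # Hypothetical placeholder; pass the file that is still being scanned.
    [string]$TestPath = 'C:\ExampleExchange\Mailbox\Sub\eicar.com'
)

$keys = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\Exchange Server\NoScanDir',
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Exclusions\Exchange Server\NoScanDir'
)

function Get-Relation([string]$Entry, [string]$Path) {
    # Compare case-insensitively and ignore a trailing backslash.
    $e = $Entry.TrimEnd('\')
    $p = $Path.TrimEnd('\')
    if ($e -eq '') { return 'unrelated' }
    if ($p -ieq $e) { return 'exact match' }
    if (-not $p.StartsWith($e + '\', [StringComparison]::OrdinalIgnoreCase)) {
        return 'unrelated'
    }
    # Anything left after the entry that still contains a backslash means
    # the test path sits in a sub-directory of the excluded entry.
    $rest = $p.Substring($e.Length + 1)
    if ($rest.Contains('\')) { return 'entry is an ancestor (path is in a sub-directory)' }
    return 'entry is the direct parent directory'
}

foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # key absent on this platform
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        if ($item.GetValueKind($name) -ne 'DWord') { continue }
        [pscustomobject]@{
            Entry    = $name
            Dword    = $item.GetValue($name)
            Relation = Get-Relation $name $TestPath
            Key      = $key
        }
    }
}
```

An entry reported only as an ancestor is the case to look at first, since a directory-only exclusion leaves its sub-directories to be scanned.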
The Automatic Exchange Exclusions created by the SEP client are properly created as per Microsoft's public recommendations. SEP will detect the mailbox role and set the required base exclusions for Exchange 2003/2007/2010. Exclusions for additional roles and clustering should be added manually as needed.
For information on Microsoft's recommendations for Microsoft Exchange exclusions, see http://technet.microsoft.com/en-us/library/bb332342.aspx.
This issue has been observed on Microsoft Exchange 2003, 2007, and 2010 servers with Symantec Endpoint Protection (SEP) 11.x, 12.0.x SMB and 12.1.x clients.