In the document "Virus scanning recommendations for computers that are running currently supported versions of Windows" Microsoft suggests several exclusions that should be configured on 64-bit Domain Controllers. Not all of these are automatically set by Symantec Endpoint Protection.
Symptoms

The following exclusions are not set automatically:

Turn off scanning of DHCP files
By default, DHCP files that should be excluded are present in the following folder on the server:
%systemroot%\System32\DHCP
Exclude the following files from this folder and all its subfolders:
*.mdb
*.pat
*.log
*.chk

Turn off scanning of DNS files
By default, DNS uses the following folder:
%systemroot%\System32\Dns
Exclude the following files from this folder and all its subfolders:
*.log
*.dns
BOOT

Turn off scanning of WINS files
By default, WINS uses the following folder:
%systemroot%\System32\Wins
Exclude the following files from this folder and all its subfolders:
*.chk
*.log
*.mdb

Symantec Endpoint Protection detects the presence of key Domain Controller directories and files and sets exclusions for them automatically.
Automatic exclusion of these additional DHCP, DNS and WINS files and directories was introduced in Symantec Endpoint Protection 11 RU6 MP2. Please upgrade to this version or later to take advantage of these exclusions.
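
On a version that does not set these exclusions, it helps to know what each rule would actually cover before entering it by hand. The following PowerShell inventory is an added example, not code from Symantec or Microsoft: the folders and patterns are the ones listed above, the function name Get-ExclusionInventory is hypothetical, and it assumes PowerShell 3.0 or later run locally on the Domain Controller.

```powershell
# Added example. Folder paths and patterns come from the exclusion list above;
# the function name and output shape are hypothetical.
$Exclusions = @(
    @{ Role = 'DHCP'; Folder = '%systemroot%\System32\DHCP'; Patterns = '*.mdb', '*.pat', '*.log', '*.chk' }
    @{ Role = 'DNS';  Folder = '%systemroot%\System32\Dns';  Patterns = '*.log', '*.dns', 'BOOT' }
    @{ Role = 'WINS'; Folder = '%systemroot%\System32\Wins'; Patterns = '*.chk', '*.log', '*.mdb' }
)

function Get-ExclusionInventory {
    param([Parameter(Mandatory)] [hashtable[]] $Rules)

    foreach ($rule in $Rules) {
        # Resolve %systemroot% to the real path on this server.
        $path = [Environment]::ExpandEnvironmentVariables($rule.Folder)

        # The folder is absent when the role is not installed: report and move on.
        if (-not (Test-Path -LiteralPath $path -PathType Container)) {
            [pscustomobject]@{ Role = $rule.Role; Folder = $path; Pattern = '(folder absent)'; Files = 0 }
            continue
        }

        # The exclusions apply to the folder and all its subfolders, so recurse.
        $all = @(Get-ChildItem -LiteralPath $path -File -Recurse -Force -ErrorAction SilentlyContinue)

        # Count the files each pattern would remove from scanning.
        foreach ($pattern in $rule.Patterns) {
            $hits = @($all | Where-Object { $_.Name -like $pattern })
            [pscustomobject]@{ Role = $rule.Role; Folder = $path; Pattern = $pattern; Files = $hits.Count }
        }

        # Files matching no pattern stay subject to scanning.
        $rest = @($all | Where-Object {
            $name = $_.Name
            -not ($rule.Patterns | Where-Object { $name -like $_ })
        })
        [pscustomobject]@{ Role = $rule.Role; Folder = $path; Pattern = '(still scanned)'; Files = $rest.Count }
    }
}

Get-ExclusionInventory -Rules $Exclusions | Format-Table -AutoSize
```

A row marked "(folder absent)" means the role's folder does not exist on that server, so the corresponding exclusion has nothing to cover there.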