Servers with Antivirus and Symantec Data Loss Prevention (DLP) Server Software

Article ID: 160017

Products

Data Loss Prevention Enforce, Data Loss Prevention, Data Loss Prevention API Detection for Developer Apps Virtual Appliance, Data Loss Prevention API Detection Virtual Appliance, Data Loss Prevention Cloud Detection Service, Data Loss Prevention Cloud Detection Service for ICAP, Data Loss Prevention Cloud Detection Service for REST, Data Loss Prevention Cloud Package, Data Loss Prevention Cloud Prevent for Microsoft Office 365, Data Loss Prevention Cloud Storage, Data Loss Prevention Core Package, Data Loss Prevention Endpoint Discover, Data Loss Prevention Endpoint Prevent, Data Loss Prevention Endpoint Suite, Data Loss Prevention Enterprise Suite, Data Loss Prevention Form Recognition, Data Loss Prevention Network Discover, Data Loss Prevention Network Email, Data Loss Prevention Network Monitor, Data Loss Prevention Network Monitor and Prevent for Email, Data Loss Prevention Network Monitor and Prevent for Email and Web, Data Loss Prevention Network Monitor and Prevent for Web, Data Loss Prevention Network Prevent for Email, Data Loss Prevention Network Prevent for Email Virtual Appliance, Data Loss Prevention Network Prevent for Web Virtual Appliance, Data Loss Prevention Network Protect, Data Loss Prevention Network Web, Data Loss Prevention Oracle Standard Edition 2, Data Loss Prevention Plus Suite, Data Loss Prevention Sensitive Image Recognition

Issue/Introduction

Antivirus software is running on the same system as Symantec DLP and may or may not be flagging it as a virus or a security threat.

You want to exclude DLP files from being scanned by antivirus software.

Environment

This article covers exclusions for DLP servers; for Agents, see Best Practice: Endpoint Agents with Antivirus Protection (broadcom.com)

Cause

Symantec Data Loss Prevention (DLP) frequently writes to several common directories. Some antivirus solutions may treat this behavior as that of a virus or security threat and may interfere with DLP processes, with unexpected results.

See also this summary for why this is necessary:

About Symantec Data Loss Prevention and antivirus software (broadcom.com)

Resolution

In general, in your antivirus software, you should exclude or omit the following directories from future scans.

Enforce Server Specific - Windows

\ProgramData\Symantec\DataLossPrevention\EnforceServer\<version>\logs (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\EnforceServer\<version>\scan (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\EnforceServer\<version>\tomcatTemp

\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\<version>\incidents (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\<version>\index
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\<version>\scan (with subdirectories)

\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\tomcat
\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\tomcat\work

Where <version> is the Enforce Server version you are running, e.g., 16.0.00000.

Detection Server Specific - Windows

\ProgramData\Symantec\DataLossPrevention\DetectionServer\<version>\drop (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\DetectionServer\<version>\logs (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\DetectionServer\<version>\scan (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\DetectionServer\<version>\spool (with subdirectories)
\ProgramData\Symantec\DataLossPrevention\DetectionServer\<version>\temp (with subdirectories)

\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\<version>\incidents
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\<version>\index
\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\<version>\scan (with subdirectories)

\Program Files\Symantec\DataLossPrevention\DetectionServer\Services

Where <version> is the Detection Server version you are running, e.g., 16.0.00000.

Oracle Server - Windows

\app\Administrator\oradata\protect
\app\Administrator\product\<version>\dbhome_1

Where <version> is the Oracle software version you are running.

Most of the Oracle files to be excluded are located in these directories, but additional files are located in other directories.
Use the Oracle Enterprise Manager (OEM) to check for additional files and exclude their directories from antivirus scanning.

Use OEM to view the location of the following database files:

  • Data files, which have the file extension *.DBF
  • Control files, which have the file extension *.CTL
  • The REDO.LOG file

OCR Server - Windows

\ProgramData\Symantec\DataLossPrevention\OCRServer\<version>
\ProgramData\OmniPage
\SymantecDLPOCR

Where <version> is the OCR Server version you are running, e.g., 16.0.00000.

Note: Symantec does not recommend that you exclude individual binaries from antivirus applications. The names and locations of binary files may change with new software releases and patches. In addition, we create and place files in directories such as drop and drop_pcap. Because we do not know what the file names will be, the entire directory must be excluded.
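
The following is an added example, not part of the original article or any Symantec tooling: a Python audit that compares an exported antivirus exclusion list with the Enforce and Detection Server directories listed above. It reports listed directories that are not covered, exclusions broader than anything the article lists, and individual binaries. The `C:` drive, the sample exclusion list and the file name `example.exe` are constructed assumptions; Oracle and OCR paths are not modelled.

```python
from pathlib import PureWindowsPath

# Directory templates copied from this article; {v} stands for <version>.
# The "(with subdirectories)" setting is applied in the AV product itself;
# this audit compares directories only.
PD = r"\ProgramData\Symantec\DataLossPrevention"
PF = r"\Program Files\Symantec\DataLossPrevention"
COMMON = [PD + r"\ServerPlatformCommon\{v}" + d for d in (r"\incidents", r"\index", r"\scan")]
TEMPLATES = {
    "enforce": [PD + r"\EnforceServer\{v}" + d for d in (r"\logs", r"\scan", r"\tomcatTemp")]
    + COMMON
    + [PF + r"\EnforceServer\{v}\Protect\tomcat", PF + r"\EnforceServer\{v}\Protect\tomcat\work"],
    "detection": [PD + r"\DetectionServer\{v}" + d
                  for d in (r"\drop", r"\logs", r"\scan", r"\spool", r"\temp")]
    + COMMON
    + [PF + r"\DetectionServer\Services"],
}

def required_dirs(role, version, drive="C:"):
    """Expand the article's templates for one server role and version."""
    return [PureWindowsPath(drive + t.format(v=version)) for t in TEMPLATES[role]]

def audit(configured, role, version, drive="C:"):
    """Classify configured exclusions against the article's list."""
    required = required_dirs(role, version, drive)
    have = [PureWindowsPath(p) for p in configured]  # comparison is case-insensitive
    report = {"missing": [], "too_broad": [], "individual_binary": [], "not_in_article": []}
    for req in required:
        # Covered if excluded exactly or through a parent directory.
        if not any(h == req or h in req.parents for h in have):
            report["missing"].append(str(req))
    for h in have:
        if h in required:
            continue
        if h.suffix.lower() in {".exe", ".dll"}:
            report["individual_binary"].append(str(h))   # the note advises against these
        elif any(h in req.parents for req in required):
            report["too_broad"].append(str(h))           # hides more than the article lists
        else:
            report["not_in_article"].append(str(h))
    return report

# Constructed sample of exclusions exported from an AV console (hypothetical).
SAMPLE = [
    r"C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.00000\drop",
    r"c:\programdata\symantec\datalossprevention\detectionserver\16.0.00000\logs",
    r"C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\16.0.00000",
    r"C:\Program Files\Symantec\DataLossPrevention\DetectionServer\Services\example.exe",
]
```

Calling `audit(SAMPLE, "detection", "16.0.00000")` returns the four categories as lists of path strings; entries under `not_in_article` may still be legitimate on a server that also hosts Oracle or the OCR Server.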