/var/log/messages shows "rtvscand: Scan could not open file" entries for excluded files and folders, giving the impression that rtvscand is actually attempting to scan these files.
Jun 8 00:55:37 rhel65 rtvscand: Scan could not open file /sys/module/mbcache/sections/.text [00000003] Jun 8 00:55:37 rhel65 rtvscand: Scan could not open file /sys/module/mbcache/sections/.exit.text [00000003] Jun 8 00:55:37 rhel65 rtvscand: Scan could not open file /sys/module/mbcache/sections/.altinstr_replacement [00000003] Jun 8 00:55:37 rhel65 rtvscand: Scan could not open file /sys/module/mbcache/sections/.init.text [00000003]
Symantec Endpoint Protection for Linux 12.1 (all versions)
The logging was misleading, in that the messages were generated for special types of files that were enumerated but not actually scanned.
Starting Symantec Endpoint Protection for Linux 14, the less than explanatory "rtvscand: Scan could not open file " entries for excluded files and folders that were logged in /var/log/messages were replaced by more explanatory messages referencing the file by their type: block-special, character-special, FIFO, and socket fd.