Symantec Endpoint Protection – Centralized Exception

Set up a centralized policy to prevent Veriato Investigator from being scanned and detected by Symantec Endpoint Protection. You may need to set exceptions for Symantec security risks and Veriato folders, files, and applications.

You may want one policy for the Veriato Server and another for the client endpoints that receive the Recorder. We highly recommend trying out the exceptions on test machines for both the Veriato Server and the Veriato Recorder. You can then adjust your policy based on the items caught and quarantined.

  1. Set up a test client
  2. Create a Veriato Setup download folder
  3. Add exceptions for Veriato
  4. Set exceptions for Known Security Risks
  5. Set exceptions for Veriato folders
  6. Set exceptions for Veriato files
  7. Exclude the User Temp File Locally at the Veriato Server
  8. Download and run the Veriato Setup
  9. Add specific Package Cache folder exceptions to the Symantec policy
  10. Remove local Temp and Package Cache exceptions
  11. Deploy the test client

Set up a test client

We highly recommend trying out exceptions on test Veriato server and Recorder client machines. This allows you to adjust your policy based on any items caught and quarantined.  

Testing is particularly important because of SEP's close attention to changes in applications. Applications are fingerprinted, and the only way to obtain the hash needed to set an exception is through detection. In other words, you must let Symantec's Application Monitoring detect changes on your test computer and provide you with the "hash" fingerprint needed to set the exception. Always install Veriato Recorder updates on the test machine first to see whether any new detections occur.

Create a Veriato Setup download folder

On the Veriato Server machine, create a folder (for example, VeriatoSetup) before downloading the setup from the Veriato website. You will exclude the folder and the file in the Symantec policy: C:\VeriatoSetup\VeriatoSetup.exe

Add exceptions for Veriato

Do NOT run the Veriato setup until you have set the following exceptions.

  1. Open Symantec Endpoint Protection Manager.
  2. From the left menu, select Policies. Under Policies, select Exceptions.
  3. Click Add an Exceptions Policy to create and open a new policy.
  4. In the policy, select Exceptions from the left menu.

Set exceptions for Known Security Risks

Symantec maintains its own list of "security risks."  Some of these risks target Veriato Server or Recorder files. Follow these steps to add known risks to your exceptions policy.

  1. In the Centralized Exceptions Policy panel, select Add | Windows Exceptions and Known Risks.
  2. In the Add Known Security Risk Exceptions panel, scroll to find and check the following risk names. Check your test machines, as risks are subject to change.

SpectorPro
Spyware.Eblaster
Spyware.Eblaster!gen1
Spyware.Spagent
Spyware.Spector
Spyware.Spectre
WS.Security.Risk.3

  3. Click OK to add the risks to the Centralized Exceptions Policy list. All should have the "Action" value set to Log Only or Ignore.

NOTE: Symantec Security Risks may change. Watch your test machines.

Set exceptions for Veriato folders

Exclude the entire folder from scanning.

  1. In the Centralized Exceptions Policy panel, select Add | Windows Exceptions and Folder.
  2. In the Add Folder Exception panel, enter or copy/paste a folder path from the Deployment Guide list into the "Folder" field.
    Check Include subfolders.
    Under "Specify the type of scan that excludes this folder," select All.
    Click OK.
  3. Repeat the above step for all folders. Refer to the Veriato Deployment Guide to verify the folder paths that apply to your version of Veriato.

Client Recorder Folders to exclude:

C:\Windows\winipbin
C:\Windows\SysWOW64\winipdat

Veriato Server 9.0 Folders to exclude:

C:\VeriatoSetup
C:\VeriatoBackup
C:\VeriatoData
C:\Program Files\Veriato
C:\Program Files\Microsoft\SQLServer\mssql.veriato360
C:\Program Files (x86)\Microsoft\SQLServer\mssql12.veriato30
C:\Program Files (x86)\Veriato
C:\Program Files (x86)\Veriato\Management Console
C:\Program Files\Veriato\WebUIDataService

Veriato Server 8.5 Folders to exclude:

C:\Spector360Data
C:\Program Files\Veriato
C:\Program Files\SpectorSoft
C:\Program Files (x86)\Veriato
C:\Program Files (x86)\SpectorSoft
C:\Program Files\Microsoft\SQLServer\mssql12.spector360

Set exceptions for Veriato files

In addition to folder exceptions, set exceptions for EACH server and EACH Recorder file. Refer to your Veriato Deployment Guide for files that apply to your version.

  1. In the Centralized Exceptions Policy panel, select Add | Windows Exceptions and File.
  2. Copy and paste a file path from the list below into the "File (include full path)" field.
    Check Also exclude child processes.
    Under "Specify the type of scan that excludes this folder," check all items.
    Under "Specify the type of security risk scan," select All Scans.
    Click OK.
  3. Repeat the above step for all Veriato Server files listed in the Deployment Guide, EXCEPT the files in the Management Console and WebUIDataService folders; the folder exclusions are sufficient in those cases. File paths may differ depending on the OS, so be sure to include a path for each OS.
  4. Repeat the above step for all Veriato client Recorder files listed in the Deployment Guide.

Exclude the User Temp File Locally at the Veriato Server

The Veriato Setup creates a randomly named temp file that might be detected and stop installation. Before running the setup, exclude the entire local temp folder for the currently logged in user. You can do this within the exceptions policy or at the Symantec client console.

  1. Open the local Endpoint Protection control panel: right-click the Symantec Endpoint Protection icon in the Windows system tray and select Open Symantec Endpoint Protection.
  2. In the Symantec Endpoint Protection settings, select Change Settings. Next to Exceptions, click Configure Settings. An Exceptions window opens.
  3. Select Add | Security Risk exception | Folder.
  4. Browse to the local temp folder for the user currently logged in. For example, if jjones is logged in, browse to and select: C:\Users\jjones\AppData\Local\Temp
  5. Set the Exception Type to All scans. Make sure "Include Subfolders" is checked.
  6. Click OK to add the exception.
  7. When the Veriato installation is complete, remove this exception.
Download and run the Veriato Setup

The setup should run with the above exceptions set. (Remember to remove the exception for the current user's temp folder afterwards.) Once you have a Veriato Server that does not trigger Symantec notifications, deploy a Veriato Recorder to your test machine. If Symantec blocks traffic from the Veriato website, add the Veriato download URL to the Trusted Internet Domain exceptions:

download360.veriato.com

Add specific Package Cache folder exceptions to the Symantec policy

When the Veriato Server or server component is successfully installed, add the new Package Cache folders, which are unique to your installation. This step prevents detection on upgrades or changes to the installation.

  1. Open C:\ProgramData\Package Cache. Note the new folders. Eleven of the 12 Veriato folders have the Veriato version appended to their name, for example v9.0.2.499939. Look for a 12th folder containing Veriato360Installer.exe.
  2. Open Notepad, and then open one of the new folders in Explorer. Double-click the path at the top of the Explorer window to select it. Copy and paste the folder path into Notepad. Repeat for all 12 folders.
  3. Return to the centralized Symantec Endpoint Protection console and copy and paste each folder as a folder-level exception in your Veriato Server policy.
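To avoid hand-copying the Package Cache paths from Explorer into Notepad, and to see which of the listed server folders actually exist on this host before you add them, the following PowerShell script (an added example, not Veriato's or Symantec's own tooling) collects the folder paths into a text file ready for pasting into the policy. The version string and the output file location are assumptions taken from this article; the Deployment Guide for your version remains authoritative.

```powershell
# Added example: gather Veriato Server folder paths for the SEP exceptions
# policy. Not Veriato's or Symantec's own tooling. Adjust $VeriatoVersion and
# the static list to match the Deployment Guide for your version.

$VeriatoVersion = 'v9.0.2.499939'                  # assumed: example version from the article
$PackageCache   = 'C:\ProgramData\Package Cache'
$OutFile        = Join-Path $env:USERPROFILE 'Desktop\veriato-sep-folder-exclusions.txt'  # assumed

# Static Veriato Server 9.0 folders as listed in this article
$StaticFolders = @(
    'C:\VeriatoSetup',
    'C:\VeriatoBackup',
    'C:\VeriatoData',
    'C:\Program Files\Veriato',
    'C:\Program Files\Veriato\WebUIDataService',
    'C:\Program Files\Microsoft\SQLServer\mssql.veriato360',
    'C:\Program Files (x86)\Microsoft\SQLServer\mssql12.veriato30',
    'C:\Program Files (x86)\Veriato',
    'C:\Program Files (x86)\Veriato\Management Console'
)

function Get-VeriatoPackageCacheFolders {
    param([string]$Root, [string]$Version)
    if (-not (Test-Path -LiteralPath $Root)) { return @() }
    Get-ChildItem -LiteralPath $Root -Directory | Where-Object {
        # Eleven folders end with the version; the twelfth holds Veriato360Installer.exe
        ($_.Name -like "*$Version") -or
        [bool](Get-ChildItem -LiteralPath $_.FullName -Recurse -File `
                -Filter 'Veriato360Installer.exe' -ErrorAction SilentlyContinue |
                Select-Object -First 1)
    } | Select-Object -ExpandProperty FullName
}

# Keep only static folders present on this host: paths differ by OS and install
# layout, and a path that does not exist adds nothing but noise to the policy.
$existing = @($StaticFolders | Where-Object { Test-Path -LiteralPath $_ })
$missing  = @($StaticFolders | Where-Object { -not (Test-Path -LiteralPath $_) })

$cache = @(Get-VeriatoPackageCacheFolders -Root $PackageCache -Version $VeriatoVersion)
if ($cache.Count -ne 12) {
    Write-Warning "Expected 12 Package Cache folders, found $($cache.Count); check the version suffix."
}

$all = $existing + $cache
$all | Set-Content -LiteralPath $OutFile
Write-Host "Wrote $($all.Count) folder paths to $OutFile"
$missing | ForEach-Object { Write-Host "Not found on this host (skipped): $_" }
```

Run it on the Veriato Server after installation completes, then paste each line of the output file into the Veriato Server policy as a folder-level exception; the warning tells you when the Package Cache count does not match the 12 folders this article expects.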

Remove local Temp and Package Cache exceptions

  1. When the policy containing specific folders has been applied to your Veriato Server, remove the general, folder-level exceptions you added locally at the Symantec client:
    C:\ProgramData\Package Cache
    C:\Users\[current_user]\AppData\Local\Temp
  2. Run a scan to test. If additional temp files are detected following a scan, but no longer exist, simply dismiss the notification. Your Veriato Server should now be excluded from Symantec scanning.

Deploy the test client

If all temporary and installed files listed in the Deployment Guide have been excluded, the client Recorder should install without a problem. If you continue to have trouble, try entering client files as "Applications to Monitor." If any applications are detected, you can then add the hash fingerprint to the list of exceptions.

When your test Recorder is operating without triggering Symantec notifications, you are ready to deploy the Veriato client across the network.

Veriato Investigator v7.7
© Veriato, Inc. All rights reserved.