Document ID:2005060614225348 Last Modified:11/14/2005

Creating exceptions to security risk scanning in Symantec AntiVirus 10.x and Symantec Client Security 3.x

Situation:

You need to know how to prevent Symantec Client Security 3.x or Symantec AntiVirus 10.x from scanning for specific security risks.

Solution:
Follow the directions for each type of computer in your environment.
Click an icon to either expand ( ) or collapse ( ) each section. (If you cannot expand a section, then read the document Cannot expand sections in a Symantec Knowledge Base document.)

Servers

Servers
Follow all of the steps in this section to make sure that Symantec AntiVirus does not quarantine or delete components of a specific security risk.

To prevent Auto-Protect from detecting a security risk

1. Start Symantec System Center.
2. Unlock the server group.
3. Right-click the server group, and then click All Tasks > Symantec AntiVirus > Server Auto-Protect Options.
4. Click Actions.
5. In the left pane, click the type of security risk.
6. On the Exceptions tab, click Add.
7. In the left pane, find and click the name of the security risk.
8. Click the >> button.
   The security risk entry moves to the right pane.
9. Click Next.
10. In the First Action drop-down list, click Exclude.
11. Click Finish.
12. Click OK, and then click OK again.

To prevent a scheduled scan from detecting a security risk

1. Start Symantec System Center.
2. Unlock the server group.
3. Right-click the server, and then click All Tasks > Symantec AntiVirus > Scheduled Scans.
4. On the Server Scans tab, select an existing scan, and then click Edit.
5. Click Scan Settings.
6. Select the drives and folders to scan.
7. Click Options.
8. Click Actions.
9. In the left pane, click the type of security risk.
10. On the Exceptions tab, click Add.
11. In the left pane, find and click the name of the security risk.
12. Click the >> button.
    The security risk entry moves to the right pane.
13. Click Next.
14. In the First Action drop-down list, click Leave alone (log only).
15. Click Finish.
16. Repeat steps 3-15 for all of the server's scheduled scans.

WARNING: A common mistake is to set exceptions for Scheduled Scans, but to forget to set exceptions for manual scans and virus sweeps. You must set exceptions for all on-demand scans.
 

After you update virus definitions, Symantec AntiVirus Corporate Edition 10.0 runs a Defwatch Quick Scan. Symantec AntiVirus quarantines security risks for which you created an exception during this Quick Scan. To fix this problem, disable the Defwatch Quick Scan.

To disable the Defwatch Quick Scan

• Download and import the DefwatchQSOff.reg file.

Managed clients

Managed clients
To ensure that Symantec AntiVirus does not quarantine or delete components of a specific security risk, follow all of the steps in this section that apply to your version of Symantec AntiVirus.
 

Note: You cannot perform these steps for managed clients whose parent server runs NetWare. To work around the problem, use a computer that runs Windows as the parent server, or configure exceptions directly on the managed clients.
 

To prevent Auto-Protect from detecting a security risk

1. Start Symantec System Center.
2. Unlock the server group.
3. Right-click a server, a server group, or a client group, and then click All Tasks > Symantec AntiVirus > Client Auto-Protect Options.
4. Click Actions.
5. In the left pane, click the type of security risk.
6. On the Exceptions tab, click Add.
7. In the left pane, find and click the name of the security risk.
8. Click the >> button.
   The security risk entry moves to the right pane.
9. Click Next.
10. In the First Action drop-down list, click Exclude.
11. Click Finish.
12. On the Actions tab, check Override actions configured for Security Risks, and then click the lock icon so that it appears as locked.
13. Click OK.
14. Click Reset All.
15. Click OK.

To prevent a scheduled scan from detecting a security risk

1. Start Symantec System Center.
2. Unlock the server group.
3. Right-click the parent server or client group, and then click All Tasks > Symantec AntiVirus > Scheduled Scans.
4. On the Client Scans or Client Group Scans tab, click an existing scan to select it, and then click Edit.
5. Click Scan Settings.
6. Select the drives and folders to scan.
7. Click Options.
8. Click Actions.
9. In the left pane, click the type of security risk.
10. On the Exceptions tab, click Add.
11. In the left pane, find and click the name of the security risk.
12. Click the >> button.
    The security risk entry moves to the right pane.
13. Click Next.
14. In the First Action drop-down list, click Leave alone (log only).
15. Click Finish.
16. Repeat steps 3-15 for all scheduled scans.

WARNING: A common mistake is to set exceptions for Scheduled Scans, but to forget to set exceptions for manual scans and virus sweeps. You must set exceptions for all on-demand scans.
 

To disable the startup Quick Scan in Symantec AntiVirus 10.0.1 or later

1. Start Symantec System Center.
2. Unlock the server group.
3. Right-click a server group, a client group, or a server, and then click All Tasks > Symantec AntiVirus > Client Administrator Only Options.
4. On the General tab, under Scan Options, uncheck Run startup scan(s) when user logs in.
5. Click OK.

To remove the startup Quick Scan on Symantec AntiVirus 10.0.0 clients

• Stop any scans that are running, and then download and import the RemoveStartScan.reg file.

Notes:
Using the RemoveStartScan.reg file on a Symantec AntiVirus client removes all user-created scans. After users import the registry file, they must re-create any scans that they created.
This file works only for the user that is currently logged on. On computers that have more than one user, each user must log on and import the file.
 

After you update virus definitions, Symantec AntiVirus Corporate Edition 10.0 runs a Defwatch Quick Scan. Symantec AntiVirus quarantines security risks for which you created an exception during this Quick Scan. To fix this problem, disable the Defwatch Quick Scan.

To disable the Defwatch Quick Scan

• Download and import the DefwatchQSOff.reg file.

Unmanaged clients

Unmanaged clients
Follow all of the steps in this section to make sure that Symantec AntiVirus does not quarantine or delete components of a specific security risk.

To prevent Auto-Protect from detecting a security risk

1. On the Windows taskbar, click Start > Programs > Symantec Client Security > Symantec AntiVirus.
2. Click Configure > File System Auto-Protect.
3. Click Actions.
4. In the left pane, click the type of security risk.
5. On the Exceptions tab, click Add.
6. In the left pane, find and click the name of the security risk.
7. Click the >> button.
   The security risk entry moves to the right pane.
8. Click Next.
9. In the First Action drop-down list, click Exclude.
10. Click Finish.
11. Click OK, and then click OK again.

To prevent a scheduled scan from detecting a security risk

1. On the Windows taskbar, click Start > Programs > Symantec Client Security > Symantec AntiVirus.
2. In the left pane, expand Scheduled Scans, and then click an existing scan to select it.
3. In the right pane, click Edit.
4. Click Options.
5. Click Actions.
6. In the left pane, click the type of security risk.
7. On the Exceptions tab, click Add.
8. In the left pane, find and click the name of the security risk.
9. Click the >> button.
   The security risk entry moves to the right pane.
10. Click Next.
11. In the First Action drop-down list, click Leave alone (log only).
12. Click Finish.
13. Repeat steps 3-12 for all scheduled scans.

WARNING: A common mistake is to set exceptions for Scheduled Scans, but to forget to set exceptions for manual scans. You must set exceptions for all on-demand scans.
 

To remove the startup Quick Scan on Symantec AntiVirus clients

• Stop any scans that are running, and then download and import the RemoveStartScan.reg file.

Notes:
Using the RemoveStartScan.reg file on a Symantec AntiVirus client removes all user-created scans. After users import the registry file, they must re-create any scans that they created.
This file works only for the user that is currently logged on. On computers that have more than one user, each user must log on and import the file.
 

After you update virus definitions, Symantec AntiVirus Corporate Edition 10.0 runs a Defwatch Quick Scan. Symantec AntiVirus quarantines Security Risks for which you created an Exception during this Quick Scan. To fix this problem, disable the Defwatch Quick Scan.

To disable the Defwatch Quick Scan

• Download and import the DefwatchQSOff.reg file.

Restoring quarantined files by using Symantec System Center
After you prevent Auto-Protect from detecting the security risk, you can restore the files by using Symantec System Center. Follow the directions for the type of computer in your environment. To restore quarantined files on managed clients, you must first enable configuration of individual clients in Symantec System Center.

To enable configuration of individual clients in Symantec System Center

1. In Symantec System Center, on the Tools menu, click SSC Console Options.
2. On the Client Display tab, check Allow direct configuration of individual clients.
3. Click OK.

To restore quarantined files on a managed client by using Symantec System Center

1. In Symantec System Center, click the client's parent server.
2. In the right pane, right-click the client, and then click All Tasks > Symantec AntiVirus > Logs > Threat History.
3. In the Threat History pane, right-click the quarantined file that you want to restore, and then click Undo Action Taken.
4. In the Take Action window, click Start Undo.

Note: Other configuration actions should not be performed at the client level in Symantec System Center. Perform other configuration actions at the server group, parent server, or client group level.
 

To restore quarantined files on a server by using Symantec System Center

1. In Symantec System Center, right-click the server, and then click All Tasks > Symantec AntiVirus > Logs > Threat History.
2. In the Threat History pane, right-click the quarantined file that you want to restore, and then click Undo Action Taken.
3. In the Take Action window, click Start Undo.

Technical Information:
Preventing the creation of the startup Quick Scan before you install Symantec AntiVirus 10.0.0 clients
Before you install or migrate managed clients, download and import the PreventStartScan.reg file onto each client. This file works only for the user that is currently logged on. On computers that have more than one user, each user must log on and import the file. In Symantec AntiVirus 10.0.1 and later, the startup Quick Scan is disabled by default.



References:
For information about types of security risks, see the Symantec Web site.


 

Product(s): Symantec AntiVirus Corporate Edition 10.0, Symantec Client Security 3.0, Symantec AntiVirus 10.1, Symantec Client Security 3.1
Operating System(s): Windows 2000, Windows XP Home, Windows XP Professional Edition, Windows XP Tablet PC, NetWare 5.1, NetWare 6.0, NetWare 6.5, Windows XP 64-Bit Edition 2003, Windows Server 2003 32-bit Edition, Windows Server 2003 64-bit Edition, Windows XP Media Center Edition 2005
Date Created: 06/06/2005