
How to Configure Scan Exclusions in SEP for Linux


With the release of 12.1.5337.5003, the Linux client can be managed from the Symantec Endpoint Protection Manager (SEPM). However, some folder exclusions still have to be configured from the command line (e.g. /sys and /proc). TECH95274 describes the process for the older SAV for Linux client, but the same process applies to SEP for Linux. Below is a walkthrough of setting the exclusions typically recommended for system performance. Keep the list to pseudo-filesystems such as /proc and /sys: every directory you exclude is a place the scanner will no longer look.

Note: Superuser privileges are required to make the following changes.

Basics of symcfg:

  1. symcfg is the command-line utility used to interact with the SAVFL/SEPFL "registry" (the client's configuration database).
  2. Include the SAV directory in your session $PATH variable:
    • export PATH=$PATH:/opt/Symantec/symantec_antivirus/

  3. Run the symcfg command:
    • symcfg

    • if not included in $PATH: /opt/Symantec/symantec_antivirus/symcfg

  4. Run without arguments, it prints the available options and commands for symcfg.

    [screenshot: symcfg usage output (symcfg_comm.png)]

  5. From this we can see the expected usage is as follows:
    • symcfg [OPTIONS] <COMMAND>

    • For example: symcfg -r list shows the entire "registry" used by SAV/SEP for Linux

  6. With the above, we can start setting the exclusions.

Exclude Directories:

  1. By default, the SEP for Linux client does not have directory exclusions for Manual Scan, Real Time Scan, or Scheduled Scan types.
  2. To enable the exclusions for these scan types, we need to add the entries into the "registry" with symcfg as follows:
    • symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan' -v HaveExceptionDirs -d 1 -t REG_DWORD
       
    • symcfg add -k '\Symantec Endpoint Protection\AV\LocalScans\ManualScan' -v HaveExceptionDirs -d 1 -t REG_DWORD
       
    • symcfg add -k '\Symantec Endpoint Protection\AV\Custom Tasks\<scheduled scan name>' -v HaveExceptionDirs -d 1 -t REG_DWORD

      Replace <scheduled scan name> with the name of your Scheduled Scan (e.g. Weekly Scheduled Scan).
      For HaveExceptionDirs, "-d 1" simply turns the flag on. It is on the NoScanDir entries in step 3 that the data value matters: "-d 1" excludes the directory and its sub-directories, "-d 0" excludes only the directory itself.
      Pay close attention to the '\', spaces, casing, etc. The key names must match exactly, and the single quotes keep the shell from interpreting the backslashes.

       

  3. Now that we have enabled the scan types to allow exceptions, we need to add the folders to exclude from each scan type
    • symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir' -v /proc -d 1 -t REG_DWORD
       
    • symcfg add -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir' -v /sys -d 1 -t REG_DWORD
       
    • symcfg add -k '\Symantec Endpoint Protection\AV\LocalScans\ManualScan\NoScanDir' -v /proc -d 1 -t REG_DWORD
    • symcfg add -k '\Symantec Endpoint Protection\AV\LocalScans\ManualScan\NoScanDir' -v /sys -d 1 -t REG_DWORD
       
    • symcfg add -k '\Symantec Endpoint Protection\AV\Custom Tasks\<scheduled scan name>\NoScanDir' -v /proc -d 1 -t REG_DWORD
       
    • symcfg add -k '\Symantec Endpoint Protection\AV\Custom Tasks\<scheduled scan name>\NoScanDir' -v /sys -d 1 -t REG_DWORD

      Note what changed from step 2: each key gains a trailing \NoScanDir, and the value name (-v) is now the directory to exclude rather than HaveExceptionDirs.
      You must specify directory exclusions using full paths with a leading slash.
       

  4. We can verify that these entries are in place via the following command:
    • symcfg -r list | grep 'proc\|sys'

      [screenshot: grep output (grep-output.png)]

      This greps (searches) the registry listing for any lines that include proc or sys. (The '\|' alternation is a GNU grep extension; on other greps use -e proc -e sys.)
      In the screenshot above, note that I made a mistake on the third line from the bottom; the point of this check is to catch exactly that kind of typo before relying on the exclusion.
       

Removing Directory Exclusions:

  1. If you ever need to remove an excluded directory, you can do so via the following command:
    • symcfg delete -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir' -v /sys
       
    • symcfg delete -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir' -v /proc

      The example above would remove /sys and /proc from being excluded for RealTimeScans (Auto Protect)
       

  2. If you need to remove all folder exclusions for a scan type, delete the whole NoScanDir key with the following commands (the HaveExceptionDirs flag on the parent key is left in place):
    • symcfg delete -k '\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan\NoScanDir'
       
    • symcfg delete -k '\Symantec Endpoint Protection\AV\LocalScans\ManualScan\NoScanDir'
       
    • symcfg delete -k '\Symantec Endpoint Protection\AV\Custom Tasks\<scheduled scan name>\NoScanDir'
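The whole procedure above (enable exceptions, add /proc and /sys to each scan type, verify, and remove again) as one script. This is an added example, not code from the Symantec article: the key paths and symcfg invocations are the ones the article gives, while `SCHEDULED_SCAN_NAME`, `DRY_RUN`, the function names and the installation directory are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the Symantec article: the symcfg steps above
# wrapped in functions so the same exclusions are applied consistently to the
# Real Time Scan, Manual Scan and a named scheduled scan, and can be removed
# again. Assumes symcfg at /opt/Symantec/symantec_antivirus (as on the page).
# SCHEDULED_SCAN_NAME and DRY_RUN are this script's own variables.
# Run as root to change the real registry.

SYMCFG_DIR=/opt/Symantec/symantec_antivirus
SCHEDULED_SCAN_NAME="${SCHEDULED_SCAN_NAME:-Weekly Scheduled Scan}"

# DRY_RUN=1 prints each symcfg command instead of executing it. It is forced on
# when symcfg is not installed, so the script can be exercised on any box.
if [ -x "$SYMCFG_DIR/symcfg" ]; then
    DRY_RUN="${DRY_RUN:-0}"
else
    DRY_RUN=1
fi

# Registry keys for the three scan types, spelled exactly as in the article.
# Single quotes keep the shell from touching the backslashes.
RT_KEY='\Symantec Endpoint Protection\AV\Storages\FileSystem\RealTimeScan'
MS_KEY='\Symantec Endpoint Protection\AV\LocalScans\ManualScan'
SS_KEY="\\Symantec Endpoint Protection\\AV\\Custom Tasks\\$SCHEDULED_SCAN_NAME"

# Execute symcfg with the given arguments, or print the command line (each
# argument single-quoted) when dry-running.
run_symcfg() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'symcfg'
        for _arg in "$@"; do printf " '%s'" "$_arg"; done
        printf '\n'
    else
        "$SYMCFG_DIR/symcfg" "$@"
    fi
}

# The client requires full paths with a leading slash; refuse anything else
# before it lands in the registry as a silently ineffective exclusion.
check_abs_path() {
    case "$1" in
        /*) return 0 ;;
        *)  echo "error: '$1' is not an absolute path" >&2; return 1 ;;
    esac
}

# Step 2: allow directory exceptions for the scan type rooted at $1.
enable_exception_dirs() {
    run_symcfg add -k "$1" -v HaveExceptionDirs -d 1 -t REG_DWORD
}

# Step 3: exclude directory $2 under scan key $1. Data 1 (the default here)
# also excludes sub-directories; data 0 excludes only the directory itself.
add_noscan_dir() {
    _key="$1"; _dir="$2"; _recurse="${3:-1}"
    check_abs_path "$_dir" || return 1
    run_symcfg add -k "$_key\\NoScanDir" -v "$_dir" -d "$_recurse" -t REG_DWORD
}

# Removal, as in the last section: one directory, or the whole NoScanDir key.
remove_noscan_dir() {
    run_symcfg delete -k "$1\\NoScanDir" -v "$2"
}
remove_all_noscan_dirs() {
    run_symcfg delete -k "$1\\NoScanDir"
}

# Apply /proc and /sys to every scan type (9 symcfg calls in total).
apply_default_exclusions() {
    for _scan in "$RT_KEY" "$MS_KEY" "$SS_KEY"; do
        enable_exception_dirs "$_scan" || return 1
        for _d in /proc /sys; do
            add_noscan_dir "$_scan" "$_d" 1 || return 1
        done
    done
}

# Step 4: list the registry and keep only the exclusion-related entries.
verify_exclusions() {
    if [ "$DRY_RUN" = 1 ]; then
        run_symcfg -r list
    else
        "$SYMCFG_DIR/symcfg" -r list | grep -e NoScanDir -e HaveExceptionDirs
    fi
}

apply_default_exclusions && verify_exclusions
```

Run it once with DRY_RUN=1 to review the nine commands it will issue (backslashes, spaces and casing included), then as root without it. The verification grep filters on the key and value names rather than on "proc" and "sys", so unrelated registry entries that happen to contain those substrings do not clutter the output.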
