Hi,
When a centralized exception (extension) is added in SEPM with action 'ignore' should SEP on clients skip scanning the filetype altogether or simply ignore alerts if a file is infected?
We've specified a centralized exception for the extension 'DAT' on our networks. Looking at a client computer registry I can see the rule is present yet strangely when doing any AV scan RTVScan.exe also opens all users ntuser.dat. By any AV scan I actually mean it, if I scan 'C:\temp' folder (which contains only 1 desktop.ini) sysinternals process monitor shows RTVScan accessing the profilelist registry key and then scanning all user ntuser.dat's.
There's a wider issue this is causing on our networks related to corrupt profiles. Like all windows networks with roaming profiles we occasionally get profile corruptions; and if particularly bad windows attempts to recover the ntuser.dat on the client machine, a process which is often accompanied by an event viewer entry:
EventID: 5
{Registry Hive Recovered} Registry hive (file): '\??\C:\Users\UserAccount\ntuser.dat' was corrupted and it has been recovered. Some data might have been lost.
We resolve these corruptions by resetting/restoring a users network ntuser.dat back to default. In most cases after restoring ntuser.dat the user will then successfully log on as windows can see the network profile is newer than the local corrupted profile on the machine. What we're finding is that when RTVScan accesses the ntuser.dat on local machines it triggers windows to rebuild these corrupt profiles again which in turn updates the modified date on them. On next logon the locally cached copy is seen as newer and is used instead of the fresh network copy. As an AV scan is triggered each time new definitions are loaded these profiles can be rebuilt multiple times throughout the day making it hard to stay on top of corruptions, especially as windows aged profile deletion will never see them as being old enough to remove.
SEPM Version: 11.0.6100.645
Client SEP Version: 11.0.6100.645
Thank you in advance for any help with this matter.
Andrew