Excluding a certificate from scans on Windows clients

As of 14.0.1, you can add exceptions for individual certificates to prevent the files that they sign from being scanned and detected as suspicious. For example, a tool that your company developed internally may use a self-signed certificate. Excluding this certificate from scans prevents Auto-Protect, Download Insight, SONAR, or other scans from detecting the files that it signs as suspicious.
The certificate exclusion supports the X.509 and base64 certificate types only. When you add a certificate exception, you need a copy of the public certificate in a DER or base64 encoded file (.cer).
Certificate exclusions are not supported for the following items:
  • Memory Exploit Mitigation
  • Proactive Threat Protection system change events
  • Tamper Protection
  • Certificate-signed files within a compressed file
The excluded certificate does not have to be installed in the certificate store on the client computer in order for the exclusion to work. In the case of a conflict between a certificate exception and a deny list rule, the deny list rule takes precedence.
You can only add a certificate exception through the Symantec Endpoint Protection Manager policy, not through the Symantec Endpoint Protection client interface settings.
You can only add a certificate exception in Symantec Endpoint Protection Manager if it is unenrolled from the cloud console. If Symantec Endpoint Protection Manager is enrolled, use the cloud console to add or manage a certificate exception.
To exclude a certificate from scans on Windows clients
  1. On the Exceptions Policy page, click Exceptions.
  2. Under Exceptions, click Add > Windows Exceptions > Certificate.
    If Symantec Endpoint Protection Manager is enrolled in the cloud console, this option does not appear. Instead, add certificate exceptions in the cloud console.
  3. Under Certificate File, click Browse to navigate to the certificate that you want to exclude, and then click OK.
  4. Confirm that the values under Certificate Information are correct for the certificate that you want to exclude, and then click OK.
    To create exceptions for more than one certificate, repeat the procedure.
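
Before browsing to the file, it helps to confirm that it really is a single public certificate in DER or base64 form and to record its identifying values for comparison with what the console shows under Certificate Information. The following PowerShell script is an added example, not Symantec code; the file path is a hypothetical placeholder, and because this page does not list the fields the console displays, the output fields are an assumption about what is useful to compare.

```powershell
# Added example, not Symantec code. Inspects a certificate file before it is
# selected under Certificate File in the exception dialog.
param(
    [string]$Path = 'C:\Temp\internal-tool.cer'   # hypothetical path
)

$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$full = (Resolve-Path -LiteralPath $Path).ProviderPath

# Reject anything that is not a single public certificate, for example a
# PFX (which can carry a private key) or a PKCS#7 bundle.
$type = $x509::GetCertContentType($full)
if ($type -ne 'Cert') {
    throw "Expected a public certificate, found content type '$type'."
}

# DER starts with the ASN.1 SEQUENCE tag 0x30; otherwise the file is base64 text.
$bytes    = [System.IO.File]::ReadAllBytes($full)
$encoding = if ($bytes[0] -eq 0x30) { 'DER' } else { 'base64' }

$cert = $x509::new($full)

# SHA-256 fingerprint over the DER bytes; Thumbprint below is the SHA-1 value.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
try {
    $fp256 = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
} finally {
    $sha256.Dispose()
}

[pscustomobject]@{
    File         = $full
    Encoding     = $encoding
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    SerialNumber = $cert.SerialNumber
    Thumbprint   = $cert.Thumbprint
    SHA256       = $fp256
    NotBefore    = $cert.NotBefore
    NotAfter     = $cert.NotAfter
    SelfSigned   = ($cert.Subject -eq $cert.Issuer)   # name comparison only
    Expired      = ((Get-Date) -gt $cert.NotAfter)
} | Format-List
```

Because the exclusion applies to every file the certificate signs, keep the recorded thumbprint with the change record so the exception can later be traced back to the exact certificate.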