Excluding a certificate from scans on Windows clients
As of 14.0.1, you can add exceptions for individual certificates to prevent the files that they sign from being scanned and detected as suspicious. For example, a tool that your company developed internally may use a self-signed certificate. Excluding this certificate from scans prevents Auto-Protect, Download Insight, SONAR, or other scans from detecting the files that it signs as suspicious.
The certificate exclusion supports the X.509 and base64 certificate types only. When you add a certificate exception, you need a copy of the public certificate in a DER or base64 encoded file (.cer).
Certificate exclusions are not supported for the following items:
- Memory Exploit Mitigation
- Proactive Threat Protection system change events
- Tamper Protection
- Certificate-signed files within a compressed file
The excluded certificate does not have to be installed in the certificate store on the client computer in order for the exclusion to work. In the case of a conflict between a certificate exception and a deny list rule, the deny list rule takes precedence.
You can only add a certificate exception through the Symantec Endpoint Protection Manager policy, not through the Symantec Endpoint Protection client interface settings.
You can only add a certificate exception in Symantec Endpoint Protection Manager if it is unenrolled from the cloud console. If Symantec Endpoint Protection Manager is enrolled, use the cloud console to add or manage a certificate exception.
To exclude a certificate from scans on Windows clients:
- On the Exceptions Policy page, click Exceptions.
- Under Exceptions, click Add > Windows Exceptions > Certificate. If Symantec Endpoint Protection Manager is enrolled in the cloud console, this option does not appear. Instead, add certificate exceptions in the cloud console.
- Under Certificate File, click Browse to navigate to the certificate that you want to exclude, and then click OK.
- Confirm that the values under Certificate Information are correct for the certificate that you want to exclude, and then click OK. To create exceptions for more than one certificate, repeat the procedure.
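One way to produce the DER-encoded .cer file and collect values to compare in the confirmation step, as an added example that is not part of the Symantec documentation. The function name `Export-SignerCertificate` and both paths in the usage comment are hypothetical, and the page does not list which fields Certificate Information displays, so the fields printed here are an assumption.

```powershell
# Added example (not from the product documentation).
# Exports the public signing certificate of an Authenticode-signed file
# as a DER-encoded .cer and prints its identifying values.
function Export-SignerCertificate {
    param(
        [Parameter(Mandatory)] [string] $SignedFile,  # signed binary to inspect
        [Parameter(Mandatory)] [string] $CerPath      # where to write the .cer
    )

    # Read the Authenticode signature and take the signer's certificate.
    $sig = Get-AuthenticodeSignature -FilePath $SignedFile
    if (-not $sig.SignerCertificate) {
        throw "No signer certificate on $SignedFile (status: $($sig.Status))"
    }
    $cert = $sig.SignerCertificate

    # -Type CERT writes the public certificate only, DER encoded.
    Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null

    # Re-read the file to confirm it parses as X.509 and matches the signer.
    $exported = New-Object `
        System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $CerPath
    if ($exported.Thumbprint -ne $cert.Thumbprint) {
        throw 'Exported file does not match the signer certificate.'
    }

    # Values to check before confirming the exception.
    [pscustomobject]@{
        Subject         = $exported.Subject
        Issuer          = $exported.Issuer
        SerialNumber    = $exported.SerialNumber
        Thumbprint      = $exported.Thumbprint      # SHA-1 of the DER bytes
        NotBefore       = $exported.NotBefore
        NotAfter        = $exported.NotAfter
        SelfSigned      = ($exported.Subject -eq $exported.Issuer)
        SignatureStatus = $sig.Status
    }
}

# Usage (hypothetical paths):
# Export-SignerCertificate -SignedFile 'C:\Tools\InternalTool.exe' `
#     -CerPath 'C:\Temp\InternalTool-signer.cer' | Format-List
```

A self-signed certificate that is not in the local trust store reports a SignatureStatus other than Valid; the export still succeeds, which is consistent with the statement above that the excluded certificate does not have to be installed in the certificate store.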