Is "ntuser.dat" and/or "ntuser.*" the entire exclusion? You don't have any path on it?
Where did you specify the exclusion? In the On-Access Scan (OAS), or On-Demand Scan (ODS)? You want it in the OAS exclusions.
Is the exclusion showing up in the ENS client? One thing I found is that the "exclusions" that are shown by default are the ODS scan exclusions; to see the OAS scan exclusions, you need to click "Show Advanced".
Microsoft has a good article giving general recommendations for A/V exclusions here: https://support.microsoft.com/en-au/help/822158/virus-scanning-recommendations-for-enterprise-computers-that-are-running…
PS: You didn't mention, but I presume you're using ePO to manage your ENS?
ntuser.*. In ENS it shows up as **\ntuser,*
Specified as an OAS exclusion.
Managing the product via ENS. Will check the Microsoft article and see if any of that helps.
You may consider %allusersprofile%\ntuser.pol. The more specific you can be with the exclusion, the less overhead is placed on OAS.
tao Had a support call logged recently about some OAS exclusions not applying correctly. While speaking to the rep, they told me environment variables in those exclusions can cause problems, so better to use the path instead. Re-reading the document (which I originally read to say system environment vars were fine), it specifically mentions environment variables only in the Access Protection section, not the On-Access Scan section.
And that Microsoft article gives paths, although most of them are using environment vars. You'll have to translate them to full paths, and keep in mind that in WinXP, some of them differ slightly from those in newer operating systems.
johnmoe - spot on :-)
- System Environmental Variables such as %SystemRoot% can be used in exclusions. User Environmental Variables such as %UserProfile% cannot because the On‑Access scanner runs under the Windows Local System account.
tao Yeah, read that article, but that's about VSE and MOVE, not ENS. I would have thought a newer product could do everything the old product could and then some, but the support rep and documentation say otherwise. :-S
But now I'm really curious, and tempted to do an environment variable exclusion using EICAR and see if it picks it up or not.