Symantec Antivirus keeps its list of files/folders to exclude into the registry.
This is no doubt a good and consistent practice, however, it also weakness the server as users and administrators could unwittingly BSOD their machines.
In normal Windows machine, this weakness don’t manifest so readily, but in machines where some of the folders can contain thousands of files, this can be a problem. By itself this is not a problem, but if there is a need to, say, exclude such folders, one could accidentally selected each individual file in that folder instead of just excluding that contents of that folder.
For example, someone comes to you to get a particular FTP folder excluded. That folder contains a lot of huge files and realtime scan is slowing down their process. The files are already prescanned elsewhere so it not an issue. So you go into the SAV realtime configuration option and select that folder. The first visual will be a (+)plus with a check mark (this creates an inherited exclusion). You clicked the folder again, you saw that now its only a check mark (this creates an individual file/folder exclusion). “Hmmm… not sure which I should apply”, you think to yourself, “Should not matter too much, let’s try and see”. You hit enter and the SAV sort of freezes as it desperately tries to fill up the registry with entries of the thousand of files you just selected!
The next thing you know… Windows BSOD
Well, it sort of happened to one of the servers I worked with! It was a dumb mistake on my part because I saw how SAV wrote to the registry with file/folder exclusions, but was experimenting with exclusions on 2 volumes and clicked OK too fast before I could remove the selection on that huge ftp folder.
I think Symantec should move the exclusion list into a text file. This way, the most it will crash is SAV and the text file, not the whole Windows via writing to the registry.
Incidentally, this happened because I was investigate seemingly an issue with SAVCE10 where my folder exclusion doesn’t seem to work, SAV is still scanning the excluded folder. Found nothing on the newsgroup nor Symantec site about it so far.