VMware Horizon Community
LJMCP
Enthusiast

App Volumes and Microsoft Endpoint Protection

I am finding that on RDSH hosts (computer assigned appstacks, no writeable volumes), the SCEP client is not detecting anti-malware (i.e. EICAR) in real-time. Scheduled scans do detect it as expected.

I have added the following to snapvol.cfg on each appstack:

# Microsoft System Center Endpoint Protection exclusions

exclude_path=\Program Files\Microsoft Security Client

exclude_path=\Program Files (x86)\Microsoft Security Client

exclude_path=\ProgramData\Microsoft\Microsoft Antimalware

exclude_process_path=\Program Files\Microsoft Security Client

exclude_process_path=\Program Files (x86)\Microsoft Security Client

exclude_process_name=MsMpEng.exe

exclude_process_name=msseces.exe

exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware

exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup

exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Security Client

On these hosts, if I assign no appstacks, real-time SCEP detection does work.

Perhaps I have added these exclusions incorrectly? I updated the appstack and assigned to the provisioning host (does have AV agent installed), then modified snapvol.cfg and completed the appstack.

RDSH hosts on W2K12R2.  App Volumes 2.16.

Thanks!
