I am finding that on RDSH hosts (computer-assigned appstacks, no writeable volumes), the SCEP client is not detecting anti-malware (i.e. Eicar) in real time. Scheduled scans do detect it as expected.
I have added the following to snapvol.cfg on each appstack:
# Microsoft System Center Endpoint Protection exclusions
exclude_path=\Program Files\Microsoft Security Client
exclude_path=\Program Files (x86)\Microsoft Security Client
exclude_path=\ProgramData\Microsoft\Microsoft Antimalware
exclude_process_path=\Program Files\Microsoft Security Client
exclude_process_path=\Program Files (x86)\Microsoft Security Client
exclude_process_name=MsMpEng.exe
exclude_process_name=msseces.exe
exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware
exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup
exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Security Client
On these hosts, if I assign no appstacks, real-time SCEP detection does work.
Perhaps I have added these exclusions incorrectly? I updated the appstack and assigned it to the provisioning host (which does have the AV agent installed), then modified snapvol.cfg and completed the appstack.
RDSH hosts on W2K12R2. App Volumes 2.16.
Thanks!