Scanning reparse points

Next in our series: how to enable scanning of reparse points, the NTFS mechanism that junctions and volume mount points are built on.

(For more information about what exactly reparse points, junctions and mount points are, see https://msdn.microsoft.com/en-us/library/aa365006(VS.85).aspx and https://msdn.microsoft.com/en-us/library/aa365503(VS.85).aspx)

Out of the box, FCS does not scan reparse points. However, there is a registry value that you can add to your environment to control this behavior. As in the first post of this series (https://blogs.technet.com/clientsecurity/archive/2010/01/29/scanning-removable-drives.aspx), you must use either an ADM file via Group Policy or a .reg file to add the key.

Some important notes about this setting:

· The FCS custom scan interface honors this setting. That is, if you have added this key and set it to 1 (or the setting is missing), the custom scan interface does not even display the mount points.

· You should test this setting before deploying it in your organization. It is possible for junctions to link back to themselves, or to one of their own parent directories, in a circular fashion. If such junctions exist in your environment, you may see scans that never finish, or never complete successfully, after enabling this setting.

The value is named DisableReparsePointScanning (a DWORD) and has two meaningful settings:

· Missing or 1: Reparse points are not included in full scans. This is the default.

· 0 (zero): Reparse points are included in full scans.
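Before flipping the value to 0, it is worth checking two things from a PowerShell prompt: what the effective state currently is, given the inverted semantics above, and whether any junction under the volumes FCS scans points back at itself or at one of its own ancestors, which is the loop pattern that makes a recursive scan never finish. The script below is an added example, not code from the original post or from the FCS product team. It assumes Windows PowerShell 5.1 or later, an elevated prompt so every directory is readable, and it builds a small lab directory under %TEMP% with a deliberately circular junction so you can see what the audit reports; the lab paths and the MaxHops bound are the author's choices, not anything from FCS.

```powershell
# Added example, not code from the original post or from the FCS product team.
# Purpose: report the effective DisableReparsePointScanning state using the
# semantics above (0 = scanned, 1 or missing = not scanned), and audit scan roots
# for junctions that loop back on themselves before you set the value to 0.
# Assumptions: Windows PowerShell 5.1 or later on NTFS; run elevated so every
# directory is readable; the lab directory under $env:TEMP is constructed here
# purely to demonstrate what a circular junction looks like to the audit.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan'

function Get-ReparsePointScanningState {
    $item  = Get-ItemProperty -Path $PolicyKey -Name DisableReparsePointScanning -ErrorAction SilentlyContinue
    $value = if ($item) { $item.DisableReparsePointScanning } else { $null }
    if ($null -eq $value) { return 'Reparse points NOT scanned (value missing; this is the default)' }
    if ($value -eq 1)     { return 'Reparse points NOT scanned (value is 1)' }
    if ($value -eq 0)     { return 'Reparse points scanned (value is 0)' }
    return "Unexpected DisableReparsePointScanning value: $value"
}

function Get-DirectoryReparsePoints {
    param([string]$Root)
    # Walk the tree iteratively and never descend into a reparse point, so the
    # audit itself cannot be trapped by the loop it is looking for.
    $pending = New-Object 'System.Collections.Generic.Stack[System.IO.DirectoryInfo]'
    $pending.Push((Get-Item -LiteralPath $Root -Force))
    while ($pending.Count -gt 0) {
        $dir = $pending.Pop()
        try { $children = @($dir.EnumerateDirectories()) } catch { continue }  # access denied etc.
        foreach ($child in $children) {
            if (($child.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
                $child            # junction, volume mount point or directory symlink
            } else {
                $pending.Push($child)
            }
        }
    }
}

function Resolve-ReparseTarget {
    param([System.IO.DirectoryInfo]$Link)
    # Windows PowerShell 5.1 exposes .Target as string[], PowerShell 7 as string;
    # take the first entry and strip a \??\ prefix if the raw form is returned.
    $t = @($Link.Target)[0]
    if (-not $t) { return $null }
    return (([string]$t) -replace '^\\\?\?\\', '').TrimEnd('\')
}

function Find-CircularReparsePoints {
    param([string[]]$Roots, [int]$MaxHops = 16)
    foreach ($root in $Roots) {
        foreach ($link in Get-DirectoryReparsePoints -Root $root) {
            $linkPath = $link.FullName.TrimEnd('\')
            $target   = Resolve-ReparseTarget $link
            $circular = $false
            # Case 1: the target is the link itself or one of its ancestors. A scanner
            # that follows the link re-enters the same subtree and never finishes.
            if ($target -and ($linkPath -ieq $target -or
                $linkPath.StartsWith("$target\", [StringComparison]::OrdinalIgnoreCase))) {
                $circular = $true
            }
            # Case 2: a chain of links that leads back here (A -> B -> A), bounded by $MaxHops.
            $hop = $target; $seen = @{}
            for ($i = 0; $hop -and -not $circular -and $i -lt $MaxHops; $i++) {
                if ($seen.ContainsKey($hop) -or $hop -ieq $linkPath) { $circular = $true; break }
                $seen[$hop] = $true
                $next = Get-Item -LiteralPath $hop -Force -ErrorAction SilentlyContinue
                if (-not $next -or ($next.Attributes -band [IO.FileAttributes]::ReparsePoint) -eq 0) { break }
                $hop = Resolve-ReparseTarget $next
            }
            [pscustomobject]@{ Link = $linkPath; Target = $target; Circular = $circular }
        }
    }
}

# --- Demonstration on a constructed loop: lab\a\b\loop -> lab\a ---
$lab = Join-Path $env:TEMP 'fcs-reparse-lab'
New-Item -ItemType Directory -Path "$lab\a\b" -Force | Out-Null
New-Item -ItemType Junction  -Path "$lab\a\b\loop" -Target "$lab\a" | Out-Null
try {
    Get-ReparsePointScanningState
    Find-CircularReparsePoints -Roots @($lab) | Format-Table -AutoSize   # ...\loop reports Circular = True
} finally {
    [IO.Directory]::Delete("$lab\a\b\loop")          # removes the junction only, never its target
    Remove-Item -LiteralPath $lab -Recurse -Force
}

# For a real audit, point it at the roots FCS scans, e.g.:
# Find-CircularReparsePoints -Roots @('C:\') | Where-Object Circular | Format-Table -AutoSize
```

The walker deliberately records reparse points without descending into them; following them is exactly what the scanner will do once the value is 0, and the audit should not hang for the same reason. Anything reported with Circular = True should be fixed or excluded before the setting is rolled out.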

For the ADM file, start Notepad, and then copy and paste the following text into the Notepad file:

CLASS MACHINE

CATEGORY !!FCSCategory
    POLICY !!ReparsePointScanning_Name
        KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan"
        EXPLAIN !!ReparsePointScanning_Explain
        ;; Note that instead of disabling a disable we flip-flop the logic to make it proactive:
        ;; "Enabled" in the Group Policy editor writes 0, "Disabled" writes 1,
        ;; and "Not Configured" leaves the value absent (the default, not scanned).
        VALUENAME DisableReparsePointScanning
        VALUEON NUMERIC 0
        VALUEOFF NUMERIC 1
    END POLICY
END CATEGORY

[strings]
FCSCategory="Microsoft Forefront Client Security"
ReparsePointScanning_Name="Enable reparse point scanning"
ReparsePointScanning_Explain="This setting instructs the FCS antimalware client to scan reparse points during full scans."

Save the file with an .adm extension, making sure to choose All Files (*.*) as the file type so that Notepad does not append .txt (the KB article suggests naming the file after the KB ID number; for this setting you could use ReparsePoint.adm as the file name), and then use Group Policy to deploy the new setting, as described in Option 1, step 2, in the KB article.

If you want to deploy the DisableReparsePointScanning key via a .reg file, follow the steps described in Option 2 in the KB article, substituting the following registry information for step 4 (the first line is the standard .reg file header, which Regedit requires in order to import the file):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan]
"DisableReparsePointScanning"=dword:00000000