Understanding how Forefront Client Security responds to potentially unwanted software

Analysts at the Microsoft Malware Protection Center (MMPC) apply objective criteria to software to determine if it should be classified as malicious or potentially unwanted. When software is classified as malicious or potentially unwanted, Microsoft adds it to a definition library used by Client Security during scans. Once the software is added to the definition…


Miscellaneous Real Time agent keys

The final installment in our series on registry keys for FCS is a big one – there are a lot of registry keys that can be used to control the behavior of the FCS real-time protection agent. The following tables describe the keys (these are in addition to the ones described here and here, in…


Scanning email archives

Continuing in the registry key series, let’s talk about DisableEmailScanning. By default, the antimalware engine included with FCS will not scan email archives (email archives are file-based containers that contain email messages). FCS is an enterprise-level product – and in an enterprise (business) environment, it’s expected that you are protecting email at the mail server…


Setting a process exclusion in your network

Trust me, one of these days you will need to exclude a process from being scanned by FCS. Or maybe you already crossed that bridge. You added a process exclusion using the GUI, and it worked like a charm. As you need to have this exclusion set on all your systems, you opened the FCS console…


Wildcards in path exclusions: FCS

Since the August 2009 antimalware engine update, we support wildcards in path exclusions for on-demand scans (quick/full/custom scan). It is important to note that wildcards in path exclusions will not work for Real Time Protection and will be ignored (this does not apply to extension exclusions). For on-demand scans, this will allow you to exclude…


Setting definition update keys via policy

Next up in our registry key series: setting definition update keys via policy. On the FCS TechNet library, the following registry key is described:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0
Description | Registry Key | New value when deployed in policy | Default value when no policy deployed | Scan types affected
Specifies the day and time that Client Security will update…


Checking for definition updates when starting

Next up in our registry key series: enabling definition updates upon service start. By default (out of box), the FCS client will check for definition updates: before starting a scan, at the configured interval, and manually. However, there is a registry key available that you can use to cause the FCS client to check for definition…


Scanning reparse points

Next in our series: how to enable scanning of reparse points, also known as junctions, or mount points. (For more information about what exactly reparse points, junctions and mount points are, see http://msdn.microsoft.com/en-us/library/aa365006(VS.85).aspx and http://msdn.microsoft.com/en-us/library/aa365503(VS.85).aspx) Out of box, FCS does not scan reparse points. However, there is a registry key that you…


Scanning removable drives

In response to a recent question via this blog, I’d like to explain a setting for antimalware scanning in Forefront Client Security that you can configure via a registry key. FCS scans removable drives at certain times. When you insert a removable drive, the boot sector of that drive is scanned. After that, when…


FCS KB 976668 and 976669 fail to install on Windows 2000 when the installation is run as Local System

We’re tracking an issue where the latest FCS antimalware client update won’t install on Windows 2000 when the installation is run as Local System (i.e. Automatic Updates installing at 3am). When this issue occurs, the update uninstalls the previous version of the antimalware client, and then tries to install the new version and fails,…