Definition updates: scan on update and update on startup

Hi folks, there have been some questions about these two areas of definition updates, so I wanted to clarify this a bit. Whenever FEP does a definition update, a silent rescan of all running processes and loaded modules is performed. If there is malware running that is now detected by the new definitions, that malware…


Miscellaneous Real Time agent keys

The final installment in our series on registry keys for FCS is a big one – there are a lot of registry keys that can be used to control the behavior of the FCS real-time protection agent. The following tables describe the keys (these are in addition to the ones described here and here, in…


Scanning email archives

Continuing in the registry key series, let’s talk about DisableEmailScanning. By default, the antimalware engine included with FCS will not scan email archives (email archives are file-based containers that contain email messages). FCS is an enterprise-level product – and in an enterprise (business) environment, it’s expected that you are protecting email at the mail server…


Setting a process exclusion in your network

Trust me, one of these days you will need to exclude a process from being scanned by FCS. Or maybe you already crossed that bridge. You added a process exclusion using the GUI, and it worked like a charm. As you need to have this exclusion set on all your systems, you opened the FCS console…


Wildcards in path exclusions: FCS

Since the August 2009 antimalware engine update, we support wildcards in path exclusions for on-demand scans (quick/full/custom scan). It is important to note that wildcards in path exclusions will not work for Real Time Protection and will be ignored (this does not apply to extension exclusions). For on-demand scans, this will allow you to exclude…


Setting definition update keys via policy

Next up in our registry key series: setting definition update keys via policy. On the FCS TechNet library, the following registry key is described: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0

Table columns: Description | Registry Key | New value when deployed in policy | Default value when no policy deployed | Scan types affected

Specifies the day and time that Client Security will update…


Checking for definition updates when starting

Next up in our registry key series: enabling definition updates upon service start. By default (out of box), the FCS client will check for definition updates: before starting a scan, at the configured interval, and manually. However, there is a registry key available that you can use to cause the FCS client to check for definition…


Scanning reparse points

Next in our series: how to enable scanning of reparse points, also known as junctions, or mount points. (For more information about what exactly reparse points, junctions and mount points are, see http://msdn.microsoft.com/en-us/library/aa365006(VS.85).aspx and http://msdn.microsoft.com/en-us/library/aa365503(VS.85).aspx) Out of box, FCS does not scan reparse points. However, there is a registry key that you…


Scanning removable drives

In response to a recent question via this blog, I’d like to explain a setting for antimalware scanning in Forefront Client Security that you can configure via a registry key. FCS scans removable drives at certain times. When you insert a removable drive, the boot sector of that drive is scanned. After that, when…