How to add extra scheduled scans or definition updates for FCS

The default options for scheduled scans in FCS are kind of sparse currently, and it's something we get requests about, so I'm posting a possible workaround to get more scheduled scans. Below is a screenshot of the FCS policy setting: you can either pick "every day" or an individual day, a certain time, and which type of scan you want to do.

[screenshot: FCS policy scheduled scan setting]

So what happens if, say, I wanted to do a full scan on the 1st Saturday of the month, or a full scan on Saturdays and quick scans at 6pm every day, or any number of other scenarios you could think of? The answer is you're kind of stuck if you have your mind dead set on using the current FCS v1 policies.

So how do we get around this limitation?  The answer lies in how those scans are accomplished in the first place.  If you go into Task Scheduler on your system and turn on "Show Hidden Tasks" you will see how your scheduled scans are actually occurring:

[screenshot: Task Scheduler with "Show Hidden Tasks" enabled, showing the FCS scan tasks]

If you dig deeper and look at these tasks you will see that they are all using the following .exe with various options to perform scans:

c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe

So, from an understanding point of view: the FCS policy writes registry keys that say which types of scans to run and on what schedules, and the FCS client reads those registry keys and creates scheduled tasks based on them.

The following is a list of the options we are interested in:

Quick Scan

"C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe" Scan -RestrictPrivileges -ScanType 1

Full Scan

"C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe" Scan -RestrictPrivileges

Signature Update

"C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe" SignatureUpdate

So the obvious result here is that I can take these command lines and create any schedule that I want in my environment.

But, you ask, how do I push that task out to all my 5k workstations/servers? Well, there are any number of methods, from a Group Policy with a logon script that creates it, to SMS/SCCM jobs, to any other desktop management software. The one I'll focus on here is Group Policy Preferences. This is a new feature of Vista/2008; however, there are Group Policy Preferences extensions that you can install on your XP/2003 systems. Taking a look at WSUS, it is there as an update that you can deploy easily via WSUS (which hopefully you are using if you have FCS).

[screenshot: Group Policy Preferences extension update listed in WSUS]

Note that it is in the classification "Feature Packs", so you may need to sync that classification on your WSUS server. Also, as an FYI, you don't need a 2008 DC/forest for these. You do need a 2008 server or a Vista system in order to create and edit policies that use these extensions, but the settings are stored in the normal GPO folders inside SYSVOL for your domain.

So once you have Group Policy Preferences installed in the environment and you have a system capable of editing them, create a new Group Policy and start editing. You should see a new section titled "Preferences":

[screenshot: "Preferences" section in the Group Policy editor]

We are specifically looking for the Scheduled Tasks area. Right-click on it and select New Scheduled Task. From this point on it should be self-explanatory: pick which command line from the list above you want to use and assign the schedule that you want.

[screenshot: New Scheduled Task dialog in Group Policy Preferences]

So just some thoughts here: you can't set one scheduled task item to run multiple times per day, so, for example, if you wanted to run 3 definition updates at certain times of the day you would need 3 different task scheduler items. The only reason I point out that example is that, looking at my WSUS history, we typically seem to release AV definitions about 3 times a day, and they typically come in around 2am, 10am, and 6pm. So if you wanted to be really precise, you could correlate your WSUS server getting the definitions from us at the right time with scheduling your clients to get the updates relatively soon after your WSUS server received them.
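For anyone who wants to try the schedules above on a single machine before building the Group Policy Preferences item, here is an added example (mine, not code from the original post or from the FCS product) that creates them with schtasks.exe, which is on XP/2003 and later, and then lists every task that invokes MpCmdRun.exe. It assumes the FCS client is at its default install path, runs the tasks as SYSTEM, and uses task names and start times I made up for the example: a full scan on the first Saturday of the month, a quick scan at 6pm daily, and one signature update task per release window (the three-per-day case above), since a single task cannot fire several times a day.

```powershell
# Added example, not code from the original post: creates the extra FCS scan and
# definition-update schedules with schtasks.exe, then lists every task that runs
# MpCmdRun.exe. Assumptions: FCS client at its default path, tasks run as SYSTEM,
# task names and start times below are constructed for this example.

$MpCmdRun = 'C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe'

# The three command lines taken from the FCS-generated tasks. schtasks receives
# the whole command line as one /TR value, so the exe path keeps its own quotes
# (escaped as \" for the Windows command-line parser) because it contains spaces.
$QuickScan = "\`"$MpCmdRun\`" Scan -RestrictPrivileges -ScanType 1"
$FullScan  = "\`"$MpCmdRun\`" Scan -RestrictPrivileges"
$SigUpdate = "\`"$MpCmdRun\`" SignatureUpdate"

function New-FcsTask {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$CommandLine,
        [Parameter(Mandatory=$true)][string]$Schedule   # the /SC ... /ST ... part
    )
    # /RU SYSTEM needs no stored password; /F overwrites an existing task of the same name.
    # The argument string is handed to schtasks verbatim so the nested quotes survive.
    $arguments = "/Create /F /RU SYSTEM /TN `"$Name`" /TR `"$CommandLine`" $Schedule"
    $p = Start-Process -FilePath 'schtasks.exe' -ArgumentList $arguments -Wait -NoNewWindow -PassThru
    if ($p.ExitCode -ne 0) {
        throw "schtasks failed for task '$Name' (exit code $($p.ExitCode))"
    }
}

function Get-FcsTask {
    # /V adds the 'Task To Run' column so we can match on the executable rather than
    # the task name; the hidden tasks the FCS client creates show up here as well.
    schtasks.exe /Query /V /FO CSV |
        ConvertFrom-Csv |
        Where-Object { $_.'Task To Run' -like '*MpCmdRun.exe*' } |
        Select-Object TaskName, 'Schedule Type', 'Start Time', 'Next Run Time', 'Task To Run'
}

# Full scan on the first Saturday of each month (constructed time: 01:00)
New-FcsTask -Name 'FCS Full Scan First Saturday' -CommandLine $FullScan `
    -Schedule '/SC MONTHLY /MO FIRST /D SAT /ST 01:00'

# Quick scan at 6pm every day
New-FcsTask -Name 'FCS Quick Scan Daily 1800' -CommandLine $QuickScan `
    -Schedule '/SC DAILY /ST 18:00'

# One task per definition-update window (constructed times, shortly after the
# 2am/10am/6pm releases mentioned above) because one task cannot run three times a day
foreach ($time in '02:30', '10:30', '18:30') {
    $label = $time -replace ':', ''
    New-FcsTask -Name "FCS Signature Update $label" -CommandLine $SigUpdate `
        -Schedule "/SC DAILY /ST $time"
}

# Check the result: the FCS-generated tasks and the new ones should all be listed
Get-FcsTask | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on a test client; the Get-FcsTask listing at the end is also a handy way to confirm later, on any machine, that the tasks a Group Policy Preferences item created actually landed with the command line and schedule you expected.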

Well, hopefully this was helpful. I'm sure there are other ways to accomplish this as well, but I figured this would be an easy one to document and implement. Good luck in your scheduling efforts :)

Kurt