Next up in our registry key series: enabling definition updates upon service start.
By default (out of box), the FCS client will check for definition updates:
However, there is a registry key available that you can use to cause the FCS client to check for definition updates whenever the service (FCSAM) starts. As in the first post of this series (http://blogs.technet.com/clientsecurity/archive/2010/01/29/scanning-removable-drives.aspx), you must use either an ADM file via Group Policy or a .reg file to add the key.
The key name is UpdateOnStartup, and has two possible settings:
A couple of notes about this key:
For the ADM file, start Notepad, and then copy and paste the following text into the Notepad file:
CLASS MACHINE
CATEGORY !!FCSCategory
POLICY !!UpdateOnStartup_Name
KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates"
EXPLAIN !!UpdateOnStartup_Explain
VALUENAME UpdateOnStartup
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY
[strings]
FCSCategory="Microsoft Forefront Client Security"
UpdateOnStartup_Name="Enable definition update on startup"
UpdateOnStartup_Explain="This setting instructs the FCS antimalware client to update definitions on startup."
Save the file as an ADM file, making sure to choose All files *.* as the file type (the KB suggests saving it with the KB ID number – for this one, you could use UpdateOnStartup.ADM as the file name), and then use Group Policy to deploy the new setting, as described in Option 1, step 2, in the KB article.
If you want to deploy the UpdateOnStartup key via a .reg file, follow the steps described in Option 2 in the KB article, substituting the following registry information for step 4:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates]
"UpdateOnStartup"=dword:1
The Client Security BPA was posted to the download center shortly after FCS released. The initial release included five basic checks of an FCS server installation which are described in the TechNet documentation here. This week we released the first additions to those checks.
These new checks focus on the FCS-related configuration of a WSUS server, either with or without the distribution role installed. The new checks are described in KB976986, which will also be updated with descriptions of any future revisions or additions to the FCS v1 BPA checks.
To test drive the new additions, visit the download center (http://go.microsoft.com/fwlink/?LinkID=98401) and install the BPA on an FCS server (any role) or a standalone WSUS server used by Client Security clients. After installation, to run the best practice analyzer, execute fcsbpa.exe, which is located in the BPA folder beneath your Client Security installation directory. For example: C:\Program Files\Microsoft Forefront\Client Security\BPA\fcsbpa.exe.
(Yes, there is still no shortcut added to the Start menu; that is on the list of future additions.)
Thanks and happy analyzing, Craig Wiand Microsoft Forefront Escalation Engineer
Next in our series: how to enable scanning of reparse points, also known as junctions, or mount points.
(For more information about what exactly reparse points, junctions and mount points are, see http://msdn.microsoft.com/en-us/library/aa365006(VS.85).aspx and http://msdn.microsoft.com/en-us/library/aa365503(VS.85).aspx)
Out of box, FCS does not scan reparse points. However, there is a registry key that you can add to your environment to control this behavior. As in the first post of this series (http://blogs.technet.com/clientsecurity/archive/2010/01/29/scanning-removable-drives.aspx), you must use either an ADM file via Group Policy or a .reg file to add the key.
Some important notes about this setting:
· The FCS custom scan interface honors this setting. That is, if you have added this key and set it to 1 (or the setting is missing), the custom scan interface does not even display the mount points.
· You should test this setting before deploying it in your organization. It is possible to have junctions that link back to themselves – in a circular fashion. If you have such in your environment, you may see scans that never finish, or never complete successfully, after enabling this setting.
The key name is DisableReparsePointScanning, and has two possible settings:
· Missing or 1: Reparse points are not included in full scans.
· 0 (zero): Reparse points are included in full scans.
CLASS MACHINE
CATEGORY !!FCSCategory
POLICY !!ReparsePointScanning_Name
KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan"
EXPLAIN !!ReparsePointScanning_Explain
;; Note that instead of disabling a disable we flip-flop the logic to make it proactive
VALUENAME DisableReparsePointScanning
VALUEON NUMERIC 0
VALUEOFF NUMERIC 1
END POLICY
END CATEGORY
[strings]
FCSCategory="Microsoft Forefront Client Security"
ReparsePointScanning_Name="Enable reparse point scanning"
ReparsePointScanning_Explain="This setting instructs the FCS antimalware client to scan reparse points during full scans."
Save the file as an ADM file, making sure to choose All files *.* as the file type (the KB suggests saving it with the KB ID number – for this one, you could use ReparsePoint.ADM as the file name), and then use Group Policy to deploy the new setting, as described in Option 1, step 2, in the KB article.
If you want to deploy the DisableReparsePointScanning key via a .reg file, follow the steps described in Option 2 in the KB article, substituting the following registry information for step 4:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan]
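Before rolling either key out through Group Policy, it helps to be able to check what a test machine currently has under the policy path and to set the value locally for the testing this post recommends. The following PowerShell script is an added example, not code from the original post or from the FCS product; it assumes the two value names and subkeys shown in the ADM files above, and it treats a missing value as "policy not configured", i.e. out-of-box behaviour.

```powershell
# Added example (not from the original post): audit and optionally set the two FCS
# policy values discussed above (UpdateOnStartup and DisableReparsePointScanning).
# Run in an elevated PowerShell session on a machine with the FCS client installed.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM'

function Get-FcsPolicyValue {
    param([string]$SubKey, [string]$Name)
    $path = Join-Path $base $SubKey
    # Missing key or missing value both come back as $null (policy not configured).
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-FcsPolicyValue {
    param([string]$SubKey, [string]$Name, [int]$Value)
    $path = Join-Path $base $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Same effect as importing the .reg fragments above: a REG_DWORD under the policy key.
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# One entry per key: where it lives, and how to read its effective behaviour.
$checks = @(
    @{ SubKey = 'Signature Updates'; Name = 'UpdateOnStartup'
       Describe = { param($v)
           if ($v -eq 1) { 'definitions are updated when the FCSAM service starts' }
           else          { 'no update on service start (assumed out-of-box behaviour)' } } },
    @{ SubKey = 'Scan'; Name = 'DisableReparsePointScanning'
       Describe = { param($v)
           if ($v -eq 0) { 'reparse points ARE included in full scans (test for circular junctions)' }
           else          { 'reparse points are not included in full scans (default)' } } }
)

function Show-FcsPolicy {
    foreach ($c in $checks) {
        $v = Get-FcsPolicyValue -SubKey $c.SubKey -Name $c.Name
        $shown = if ($null -eq $v) { 'missing' } else { $v }
        '{0,-28} = {1,-8} -> {2}' -f $c.Name, $shown, (& $c.Describe $v)
    }
}

Show-FcsPolicy
# Example local test change (uncomment to apply, then re-run Show-FcsPolicy):
# Set-FcsPolicyValue -SubKey 'Scan' -Name 'DisableReparsePointScanning' -Value 0
```

Values set locally under the Policies hive are reapplied by Group Policy at the next refresh if a GPO manages the same setting, so use this for test machines and keep the ADM/GPO route for production deployment.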