Continuing in the registry key series, let’s talk about DisableEmailScanning.
By default, the antimalware engine included with FCS will not scan email archives (email archives are file-based containers that contain email messages). FCS is an enterprise-level product – and in an enterprise (business) environment, it’s expected that you are protecting email at the mail server level (using, for example, Forefront Protection 2010 for Exchange Server).
FCS is designed for host-based (client-level) protection. The fact that the email scanning feature is disabled by default is suitable for most customer situations. However, there may be scenarios when email archive files enter the business environment through some means other than the email transport (a saved email message on a USB drive, for example, or POP-based email).
Some of the file-based containers can be directly modified; that is, the engine can open the container, remove the malware, and then recreate the container with no data loss. Some of the file-based containers cannot be directly modified, and depend on the user to manually remove the infected file within the container.
In some cases, the mail archive itself might be quarantined, which may make it appear that the whole of the email archive has been lost. In this instance, this is not the case, and the infected messages will have to be manually removed.
The following table summarizes the file-based containers that would be scanned if you (double negative time) disable the DisableEmailScanning setting), as well as how the containers are treated in the instances of malware detection:
Note: the information above reflects the current antimalware engine behavior; this behavior is subject to change.
The DisableEmailScanning registry key is a double negative key – you must disable the disable in order for email scanning to be enabled.
Permissions on this key prevent direct editing, so you must use one of the two methods described in the KB article referenced below (http://support.microsoft.com/default.aspx/kb/971026#moreinformation).
For the ADM file, start Notepad, and then copy and paste the following text into the Notepad file:
CLASS MACHINECATEGORY !!FCSCategory POLICY !!DisableEmailScanning_Name KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan" EXPLAIN !!DisableEmailScanning_Explain ;; Note that instead of disabling a disable we flip-flop the logic to make it proactive VALUENAME DisableEmailScanning VALUEON NUMERIC 0 VALUEOFF NUMERIC 1 END POLICYEND CATEGORY[strings]FCSCategory="Microsoft Forefront Client Security"DisableEmailScanning_Name="Enabling email scanning"DisableEmailScanning_Explain="This setting instructs the FCS antimalware client to scan email archives during full scans"
Save the file as an ADM file, making sure to choose All files *.* as the file type (the KB suggests saving it with the KB ID number – for this one, you could use EmailScanning.ADM as the file name), and then use Group Policy to deploy the new setting, as described in Option 1, step 2, in the KB article.
If you want to deploy the DisableEmailScanning key via a .reg file, follow the steps described in Option 2 in the KB article, substituting the following registry information for step 4:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan]
"DisableEmailScanning"=dword:0
Trust me, one of these days you will need to exclude a process from being scanned by FCS. Or maybe you already crossed that bridge.
You added a process exclusion using the GUI, it worked like a charm. As you need to have this exclusion set on all your systems, you opened the FCS console and edited the policy… At that time, you probably discovered that process exclusion cannot be set with the FCS policy.
I can hear you asking why not:
FCS is supported on multiple platforms (http://technet.microsoft.com/en-us/library/bb404245.aspx). One of them is Windows 2000 SP4 with Update Rollup 1, and process exclusions are not supported on this platform, because the only way to retrieve the process name is by using PEB (Process Environment Block), which resides in User mode. User mode processes can easily be manipulated (what we don’t want).
If you do set process exclusion on a computer running Windows 2000 with FCS installed, you will notice that the FCSAM service doesn’t want to start, which is something we definitely don’t want to happen.
No need to say what the impact would be if you would deploy a policy with process exclusion on systems running Windows 2000… To prevent this bad scenario, process exclusions cannot be set via an FCS policy.
However, you can deploy (at your own risk) process exclusions via a Group Policy Object (GPO).
A couple of notes for this particular entry:
Below you can find an example of the content of such an ADM file – to save the ADM file, start Notepad, and then copy and paste the following text into the Notepad file:
CLASS MACHINECATEGORY !!FCSCategory POLICY !!Exclusion_Name KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes" EXPLAIN !!Exclusion_Explain Part "ProcessName1" DROPDOWNLIST REQUIRED VALUENAME "<path to program>\program1.exe" ITEMLIST NAME Processname1 VALUE NUMERIC 0 DEFAULT END ITEMLIST END PART Part "ProcessName2" DROPDOWNLIST REQUIRED VALUENAME "<path to program>\program1.exe" ITEMLIST NAME Processname2 VALUE NUMERIC 0 DEFAULT END ITEMLIST END PART Part "ProcessName3" DROPDOWNLIST REQUIRED VALUENAME "<path to program>\program1.exe" ITEMLIST NAME ProcessName3 VALUE NUMERIC 0 DEFAULT END ITEMLIST END PART END POLICYEND CATEGORY
[strings]
FCSCategory="Microsoft Forefront Client Security"Exclusion_Name="FCS Process Exclusion"Exclusion_Description="Setting a process to be excluded from FCS scans."Exclusion_Explain="Allows setting process exclusions for FCS so that it does not scan files touched by certain processes Not supported for Windows 2000"Ignore_Default="Default"
Save the file as an ADM file, making sure to choose All files *.* as the file type, and then use Group Policy to deploy the new setting, as described in Option 1, step 2, in the KB article.
Thanks,
Kurt Sarens SR. Security Support Engineer
Since the August 2009 antimalware engine update we support wildcards in path exclusions for on-demand scans (quick/full/custom scan).
It is important to note that Wildcards in path exclusions will not work for Real Time Protection and will be ignored (this does not apply to extension exclusions).
For on-demand scans, this will allow you to exclude paths such as: "C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent"
The above example excludes the same path for all users folders. This can improve performance with scheduled scans and on-demand-scans.
Since Real-Time Protection (RTP) will not honor the wildcards, you will not be able to use the wildcard exclusion to prevent detection or avoid any RTP performance issues. In these cases you will have to use the full path.
Additional information about the use of wildcards:
Character
Exclusion type
Notes
*
One subfolder
Example1:
c:\temp is the same as c:\temp\* and c:\temp\*\
When the wildcard is the last character in the exclusion, it is treated the same as not having the wildcard, and all subfolders will be excluded.
Example2:
C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent
The wildcard within the path can be used to represent a complete folder name.
?
One character or null
Example 1:
If the exclusion is c:\? and you scan c:\e, the file is excluded.
Example 2:
If the exclusion is c:\??car, both eicar and mycar would be excluded.
Eddie Bowers
Senior Support Escalation Engineer
Next up in our registry key series: setting definition update keys via policy.
On the FCS TechNet library, the following registry key is described:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0
There are additional settings that you can use to change the day and time at which definition updates are performed.
In addition to the values in the above table, ScheduleDay can be configured to use the following values:
You can control the value for the time at which definition updates are performed by adding the ScheduleTime registry key to the same location as ScheduleDay.
ScheduleTime should be configured with a DWORD value that represents 12:00 AM – 11:59 PM. The value entered is the number of minutes past midnight (in local time), so specifying 120 would result in a definition update attempt at 2:00 AM. The maximum value is 1439, which would be 11:59 PM.
You may (correctly) note that these keys take the same values as the values for Scan\ScheduleDay and Scan\ScheduleTime, as noted here.
ScheduleDay will already exist in the registry (FCS already publishes it and sets it to 0x8). Your ADM/.reg file will be changing this value, not adding the key. However, as in the first post of this series (http://blogs.technet.com/clientsecurity/archive/2010/01/29/scanning-removable-drives.aspx), you must use either an ADM file via Group Policy or a .reg file to add the ScheduleTime key.
CLASS MACHINECATEGORY !!FCSCategoryPOLICY !!ScheduleKEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates" EXPLAIN !!ScheduleDay_Explain PART !!ScheduleDay_Name DROPDOWNLIST REQUIRED VALUENAME ScheduleDay ITEMLIST NAME "Every Day" VALUE NUMERIC 0 DEFAULT NAME "Sunday" VALUE NUMERIC 1 NAME "Monday" VALUE NUMERIC 2 NAME "Tuesday" VALUE NUMERIC 3 NAME "Wednesday" VALUE NUMERIC 4 NAME "Thursday" VALUE NUMERIC 5 NAME "Friday" VALUE NUMERIC 6 NAME "Saturday" VALUE NUMERIC 7 END ITEMLIST END PART PART !!ScheduleTime_Name DROPDOWNLIST REQUIRED NOSORT VALUENAME ScheduleTime ITEMLIST NAME "12:00am" VALUE NUMERIC 0 NAME "1:00am" VALUE NUMERIC 60 NAME "2:00am" VALUE NUMERIC 120 NAME "3:00am" VALUE NUMERIC 180 NAME "4:00am" VALUE NUMERIC 240 NAME "5:00am" VALUE NUMERIC 300 NAME "6:00am" VALUE NUMERIC 360 NAME "7:00am" VALUE NUMERIC 420 NAME "8:00am" VALUE NUMERIC 480 NAME "9:00am" VALUE NUMERIC 540 NAME "10:00am" VALUE NUMERIC 600 NAME "11:00am" VALUE NUMERIC 660 NAME "12:00pm" VALUE NUMERIC 720 NAME "1:00pm" VALUE NUMERIC 780 NAME "2:00pm" VALUE NUMERIC 840 NAME "3:00pm" VALUE NUMERIC 900 NAME "4:00pm" VALUE NUMERIC 960 NAME "5:00pm" VALUE NUMERIC 1020 NAME "6:00pm" VALUE NUMERIC 1080 NAME "7:00pm" VALUE NUMERIC 1140 NAME "8:00pm" VALUE NUMERIC 1200 NAME "9:00pm" VALUE NUMERIC 1260 NAME "10:00pm" VALUE NUMERIC 1320 NAME "11:00pm" VALUE NUMERIC 1380 END ITEMLIST END PARTEND POLICYEND CATEGORY[strings]FCSCategory="Microsoft Forefront Client Security"Schedule="Sets the time and date for definition updates for Client Security."ScheduleDay_Name="Set the definition update day"ScheduleDay_Explain="This setting sets the day of the week and the time of day when the FCS antimalware client will update definitions."ScheduleTime_Name="Set the definition update time"
Save the file as an ADM file, making sure to choose All files *.* as the file type (the KB suggests saving it with the KB ID number – for this one, you could use FCSSchedule.ADM as the file name), and then use Group Policy to deploy the new setting, as described in Option 1, step 2, in the KB article.
If you want to deploy the Schedule Time key via a .reg file, follow the steps described in Option 2 in the KB article, substituting the following registry information for step 4:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Signature Updates]
"Schedule Time"=dword:value
To confirm that your client has received and configured this policy, you can check in the Windows Task Scheduler. On a Windows Vista or Windows 7 computer, start the Task Scheduler:
If you have a client configured properly, you should see a scheduled task named MP Scheduled Signature Update set to the defined time:
Hey Folks,
I wanted to point out a new resource available to you to find information, and, if you can’t find it, write it! The TechNet Wiki is open for business.
Contribute boldly. Edit gently. It is the TechNet Wiki way.
Enjoy!