The final installment in our series on registry keys for FCS is a big one – there are a lot of registry keys that can be used to control the behavior of the FCS real-time protection agent.

The following tables describe the keys (these are in addition to the ones described here and here, in the FCS Technical Reference).

For the registry keys located in HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection, all data types are RED_DWORD, and by default are enabled. To disable the setting, you must create the registry key, and then set the DWORD value to 0x00000000 (0) (which sets the value to false):

Registry Key Description
AutoStartAgent If enabled or set to true, the agent will watch/scan autostart related resources.
SystemConfigurationAgent If enabled or set to true, the agent will watch/scan system configuration related resources.
IEAddInsAgent If enabled or set to true, the agent will watch/scan Internet Explorer add in related resources.
IEConfigurationAgent If enabled or set to true, the agent will watch/scan Internet Explorer configuration related resources.
IEDownloadsAndOutlookAttachementsAgent If enabled or set to true, the agent will watch/scan Internet Explorer download and Outlook attachment related resources.
ServicesAndDriversAgent If enabled or set to true, the agent will watch/scan services and drivers related resources.
ApplicationExecutionAgent If enabled or set to true, the agent will watch/scan application execution related resources.
ApplicationRegistrationAgent If enabled or set to true, the agent will watch/scan application registration related resources.
WindowsAddOnAgent If enabled or set to true, the agent will watch/scan Windows add on related resources.
OnAccessAgent If enabled or set to true, the agent will watch/scan on-access related resources.

How would you use these keys? Well, for example, you may have a need to prevent FCS from scanning the IE add-ins area – perhaps you are a developer working on a new add-in.

NOTE:
Don’t disable these configurations unless you have a clear need to do so. Disabling these reduces your security and increases the chance that FCS won’t detect a piece of malware.

You could create an ADM file, using the following format:

CLASS MACHINE
CATEGORY !!FCSCategory
              POLICY !!AgentKeys_Name
                     KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection"
                     EXPLAIN !!AgentKeys_Explain
                     VALUENAME ValuetoConfigure
                       VALUEON NUMERIC 0
                       VALUEOFF NUMERIC 1
              END POLICY
END CATEGORY

[strings]
FCSCategory="Microsoft Forefront Client Security"
AgentKeys_Name="Configuring Real-time protection agent"
AgentKeys_Explain="This setting configures the FCS antimalware real-time protection agent."

Replace the ValuetoConfigure with the actual name of the key to you want to change (from the table above).

One of our support engineers, CraigW, has already blogged about the DisableCatchupScan key here. He included a sample ADM in his article as well – so for more information about catch-up scans, take a look.

Thanks!