Analysts at the Microsoft Malware Protection Center (MMPC) apply objective criteria to software to determine if it should be classified as malicious or potentially unwanted. When software is classified as malicious or potentially unwanted, Microsoft adds it to a definition library used by Client Security during scans. Once the software is added to the definition it is assigned a severity or alert level; severity and alert levels are described here and summarized below:
Severe or High Programs that might collect your personal information and negatively affect your privacy or damage your computer, for example, by collecting information or changing settings, typically without your knowledge or consent. Medium Programs that might affect your privacy or make changes to your computer that could negatively impact your computing experience, for example, by collecting personal information or changing settings. Low Potentially unwanted software that might collect information about you or your computer or change how your computer works, but is operating in agreement with licensing terms displayed when you installed the software.
Severe or High
Programs that might collect your personal information and negatively affect your privacy or damage your computer, for example, by collecting information or changing settings, typically without your knowledge or consent.
Medium
Programs that might affect your privacy or make changes to your computer that could negatively impact your computing experience, for example, by collecting personal information or changing settings.
Low
Potentially unwanted software that might collect information about you or your computer or change how your computer works, but is operating in agreement with licensing terms displayed when you installed the software.
A challenge that the designers of Client Security faced is how to respond to potentially unwanted software. For example, imagine Contoso is a company that publishes a remote management tool named ContosoPro. If Microsoft’s definitions contain a categorization for RemoteAccess:Win32/ContosoPro, the MMPC encyclopedia entry for this type of threat might contain the following text:
The software is a remote control application that allows control of the machine where it is installed. The software can be installed for legitimate purposes, but it can also be installed from a remote location by an attacker with malicious intent.
Given this, should Client Security remove RemoteAccess:Win32/ContosoPro if it is detected? If so, what if the computer is legitimately using the software for remote access? In an effort to secure the computer, has Client Security now made the software inaccessible?
To avoid this and similar problematic situations, Client Security will warn about threats classified with medium or low severity, and a user can choose to take action upon them; however, by default, it will allow them to run. Threats with a severe or high severity will be suspended; a user can choose to take action upon them, or the configured action (configured in the definitions by default, or configured by the administrator) will be taken during routine cleaning.
As this behavior could allow potentially unwanted software to run in your environment, Client Security enables administrators to override this default behavior, depending on their organizations’ risk tolerances. As described in TechNet documentation, spyware and potentially unwanted threats can be overridden by threat, category, or severity. If you want to change the behavior of Client Security to suspend all threats, including potentially unwanted software, but excepting legitimate programs you want to retain on your machines, you should take the following actions:
1. Identify any legitimate potentially unwanted software to be retained on your computers
2. Using the exact name, create a threat override to allow any software discovered in the previous step.
3. Create overrides for medium and low severity threats to remove or quarantine.
When these steps are taken, Client Security suspends all software threats, except those which were excluded in step #2 above. Using the RemoteAccess:Win32/ContosoPro example above, the Client Security policy console would look as shown below:
Thanks, Craig Wiand Microsoft Forefront Escalation Engineer
The FEP 2010 client has the ability to use a UNC share to host updates for the antimalware definitions. A common question from our TAP community is how to setup the UNC share, and how do I keep the share updated - this article focuses on one method for keeping the UNC share up-to-date.
Microsoft release definition files three times a day. In order for the UNC share update method to work, the definition files must be downloaded and placed in a certain folder structure. This structured process is well suited for automation.
To automate this process we can use a simple VB script and the task scheduler in Windows. The VB script, uses three key objects: WinHTTPRequest, FIleSystemObject, and ADODB streams. When downloading the definitions there are actually 4 files to download: 2 for the 32-bit architecture, and 2 for the 64-bit architecture.
The first step is to create the directory structure and set some variable to hold the URLs and the path to the folders:
strMSEx86URL = "http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86" strMSEx86Location = "E:\defs\Updates\x86\mpam-fe.exe" strNISX86URL = "http://download.microsoft.com/download/DefinitionUpdates/x86/nis_full.exe" strNISX86Location = "E:\defs\Updates\x86\nis_full.exe" strMSEx64URL = "http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64" strMSEx64Location = "E:\defs\Updates\x64\mpam-fe.exe" strNISX64URL = http://download.microsoft.com/download/DefinitionUpdates/amd64/nis_full.exe" strNISX64Location = "E:\defs\Updates\x64\nis_full.exe"
Next, using the WinHTTPRequest object, we create a connection to the URL and download the first file (in this case, the x86 antimalware definitions):
Set objWINHTTP = CreateObject("WinHttp.WinHttpRequest.5.1") objWINHTTP.open "GET", strMSEx86URL, false objWINHTTP.send
We then check to see if the download was successful, and then open the ADODB stream, set the type to binary to store the file on the stream, and then set the stream pointer back to the beginning:
If objWINHTTP.Status = 200 Then Set objADOStream = CreateObject("ADODB.Stream") objADOStream.Open objADOStream.Type = 1 'adTypeBinary objADOStream.Write objWINHTTP.ResponseBody objADOStream.Position = 0 'Set the stream position to the start
A limitation of the ADODB stream object is that if the file you are trying to save already exists, the method will throw an error. Before saving the file within the script, use the fileSystemObject to see if the file exists, and if so, delete it:
Set objFSO = Createobject("Scripting.FileSystemObject") 'check if file exists if so delete If objFSO.Fileexists(strMSEx86Location) Then objFSO.DeleteFile strMSEx86Location
After confirming the file no longer exists, we can save the contents of the ADODB stream we used earlier to the file and then close the stream:
objADOStream.SaveToFile strMSEx86Location objADOStream.Close
You must then execute this process for each of the remaining files to be downloaded. Once you have created this script and tested it, you can then use the Windows Task Scheduler to run this job three times a day to download the most recent definitions from Microsoft.
WinHTTPRequest : http://msdn.microsoft.com/en-us/library/aa384106(v=VS.85).aspx objWINHTTP.Status: http://msdn.microsoft.com/en-us/library/aa383887(VS.85).aspx ADODB Streams: http://msdn.microsoft.com/en-us/library/ms675032(VS.85).aspx FileSystemObject: http://msdn.microsoft.com/en-us/library/6kxy1a51(VS.85).aspx
Chris Norman Senior Escalation Engineer, CSS
A note from our product group:
The Microsoft® Forefront™ team is pleased to announce that applications are now being accepted for participation in the Forefront Endpoint Protection 2010 Community Evaluation Program (CEP). The goal of this program is to provide early adopters a streamlined approach to evaluating Forefront Endpoint Protection 2010 (FEP).
For customer and partners who want to efficiently manage implementation, test scenarios, discover and contribute to best practices, the CEP provides a structured approach for connecting with the product group and a community of peers. As a member of the Forefront Endpoint Protection CEP community, you will be asked to participate through the sharing of your learnings, questions, and experiences.
Program Participation
Here is what you can expect from the program:
Want to be involved?
If you are interested in participating in the program, please contact your Microsoft account team or visit the Forefront Connect site (you will need to create a Live ID Account if you do not already have one to join Microsoft Connect) and fill out the Forefront Community Evaluation Program Application survey by September 19, 2010. Late applications may be accepted but members added after the program launch will be expected to move through the exercises and themes at their own pace.
Please note: Submitting an application does not guarantee participation in this program. All rights of selection are reserved by the Forefront Endpoint Protection CEP to ensure we have the broadest possible distribution of participants.
Accepted applicants will be informed and invited to the portal by September 21, 2010.
Thanks!
Adwait Joshi, Product Manager
Hello folks,
We wanted to let you know that we’ve got a blog available, the sole purpose of which is notification of antimalware engine updates.
You can find the blog here: http://blogs.technet.com/enginenotifications
We’ve also made sure to link to the instructions on how to create an RSS subscription in Outlook, so you can subscribe to posts on the blog and get emails about the posts. You can find those instructions at the top of the page:
Note: This blog is offered as a best effort notification mechanism. We’ll post notifications for normal releases, but in the event there is an out-of-band release required, notification may be delayed.
Thanks for reading!