How to go green with FCS

kfalde — Wed, 13 May 2009 23:56:00 GMT

I’m not a treehugger but I can definitely see the $$ with power savings. Having said that I had a customer recently that wanted his computers to wake up from sleep in order to do their scheduled scans for FCS. At first I was like nope not possible we have no such feature. Then I started digging around. Apparently since about XP SP1 or later we have had a feature in Task Scheduler that allows us to wake a computer up via APM/ACPI when we need a scheduled task to run. Unfortunately FCS itself has no way to set this option for “Wake the computer to run this task” but we can work around that.

If you look back to my other article on creating custom scan schedules at http://blogs.technet.com/kfalde/archive/2008/10/23/how-to-add-extra-scheduled-scans-or-definition-updates-for-fcs.aspx we can use the same mechanism.

Once again you don’t need a 2008 domain or Vista clients to use Group Policy Preferences. You just need the client extensions installed on your XP or 2003 systems which are available via WSUS. You need a Vista or 2008 system to edit the GPO, once in place the settings will apply to any system that has Group Policy Preferences extensions installed.

So basically we follow the other article we create the custom scan schedule that we want with the right mpcmdrun options but we make sure to go to the “Settings” tab for the scan and check the “Wake the computer to run this task”

From our testing this seems to work pretty well for computers that go to sleep mode. This will not work on systems that are fully powered off. Good luck let me know if you try this out. Thanks

How to add extra scheduled scans or definition updates for FCS

kfalde — Thu, 23 Oct 2008 22:33:00 GMT

The default option for scheduled scans in FCS is kind of sparse currently and it's something we get requests about so I'm posting a possible workaround to get more scheduled scans. Below is the shot of the FCS policy setting.. you can either pick "every day" or an individual day and a certain time and which type of scan that you want to do.

So what happens say if I wanted to do a full scan on the 1st Sat of the month or say a Full scan on Saturday's and quick scans at 6pm every day or any other number of other scenarios you could think of? The answer is your kind of stuck if you have your mind dead set on using the current FCS v1 policies.

So how do we get around this limitation? The answer lies in how those scans are accomplished in the first place. If you go into Task Scheduler on your system and turn on "Show Hidden Tasks" you will see how your scheduled scans are actually occurring:

If you dig deeper and look at these tasks you will see that they are all using the following .exe with various options to perform scans

c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe

So basically from an understanding point of view.. the FCS policy writes reg keys that tell which type of Scans and what schedules to use.. the FCS client takes those reg keys and creates scheduled tasks based on them.

The following is a list of the options we are interested in:

Quick Scan

"C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe" Scan -RestrictPrivileges -ScanType 1

Full Scan

"C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe" Scan -RestrictPrivileges

Signature Update

"C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe" SignatureUpdate

So the obvious result here is that I can take these command lines and create any schedule that I want in my environment.

But you ask ok how do I push that task out to all my 5k workstations/servers etc. Well I guess there are any number of methods from using a group policy with a system logon script that creates it to SMS/SCCM jobs to any other type of desktop management software etc. The one I'll focus on here is using Group Policy Preferences. This is a new feature of Vista/2008 however there is a Group Policy Preferences Extensions that you can install on your XP/2003 systems. Just taking a look at WSUS it is there as an update that you can deploy easily via WSUS (which hopefully you are using if you have FCS)

Note that it is in the classification "Feature Packs" so you may need to sync that on your WSUS server. Also as an FYI you don't need a 2008 DC/Forest etc for these. You do need a 2008 server or a Vista system in order to edit and create policies that use these extensions but the settings are stored in the normal GPO folders inside SYSVOL for your domain.

So once you have Group Policy Preferences installed in the environment and you have a system capable of editing these in your environment create a new Group Policy and start editing. You should see a new section titled "Preferences"

We are specifically looking for the Scheduled Tasks area. Right click on it and select New Scheduled Task. From this point on it should be self-explanatory. Pick which command line options you want to use from the list before and assign the schedules that you want.

So just some thoughts here; you can't in one task schedule item set it to run multiple times per day, so for example if you wanted to run 3 definition updates at certain times of the day you would need 3 different task scheduler items. The only reason I point out that example is that we typically seem to release about AV definitions about 3 times a day from looking at my WSUS history and they typically seem to come in around 2am, 10am, and 6pm so if you wanted to be really .. um precise you could correlate both your WSUS with getting the definitions at the right time from us along with scheduling your clients to get the updates relatively soon after your WSUS server received them.

Well hopefully this was helpful I'm sure there are other ways as well to accomplish this but figured this would be an easy one to document and implement. Good luck in your scheduling efforts :)

Kurt

Stuff n Things : Scheduled Scans

How to go green with FCS

How to add extra scheduled scans or definition updates for FCS