Johan Blom, Forefront anti-malware Blog

Understanding Forefront definition updates, What's in the package?

Hi!

Microsoft has released a KB article (http://support.microsoft.com/?id=977939) explaining the details of what's in the definition update package for Forefront Client Security.

Microsoft Forefront Client Security regularly downloads updates to the definition files that are used to identify viruses, to identify spyware, and to identify other potentially unwanted software. Forefront Client Security may also periodically download detection engine updates. Microsoft delivers these updates by using Microsoft Update and by using Windows Server Update Service. To manually download the updates, visit the following Microsoft Web site: Microsoft Malware Protection Center Portal

I know you are happy to hear about this right before the weekend so you have something to read :-)

Enjoy

/Johan

Determining FCS performance issues

Hello World!

Is FCS slowing down your system?

There are some default exceptions you should make when running any AV on your Windows systems.

Find out here what exceptions should be made: http://support.microsoft.com/kb/943556

However, these might not be enough. This is especially true if you are dealing with in-house applications.

Luckily there is help! FCS logs "Expensive" files. You can find the log locally here:

C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Support

Look for a logfile called MPLog-########-######.log

Read the full article from Kurt here: http://blogs.technet.com/kfalde/archive/2009/12/30/determining-the-cause-of-fcs-client-performance-issues.aspx

See Ya!

/Johan

Merry Christmas from the Koobface gang

Here is a "funny" Christmas greeting from the guys/girls behind the malicious Koobface worm.

Our team, so often called "Koobface Gang", expresses high gratitude for the help in bug fixing, researches and documentation for our software to:

  • Kaspersky Lab for the name of Koobface and 25 millionth malicious program award;
  • Dancho Danchev (http://ddanchev.blogspot.com) who worked hard every day especially on our First Software & Architecture version, writing lots of e-mails to different hosting companies and structures to take down our Command-and-Control (C&C) servers, and of course analyzing software under VM Ware;
  • Trend Micro (http://trendmicro.com), especially personal thanks to Jonell Baltazar, Joey Costoya, and Ryan Flores who had released a very cool document (with three parts!) describing all our mistakes we've ever made;
  • Cisco for their 3rd place to our software in their annual "working groups awards";
  • Soren Siebert with his great article; 
  • Hundreds of users who send us logs, crash reports, and wish-lists.

In fact, it was a really hard year. We've made many efforts to improve our software. Thanks to Facebook's security team - the guys made us move ahead. And we've moved. And will move. Improving their security system.

By the way, we did not have a cent using Twitter's traffic. But many security issues tell the world we did. They are wrong. As many people know, "virus" is something awful, which crashes computers, steals credential information as good as all passwords and credit cards. Our software did not ever steal credit card or online bank information, passwords or any other confidential data. And WILL NOT EVER. As for the crashes... We are really sorry. We work on it :) Wish you a good luck in new year and... Merry Christmas to you!

Always yours, "Koobface Gang"

New FCS Hotfix available!

To see the fixes included in this hotfix, and to obtain the hotfix, see Microsoft Knowledge Base article 976668 (http://support.microsoft.com/kb/976668).

There is also a revised installation package available for new installations of the FCS client. This update is only available via Windows Server Update Services (WSUS). For information about the new installation package, see Microsoft Knowledge Base article 976669 (http://support.microsoft.com/kb/976669).

Forefront Training coming to the US!

My company now has an office in the US. :-)

I'll be delivering Forefront training in select cities in the US, first out is New York. January 26-28, 2010. http://en.truesec.com/training/forefront_security_and_malware_cleaning_

I'm really excited to go back to NYC. I lived there from 2000 to 2003 in a small studio apt on 38 and Park Ave. I LOVE that city!

Hope to see you there!

/Johan 

Migrating an existing FCS implementation to a separate AD forest

Hi guys and girls!

This week I migrated a customer's FCS implementation from one AD forest to another and thought I'd share the experience with you.

It was pretty easy actually. They had about 1000 FCS clients (server and client OS) and were using SCCM for app distribution.

First off, I had to rebuild the server in the new domain, since it cannot be migrated any other way. I reused the computer name, so I didn't have that problem.

Prior to this, the customer had migrated all its clients to the new domain with existing FCS still installed. They were protected in the new domain but not manageable, since the MOM agent was trying to connect to the old FCS server.

Now, since the MOM agent reads its config only at install, I had to uninstall and reinstall the MOM agent. (Important: you must have deployed the FCS policies in the new domain before you do this step.)

For the clients I used two cmd files and the MOM agent MSI (MOMAGENT.msi) from the FCS setup package.

cmd 1:  msiexec /i MOMAGENT.msi REMOVE="MOMXAgent" /q   [this uninstalls the MOM agent quietly]

cmd 2:  msiexec /i MOMAGENT.msi CONFIG_GROUP="name of config group [default=forefrontclientsecurity]" MANAGEMENT_SERVER="FQDN of new collection server" AM_CONTROL="Full" /q   [this reinstalls it quietly, pointing at the new collection server]

Package all that into SCCM and make cmd 1 run as a pre-installation action.
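The two-step reinstall above wrapped into one PowerShell script, added here as an example and not part of the original post: it runs the same msiexec calls, writes a verbose MSI log per step, and stops if the uninstall fails so the install step never runs against a half-removed agent. The config group, server FQDN and MSI location are placeholders you replace with your own values.

```powershell
# Added example (not from the original post): reinstall the FCS MOM agent so it
# reports to the new collection server, wrapping the post's two msiexec calls
# with exit-code checks and per-step MSI logs.
# Assumptions: MOMAGENT.msi sits in the current directory, and the config group
# and server name below are placeholders to be replaced with your own values.
param(
    [string]$MsiPath          = '.\MOMAGENT.msi',
    [string]$ConfigGroup      = 'forefrontclientsecurity',          # default named in the post
    [string]$ManagementServer = 'fcs-collection.newforest.example', # placeholder FQDN
    [string]$LogDir           = $env:TEMP
)

if (-not (Test-Path $MsiPath)) { throw "MOMAGENT.msi not found at $MsiPath" }
$MsiPath = (Resolve-Path $MsiPath).Path   # msiexec wants a full path

function Invoke-Msi {
    param([string]$Step, [string[]]$MsiArgs)
    $log = Join-Path $LogDir "MOMAGENT-$Step.log"
    # /q = quiet (as in the post); /l*v = verbose MSI log for diagnosing a failed SCCM run
    $args = @('/i', "`"$MsiPath`"") + $MsiArgs + @('/q', '/l*v', "`"$log`"")
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $args -Wait -PassThru
    # 0 = success, 3010 = success but reboot required; anything else is a failure
    if ($p.ExitCode -notin @(0, 3010)) {
        throw "MOM agent $Step failed with msiexec exit code $($p.ExitCode); see $log"
    }
    Write-Host "MOM agent $Step OK (exit code $($p.ExitCode), log: $log)"
}

# Step 1 (cmd 1 in the post): remove the agent, which still holds the old server config
Invoke-Msi -Step 'uninstall' -MsiArgs @('REMOVE="MOMXAgent"')

# Step 2 (cmd 2 in the post): reinstall against the new collection server.
# The FCS policies must already be deployed in the new domain at this point.
Invoke-Msi -Step 'install' -MsiArgs @(
    "CONFIG_GROUP=`"$ConfigGroup`"",
    "MANAGEMENT_SERVER=`"$ManagementServer`"",
    'AM_CONTROL="Full"'
)
```

Run it from an elevated prompt; when used as an SCCM program the two steps no longer need separate pre-installation wiring since the script enforces the order itself.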

After deployment via SCCM they started to pop up in the new FCS console...worked like a charm :-)

/Johan

Going to TechEd Berlin baby!

Hi!

I'll be going to TechEd EMEA in Berlin.
I'm going to work in the TLC (Technical Learning Center) section (formerly known as ATE). I have not gotten my schedule yet, but you will find me in the Forefront booth.

If you are going to TechEd, please stop by and say hi!

See you there!

/Johan

Why is Microsoft Security Essentials not available in my country?

As I posted a while ago, Microsoft Security Essentials is released.

When I went back to the download page it just stated that it was not available in my country..que? I sent some emails and found out that it will be available, just not yet. Microsoft is working on getting it localized and they just have not had the time to finish it all...yet. That's why it's only available in selected countries. We will probably see another release this year and the rest during next year.

/johan

Major news about Forefront Endpoint Protection (Stirling)

Hi!

Some major news about Forefront Anti-malware popped in from the Forefront team blog. I was very surprised and am not sure what this means technically yet...so I'm going to bug my MS contacts and find out :-). Unfortunately this means there will be another release delay.

From the Forefront Team:

Today we are announcing a schedule and strategy update for Forefront Endpoint Protection 2010, a component of the upcoming Forefront Protection Suite (previously codenamed "Stirling").

We are delaying the release of Forefront Endpoint Protection 2010 - anti-malware for Windows desktops and servers - until the second half of 2010. Based on customer feedback and market trends, we have made the strategic decision to build Forefront Endpoint Protection (FEP) on System Center Configuration Manager, Microsoft's solution to comprehensively assess, deploy, and update servers, clients, and devices. This approach better aligns our customers' client management and security infrastructure, helping simplify deployment and reduce costs.

We are confident this is the right decision for our customers. In the interim, we will continue to offer our current Forefront Client Security (FCS) solution, which supports and protects both Windows 7 and Windows Server 2008 R2. We are developing the necessary tools and guidance to facilitate the future upgrade from Forefront Client Security to Forefront Endpoint Protection and will help customers with the migration process.

We also remain committed to providing integrated management for the Forefront Protection Suite. We will release Forefront Protection Manager in the first half of 2010, as scheduled, providing multi-server management for Forefront Protection 2010 for Exchange Server and Forefront Protection 2010 for SharePoint. We will provide information about endpoint security management in Forefront Protection Manager at a later time.

We are on track to release all other Forefront products on schedule, as part of our Business Ready Security strategy:

  • Fourth quarter 2009: Forefront Protection 2010 for Exchange Server, Forefront Online Protection for Exchange, Forefront Threat Management Gateway 2010 and Forefront Unified Access Gateway 2010
  • First half 2010: Forefront Protection 2010 for SharePoint, Forefront Identity Manager 2010.


Microsoft Security Essentials available today! Go get it!

Microsoft Security Essentials, the new no-cost, anti-malware service that helps protect consumers against viruses, spyware and other malicious software is available, Today! Tuesday, Sept. 29. It requires no registration, trials or renewals and will be available for download directly from Microsoft at http://www.microsoft.com/security_essentials.

Great stuff!

/johan

FCS v1 support on Windows 7 and Server 2008 R2 released (hotfix)

Issues that this hotfix package fixes

Issue 1

Firewall rules for programs in Windows 7 and in Windows Server 2008 R2 are not accurately reported in Security State Assessment reporting. Reporting shows exceptions are configured but does not display or assess them.

Issue 2

The Forefront Client Security State Assessment process (FcsSas.exe) crashes on Windows Vista-based, Windows 2008-based, Windows 7-based, or Windows 2008 R2-based computers that are using Windows Firewall.

http://support.microsoft.com/default.aspx/kb/974253

/johan

New version of the Malware Protection Portal released

Hi folks!

Microsoft has released a new and improved version of the Malware Protection Portal. One of the major differences is that you can sign in (using your MS Passport) and a profile is created for you. This streamlines the malware submission process a lot, since the general info can be pre-populated.

Furthermore, you can find out what the latest malware threats are and the latest definition file numbers, and much more...

Check it out! https://www.microsoft.com/security/portal

Vacation is almost over!

/Johan

Microsoft Security Essentials Beta Installed

So, it's up and running. Microsoft Security Essentials Beta.

Here are a few screenshots from the setup and the UI.

[screenshots]

A new icon appears on the desktop and in the system tray:

...and opening the UI there are 4 main tabs....

[screenshots]

That's all for now. Stay tuned!

/Johan

Codename "Morro" is out in the open :-)

Hi all!

Microsoft has released Microsoft Security Essentials Beta.

I have not tried it yet but am just about to do so.

You can read more about it here: http://blogs.msdn.com/securitytipstalk/archive/2009/06/23/what-is-microsoft-security-essentials-what-s-happening-to-onecare.aspx

...and get the Beta here: http://www.microsoft.com/security_essentials/market.aspx  Unfortunately it's not available for every country (not Sweden). So, just be inventive and I'm sure you'll figure out how to get the Beta :-)

Installing as I type :-)

/Johan

Catch-up scans...how they work and how to tweak them.

Great post from the Forefront Client Security Team 

A catch-up scan is a scan that is initiated because a regularly scheduled Forefront Client Security antimalware scan was missed.  Usually these scheduled scans are missed because the computer was turned off at the scheduled time.  The FCS documentation at http://technet.microsoft.com/en-us/library/bb418896.aspx states:

Scheduled malware scans enable you to choose the time of day when the Client Security agent on each managed computer begins a scan. This enables you to select a time that is likely to have minimal impact on users. You can also configure whether a scheduled scan is a full scan or a quick scan. If a client computer is offline for two consecutive scheduled scans, Client Security starts a scan the next time someone logs on to the computer. For more information, see Configuring scheduled and interval malware scans.

To expand on this, scans can be scheduled to run either daily or weekly, and as either full or quick scans. If there is no scheduled scan configured, there will be no catch-up scan run. If the scheduled scan is configured for daily, then after two days of being missed, the next time the antimalware service starts, after a short delay of about ten to twenty minutes, the missed scheduled scan will be run. The scan type will be based upon the scan type of the scheduled scan: if a full scan is scheduled the catch-up scan will be a full scan; if the scheduled scan is a quick scan the catch-up scan will also be a quick scan. If the scan is configured for weekly, then after missing the scan two consecutive weeks, the next time the antimalware service starts, after a short delay of about ten minutes, the missed scheduled scan will be run. The number of scans missed (two) before the catch-up scan is invoked is not configurable.

In the current version, the Forefront Client Security antimalware client differentiates scans initiated through the UI from scans initiated through the command line or scheduled tasks. Scans invoked through the antimalware UI do not count as "scheduled" and cannot be used to avoid catch-up scans. The only exception to this is if a computer has never run a scheduled scan; this helps prevent newly installed clients from running a catch-up scan when they receive policy.

If you miss a scheduled scan and want to run your own catch-up scan so it will run at a convenient time, you should invoke the scan through the command line:

"%programfiles%\Microsoft Forefront\Client Security\Client\antimalware\mpcmdrun.exe" -Scan

Additionally, catch-up scans are only applicable to scans that are scheduled for a particular time; they do not apply to interval-based scans, as shown in the screenshot below.

[screenshot: intervalScans]

An interval scan is essentially just a timer that starts roughly when the service starts.  If the computer is rebooted, the service is restarted, or the scan interval changes the timer is reset.

By default catch-up scans are enabled. If you do not wish to run catch-up scans, you may use an ADM file and set the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan, DisableCatchUpScan. You can cut-and-paste the example below into a text file and rename it to .adm to test this:

; Machine-side policy: writes DWORD DisableCatchupScan under
; HKLM\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan
; Enabled (1) = catch-up scans disabled; Disabled (0) = FCS default, catch-up scans run
CLASS MACHINE
CATEGORY !!FCSCategory
    POLICY !!CatchUp_Name
        KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan"
        EXPLAIN !!CatchUp_Explain
        VALUENAME DisableCatchupScan
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY
[strings]
FCSCategory="Microsoft FCS Scan Override"
CatchUp_Name="Disable Catch-up Scan"
CatchUp_Explain="This setting instructs the FCS antimalware client not to re-attempt a missed scan"
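To verify on a client that the policy above actually arrived (and to flip it locally on a test machine without Group Policy), here is an added PowerShell example that is not part of the original post. The registry path and value name are the ones the post gives; the function names and the interpretation of an absent value as "FCS default, catch-up scans on" follow from the text.

```powershell
# Added example (not from the original post): audit and set the FCS
# DisableCatchUpScan policy value the ADM above writes. Path and value name
# come from the post; an absent value means FCS default (catch-up scans on).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan'

function Get-FcsCatchUpScanPolicy {
    # Read the value; a missing key or value yields $null instead of an error
    $value = (Get-ItemProperty -Path $PolicyKey -Name DisableCatchUpScan `
                -ErrorAction SilentlyContinue).DisableCatchUpScan
    [pscustomobject]@{
        PolicyKey          = $PolicyKey
        ValuePresent       = ($null -ne $value)
        DisableCatchUpScan = $value
        # Effective behaviour: catch-up scans run unless the value is present and 1
        CatchUpScansActive = ($null -eq $value) -or ($value -eq 0)
    }
}

function Set-FcsCatchUpScanPolicy {
    # Mirrors the ADM's VALUEON (1) / VALUEOFF (0); needs an elevated prompt.
    # On a domain-joined client, Group Policy will overwrite this at next refresh.
    param([Parameter(Mandatory)][bool]$Disable)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name DisableCatchUpScan -PropertyType DWord `
        -Value ([int]$Disable) -Force | Out-Null
    Get-FcsCatchUpScanPolicy
}

# Usage: report the current state on this machine
Get-FcsCatchUpScanPolicy | Format-List
```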
