No other way?
- Here is my current policy setup with regard to the area I'm wondering about.
Client Options:
users can view all client security agents and settings
only administrators can change client security agent settings
Currently my domain account is a local admin on my machine. When I run a test scan and it detects something, I have an option of what I want to do with the alert (remove, ignore, etc.), which is great. We admins should be able to choose what we want to do.
On a regular user's machine (where they are only power users), the same scan will only result in the tray icon turning orange (and the appropriate event logged in the event viewer), and they cannot access the GUI, nor does the program seem to do anything with the infected file. It's still in the directory I put it in. This is not good at all. Can there not be a default action put in place? As per the balloon tip on the client machine: "A system administrator manages Microsoft Forefront Client Security for all users on this computer. The program will notify you to take actions only if malicious software is detected."
And it certainly doesn't. HELP!
All Replies
- OK, so it was classified as a medium alert item, which according to my FCS GUI means the default action is definition based. Any way to set that to quarantine?
NM, I got 'er figured.
- OK, well, I have changed the default override for "medium" threats. However, it does not run automatically. I need to log in as a local admin and open the GUI. There the action is set to quarantine. But how in the heck do I get it to do it automatically?!
- Hi!
Just to be clear on the problem.
Did you set the override for Medium threats in a policy on the FCS server and deploy that, or in a local policy using the FCS UI?
/Johan
MCSE, forefront spec | www.msforefront.com
- I set the policy on the server and deployed it. When I log in as admin to the machine I can see that the policy has taken effect (Tools > Options > Default actions > Medium alert items: Quarantine). However, since the user isn't allowed into the FCS UI, I want it to quarantine the item automatically. I see that the scan has detected the item (the Application event log shows this). Yet the item is still in the folder where I put it.
It's almost as if that setting just makes the first available option in the drop-down list "quarantine". But again, I have to log in as admin to actually tell it to perform that action.
- Ahh... OK.
At time of detection, do you manually take action (right-clicking on the red FCS icon)?
FCS suspends the malware immediately, but it does not take the default action (definition based) or the override action until 10 minutes have passed (unless you take manual action).
Have you tried waiting the 10 minutes?
If you get the desired result when FCS takes action and not when you take manual action (right-clicking on the red FCS icon), you might have stumbled on a bug.
/Johan
MCSE, forefront spec | www.msforefront.com
- When logged in as a regular user, they do not have access to the UI. So all I see is the orange exclamation mark (not red), so as a user there is nothing actually saying "hey, I detected something". It's not prompting for anything; all it says is that the settings are controlled by my system admin (me). And the default action of quarantine isn't taking place. When logged in as admin I can open the UI and have it perform an operation (remove, ignore, etc.), but again, it still isn't performing the default action.
I should mention that the scan was initiated by me via the server.
- Edited by Ryan Senio Tuesday, July 21, 2009 5:01 AM
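Johan's point about the 10-minute window and Ryan's report that the file is still sitting in its folder suggest the check a practitioner would want to run on the client: plant the sample, wait out the window without touching the tray icon, and watch both the Application log and the file itself, so "detected but no action taken" can be told apart from "not detected at all". The following PowerShell is an added example for this thread, not code from the thread or from Forefront Client Security. The event source name `FCSAM` used as the default for `-Source` is an assumption (check a real detection in Event Viewer on a client and adjust), and `-TestFile` is whatever sample you planted; the script plants nothing itself.

```powershell
# Added verification harness (not from the thread). Run it on the client, as the
# admin, right after copying the test sample into place, while a standard user is
# logged on. It watches the Application log and the planted file for the duration
# of the default-action window instead of relying on the tray icon.
# Assumptions: FCS client events appear in the Application log under the source
# given by -Source (default 'FCSAM' is an assumption, adjust after checking Event
# Viewer); -TestFile is the path of the sample you planted.
param(
    [Parameter(Mandatory = $true)][string]$TestFile,
    [string]$Source      = 'FCSAM',
    [int]$WaitMinutes    = 12,     # a little past the 10-minute window described in the thread
    [int]$PollSeconds    = 30
)

$start    = Get-Date
$deadline = $start.AddMinutes($WaitMinutes)
$seen     = @{}                    # log entries already printed, keyed by entry index

Write-Host ("Watching '{0}' and Application log source '{1}' until {2:HH:mm:ss}" -f $TestFile, $Source, $deadline)

while ((Get-Date) -lt $deadline) {
    # Any new entry from the antimalware client since we started watching.
    # -ErrorAction SilentlyContinue: Get-EventLog raises a non-terminating error
    # when the source has no matching entries yet.
    $events = Get-EventLog -LogName Application -Source $Source -After $start -ErrorAction SilentlyContinue
    foreach ($e in ($events | Sort-Object TimeGenerated)) {
        if (-not $seen.ContainsKey($e.Index)) {
            $seen[$e.Index] = $true
            $firstLine = ($e.Message -split "`r?`n")[0]
            Write-Host ("{0:HH:mm:ss}  EventID {1,-5} {2}" -f $e.TimeGenerated, $e.EventID, $firstLine)
        }
    }

    # The file disappearing is the only reliable sign that the default action ran.
    if (-not (Test-Path -LiteralPath $TestFile)) {
        Write-Host ("{0:HH:mm:ss}  Test file is gone: the client acted on it." -f (Get-Date))
        break
    }
    Start-Sleep -Seconds $PollSeconds
}

# Summarise the outcome so the two failure modes are not confused.
if (Test-Path -LiteralPath $TestFile) {
    if ($seen.Count -eq 0) {
        Write-Warning "No events from '$Source' and the file is still present: nothing was detected (or the source name is wrong)."
    } else {
        Write-Warning "Detection was logged but the file is still present after $WaitMinutes minutes: the default action did not run."
    }
}
```

Usage: `.\Watch-FcsAction.ps1 -TestFile 'C:\Temp\sample.iso'` (script name and path are placeholders). Do not right-click the FCS icon while it runs; as Johan notes, a manual action short-circuits the delayed default action and would hide the behaviour you are trying to observe.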
- Hmm...
What file do you have on the computer that you are scanning that triggers a medium alert?
/Johan
MCSE, forefront spec | www.msforefront.com
- It's the ophcrack ISO.
- Proposed as answer by Johan Blom, Forefront MVP, Tuesday, October 27, 2009 11:51 PM

