FCS slow removal?

  • Monday, November 02, 2009 5:57 AM andreasjan
    Hi,
    We have FCS deployed in our network and recently we found a virus, Conficker. From the FCS log I can see that it took about 11-12 minutes for FCS to take the action Remove. Please refer to the log below (in the log you can find 2 domain users, meaning 2 different computers).
    We wonder why it took a while for FCS to take the Remove action and why it did not take the Remove action immediately once it detected the virus. Kindly advise. Thank you.

    Regards,
    Januar

    10/27/2009 10:39:55 PM 3005  Microsoft Forefront Client Security Real-Time Protection agent has taken action to protect this machine from spyware or other potentially unwanted software.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Worm:Win32/Conficker.B&threatid=2147618124
    Scan ID: {76D6031E-8FAE-40F2-89C1-F5396A93205E}
    User: Domain-name\domain-user1
    Name: Worm:Win32/Conficker.B
    ID: 2147618124
    Severity: Severe
    Category: Worm
    Alert Type: Spyware or other potentially unwanted software
    Action: Remove  

    10/27/2009 10:39:50 PM 3005  Microsoft Forefront Client Security Real-Time Protection agent has taken action to protect this machine from spyware or other potentially unwanted software.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Worm:Win32/Conficker.B&threatid=2147618124
    Scan ID: {7762C745-71DB-45B2-A861-9AB93802F541}
    User: Domain-name\domain-user2
    Name: Worm:Win32/Conficker.B
    ID: 2147618124
    Severity: Severe
    Category: Worm
    Alert Type: Spyware or other potentially unwanted software
    Action: Remove  

    10/27/2009 10:27:47 PM 3004  Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Worm:Win32/Conficker.B&threatid=2147618124
    Scan ID: {5EBC84F0-DD38-41AA-BA83-B9E4C9EEDC19}
    Agent: Application Registration
    User: Domain-name\domain-user1
    Name: Worm:Win32/Conficker.B
    ID: 2147618124
    Severity: Severe
    Category: Worm
    Path Found: file:C:\WINNT\tasks\At1.job;file:C:\WINNT\system32\uhcguem.sf;taskscheduler:C:\WINNT\tasks\At1.job
    Alert Type: Spyware or other potentially unwanted software
    Process Name: 
    Detection Type: Concrete
    Status:  

    10/27/2009 10:27:39 PM 3004  Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Worm:Win32/Conficker.B&threatid=2147618124
    Scan ID: {2D8E3473-C5DA-46D2-8C87-63E14B8F2EAB}
    Agent: Application Registration
    User: Domain-name\domain-user2
    Name: Worm:Win32/Conficker.B
    ID: 2147618124
    Severity: Severe
    Category: Worm
    Path Found: file:C:\WINNT\tasks\At1.job;file:C:\WINNT\system32\uhcguem.sf;taskscheduler:C:\WINNT\tasks\At1.job
    Alert Type: Spyware or other potentially unwanted software
    Process Name: 
    Detection Type: Concrete
    Status:  

    10/27/2009 10:26:48 PM 3004  Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Worm:Win32/Conficker.B&threatid=2147618124
    Scan ID: {204EC5C2-0BBF-415B-95F2-251383DAD752}
    Agent: On Access
    User: NT AUTHORITY\SYSTEM
    Name: Worm:Win32/Conficker.B
    ID: 2147618124
    Severity: Severe
    Category: Worm
    Path Found: file:C:\WINNT\system32\uhcguem.sf
    Alert Type: 
    Process Name: 
    Detection Type: Concrete
    Status: Suspend  

Answers

  • Tuesday, November 10, 2009 7:01 AM Nick Gu - MSFT (MSFT, Moderator)
     Answer

    Hi,


    Thank you for your update.


    As far as I know, FCS will not remove malware when no user is logged into the OS, and this behavior is by design.

    Regards,


    Nick Gu - MSFT

All Replies

  • Tuesday, November 03, 2009 7:34 AM Nick Gu - MSFT (MSFT, Moderator)
     Proposed Answer

    Hi,


    Thank you for the post.


    According to your description, I understand that FCS is able to detect and prompt an alert when the virus file is being accessed. This means the file is recognized by the engine and definitions, and this worm is not able to run on these machines.

    I suspect you may be concerned about why these files are not being removed while they are still detectable. Actually this is expected behavior for FCS. Real-time protection (RTP) in FCS requires user interaction to confirm the action (remove/quarantine/allow) to take on detected files. When there is no user logged on, it will not take action on detected files. However, these files will still be blocked; that is to say, the machine is still under protection when there is no user logged on. When there is no user logged on, only a scheduled full scan will take the default action on detected malicious software.

    Regards,


    Nick Gu - MSFT
  • Wednesday, November 04, 2009 11:39 AM andreasjan
    Hi Nick,
    Thank you for your response. I just wonder whether we can set FCS to remove viruses when it detects them (real-time protection) rather than waiting for user interaction or a scheduled full scan. Please elaborate on this. Thank you.

    Regards,
    Januar
  • Tuesday, November 17, 2009 6:21 PM Johan Blom, Forefront MVP (MVP)
    Hi!

    When FCS detects a piece of malware on your system it will immediately suspend the malware. This means that the malware from then on is harmless to your system. Then FCS waits for 10 minutes before taking an automated action (not a configurable amount of time), unless the user takes action within the 10 minutes. FCS does not require user action to clean malware.

    This is, like Nick says, by design.
    I'm not 100% sure, but I'm guessing the 10-minute grace period is a window for the user to act on detected software that the user might actually want, like VNC or Dameware etc.

    /johan
    MCSE, forefront spec | www.msforefront.com
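An added example, not part of the thread: a small Python script that parses FCS event text like the log in the original question and measures, per user and threat, the gap between the first 3004 "detected changes" event and the first 3005 "has taken action" event. It assumes the event layout shown in the question (a header line with timestamp, event ID and message, followed by `Key: Value` lines, entries separated by blank lines); the sample input is the thread's own entries trimmed to the fields the script reads. The grace-period threshold of 600 seconds is taken from Johan's description and is a constructed parameter, not an FCS setting. Run over the sample it shows the two user sessions remediated after roughly 12 minutes and the SYSTEM-context detection left at Status: Suspend with no action logged.

```python
import re
from datetime import datetime

# Constructed sample: the thread's own FCS entries, trimmed to the fields used below.
SAMPLE_LOG = r"""
10/27/2009 10:39:55 PM 3005  Microsoft Forefront Client Security Real-Time Protection agent has taken action to protect this machine
Scan ID: {76D6031E-8FAE-40F2-89C1-F5396A93205E}
User: Domain-name\domain-user1
Name: Worm:Win32/Conficker.B
Action: Remove

10/27/2009 10:39:50 PM 3005  Microsoft Forefront Client Security Real-Time Protection agent has taken action to protect this machine
Scan ID: {7762C745-71DB-45B2-A861-9AB93802F541}
User: Domain-name\domain-user2
Name: Worm:Win32/Conficker.B
Action: Remove

10/27/2009 10:27:47 PM 3004  Microsoft Forefront Client Security Real-Time Protection agent has detected changes.
Scan ID: {5EBC84F0-DD38-41AA-BA83-B9E4C9EEDC19}
Agent: Application Registration
User: Domain-name\domain-user1
Name: Worm:Win32/Conficker.B
Path Found: file:C:\WINNT\tasks\At1.job;file:C:\WINNT\system32\uhcguem.sf;taskscheduler:C:\WINNT\tasks\At1.job
Status:

10/27/2009 10:27:39 PM 3004  Microsoft Forefront Client Security Real-Time Protection agent has detected changes.
Scan ID: {2D8E3473-C5DA-46D2-8C87-63E14B8F2EAB}
Agent: Application Registration
User: Domain-name\domain-user2
Name: Worm:Win32/Conficker.B
Path Found: file:C:\WINNT\tasks\At1.job;file:C:\WINNT\system32\uhcguem.sf;taskscheduler:C:\WINNT\tasks\At1.job
Status:

10/27/2009 10:26:48 PM 3004  Microsoft Forefront Client Security Real-Time Protection agent has detected changes.
Scan ID: {204EC5C2-0BBF-415B-95F2-251383DAD752}
Agent: On Access
User: NT AUTHORITY\SYSTEM
Name: Worm:Win32/Conficker.B
Path Found: file:C:\WINNT\system32\uhcguem.sf
Status: Suspend
"""

EVENT_DETECTED = 3004      # RTP agent detected changes / a threat
EVENT_ACTION_TAKEN = 3005  # RTP agent took an action (Remove, Quarantine, ...)
GRACE_SECONDS = 600        # assumed 10-minute wait described in the thread

HEADER_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+(?P<event>\d{4})\s+(?P<msg>.*)$"
)
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def parse_fcs_log(text):
    """Split blank-line-separated FCS entries into dicts, sorted oldest first."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an event header: skip the block
        entry = {"time": datetime.strptime(m["ts"], TS_FORMAT),
                 "event_id": int(m["event"]), "message": m["msg"].strip()}
        for line in lines[1:]:
            key, sep, value = line.partition(":")  # "Path Found: file:C:\..." keeps the full value
            if sep:
                entry[key.strip()] = value.strip()
        entries.append(entry)
    return sorted(entries, key=lambda e: e["time"])


def remediation_lag(entries):
    """Per (User, Name): seconds from first 3004 detection to first 3005 action, or None."""
    first_detect, first_action = {}, {}
    for e in entries:
        key = (e.get("User"), e.get("Name"))
        if e["event_id"] == EVENT_DETECTED:
            first_detect.setdefault(key, e)
        elif e["event_id"] == EVENT_ACTION_TAKEN and key in first_detect:
            first_action.setdefault(key, e)
    table = {}
    for key, det in first_detect.items():
        act = first_action.get(key)
        table[key] = {
            "detected_at": det["time"],
            "status": det.get("Status", ""),
            "paths": [p for p in det.get("Path Found", "").split(";") if p],
            "action": act.get("Action") if act else None,
            "lag_seconds": (act["time"] - det["time"]).total_seconds() if act else None,
        }
    return table


def report(table, grace_seconds=GRACE_SECONDS):
    """Human-readable lines: one per (user, threat), flagging pending and over-grace cases."""
    out = []
    for (user, threat), info in sorted(table.items()):
        when = info["detected_at"].strftime("%H:%M:%S")
        if info["lag_seconds"] is None:
            out.append(f"{user}: {threat} detected {when}, status={info['status'] or '-'}, "
                       f"no 3005 action logged (pending user session or scheduled scan)")
        else:
            note = "after grace period" if info["lag_seconds"] > grace_seconds else "within grace period"
            out.append(f"{user}: {threat} detected {when}, {info['action']} after "
                       f"{info['lag_seconds']:.0f}s ({note}); paths: {', '.join(info['paths'])}")
    return out


if __name__ == "__main__":
    for line in report(remediation_lag(parse_fcs_log(SAMPLE_LOG))):
        print(line)
```

The per-key grouping uses the User and Name fields because the 3005 entries in the question carry no Path Found or Scan ID that links back to the 3004 entry; on a real export you would normally key on the machine name as well, since the same domain user can appear on several hosts.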