locked
Microsoft Forefront Client Security Real-Time Protection agent has detected changes

    Question

  • How do I override the Group Policy processing on a Terminal server so I don't get 5000 of these warning messages:

    Microsoft Forefront Client Security Real-Time Protection agent has detected changes...  when the users log in and Group Policy is applied on a Terminal Server.  Below are some samples:

     

    Scan ID: {0268AC51-21E4-44F2-8870-1285E3431BB6}
      Agent: IE Configuration
      User: XXXXXX-INT\username
      Name: Unknown
      ID:
      Severity: Not Yet Classified
      Category: Not Yet Classified
      Path Found: iemain:HKCU@S-1-5-21-1123561945-1035525444-682003330-1159\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page
      Alert Type: Unclassified software
      Process Name:
      Detection Type:

     

    Scan ID: {D66F9CEC-1ED3-4ABE-8E47-DC97B1D13E19}
      Agent: IE Configuration
      User: XXXXX-INT\username

      Name: Unknown
      ID:
      Severity: Not Yet Classified
      Category: Not Yet Classified
      Path Found: iemain:HKCU@S-1-5-21-1123561945-1035525444-682003330-1159\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL
      Alert Type: Unclassified software
      Process Name:
      Detection Type:

     

    Scan ID: {DE77274B-53F7-4AF3-B142-A032DBA02BFE}
      Agent: System Configuration
      User: XXXXXX-INT\username

      Name: Unknown
      ID:
      Severity: Not Yet Classified
      Category: Not Yet Classified
      Path Found: firewallokfile:HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications\List\\%WINDIR%\System32\msra.exe:*:Enabled:Remote Assistance
      Alert Type: Unclassified software
      Process Name:
      Detection Type:

     

    ANYONE???

     

     

    Thanks a bunch!

    27 May 2008 21:01

All replies

  • I am also wondering how to disable the SystemConfiguration(settings) piece under real-time protection. It can be disabled on the client side but it's all or nothing on the server side. I tracked the registry change and exported the fix but was then unable to import it, and when the policy kicks in it doesn't matter anyway. It's almost impossible to do unattended\silent installations because they are no longer unattended or silent.  A fix for this known issue would be greatly appreciated.
    6 January 2009 18:18
  • I'm also looking at how to disable the System Configuration Agent for Real Time Protection. Every time GPOs get applied I get alerts! Stop this madness..
    16 December 2009 20:15
  • Hi Chris,

    I was able to stop Forefront from flagging .reg imports and gp by adding an exception to the client policy.

    Open the Microsoft Forefront Client Security Console and choose "Policy Management". Choose the client policy and click Edit.
    In the bottom window, "Overrides based on category and severity", click "Add".

    It should look like this:

    Classification    Type                 Override Response
    Category          Settings Modifier    Default Response

    We have been running this for almost a year without problems and I haven't seen a blue exclamation point since.

    I hope this helps.
    • Proposed as answer by Roy_ 16 December 2009 22:05
    16 December 2009 21:56
  • That didn't do it for us. We had some FF updates on Friday 19/03/10 and after that GPO updates bring up the warnings. Tried the above setting, and the same again but with Ignore set instead of Default Response. Also tried that for Browser Modifier.

    This is not only on Terminal Server, it's on all our FF cliented machines.

    Anyone have a solution for this?

     

    Thanks

     

    Rgds,

    Peter

    22 March 2010 11:47
  • Same here...

    I set up a Group Policy Setting to make sure that our Intranet is the default homepage and that IE opens in the morning on startup.  That way the powers that be can guarantee staff see the Intranet Alerts.  The problem is that every time the Group Policy applies, we get this:

    Summary:

    Internet Explorer Configurations change occurred.

    This agent monitors end user and security related configuration changes made to Internet Explorer, including the default home page.

    Detected changes:
    New: http://sherlock/
    Original: Not available
    iemain (New):
    HKCU@S-1-5-21-1796986399-257074395-2151796307-1113\SOFTWARE\Microsoft\Internet Explorer\Main\\Default_Page_URL
    Advice:
    Permit this configuration change only if you trust its origin. It is recommended that you run a quick scan if you choose to deny this change.
    Detected by:
    Definition file
    Checkpoint:
    Internet Explorer Home Page
    Category:
    Configuration Change

    I made the changes Roy suggested and re-deployed the policy but alas no change, the clients still get the blue question mark which is paralysing them with fear, they all want their nice neat green ticks back.

    It's unbelievable as it's all Microsoft Apps involved, it's not like it's another software vendor's bad code at work.

     

    25 March 2010 15:30
  • Unfortunately I did not try this with IE settings, just a few Firewall Ports. It sounds like you should set "browser modifier" to Default Response. I haven't tested this so you'll want to apply this on your test OU first. Remember to gpupdate /sync or /force from the client to ensure the policy was received when testing.

    I also have the following settings checked:

    Advanced>Client Options

    Users can view all client Security agent settings and messages

    Only administrators can change Client Security agent settings

    Allow users to add exclusions and overrides

    Hope this helps.

     

    25 March 2010 19:07
  • Tried this too.  Haven't found a way to stop this issue from alerting.
    23 April 2010 23:13
  • I am also looking for a way to suppress similar alerts.  The FCSAM 3004 event below occurs on the client PC each time PSEXEC is launched on the client remotely.

    Scan ID: {25A9F3B8-9E90-435D-9A53-F5E02B53CE69}
      Agent: Services and Drivers
      User: <omitted by poster>
      Name: Unknown
      ID:
      Severity: Not Yet Classified
      Category: Not Yet Classified
      Path Found: driver:PSEXESVC
      Alert Type: Unclassified software
      Process Name:
      Detection Type:

     

    3 June 2010 17:43
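
Added example (not part of the thread, and not Microsoft's code): a triage helper for alert text in the layout quoted in the posts above. It masks the per-user SID in each "Path Found" value so that thousands of per-logon alerts collapse to one row per monitored setting, and marks rows whose key lies under HKLM\SOFTWARE\Policies. The sample input, function names and the `<SID>` mask are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample in the layout of the alerts quoted in the thread
# (Scan IDs and SIDs are made up; fields not needed here are left out).
SAMPLE = r"""
Scan ID: {00000000-0000-0000-0000-000000000001}
  Agent: IE Configuration
  Path Found: iemain:HKCU@S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page
Scan ID: {00000000-0000-0000-0000-000000000002}
  Agent: IE Configuration
  Path Found: iemain:HKCU@S-1-5-21-1111111111-2222222222-3333333333-1002\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page
Scan ID: {00000000-0000-0000-0000-000000000003}
  Agent: System Configuration
  Path Found: firewallokfile:HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications\List\\%WINDIR%\System32\msra.exe:*:Enabled:Remote Assistance
Scan ID: {00000000-0000-0000-0000-000000000004}
  Agent: Services and Drivers
  Path Found: driver:PSEXESVC
"""

SID_RE = re.compile(r"S-1-5-21(?:-\d+){4}")   # domain/local account SID
POLICY_PREFIX = "HKLM\\SOFTWARE\\POLICIES\\"  # machine policy hive, upper-cased

def parse_alerts(text):
    """Return one dict of 'Key: value' fields per 'Scan ID:' block."""
    alerts = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "Scan ID":
            alerts.append({})          # a new alert block starts here
        if sep and alerts:
            alerts[-1][key] = value.strip()
    return alerts

def signature(alert):
    """(agent, checkpoint, target) with per-user SIDs masked."""
    checkpoint, _, target = alert.get("Path Found", "").partition(":")
    return alert.get("Agent", ""), checkpoint, SID_RE.sub("<SID>", target)

def summarize(text):
    """Count alerts per signature: many users, one setting, one row."""
    return Counter(signature(a) for a in parse_alerts(text))

def is_policy_backed(sig):
    return sig[2].upper().startswith(POLICY_PREFIX)

for sig, n in summarize(SAMPLE).most_common():
    print(n, "policy" if is_policy_backed(sig) else "-", *sig)
```

The resulting rows show which agents and checkpoints account for the volume, which is the information needed when deciding where an override is worth testing.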