Daily Forefront alerts about Forefront scheduled scan

  • Question

  • Some of our users (however not all) are receiving Forefront alerts every morning when they log on to their computers. There does not seem to be any pattern or common factor between these users; they are spread out amongst multiple geographic locations, business units, etc. They all have Forefront Client Security 1.5 installed and are centrally managed by a FCS server. All of these PCs are Windows 7 Enterprise x64. I would say at this point it affects approximately 50 users out of 500 total.

    We have real-time protection enabled but no scheduled scans. A security state assessment is set to scan every 12 hours. Is there a way to stop the users from receiving these alerts? Here is an example:

    Summary:
    Application Registration change occurred.

    This agent monitors the various ways which permit a program, script, or executable to be started independent of an application.

    Path:
    C:\Windows\system32\tasks\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\MP Scheduled Scan

    Detected changes:
    file:
    C:\Windows\system32\tasks\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\MP Scheduled Scan

    taskscheduler:
    C:\Windows\system32\tasks\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\MP Scheduled Scan

    Advice:
    Permit this detected item only if you trust the program or the software publisher.

    Programs that may compromise your privacy or damage your computer were detected. You can still access the file without removing the threat, although this is not recommended. To do so, select "Always Allow" as the action and click the "Apply Actions" button. If this option is not available, log on as an administrator or ask an administrator for help.

    Detected by:
    Definition file

    Publisher:
    Not available

    Digitally Signed By:
    NOT SIGNED

    Product name:
    Not available

    Description:
    Not available

    Size:
    3728 bytes

    Version:
    Not available

    Type:
    file type unknown

    Checkpoint:
    Task Scheduler

    Category:
    Not Yet Classified

    Here are the contents of the file indicated above:

    <?xml version="1.0" encoding="UTF-16"?>
    <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
      <RegistrationInfo>
        <Description>Scheduled Scan</Description>
      </RegistrationInfo>
      <Triggers>
        <CalendarTrigger>
          <StartBoundary>2000-01-01T00:00:00</StartBoundary>
          <EndBoundary>2100-01-01T00:00:00</EndBoundary>
          <Enabled>false</Enabled>
          <ScheduleByWeek>
            <DaysOfWeek>
              <Sunday />
            </DaysOfWeek>
            <WeeksInterval>1</WeeksInterval>
          </ScheduleByWeek>
        </CalendarTrigger>
      </Triggers>
      <Principals>
        <Principal id="LocalSystem">
          <UserId>S-1-5-18</UserId>
          <RunLevel>HighestAvailable</RunLevel>
        </Principal>
      </Principals>
      <Settings>
        <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
        <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
        <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
        <AllowHardTerminate>true</AllowHardTerminate>
        <StartWhenAvailable>false</StartWhenAvailable>
        <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
        <IdleSettings>
          <Duration>PT10M</Duration>
          <WaitTimeout>PT1H</WaitTimeout>
          <StopOnIdleEnd>true</StopOnIdleEnd>
          <RestartOnIdle>false</RestartOnIdle>
        </IdleSettings>
        <AllowStartOnDemand>true</AllowStartOnDemand>
        <Enabled>true</Enabled>
        <Hidden>true</Hidden>
        <RunOnlyIfIdle>false</RunOnlyIfIdle>
        <WakeToRun>false</WakeToRun>
        <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
        <Priority>7</Priority>
      </Settings>
      <Actions Context="LocalSystem">
        <Exec>
          <Command>c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe</Command>
          <Arguments>Scan -RestrictPrivileges -ScanType 1</Arguments>
        </Exec>
      </Actions>
    </Task>


    • Edited by EJ72 Friday, September 28, 2012 12:35 PM
    Friday, September 28, 2012 12:32 PM

Answers

  • Hi,

    Thank you for the post.

    Verify which process the file/folder is used by, then add them to FCS exclusions in policy.

    If there are more inquiries on this issue, please feel free to let us know.

    Regards


    Rick Tan

    TechNet Community Support

    • Marked as answer by Rick Tan Monday, October 8, 2012 1:42 AM
    Monday, October 1, 2012 2:38 AM

All replies

  • I receive this VERY often and was wondering why it appears with NO publisher / certificate information.  Much of my job involves system security and I'm always suspicious of events/processes/etc. with no publisher.

    Is this normal and if so... why?

    I deal with enough rogue programs to have an issue with unsigned applications.

    Thursday, November 8, 2012 12:05 AM
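A worked way to follow the advice in the marked answer (check which process the flagged file belongs to before adding an FCS exclusion), which also addresses the later question about the missing publisher: the item FCS flags here is a Task Scheduler task file under %SystemRoot%\System32\Tasks, and such files are XML data, never Authenticode-signed binaries, so "NOT SIGNED" and "Publisher: Not available" are expected for the file itself; the signature worth checking is on the executable named in the task's <Command>. The script below is an added example written for this thread, not code from Microsoft, Forefront or any poster. It parses the task definition quoted in the question (embedded inline, trimmed to the elements read), reports what the task runs and as whom, notes that the calendar trigger is disabled while the task stays enabled for on-demand starts (consistent with "no scheduled scans"), and checks the command path against an allow-list of install directories. The allow-list entry is an assumption taken from the command path in the alert.

```python
r"""Inspect a Windows Task Scheduler task file before deciding on an FCS exclusion.

Added example for this thread (not Microsoft's or Forefront's own code).
Task files live under %SystemRoot%\System32\Tasks as UTF-16 XML. The file is
never Authenticode-signed, so the publisher check belongs on the <Command>
executable, not on the task file that the alert reports as NOT SIGNED.
"""
import ntpath
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Assumption: the FCS antimalware client install directory, taken from the
# <Command> path in the alert quoted in the question. Extend for your estate.
TRUSTED_DIRS = [r"C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware"]

# The task definition quoted in the question, trimmed to the elements read below.
# The XML declaration is dropped so the text parses from a str.
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Description>Scheduled Scan</Description></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2000-01-01T00:00:00</StartBoundary>
      <Enabled>false</Enabled>
      <ScheduleByWeek><DaysOfWeek><Sunday /></DaysOfWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="LocalSystem"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="LocalSystem">
    <Exec>
      <Command>c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe</Command>
      <Arguments>Scan -RestrictPrivileges -ScanType 1</Arguments>
    </Exec>
  </Actions>
</Task>"""


def _text(node, path, default=None):
    """Text of the first element at `path` below `node`, or `default`."""
    el = node.find(path)
    return el.text if el is not None and el.text is not None else default


def parse_task(xml_text):
    """Return the fields an admin needs to see what a task runs, as whom and when."""
    root = ET.fromstring(xml_text)
    ns = TASK_NS
    triggers = root.find(f"{ns}Triggers")
    # Schema defaults: a trigger, the task and AllowStartOnDemand are enabled
    # unless the element says otherwise; Hidden defaults to false.
    trigger_enabled = any(
        _text(trig, f"{ns}Enabled", "true") == "true"
        for trig in (triggers if triggers is not None else [])
    )
    return {
        "description": _text(root, f"{ns}RegistrationInfo/{ns}Description"),
        "principal": _text(root, f"{ns}Principals/{ns}Principal/{ns}UserId"),
        "run_level": _text(root, f"{ns}Principals/{ns}Principal/{ns}RunLevel"),
        "task_enabled": _text(root, f"{ns}Settings/{ns}Enabled", "true") == "true",
        "hidden": _text(root, f"{ns}Settings/{ns}Hidden", "false") == "true",
        "on_demand": _text(root, f"{ns}Settings/{ns}AllowStartOnDemand", "true") == "true",
        "trigger_enabled": trigger_enabled,
        "command": _text(root, f"{ns}Actions/{ns}Exec/{ns}Command"),
        "arguments": _text(root, f"{ns}Actions/{ns}Exec/{ns}Arguments", ""),
    }


def load_task_file(path):
    """Parse a task file from disk; bytes in, so the UTF-16 BOM is honoured."""
    with open(path, "rb") as fh:
        return parse_task(fh.read())


def command_in_trusted_dir(command, trusted_dirs=TRUSTED_DIRS):
    """Case-insensitive check that the command sits below an allow-listed directory."""
    cmd = ntpath.normcase(ntpath.normpath(command.strip().strip('"')))
    for d in trusted_dirs:
        base = ntpath.normcase(ntpath.normpath(d)).rstrip("\\") + "\\"
        if cmd.startswith(base):
            return True
    return False


def assess(task, trusted_dirs=TRUSTED_DIRS):
    """Human-readable findings a reviewer wants before excluding the task file."""
    findings = []
    if task["command"] is None:
        return ["no Exec action: nothing to verify"]
    if command_in_trusted_dir(task["command"], trusted_dirs):
        findings.append("command is under a trusted install directory")
    else:
        findings.append("command is OUTSIDE the trusted directories: investigate before excluding")
    if task["principal"] == "S-1-5-18":
        findings.append("runs as LocalSystem")
    if task["hidden"]:
        findings.append("task is hidden from the Task Scheduler UI")
    if task["task_enabled"] and not task["trigger_enabled"]:
        findings.append("no enabled trigger: task runs only on demand" if task["on_demand"]
                        else "no enabled trigger and on-demand start disallowed")
    return findings


def exclusion_candidate(task, trusted_dirs=TRUSTED_DIRS):
    """True only when the launched executable lives under a trusted directory."""
    return task["command"] is not None and command_in_trusted_dir(task["command"], trusted_dirs)


if __name__ == "__main__":
    task = parse_task(TASK_XML)
    for key, value in task.items():
        print(f"{key:16} {value}")
    for line in assess(task):
        print("-", line)
    print("exclusion candidate:", exclusion_candidate(task))
```

Run it as-is to see the summary for the quoted task; against a real machine, pass the path from the alert to load_task_file and confirm the command path and the Authenticode signature on that executable before adding the task file to the FCS exclusion policy. Keeping the allow-list narrow (install directory, not the whole drive) is what makes the exclusion a targeted one.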