locked
FCS has detected change - Custom exemption RRS feed

  • Question

  • Hi,

    We use internal tools to push out software, and another program runs as an agent on our client machines. Forefront reports when these applications make a change, as the clients are set to the default alert level 3. Is there any way to maintain the alert level, but make an exception to the tools we use, so that Forefront does not report this?

    Thanks.

    Friday, September 30, 2011 3:52 PM

Answers

  • Hi bevox,

    I assume that you use tools A to push software B, please follow steps below:

    1.Install software B on test client, FCS will prompt several message like Detected changes with pathA/fileA,pathA/fileB,pathC/fileC.
    2. Edit your FCS policy, add pathA/fileA, pathA/fileB, pathC/fileC to File and folder paths exclusions where like you mentioned.
    3. Verify if the exclusion add into register via GPMC:
    PathA, pathC under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Paths
    FileA, fileB,fileC under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes
    4. Verify all clients updated new policy, then push software B out

    That means you need to exclude path and file for each software when FCS identified it as unclassified software. Please read About user prompts and unclassified software in this article.


    Regards,
    Rick Tan
    • Marked as answer by Rick Tan Monday, October 10, 2011 2:01 AM
    Thursday, October 6, 2011 7:58 AM

All replies

  • Hi bevox,

    Thank you for your post.

    Is there any way to maintain the alert level
    You could set alert level via FCS policy--reporting tab--Alert Level. A new policy is set to alert level 3 by default, so no need to change it.

    but make an exception to the tools we use, so that Forefront does not report this?
    Yes, FCS does not log and report exceptions.

    If there are more inquiries on this issue, please feel free to let us know.


    Regards,
    Rick Tan
    Tuesday, October 4, 2011 3:00 AM
  • I'm able to make an exception from malware scans, but Forefront still notifies users that changes have been made. We'd like to whitelist these exe's so that if they make changes, it's not reported. How would you do this?

    Thanks.

    Tuesday, October 4, 2011 3:17 PM
  • Hi bevox,

    That's ok to add exception files or processes.


    Regards,
    Rick Tan
    Wednesday, October 5, 2011 9:06 AM
  • The agent still reports changes made by the exe to the client, even though they are an exception. Is there another location to set these approved exe's? All I'm seeing is the Exclude from malware scans option, which doesn't solve the issue of the client being notified.
    Wednesday, October 5, 2011 3:04 PM
  • Hi bevox,

    I assume that you use tools A to push software B, please follow steps below:

    1.Install software B on test client, FCS will prompt several message like Detected changes with pathA/fileA,pathA/fileB,pathC/fileC.
    2. Edit your FCS policy, add pathA/fileA, pathA/fileB, pathC/fileC to File and folder paths exclusions where like you mentioned.
    3. Verify if the exclusion add into register via GPMC:
    PathA, pathC under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Paths
    FileA, fileB,fileC under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes
    4. Verify all clients updated new policy, then push software B out

    That means you need to exclude path and file for each software when FCS identified it as unclassified software. Please read About user prompts and unclassified software in this article.


    Regards,
    Rick Tan
    • Marked as answer by Rick Tan Monday, October 10, 2011 2:01 AM
    Thursday, October 6, 2011 7:58 AM