MS Forefront EndPoint Protection - Scanning Network drives using real-time protection on XP. How can this be disabled?

  • Question

  • I have MS ForeFront Endpoint Protection 2010 installed with the latest build installed on servers and workstations. On XP workstations, the real-time protection is scanning network drives and files when opened, moved etc. On Win 7, this does not happen. I notice an extra setting in place on Win 7 installs of FEP under real-time protection; 'enable network inspection system'. The XP installs do not have this.

    Given the servers have AV real-time protection enabled, this is unnecessary behaviour to scan network drives as part of real-time protection and it's causing performance and functionality problems with certain files and applications. 

    I do not want to add exclusions for all network shares users access as these are vast, varied and constantly changing. This thread from MSE relates to the same issue but the same thing is occurring in MS FEP 2010 but only on XP machines: http://answers.microsoft.com/en-us/protect/forum/protect_start/mse-and-windows-shares/3813d5f3-76f6-44b0-9174-4cec85cb904d

    How can I get the XP to behave the same as Win7? 

    Thanks in advance

    Chris


    • Edited by bishnz Monday, March 19, 2012 3:07 AM
    Monday, March 19, 2012 12:08 AM

Answers

  • Chris,

    The NIS feature is not available on WinXP because it requires the Windows Filtering Platform in order to run, which is only available in Win7 and Vista.

    Regarding WinXP and scanning of files with the offline attribute, I believe you will see that Rick Tan has previously addressed this issue at http://social.technet.microsoft.com/Forums/en-HK/FCSNext/thread/e330ff6e-26f4-415d-aa7e-4203bb604137 :

    "Please try to uncheck the FEP settings--Advanced--scan archive files or scan removable drives option."

    Scan archive files
    If you disable this setting, archive files will not be scanned.

    Scan removable drives
    If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during a quick scan and a custom scan.

    http://technet.microsoft.com/en-us/library/gg412481.aspx


    Regards,

    Al

    Al Knecht, CISSP®, MCSE 2008, MCTS Server 2008 & FCS, MCITP Server 2008, MCSA 2003,
    Security Support Engineer
    Microsoft CTS Security Support

    • Proposed as answer by Al Knecht Thursday, March 22, 2012 6:51 PM
    • Marked as answer by Rick Tan (Moderator) Wednesday, March 28, 2012 9:22 AM
    Thursday, March 22, 2012 6:51 PM

All replies

  • Hi,

    Thank you for the post.

    Please try to disable FEP policy Scan network files on your client.

    Scan network files
    If you disable or do not configure this setting, network files will not be scanned.

    http://technet.microsoft.com/en-us/library/gg412481.aspx

    If there are more inquiries on this issue, please feel free to let us know.

    Regards


    Rick Tan

    TechNet Community Support

    Monday, March 19, 2012 9:27 AM
    Moderator
  • Thanks Rick. More detail on the requirement as I've just discovered a more detailed behavioural difference between XP and Win7:

    Many of the files stored on the network file share are 'offline' files. It is specifically these files that I want to exclude from being scanned by the RTP of FEP.

    Using Proc Mon, I can see that the FEP install on Windows 7 does not scan (via RTP) any file that has the offline attribute during a move or view properties. This is what we want and what I would expect the behaviour to be. The FEP install on Windows XP however does scan files that have an offline attribute.

    Offline files feature is enabled on XP and Win7. If I disable the offline files feature on Windows XP, this fixes the problem and FEP RTP does not scan offline files during a move.

    So, works fine on Windows 7 but not on XP. How can this behaviour be controlled on XP if the offline files feature is enabled?


    • Edited by bishnz Tuesday, March 20, 2012 12:29 AM
    • Proposed as answer by Al Knecht Wednesday, March 21, 2012 10:47 PM
    • Unproposed as answer by Al Knecht Wednesday, March 21, 2012 10:47 PM
    • Proposed as answer by Al Knecht Wednesday, March 21, 2012 10:58 PM
    • Unproposed as answer by Al Knecht Wednesday, March 21, 2012 10:59 PM
    Monday, March 19, 2012 10:28 PM
  • Thank you for your questions.

    It is currently not a feature of FEP2010 to be able to disable scanning of mapped/networked drives during either a Realtime scan or a Custom scan.  This is only possible with a Full or Quick scan.

    A design change feature request has been previously submitted for this ability. This type of fix would require considerable research and testing due to its impact on the FEP management server and the FEP client.  For these reasons, this request was postponed for FEP 2010.  It was earmarked for consideration for FEP 2012.  As always, Microsoft Support does not provide comment on any product that is not yet RTM. 

    Regards,

    Al

    Al Knecht, CISSP®, MCSE 2008, MCTS Server 2008 & FCS, MCITP Server 2008, MCSA 2003,
    Security Support Engineer
    Microsoft CTS Security Support

    • Proposed as answer by Al Knecht Wednesday, March 21, 2012 11:01 PM
    Wednesday, March 21, 2012 11:01 PM
  • Thanks for the detailed response Al. 

    Can you comment on the behaviour of FEP Realtime scan scanning offline files on XP when the offline feature is enabled, whereas on 7 it does not? And when the offline feature is disabled on XP, FEP Realtime no longer scans them?

    Is there any setting to override this without disabling the XP offline files feature?

    Thanks in advance


    Chris


    • Edited by bishnz Thursday, March 22, 2012 7:54 AM
    • Proposed as answer by Al Knecht Thursday, March 22, 2012 6:51 PM
    • Unproposed as answer by Al Knecht Thursday, March 22, 2012 6:51 PM
    Thursday, March 22, 2012 7:52 AM
  • Hi All, 

    We had a similar issue at a client with Windows XP SP3 / Offline Files & DFS file shares. If a user writes to a file which is marked for sync, you immediately disconnect and Work Offline. Creating path exclusions ( \\dfs.root ) and process exclusions ( mobsync.exe ) does not help. Disabling "Scan archive files" does not fix the issue with offline files either.

    The way to fix this is by using a GPO to disable "Realtime Protection -> Behavior Monitoring" and assigning it to the OU where these XP computers reside. Hope this helps all those experiencing the issue & hopefully Microsoft has a solution to this problem in a future hotfix/sp.

    # Behavior Monitoring checks for certain patterns of suspicious activity.

    Regards,

    Navs Mudely

    Principal Systems Engineer

    Microsoft Business Unit

    Business Connexion South Africa

    Friday, August 3, 2012 11:09 AM
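The replies above point at four policy settings (Scan network files, Scan archive files, Scan removable drives, and Real-time Protection -> Behavior Monitoring). The following read-only audit script is an added example, not code from the thread or from Microsoft: it assumes FEP 2010 stores GPO-delivered settings under `HKLM\SOFTWARE\Policies\Microsoft\Microsoft Antimalware` with the `Disable*` value names used by the Microsoft antimalware policy templates, and `\\server\share` is a placeholder.

```powershell
# Added audit script (not from the thread). ASSUMPTION: FEP 2010 honours the
# GPO-backed values below; the key and value names are taken from the Microsoft
# antimalware policy templates and are assumed to apply to FEP 2010 on XP.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware'

# Each setting discussed in the thread, mapped to its policy subkey and value.
$checks = @(
    @{ Label = 'Scan network files';             Key = "$base\Scan";                 Name = 'DisableScanningNetworkFiles' },
    @{ Label = 'Scan archive files';             Key = "$base\Scan";                 Name = 'DisableArchiveScanning' },
    @{ Label = 'Scan removable drives';          Key = "$base\Scan";                 Name = 'DisableRemovableDriveScanning' },
    @{ Label = 'Real-time: Behavior Monitoring'; Key = "$base\Real-Time Protection"; Name = 'DisableBehaviorMonitoring' }
)

function Get-PolicyState {
    param([string]$Key, [string]$Name)
    # "Not configured" means the client falls back to its local default.
    if (-not (Test-Path $Key)) { return 'Not configured' }
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.$Name) { return 'Not configured' }
    # A value of 1 in a Disable* entry means the feature is turned off by policy.
    if ([int]$item.$Name -eq 1) { 'Disabled by policy' } else { 'Enabled by policy' }
}

foreach ($c in $checks) {
    $state = Get-PolicyState -Key $c.Key -Name $c.Name
    '{0,-32} {1}' -f $c.Label, $state
}

# The thread's second observation is that the XP client scans files carrying
# the Offline attribute. Listing a few such files on the share gives a known
# sample to watch in Process Monitor after the policy change is applied.
Get-ChildItem -Path '\\server\share' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Offline) -ne 0 } |
    Select-Object -First 10 FullName
```

Run it on the XP client after a `gpupdate /force` to confirm the GPO actually reached the machine before concluding that a setting has no effect.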