Forefront Client Security History Consuming All Available Disk Space! Help!

  • Question

  • I have two machines that are in their own domain (isolated DMZ) with no trust relationship to the corporate domain, so MOM cannot authenticate (this is okay for these two machines -- I can live without reporting).  These machines have Forefront Client Security installed with FCS policy deployed through the registry locally and reporting is set to "low" in the policy.

    After running FCS for several weeks, I noticed these machines' C: drives were slowly losing all available disk space.  Upon searching for the culprit, I found the following folder had tens (maybe hundreds) of THOUSANDS of files (Explorer would crash when I tried to list them all and "folder properties" or DIR just never ended) consuming gigs of disk space:

    C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Scans\History\Results\Resource

    FCS is obviously the culprit.  But why?  In all other machines with FCS installed (in the corporate domain with successful communication with MOM), this folder is only a few megabytes of data and maybe a few hundred files max.  I'm guessing it's because these machines are isolated, but again... why?  And more importantly, how do I fix this?

    I had to manually delete all files in that folder before the C: completely ran out of space.  Not sure what long-term implications there are for doing that, but it was a necessary measure to reclaim space.

    After cleaning the folder out, new files popped in at a rate of about 120 at approximately five-minute intervals, each 6k in size.

    Help!

    Thursday, October 11, 2007 1:31 PM

All replies

  • I found the culprit, but still don't know how to fix it.

    For some reason, whenever policy is applied (every five minutes, as these machines are domain controllers), FCS is logging an entry in the history that says something like the following...

    Description:
    This program has potentially unwanted behavior.

    Advice:
    Permit this detected item only if you trust the program or the software publisher.

    Programs that may compromise your privacy or damage your computer were detected. You can still access the file without removing the threat, although this is not recommended. To do so, select "Always Allow" as the action and click the "Apply Actions" button. If this option is not available, log on as an administrator or ask an administrator for help.

    Detected by:
    Definition file

    Resources:
    firewallport:
    HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts\List\\80:TCP:*:Enabled:Port 80 TCP

    Category:
    Not Yet Classified

    Basically, I used the Security Configuration Wizard to create firewall policies that I converted into GPOs to control which ports are opened and closed on these servers.  Since there are about 120 entries (various ports, applications, and services), I get 120 warnings from Forefront every five minutes.

    How the heck do I stop this?!  There is no "Always Allow" option I can find, as it says in the advice.

    Thursday, October 11, 2007 1:44 PM
  • Found a work-around.

    In our Group Policy Processing policy, we have mandatory settings in Administrative Templates\System\Group Policy.

    One of the settings is "Registry Policy Processing", which was set to "Process even if the Group Policy objects have not changed" to make sure that mandatory registry policies are always up-to-date.  Well, I guess when the policies are re-applied every five minutes, FCS has to acknowledge it and waste log space.  Disabling this policy made the constant history growth finally stop.

    This issue REALLY needs to be addressed.  FCS history needs some type of log grooming to prevent this.  Also, if the policies are just being re-applied but nothing has actually changed, Forefront should recognize this and not bother logging it.

    Thursday, October 11, 2007 4:51 PM
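Until FCS grooms its own history, the gap Tim describes can be covered by an age-based sweep of the Results\Resource folder; the script below is an added example, not part of this thread or of FCS. It assumes the folder path quoted in the question and the growth rate observed there (about 120 files of 6 KB every five minutes), and it only reports unless dry_run is switched off.

```python
import os
import time
from typing import Iterable, Iterator, NamedTuple

# Assumed default: the FCS scan-history folder named in the thread; adjust for your install.
HISTORY_DIR = (r"C:\Documents and Settings\All Users\Application Data\Microsoft"
               r"\Microsoft Forefront\Client Security\Client\Antimalware\Scans"
               r"\History\Results\Resource")

class Entry(NamedTuple):
    path: str
    mtime: float  # modification time, seconds since epoch
    size: int     # bytes

def scan_dir(path: str) -> Iterator[Entry]:
    # os.scandir streams entries, so a folder with hundreds of thousands of
    # files (which made Explorer and DIR choke) is never held as one big list.
    with os.scandir(path) as it:
        for de in it:
            if de.is_file(follow_symlinks=False):
                st = de.stat(follow_symlinks=False)
                yield Entry(de.path, st.st_mtime, st.st_size)

def select_stale(entries: Iterable[Entry], now: float, max_age_days: int):
    # Pure split into (stale, kept) by age so the retention rule can be unit-tested.
    cutoff = now - max_age_days * 86400
    stale, kept = [], []
    for e in entries:
        (stale if e.mtime < cutoff else kept).append(e)
    return stale, kept

def groom(path: str, max_age_days: int = 7, dry_run: bool = True) -> dict:
    # Age-based grooming: delete history files older than max_age_days and
    # report what was (or, with dry_run=True, would be) removed.
    stale, kept = select_stale(scan_dir(path), time.time(), max_age_days)
    if not dry_run:
        for e in stale:
            os.remove(e.path)
    return {"removed": len(stale), "kept": len(kept),
            "bytes_freed": sum(e.size for e in stale)}

def seconds_until_full(free_bytes: int, files_per_interval: int,
                       bytes_per_file: int, interval_s: int) -> float:
    # Project disk exhaustion from an observed growth rate (thread: ~120 x 6 KB per 5 min).
    return free_bytes / (files_per_interval * bytes_per_file / interval_s)

if __name__ == "__main__":
    print(groom(HISTORY_DIR, max_age_days=7, dry_run=True))
    days = seconds_until_full(10 * 1024**3, 120, 6 * 1024, 300) / 86400
    print(f"10 GiB of free space lasts about {days:.0f} days at that rate")
```

Because FCS only removes these entries once they have been uploaded to the MOM server, deleting them locally discards history that would otherwise be reported; on isolated machines with no MOM connection, as in this thread, that data was never going to be uploaded anyway.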
  • Hi Timothy,

    As a side note: did you install the FCS client on your two isolated machines using the /NOMOM switch with clientsetup.exe?  If not, you can do that to avoid the MOM errors that will show up when it cannot connect to the server.

    Thanks for the feedback on the issue with the files filling up - you are correct, those files are groomed out when the data is uploaded to the server.  I've sent this to the dev team for some input and as a data point for future releases.

    Thanks

    Chris

    Forefront Client Security PM

    Friday, October 19, 2007 4:28 PM
  • I have a different problem, but caused by the same kind of thing.  Every time Group Policy is refreshed, my clients are being "prompted" to Permit/Deny Windows Firewall rules.

    Surely Forefront must be able to determine if a registry change is being enforced by Group Policy and thus ignore it?

    Toby.
    Thursday, June 19, 2008 12:21 PM
  • Hi Chris

    Just wondering if this log problem has been resolved in a new release as of yet?  I am experiencing the same problems as Tim.

    Matt
    Monday, March 9, 2009 1:39 AM
  • Hi,

    Did anyone find a resolution for this issue?

    I have the same behavior when a group policy with open firewall ports refreshes.

    A few times a day the user has to click Permit.

    Thank you!

    Thursday, April 1, 2010 2:06 PM
  • I would recommend in your policy for the client that you uncheck logging for unknowns.  This should stop the logs for these types of items.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Friday, April 2, 2010 8:04 PM
  • What bothers me is not the logs that I see, but the fact that users have to click Permit all the time, several times a day.

    P.S. I noticed that this issue occurs only on Windows XP. Windows Vista, 7 clients and 2008 servers are not "affected" by this issue.

    Friday, April 2, 2010 8:24 PM
  • If you don't want the blue box on the client you can also in your FCS policies uncheck the "Prompt user when unclassified software is detected" on the Advanced tab.


    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Friday, April 2, 2010 8:30 PM
  • Yeah, I thought of this before, and it is the last step I wanted to take :( I don't know what else might fall under "unclassified software" in the future, so it's a nice feature to have.

    If you don't have another idea for resolving this, I guess I will have to do it, at least until all computers have been upgraded to Win7.

    Thanks, Kurt

    Friday, April 2, 2010 8:36 PM
  • Looking around, you can do one other thing with this.

    Disabling System Configuration under Tools>Options in the client under Real Time Protection will stop monitoring this behaviour.  I'm not sure what else this monitors, as the AM group does not document it, so doing this may be lowering the system security somewhat, but I'm unsure how much.  Unfortunately you cannot configure this via FCS policy, so you need to import an .adm into your FCS policy GPOs and configure the setting.  I'm pasting an .adm here; I haven't tested it, but it should work.  Let me know if you try it.

    ; Adds a policy for the FCS real-time protection "System Configuration" agent
    ; (sets the SystemConfigurationAgent value under the FCS AM policy key: 1 = on, 0 = off).
    CLASS MACHINE
    CATEGORY !!Components
        CATEGORY !!FCSCategory
            POLICY !!SystemConfigurationAgent_Name
                EXPLAIN !!SystemConfigurationAgent_Explain
                KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Real-Time Protection\"
                VALUENAME SystemConfigurationAgent
                VALUEON NUMERIC 1
                VALUEOFF NUMERIC 0
            END POLICY
        END CATEGORY
    END CATEGORY

    [strings]
    Components="Windows Components"
    FCSCategory="Forefront Client Security real-time protection"
    SystemConfigurationAgent_Name="System Configuration (Settings)"
    SystemConfigurationAgent_Explain="This setting instructs the FCS antimalware client to monitor certain system configurations."

    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Monday, April 5, 2010 4:35 PM
  • Hi Kurt,

    I didn't try your suggestion because, as you said, I don't know what impact it can have.

    I removed the mark for unclassified software even though I didn't want to do this. Anyway, the problem we had has disappeared for now, and as soon as we have no XPs, I will put the mark back.

    Thanks all for your support!

    Wednesday, April 14, 2010 7:19 AM