Regarding FCS Client Console...

  • Question

  • Hi All,

    Just a simple question. I've deployed my clients under the option that they can view the FCS Client console but cannot modify the settings. I've enabled their Full UI.

    But I noticed that users can easily disable FCS on the system tray with a right click and exit.
     
    I would prefer that the exit option is disabled (pretty much the same as when deployed with Minimum UI, where right-click is disabled) but that the user still has the option to run manual scans on the machine or run the manual update through the UI.

    Is this possible?

    Regards,
    Kim Carl
    Wednesday, March 18, 2009 9:51 AM

Answers

  • To answer both of the last 2 here..

    So yes, technically EICAR gets written to disk; that's the way all AV works. They do not have a memory cache where they hold all IO to disk and then later write to disk after scanning it, as this would kill memory usage on your system.

    So file gets written to disk > minifilter detects this write to disk > minifilter passes file handle off to engine, says hey scan this > meanwhile minifilter is also controlling access to anything else that tries to write/read to this file, and if someone tries they are waitlisted until our engine gets done scanning the file (typically you are talking about milliseconds here) > engine determines this is EICAR and checks what action it should take based on the default action set for that threat and whether you have any specific overrides for that threat > engine pops the UI, says hey found X, what do you want to do with it > waits on user input for 10 min and then takes the default action on it, in this case I believe it's remove.  During this entire time, once it's detected as malware, the FCS RTP minifilter is still controlling access to this file and, since it was determined to be malware, will intercept all other file IO requests and basically return an ACCESS DENIED to any requests.

    So yes, you will see EICAR on the disk, but you shouldn't be able to interact with it. It should get removed after the 10 min timer goes by or when you use the GUI to take action on it.


    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Friday, May 28, 2010 7:22 PM

All replies

  • Hi!

    To be honest I'm not 100% sure why the "Exit" option is even there (I'll try to find out). However, if you click on the exit button it only exits the UI; your computer is still protected and the services are running. And you can start the UI again through the Programs menu.
    To my knowledge there is no way of disabling the exit option... and if you lock down the client the user cannot run manual scans or updates.

    /Johan
     
    MCSE, forefront spec | www.msforefront.com
    Wednesday, March 18, 2009 10:39 AM
  • As Johan pretty much stated we only have a few controls with regards to the system tray and what you can do there.

    They are under the "Advanced tab > Client Options section".  Unfortunately, if you have the radio button set on "Users can view all Client Security agent settings and messages" then this also enables the right click > exit functionality.  As Johan stated, though, this does not unload the mini-filter or the AV engine, just the GUI.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Wednesday, March 18, 2009 2:23 PM
  • Thanks for the urgent replies.

    So in any case, the whole engine (with services) is still running but the user won't be notified of any threats or scans if you click the exit on the system tray?

    I wanted to ask this because one of our employees has encountered the 99% CPU consumption of MsMpEng.exe (which is discussed in other topics) when compiling, and it crippled his machine. He claimed that by disabling FCS in the system tray, he can compile with no problems.

    Are there any other processes terminated when you exit the UI?

    Regards,
    Kim Carl
    Thursday, March 19, 2009 12:59 AM
  • Hi Kim,

    From what I have experienced, the AV engine (MsMpEng.exe) will not be terminated when you exit the FCS UI on the system tray.

    The only process that will be terminated is MSASCui.exe. I think if you disable the "real time protection" on the "options", your colleague wouldn't have the problem when compiling.  I had a similar problem before, but that was because I had another AV engine installed at the same time. The problem was solved after I removed that other AV product. But in the meanwhile, I always disabled real-time protection to make my machine work.

    I think if the client has the MOM agent installed and the two FCS services are still running ( State Assessment service and antimalware service), your management console reports should still be able to show the client status including malware.


    Monday, March 30, 2009 12:08 PM
  • Hi All,

    I'm deploying FCS on my infrastructure, and I've done a test.

    With the UI enabled on the taskbar, I created a text document with the "eicar" string to test the working of FCS. When I save the file, the FCS client shows a message (as supposed to) saying that there is a threat in that file.

    Then I closed the UI on the taskbar and did the same test. Here's what happened -> No message of threats... and the file got saved on disk with no problem.


    I'm curious, what happened? When I close the FCS UI from the taskbar, does it disable Real Time Protection?

    I've noticed that only one process gets closed, but it shouldn't let the "eicar" file be saved, right?


    Thanks

    Pipas


    Wednesday, January 13, 2010 10:33 AM
    Well, I know this topic is a bit antiquated but I thought I'd jump in.  In my tests, I could kill the UI and then, when trying to save the EICAR file, I would get an error indicating that I did not have the proper permissions.  I could not get around it.  When I created a text file on the desktop and put the 68 character code in for EICAR, saved, and then tried to open it, I got a message indicating "Access Is Denied".

    While running the Forefront GUI I got the same "Access is Denied" message except it was accompanied by a description and some options out of the system tray.

    Just my 2 cents.  Thanks.

    Brad

    Friday, May 21, 2010 9:44 PM
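  • The thread above leaves an administrator with two things to check on a client after a user has right-clicked > Exit on the tray icon: that only MSASCui.exe went away (the engine MsMpEng.exe and the two FCS services should still be there), and that real-time protection still behaves as the accepted answer describes (the EICAR write succeeds, later access returns Access Denied, and the file is removed once the default action fires). The script below is an added example written for this page; it is not code from the thread or from Microsoft. It assumes the FCS service names FCSAM (antimalware) and FcsSas (State Assessment), which the thread does not state, and PowerShell 2.0 or later on the client. The EICAR string is assembled at run time so the script itself is not flagged.

```powershell
# Added example (not from the thread): check FCS real-time protection after
# the tray UI has been exited. Run as the logged-on user on a client machine.

function Get-FcsEngineState {
    # Process names come from the thread; service names are ASSUMED.
    $ui     = Get-Process -Name MSASCui -ErrorAction SilentlyContinue
    $engine = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue
    $state = New-Object PSObject -Property @{
        UiRunning     = [bool]$ui
        EngineRunning = [bool]$engine
    }
    foreach ($name in 'FCSAM', 'FcsSas') {     # assumed FCS service names
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = if ($svc) { $svc.Status.ToString() } else { 'NotFound (check service name)' }
        $state | Add-Member -MemberType NoteProperty -Name $name -Value $status
    }
    return $state
}

function Test-FileListed([string]$Directory, [string]$Name) {
    # Enumerate the directory instead of opening the file: opening it would
    # itself be refused while the minifilter is holding the file.
    $hits = @(Get-ChildItem -LiteralPath $Directory -Filter $Name -Force -ErrorAction SilentlyContinue)
    return $hits.Count -gt 0
}

function Test-FcsRealTimeProtection([int]$TimeoutMinutes = 11) {
    # 68-byte EICAR test string, split so the script is not detected on disk.
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    $dir   = $env:TEMP
    $name  = 'fcs-rtp-check.txt'
    $path  = Join-Path $dir $name
    $result = New-Object PSObject -Property @{ Write = ''; Read = ''; Removed = $false }

    # 1. The write is expected to succeed: the minifilter scans after the write.
    try {
        [System.IO.File]::WriteAllText($path, $eicar, [System.Text.Encoding]::ASCII)
        $result.Write = 'succeeded (expected)'
    } catch {
        $result.Write = "failed: $($_.Exception.Message)"
    }

    # 2. A read shortly afterwards should be refused with Access Denied.
    Start-Sleep -Seconds 2
    try {
        $null = [System.IO.File]::ReadAllText($path)
        $result.Read = 'SUCCEEDED: real-time protection did NOT block the file'
    } catch [System.UnauthorizedAccessException] {
        $result.Read = 'Access Denied (expected: RTP is controlling the file)'
    } catch {
        $result.Read = "$($_.Exception.GetType().Name): $($_.Exception.Message)"
    }

    # 3. Wait for the default action. The answer above says the engine waits
    #    about 10 minutes for the user before acting on its own.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Test-FileListed $dir $name) -and ((Get-Date) -lt $deadline)) {
        Start-Sleep -Seconds 30
    }
    $result.Removed = -not (Test-FileListed $dir $name)
    return $result
}

Get-FcsEngineState | Format-List
Test-FcsRealTimeProtection | Format-List
```

    If `EngineRunning` is false, or the read of the test file succeeds, the exit did more than close the UI and the client needs attention; if the read is refused but the file is never removed, look at the default action configured for the threat rather than at the tray UI. Note that the read test only exercises the on-access path and says nothing about whether the user is notified, which, as the thread says, is exactly what exiting MSASCui.exe takes away.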