Forefront still scanning network files even with exclusions

  • Question

  • When Forefront does a full scan on our PCs (possibly on quick scan as well - still checking) it is pegging our IBM Netserver's CPU at 100%.  We tried exclusions, but they do not appear to be functioning correctly (%username%\recent did not stop all recent folders from scanning).  We tried to install the hotfix, but it fails (mp_ambits.log shows it found a newer version). We think the problem is amplified because the Netserver is refusing the anonymous connection attempts caused by the scans, and our ISA is getting flooded with 10061 no connection could be made errors when the scan occurs.
    Tuesday, March 30, 2010 3:00 PM

Answers

  • So you need two things to fix this :)

    A. Make sure you have the latest client hotfix installed on your clients, i.e. KB976668 at this time.

    B. You need to import the following .adm into your FCS policies and set this setting: http://support.microsoft.com/kb/971026. Look for the .adm down in the KB article regarding disable scanning network files.

    We basically had an issue with anytime we encounter .lnk files that link to file shares we would start scanning content at the target location.  Setting that reg key disables that behaviour.


    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Friday, April 2, 2010 8:02 PM
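
To see which shortcuts would send a scan to a file share, the following added example (not part of the thread and not Microsoft's code) lists `.lnk` files in each profile's Recent folders whose targets are UNC paths or mapped network drives. It assumes the Windows XP profile layout quoted in this thread and an account that can read every profile on the client.

```powershell
# Added example: find Recent-folder shortcuts that point at network locations.
# Assumption: XP-style profiles under C:\Documents and Settings, as quoted in the thread.
$profileRoot = 'C:\Documents and Settings'
$subFolders  = @('Recent', 'Application Data\Microsoft\Office\Recent')

$shell = New-Object -ComObject WScript.Shell

# Drive letters mapped to shares in the current session (DriveType 4 = network).
# Mappings are per-logon-session, so other users' mapped drives are not visible here.
$netDrives = @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 4' |
    ForEach-Object { $_.DeviceID.ToUpper() })

function Test-NetworkTarget([string]$Target) {
    if ([string]::IsNullOrEmpty($Target)) { return $false }  # target stored without a path
    if ($Target.StartsWith('\\')) { return $true }           # UNC path
    if ($Target.Length -ge 2) {
        return ($netDrives -contains $Target.Substring(0, 2).ToUpper())
    }
    return $false
}

# -Force is needed because the Recent folders are hidden.
$profiles = Get-ChildItem -Path $profileRoot -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer }

$results = foreach ($userProfile in $profiles) {
    foreach ($sub in $subFolders) {
        $dir = Join-Path $userProfile.FullName $sub
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter *.lnk -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                # CreateShortcut on an existing .lnk loads it; TargetPath is read from the file.
                $target = $shell.CreateShortcut($_.FullName).TargetPath
                if (Test-NetworkTarget $target) {
                    New-Object PSObject -Property @{
                        Shortcut = $_.FullName
                        Target   = $target
                    }
                }
            }
    }
}

$results | Sort-Object Target | Format-Table Shortcut, Target -AutoSize
```

Grouping the output by server name shows which shares the clients would reach during a scan and whether the exclusions cover every folder that holds such shortcuts.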

All replies

  • Was able to fix the exclusions - I think an invalid variable was preventing them from working (ended up using c:\documents and settings\*\application data\microsoft\office\recent and c:\documents and settings\*\recent), but Forefront still hits the IBM whenever it runs across a recent shortcut (or if I turn off the exclusions).
    Wednesday, March 31, 2010 9:15 PM