locked
Forefront Client Security Scheduled Scnas Not Running RRS feed

  • Question

  • I found out a strange problem where the scheduled scans of forefront are not at all running.I checked out the scheduled tasks where in

    normally there will be task scheduler jobs regarding the forefront scans. but i was unable to find any of the scheduled tasks in the task

    scheduler folder.The task scheduler service is also running fine.I had also undeployed the forefront policy from the forefront dashboard

    and again created a new policy and deployed it but even then the same old result. so please can any one help me out
    Wednesday, August 26, 2009 10:25 AM

Answers

  • There are two methods to solve this problem.

    First Method is as follows:
     1.In the Conficker GPO that you created earlier, moved to the following folder: Computer Configuration\Windows Settings\Security Settings\File System.
     2.Right-click File System, and then click Add File.
     3.In the Add a file or folder dialog box, browse to the %windir%\Tasks folder. Make sure that Tasks is highlighted and listed in the Folder dialog box.
     4.Click OK.
     5.In the dialog box that opens, selected the check boxes for Full Control, Modify, and Write for both Administrators and System.
     6.Click OK.
     7.In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions.
     8.Click OK.

     The second Method is to remove the Conficker Block GPO from group policy
    • Marked as answer by SriCharan_S Thursday, September 3, 2009 6:10 AM
    Thursday, September 3, 2009 6:06 AM

All replies

  • the Task Sheduler service is running as local system account?
    Wednesday, August 26, 2009 12:02 PM
  • Hi,

     

    Thank you for your post.

     

    Do you have any update about Dmitriy‘s question? And I will share you the following article related to scheduled scans and you may have a look at it.

     

    http://blogs.technet.com/kfalde/archive/2008/10/23/how-to-add-extra-scheduled-scans-or-definition-updates-for-fcs.aspx

     

    Regards,


    Nick Gu - MSFT
    Friday, August 28, 2009 8:50 AM
  • Hello Dmitriy

    I have checked out the system and found out that the Task Scheduler is running as a local system account.

    Saturday, August 29, 2009 8:10 AM
  • Hai Nick,

             Thanks for the reply but I had already checked out the site mentioned. But i would like to know where the problem is actually.

     I can deploy the mentioned procedure  in the above stated website  through GPO but i will not be knowing what was the reason for the

    scheduled scan not to run from forefront policy.
    Saturday, August 29, 2009 8:23 AM
  • Hi Sscharan,

     

    ·         Thank you for your update.

    ·          

    From you description, I’d like to confirm some questions to help me understand the issue:


    1) Does the problem affect all FCS client machines?
    2) Is Scheduled scan configured via policy or on the client side?
    3) Is the Scheduled scan doing a “Full or Quick” scan?

    4) Does this reproduce if you trigger the scan manually?

    5) Make sure the Task Scheduler service was enabled and running on client computers on which you want to run scheduled and interval scans.

     

    Configuring scheduled and interval malware scans

    http://technet.microsoft.com/en-us/library/bb418861.aspx

     

    Regards,


    Nick Gu - MSFT
    Monday, August 31, 2009 5:59 AM
  • Hi Nick,

            Ya this problem is with all the client machines and the scheduled scan is deployed via policy from forefront

    dashboard.The scheduledscan is a full system scan.the task scheduler service is running fine on the client end and when we run

    a manual scan from forefront dashboard the scan runs fine.

           Yesterday after searching a lot I found out a reason . I would just like to know whether that is the reason or not.Last time

    when the client was effected with conficker virus we have implemented a policy called conficker block  in which the scheduled

    tasks folder will not have administrative rights.so as a result of which any of the task scheduller jobs where not being created.

    so today i had given the administrative rights to the system account of  thescheduled task folder.so i hav to wait till tomorow in

    order to know whether this is the problem or not.

    Any way thanks for the reply and i will let you once the problem is resolved.

    Monday, August 31, 2009 11:25 AM
  • Unfortunately that is a side effect of implementing that GPO for conficker :( which is why we recommend reversing that GPO as soon as you have Conficker contained in your environment.  Restarting your system or FCSAM service and the GUI should also cause the service to reread GPO settings for scan intervals and recreate the task scheduler jobs.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    • Proposed as answer by Nick Gu - MSFT Thursday, September 3, 2009 1:31 AM
    • Unproposed as answer by SriCharan_S Thursday, September 3, 2009 6:11 AM
    Monday, August 31, 2009 2:05 PM
  • There are two methods to solve this problem.

    First Method is as follows:
     1.In the Conficker GPO that you created earlier, moved to the following folder: Computer Configuration\Windows Settings\Security Settings\File System.
     2.Right-click File System, and then click Add File.
     3.In the Add a file or folder dialog box, browse to the %windir%\Tasks folder. Make sure that Tasks is highlighted and listed in the Folder dialog box.
     4.Click OK.
     5.In the dialog box that opens, selected the check boxes for Full Control, Modify, and Write for both Administrators and System.
     6.Click OK.
     7.In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions.
     8.Click OK.

     The second Method is to remove the Conficker Block GPO from group policy
    • Marked as answer by SriCharan_S Thursday, September 3, 2009 6:10 AM
    Thursday, September 3, 2009 6:06 AM