'Smart Clean' option does nothing (Client Security Warning Dialog Box)

  • Question

  • Hi,
    I just started demoing Microsoft Forefront Client Security today :-)

    I've noticed a strange characteristic of the software....
    When it identifies harmful or potentially unwanted software on our client computers, it suspends the file and a window appears asking the user to either 'Smart Clean' or 'Cancel'.
    When the client chooses 'Smart Clean', apart from the window closing nothing else really happens and the icon stays red to alert the user that the problem still exists.
    If they continue working and ignore the red icon, the software seems to deal with the issue on its own after around 10 minutes or so and then the icon turns back to green.
    If they then double click the icon in the task bar and choose 'Smart Clean' from the main window, it immediately deals with the infection and the icon turns green again.

    I don't find it acceptable that my users are presented with an offer to clean an infection but then their choice is ignored.
    Is this normal behaviour? Or do I have a problem with my configuration?

    My client options:
    ‘Users can view all Client Security agent settings and messages’ = YES
    ‘Only administrators can change Client Security agent settings’ = NO
    ‘Allow users to add exclusions and overrides’ = NO
    ‘Prompt user when unclassified software is detected’ = NO

    Please help !

    Regards
    Jonathan

    Thursday, June 10, 2010 3:00 PM

Answers

  • Hi,

    Thank you for the post.

    As far as I know, there is a 10-minute time-out value for the default action to happen. The file is being suspended during that time so nothing is able to execute/touch that file until

    1.) A user clicks any of the action buttons

    2.) The timer hits the 10-minute value and then the policy default action will occur (without requiring user interaction).

    And ‘Smart Clean’ is a feature that further helps to protect users when taking actions on threats. The problem is that on occasion threats can’t be acted upon by the action the user selected to take. Rather than throw an error message, Smart Clean has the ability to cascade to the next suitable action. If the Policy Defined Action or Signature Defined Action specifies ‘Clean’ or ‘Remove’ and that action fails to apply, MFCS will cascade to ‘Quarantine’.

    Regards,

    Nick Gu - MSFT
    Tuesday, June 15, 2010 9:16 AM

All replies

  • I would like to configure the software to remove threats immediately and ONLY notify the client with the results of the removal.
    I don't want any choices to be given to them and I don't like the idea of the threat being 'frozen' for 10 minutes before any action automatically takes place.

    Pop-ups with choices will only confuse the clients and increase support calls :-(

    I have also tried changing my policy to 'Users can only view system tray icon and status messages' = YES
    That made no difference to the popup situation which still appeared after a threat offering the choice to 'Smart Clean' or 'Cancel'.
    It seems like that option only disables the main window where you view various details like definition versions etc., which I think is important and shouldn't be hidden.

    Is it possible to configure the clients to act upon threats immediately without requiring user interaction?
    Or do I need to look for an alternative antivirus solution?


    Regards
    Jonathan

    Friday, June 11, 2010 10:47 AM
  • Bump....

    Over 130 views and no responses?
    Monday, June 14, 2010 9:34 AM
  • Hi,

    I'm trying to do the same thing as Jonathan. I keep hearing of this "10 minute" rule, but in my test, there's a low threat Starware item that has been sitting in the "action" queue for about 2 weeks. Is it because it's low threat, or is it simply not automatically cleaning the item? I'd like, specifically on student machines, for the AV to run itself automatically with zero user interaction.

    Thanks,

    Patrick

    Thursday, July 1, 2010 5:49 PM
  • So, how do you control this behavior? If management doesn't want user interaction with the client on the desktop, how do you set this to always smart clean? I'm looking at the policy editor and I don't see a method to manipulate the policy default action. Where do you change this?

    Thank you

    Ted

    Thursday, August 19, 2010 2:29 PM
  • I've installed Forefront as standalone ( /NOMOM) on a Citrix server, where users will be using a published desktop. I don't want the users to be forced to choose any action, I just want the virus or malware file to be quarantined. In the standalone mode, my options are limited. I've unchecked the box for 'Allow Everyone to use this program', but that seems to be the only option in regards to how a regular user would interact with this software. When testing with eicar, the user is asked to take an action. This threat is marked as Severe, yet it still waits for some input as to what to do with it.

    Looking at the app as an Admin, under Default Actions, there isn't even a choice for 'Severe' alerts, just High Low Medium. There also isn't any choice as to where a quarantine folder would exist. I assume it'll be created once it's needed, or should it exist now?

    How do I configure it to deal with viruses automatically, without the user being asked anything?

    Thanks,

    Sean

    Monday, August 23, 2010 7:57 PM
  • To clarify - I can confirm the 10 minute wait, then the file is removed. But I'm just wondering if it's possible to not involve the user, as they'll just keep calling the helpdesk every time they get some kind of virus warning.

    Additionally, in this standalone install, is there a method to send an alert via SMTP? Is there a log that can be checked for virus activity?

    -Sean

    Monday, August 23, 2010 8:28 PM
  • That's the only issue preventing my company from purchasing this product too!
    I can't deploy something which questions the user on every infection or suspends it for 10 minutes.

    Hopefully the functionality is different in 'Microsoft Forefront Endpoint Protection 2010' which is currently in beta....
    (http://technet.microsoft.com/en-gb/evalcenter/ff182914.aspx)

    I would appreciate some feedback if anyone's tested it yet?

    Tuesday, August 24, 2010 2:39 PM