Virus Outbreaks

  • Question

  • How is the Forefront team going to handle virus definition updates when a virus outbreak happens?  Will the team release updated virus definitions and set up some type of notification to the system admins that register or something?  Also, how will these definitions be pushed out to the clients?  Is there a way to initiate that request to all clients?
    Tuesday, December 19, 2006 7:36 PM

Answers

  • Hi Tim

    Thanks for the question!  I'll break it out into a few parts:

    Q:  How is the Forefront team going to handle virus defn updates during an outbreak?

    A:  The response team that serves FCS also serves the Windows Live OneCare team as well as the antispyware signatures for Windows Defender.  This response team works closely with other AV response vendors as well as all the internal resources at Microsoft (MSRC - Microsoft Security Response Center, PSS - Product Support Services, etc) and other partners to investigate samples and deliver signatures in a timely and efficient manner. 

    Q:  Will we release some set of notifications with these updated signatures?

    A:  We are working out exactly how this process will work.  I will follow up with this thread with additional information.

    Q:  How will these updates be delivered to clients?

    A:  That is a multi-part item also:

    • The WSUS server synchronizes with MU (Microsoft Update) hourly
    • Clients can be configured to poll WSUS hourly for signatures

    (so it's a max 2 hour trip from the time signatures are live on MU until they hit the client)

    • To deliver the signatures to the clients, we leverage the Scan Now button (on the top/right side of your dashboard).  Launching a Quick Scan to all targeted computers AND having the (default) setting of "Check for new signatures before running a scan" in your policy enables all clients to not only check for new signatures, but run a Quick Scan to see if the malware exists on their system.  This provides quick coverage for machines that may have already been infected before the signature and now can do a Quick Scan with the update signature set to check for malware.

    Thanks!

    Chris

    Forefront Client Security PM

    Wednesday, December 20, 2006 2:28 AM

All replies

  • While on the topic of virus outbreaks, I thought I would quickly mention some best practices to follow during an outbreak.  These settings apply to "Forefront Security for Exchange Server".

    In the General Options panel,

    1.  Turn on the “Scan on Scanner Update” setting.

    2.  Turn on the “Enable Background Scan if Scan on Scanner Update Enabled” setting.

    By default “Scan on Scanner Update” is turned off, and should be enabled during a virus outbreak.  This setting applies to messages stored on a Mailbox or Public Folder server. It provides heightened security protection by re-scanning messages that have been previously scanned. When enabled, messages will be re-scanned during every “On-Access” event if new virus signatures have been received since the last time the message was scanned. It ensures that messages are always scanned with the latest signatures before being retrieved.

    The “Enable Background Scan if Scan on Scanner Update Enabled” setting will cause a Background scan to be performed each time a scan engine is updated, ensuring messages are scanned with the latest signatures. This option is turned on by default.

    Please note, when "Scan on Scanner Update" is selected, the server may experience heavy virus scanning which may impact server performance.

    Wednesday, December 20, 2006 2:45 PM
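
A simplified model of the "Scan on Scanner Update" behaviour described in the reply above, added here as an illustration and not taken from Forefront or from either poster. The class and function names, the signature versions and the sample messages are all constructed assumptions; it shows a message that slipped past the older signatures being caught on access once the setting is on, and the extra scans that costs.

```python
from dataclasses import dataclass

# Constructed signature sets: version -> payloads that version detects.
SIGNATURES = {1: {"old-worm"}, 2: {"old-worm", "outbreak-worm"}}

@dataclass
class Message:
    subject: str
    payload: str              # constructed stand-in for attachment content
    scanned_with: int = 0     # signature version used at the last scan
    quarantined: bool = False

class MailStore:
    """Toy mailbox store (hypothetical, not Forefront's implementation)."""

    def __init__(self, scan_on_scanner_update: bool):
        self.scan_on_scanner_update = scan_on_scanner_update
        self.sig_version = 1
        self.scans = 0        # counts scans, to show the load the setting adds

    def _scan(self, msg: Message) -> bool:
        self.scans += 1
        msg.scanned_with = self.sig_version
        return msg.payload in SIGNATURES[self.sig_version]

    def deliver(self, msg: Message) -> bool:
        """Scan on arrival; True means the message was stored."""
        return not self._scan(msg)

    def update_signatures(self, version: int) -> None:
        self.sig_version = version

    def on_access(self, msg: Message) -> str:
        if msg.quarantined:
            return "blocked"
        # Re-scan only when the setting is on AND the stamp is older than
        # the signatures currently loaded.
        stale = msg.scanned_with < self.sig_version
        if self.scan_on_scanner_update and stale and self._scan(msg):
            msg.quarantined = True
            return "blocked"
        return "released"

def simulate(setting_on: bool, reads: int = 3):
    store = MailStore(setting_on)
    inbox = [Message("invoice", "outbreak-worm"), Message("hello", "clean")]
    inbox = [m for m in inbox if store.deliver(m)]  # v1 misses the new worm
    store.update_signatures(2)                      # outbreak signatures arrive
    results = [store.on_access(m) for _ in range(reads) for m in inbox]
    return results, store.scans
```
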