Share via


Planning your policies

Applies To: Forefront Client Security

To plan policies for your organization, you should understand the settings included in a policy.

Default policy settings

All of the following options are available in the New Policy and Edit Policy dialog boxes in the Client Security console. For more information about these settings and why you might want to enable or disable them, see the Client Security Administration Guide (https://go.microsoft.com/fwlink/?LinkID=88221). Additional options are available only as registry keys. For more information about the registry key settings, see the Client Security Technical Reference Guide (https://go.microsoft.com/fwlink/?LinkID=86991).

General tab default settings

Option Default setting Note

Name

  • Blank

Identifies the policy. Requires a unique name.

Comments

  • Blank

Optional. It is recommended that you use this option to summarize the:

  • Settings of the policy.

  • Computers to which you intend to deploy the policy.

  • Change history of the policy.

Comments can include approximately 32,000 characters.

Protection tab default settings

Area Default setting Note

Malware protection

  • Virus protection is on

  • Spyware protection is on

When these settings are not enabled, Client Security will not scan for viruses or spyware, or identify them using real-time protection (shown as RTP on the Protection tab).

Malware scanning

  • RTP is on

  • A full scan is scheduled every day at 2:00 AM

  • Running a Quick Scan at an interval is disabled

Full scans provide a backup defense to real-time protection. A full scan can detect unknown malware that is not detected by real-time protection after you have an updated definition file that identifies the malware. Full scans search the entire computer, except for files, folders, or file extensions that you exclude.

Security state assessment

  • Scan for vulnerabilities every 12 hours

Scanning for vulnerabilities is a preventive measure that helps you identify computers potentially at risk of malware infection.

Advanced tab default settings

Area Default setting Note

Malware definition updates

  • Checking for updates before starting a scan is on

  • Checking for updates at an interval is on, for every 6 hours

  • If checking for updates on Microsoft Update was previously enabled on a saved policy, checking for updates on Microsoft Update when WSUS is unavailable is on

Client Security relies on up-to-date definitions to effectively identify new instances of malware.

By enabling client computers to check Microsoft Update when WSUS is unavailable, your remote users keep their definitions up to date even when disconnected from your internal network.

Until you save a policy that enables checking for updates on Microsoft Update when WSUS is unavailable, this option is disabled by default.

Malware scan options

  • Scan archive files (such as .zip and .cab files)

  • Use heuristics to scan for suspicious files and treat detected files as infected

  • Do not delete quarantined files

By including archive files, you ensure that these files are scanned for malware.

Heuristic scans help protect against malware that has not yet been identified in a definition file. Turning this off leaves client computers more vulnerable to new malware.

By not deleting quarantined files, you can restore files that you did not want quarantined.

Exclusions from malware scans

  • Blank

Optional settings that you can use to exclude specific files, folders, and file extensions from malware scans.

Client options

  • End user can only view icon in the system tray and associated status messages

  • End user is not prompted when unclassified software is detected

By locking down the user interface on the client computer, you can ensure that no changes are made to the settings.

Overrides tab default settings

Area Default setting Note

Overrides based on malware threat

  • Blank

Optional settings that you can use to change how Client Security reacts upon detecting specific malware or falsely detecting an application you trust.

Overrides based on category or severity

  • Blank

Optional settings that you can use to change how Client Security reacts upon detecting malware of a specific category or severity.

Reporting tab default settings

Area Default setting Note

Alert level

  • Alert Level 3 - Medium

Alert levels determine whether a specific event or set of events (such as responding successfully to a malware infection) generates an alert.

Logging

  • Events for files marked "Unknown" are logged

None.

SpyNet

  • Basic SpyNet reporting is enabled

  • Internet Explorer network connection settings are used

None.

Customizing your policy settings

You can customize all of the settings described in the preceding tables for your policies. When customizing your policy settings, consider the following issues for the computers to which the policy is being applied:

  • How important is the security of these computers? For example, an executive computer might require additional security measures, yet a rarely used computer without Internet access might need fewer security measures.

  • How important is it that you are notified of a potential security issue? Mail server and database servers likely require a higher alert level than standard computers.

  • Do malware scans impact the performance of client computers too severely? There are several settings you can modify to reduce the impact of Client Security on client computer performance.

  • How frequently should computers check for definition updates and should they fall back to Microsoft Update when the Client Security distribution server is unavailable?

  • Has Client Security identified as malware specific pieces of software that you want to allow on your computers?

The following sections discuss policy settings that you can change in response to these questions.

For more information about these settings, see the Client Security Administration Guide (https://go.microsoft.com/fwlink/?LinkID=88221).

Policy settings for scanning

For most client computers, the default settings for scans are likely to be appropriate or to need few changes; however, there are common scenarios that may lead you to change policy settings affecting malware and SSA scans.

Settings for computers with higher security requirements

You may have computers requiring a high degree of protection, such as database servers or computers running mission-critical applications. Also, you may want the computers used by important end users to receive a high degree of protection.

The default settings for a Client Security policy reflect a conservative security stance, such as scheduled daily full scans; however, when configuring a Client Security policy for computers that need greater protection, consider the following changes to default settings.

Tab Area Recommended setting Note

Protection

Malware scanning

  • Run a Quick Scan at set interval

Enabling quick scans at a short interval, such as every four hours, ensures that the following areas on the computer are checked several times a day:

  • In-memory processes

  • Files in the following folders:

    • User profiles

    • Desktop

    • System folder

    • Program files

  • Other items specified by malware definitions

Advanced

Malware definition updates

  • Check for updates at set interval

If, on the Protection tab, you enable quick scans at a frequent interval and use the default setting for update checks prior to scans, consider disabling checks for updates at a set interval.

Note

Interval checks for updates help ensure the effectiveness of real-time protection against new threats. It is strongly recommended that you do not disable interval checks for updates unless you use frequent interval scans and check for updates prior to scans.

Reporting

Alert level

  • Alert Level 4 or 5

Specifying a higher alert level than the default level of 3 results in alerts for more events, ensuring that you are more thoroughly informed about the security status of the computer. For more information about alert levels, see Policy setting for alert level.

Settings for computers with lower security requirements

You may have computers with lesser security requirements, such as computers without Internet access. When configuring a Client Security policy for computers that need less protection, consider the following changes to default settings.

Tab Area Recommended setting Note

Protection

Malware scanning

  • A full scan is scheduled once a week

  • Run a Quick Scan at set interval

A weekly full scan is likely adequate for computers at lower risk for infection; however, it is strongly recommended that you use the default settings for real-time protection and checks for definition updates.

Instead of a daily full scan, consider daily quick scans, that is, a quick scan at an interval of 24 hours.

Protection

Security state assessment

  • Scan for vulnerabilities every 24 hours

Twenty-four hours is the longest interval you can configure for SSA scans. It is recommended that you leave SSA scans enabled, so that SSA-related reports show potential vulnerabilities for the computers protected by the policy.

Reporting

Alert level

  • Alert Level 2 or 1

Specifying a lower alert level than the default level of 3 results in alerts for fewer events, which is likely desirable for less important computers.

Settings to improve performance of computers

You may have computers on which you want to minimize the performance impact of scans. When configuring a Client Security policy to improve computer performance, consider the following changes to default settings.

Tab Area Recommended setting Note

Protection

Malware scanning

  • A full scan is scheduled once a week, at an optimal time of day

Of all Client Security features, full scans have the largest performance impact. Reducing the frequency to once a week should greatly reduce the effect of Client Security on computer performance.

Important

It is also strongly recommended that all computers receive full scans, even if it is only once a week.

Consider optimizing the time of day that a scheduled full scan occurs, too. By default, scheduled full scans occur at 02:00 (2:00 A.M.); however, if this time interferes with other scheduled tasks, such as backups, consider modifying the policy to use a different time.

Advanced

Malware scan options

  • Do not scan archive files

Consider omitting archive files from scans. For more information about this setting, see Determining whether to scan archive files (https://go.microsoft.com/fwlink/?LinkId=88928).

Advanced

Exclusions from malware scans

  • Exclude large data files from scans

If there are large data files on scanned computers, you can omit them from scans.

Important

It is recommended that you set exclusions carefully. Exclusions set without forethought might lead to undetected malware, such as a virus present in an excluded data file.

Settings to improve SSA report scores

SSA scans search for potential vulnerabilities by using SSA checks, which describe aspects of the operating system and common applications that can be better configured to protect a computer. Client computers can appear in Client Security SSA reports because of software configuration that is desirable for a variety of reasons but which an SSA scan detected as a potential vulnerability.

For example, the Password Expiration SSA check scans for local user accounts that have passwords that don't expire. Client Security assigns this vulnerability a score of Medium and logs an event if a client computer permits user accounts to have passwords that don't expire. Medium scores appear in Client Security reports, which is not helpful if you intend to allow a local user account to have a password that does not expire.

Client Security policies provide you only the ability to turn on SSA scans using all checks. Also, you cannot configure how Client Security determines the scores for an SSA check.

To reduce reporting about intentional configurations, it is recommended that you use Group Policy to enforce the settings that allow the configuration. Typically, when settings examined by an SSA check are configured by Group Policy, the resulting score is Informational, which is a score that is excluded in Client Security SSA reports. It is assumed that configurations enforced by Group Policy conform to your organization's standards and are therefore intentional.

Policy setting for alert level

You can configure a Client Security policy with one of five levels of alerting. Depending on the importance of the computers to which you deploy the policy, you can select the appropriate alert level. For example, it may be highly desirable to receive an alert for every detection of malware on database, Web, and e-mail servers, but less desirable for standard computers.

Tab Area Setting Note

Reporting

Alert level

  • Select an alert level appropriate for the computers receiving the policy

For alert level information, see the following table.

The following table describes the five alert levels.

Alert level Description

5

This level results in the highest number of alerts. Alerts at this level are applicable to executive and management computers, critical data servers and assets, and critical operations servers that require high availability or contain crucial data.

4

This level results in a high number of alerts. Alerts at this level are applicable to high-priority operational servers, data servers, or important computers.

3

This level is the default setting and results in a moderate number of alerts. Alerts at this level are applicable to high-priority computers.

2

This level results in a low number of alerts. Alerts at this level are applicable to typical user computers.

1

This level results in the lowest number of alerts. Only global outbreaks and flooding detection cause an alert at this level. Alerts at this level are applicable to computers that contain less critical data. For example, you might set this level for a policy covering a set of computers that is very large or includes no computers that require immediate response.

Policy settings that control the end-user experience

You can determine what end users can do with the Client Security agent user interface (UI). Because Client Security policies apply to computers rather than users, the settings affecting what an end user can do affect all users of a computer.

For information about these settings, see Controlling the end-user experience (https://go.microsoft.com/fwlink/?LinkID=86661).

Settings to allow end users to run scans

The New Policy or Edit Policy dialog box settings in the following table allow end users to run scans but not to change other settings.

Tab Area Setting Note

Protection

Malware scanning

  • A scheduled scan is configured for specific day and time, not set to "User controlled"

  • An interval quick scan is configured

By specifying scheduled and interval scans in a policy, you ensure that your users cannot configure them, despite having access to the Client Security agent UI.

Advanced

Client options

  • End user can view all Client Security agent settings and messages

This enables the user to open the Client Security agent UI and run scans.

Settings to deny end users access to the Client Security agent UI

The default setting in a policy is to deny end users access to the Client Security agent UI. The following table shows the setting that controls whether users can access the Client Security agent UI. Users still see status messages and the Client Security icon in the notification area.

Tab Area Setting Note

Advanced

Client options

  • End user can only view icon in the system tray and associated status messages

This prevents the user from opening the Client Security agent UI and running scans.

Settings to prompt end users about unclassified software

You can configure Client Security to prompt end users when the Client Security agent detects unclassified software, which is software that is not explicitly identified in malware definitions as malware or as trusted software.

Note

It is strongly recommended that you use a test environment to determine if Client Security detects suspicious actions by applications that are common and legitimate in your organization. To avoid prompting the user for these applications, you should exclude them from scans in policies that enable the Client Security agent to prompt users about unclassified software.

The following table shows the settings for enabling user prompts for unclassified software and for configuring scan exclusions.

Tab Area Setting Note

Advanced

Client options

  • Prompt user when unclassified software is detected

When you enable this setting, the Client Security agent displays balloon messages when it detects unclassified software.

Advanced

Exclusions from malware scans

  • Add file and folder paths as needed

  • Add file extensions as needed

Excluding an unclassified program prevents users from being notified when Client Security detects it.

For more information about exclusion settings, see Excluding files, folders, and file types from scans (https://go.microsoft.com/fwlink/?LinkId=88609).

Policy settings to exclude files, folders, and file types

You can configure a policy to omit specific files, folders, and file types (by file extension) from malware scans. This is primarily useful if Client Security falsely detects acceptable software as malware.

Note

It is strongly recommended that you use a test environment to determine if Client Security detects acceptable software as potential malware. Identifying such occurrences prior to deploying Client Security to a production environment can help reduce spurious reporting and end-user frustration.

The following table shows the settings for enabling user prompts for unclassified software and for configuring scan exclusions.

Tab Area Setting Note

Advanced

Exclusions from malware scans

  • Add file and folder paths as needed

  • Add file extensions as needed

Excluding an unclassified program prevents users from being notified when Client Security detects it.

For more information about exclusion settings, see Excluding files, folders, and file types from scans (https://go.microsoft.com/fwlink/?LinkId=88609).

When Client Security detects acceptable software as malware, consider submitting a sample of the software to Microsoft so that the software can be considered for approval as a known good application in future malware definitions. For more information, see Sending malware samples to Microsoft (https://go.microsoft.com/fwlink/?LinkId=89635).

Policy setting for Microsoft Update

It is important that all client computers be able to receive updates reliably, because malware definition files are updated frequently to protect your computers against new threats.

You can safeguard against the unavailability of your WSUS server by configuring the Client Security policy setting regarding Microsoft Update. The setting enables client computers to contact Microsoft Update if contacting your WSUS server fails. For portable computers, this setting is especially important, because portable computers can be disconnected from your organization's network and still receive updates through the Internet outside of your network perimeter.

Tab Area Setting Note

Advanced

Malware definition updates

  • Check for updates on Microsoft Update when WSUS is unavailable

This setting enables client computers to receive updates when WSUS is not available. Using Microsoft Update requires an Internet connection.

For more information about this setting, see Configuring fallback for updates (https://go.microsoft.com/fwlink/?LinkId=88590).