Forefront Client Security

A couple of years back, Microsoft bought a load of security companies and since then we’ve seen them continue to offer FrontBridge services as Microsoft Exchange Hosted Services; Windows Defender was born out of the previous Giant Company anti-spyware product, and a couple of months back they released Forefront Client Security (FCS) - which I believe is based on the technology gained from the purchase of Sybari.

Yesterday, I spent some time working through a hands-on lab for Forefront Client Security and it seems pretty good. What follows is not a full product review (a demo is available on the Microsoft web site), but some of the highlights I picked out from the lab.

  • In line with most anti-virus clients, Forefront Client Security displays a taskbar icon to indicate status. Depending on the policies applied (from an FCS management console), this will allow a user to launch the client software.
  • Quick scans check for viruses and spyware in:
    • Processes loaded in memory.
    • User profile, Desktop, system folders and Program Files folder.
    • Common malware infection points (auto start registry entries, etc.)
  • FCS does not scan removable or network disks
  • Periodic quick scans should be scheduled in order to make use of the latest definitions to detect any malware that may have infected a computer between the previous scan and the application of new definitions.
  • Real time protection detects and prevents malware attacks immediately
  • Quarantined files are stored as encrypted files inside a .CAB in a subfolder under C:\Documents and Settings\All Users
  • Event log messages may include the acronym MCPAVAS (Microsoft Client Protection Anti-Virus Anti-Spyware)
  • Definition updates are stored at C:\Users\All Users\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{GUID}
  • To reduce the size of definition file transfers, FCS uses a system of base and delta definition files. Key files are:
    • mpengine.dll - malware scanning engine
    • mpasbase.vdm - antispyware base definition file
    • mpasdlta.vdm - antispyware delta definition file
    • mpavbase.vdm - antivirus base definition file
    • mpavdlta.vdm - antivirus delta definition file
  • Definition updates are available from Microsoft Update (or from WSUS for internal deployments). Because WSUS normally synchronises on a daily schedule, FCS installs a service (the Microsoft Forefront Client Security Update Assistant service) that connects the WSUS server to Microsoft Update every hour to retrieve definition updates. The service also automatically approves the definition updates for distribution and installation, so they are available on WSUS within an hour of release (although it should be noted that there may be a further delay before clients actually retrieve them, depending on how often each client checks for updates).
  • FCS policies (e.g. to control the level of user interaction and reporting, or to specify allowed applications) are managed using the Microsoft Forefront Client Security Console.
    • FCS policies can be deployed to organizational units (OUs), to security groups, or manually (using a registry file). Group policy objects (GPOs) may also be created manually.
    • Upon deployment via OU or security group, FCS uses the Group Policy Management Console (GPMC) API to create a new GPO (named fcspolicyname-{guid}), which is linked to the appropriate OU or security-filtered to the chosen group. This GPO is unlinked and deleted when the FCS policy is undeployed. Group policy refresh may need to be forced using the gpupdate /force command, and for group-based deployments the policy will not apply until the computer's Kerberos ticket (which carries its group memberships) has been renewed, typically after a reboot.
    • For local policy deployment (e.g. using a registry file), a tool is provided on the FCS product CD-ROM (fcslocalpolicytool.exe).
    • As with other group policy settings, settings controlled by an FCS policy cannot be changed by users in the client interface (they are greyed out).
  • FCS also includes a report viewer for management purposes, e.g. for security state analysis.
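The update pipeline described above (hourly sync by the Update Assistant, automatic approval on WSUS) is easy to assume is working and hard to notice when it is not. The following is an added example of a server-side check, not part of the original post or the FCS product: it runs in an elevated Windows PowerShell session on the WSUS server with the WSUS administration console installed, and uses the WSUS administration API (Microsoft.UpdateServices.Administration). Assumptions not stated in the post: the service is matched on a display name like '*Forefront*Update Assistant*', FCS definitions carry the WSUS product title 'Forefront Client Security' and the classification 'Definition Updates', and the API reports times in UTC.

```powershell
# Added example (not from the original post): check that the FCS Update
# Assistant is keeping WSUS current and that definition updates are approved.
# Run elevated on the WSUS server (WSUS admin console installed).
param(
    [int]$MaxSyncAgeHours = 2,   # assistant should sync hourly; allow one miss
    [int]$RecentCount     = 5    # how many recent definition updates to list
)

# 1. Is the Update Assistant service installed and running?
#    (Assumption: display name contains 'Forefront' and 'Update Assistant'.)
$svc = Get-Service | Where-Object { $_.DisplayName -like '*Forefront*Update Assistant*' }
if (-not $svc) {
    Write-Warning 'Update Assistant service not found - WSUS will only sync on its own daily schedule.'
} elseif ($svc.Status -ne 'Running') {
    Write-Warning ("Update Assistant service '{0}' is {1}." -f $svc.DisplayName, $svc.Status)
} else {
    Write-Host ("Update Assistant service '{0}' is running." -f $svc.DisplayName)
}

# 2. Connect to the local WSUS server through the administration API.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# 3. When did WSUS last synchronise with Microsoft Update? (Assumption: UTC.)
$lastSync = $wsus.GetSubscription().LastSynchronizationTime
$syncAge  = (Get-Date).ToUniversalTime() - $lastSync
if ($syncAge.TotalHours -gt $MaxSyncAgeHours) {
    Write-Warning ("Last WSUS sync was {0:N1} hours ago (UTC {1:u}) - hourly sync is not happening." -f $syncAge.TotalHours, $lastSync)
} else {
    Write-Host ("Last WSUS sync {0:N0} minutes ago." -f $syncAge.TotalMinutes)
}

# 4. Collect FCS definition updates and check their approval state.
#    (Assumption: product title 'Forefront Client Security',
#     classification 'Definition Updates'.)
$defs = @()
foreach ($u in $wsus.GetUpdates()) {
    if ($u.UpdateClassificationTitle -ne 'Definition Updates') { continue }
    $isFcs = @($u.ProductTitles) | Where-Object { $_ -like '*Forefront Client Security*' }
    if ($isFcs) { $defs += $u }
}
$defs = @($defs | Sort-Object ArrivalDate -Descending | Select-Object -First $RecentCount)

if ($defs.Count -eq 0) {
    Write-Warning 'No Forefront Client Security definition updates found - check the product and classification selection in WSUS.'
}
foreach ($u in $defs) {
    $state = if ($u.IsApproved) { 'approved' } else { 'NOT approved' }
    '{0:u}  {1,-13} {2}' -f $u.ArrivalDate, $state, $u.Title
    if (-not $u.IsApproved) {
        Write-Warning ("'{0}' arrived but is not approved - automatic approval is not working." -f $u.Title)
    }
}
```

GetUpdates() with no scope walks every update on the server, which is slow on a large WSUS; it is used here for simplicity. A definition that has arrived but is not approved, or a last sync older than a couple of hours, is the condition to alert on: either way clients will be running stale definitions even though they are checking in normally.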
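Because FCS creates, links and deletes its own GPOs behind the scenes, a policy that shows as "deployed" in the console can still fail to reach clients (no link, or a security filter that does not include the computer). The following is an added example, not part of the original post or of FCS itself: it uses the same GPMC automation API (GPMgmt.GPM COM object) that the post says FCS uses, to list the FCS-created GPOs, where each is linked and who it applies to. It assumes (not stated in the post) that FCS-created GPOs can be recognised purely by the 'fcspolicyname-{guid}' naming convention; run it on a machine with GPMC installed, as a user who can read GPOs in the domain.

```powershell
# Added example (not from the original post): audit the GPOs that FCS created
# for deployed policies, using the GPMC automation API.
# Assumption: FCS GPOs are identified by the '-{GUID}' name suffix only.
param([string]$Domain = $env:USERDNSDOMAIN)

$gpm   = New-Object -ComObject GPMgmt.GPM      # GPMC automation API
$const = $gpm.GetConstants()
$dom   = $gpm.GetDomain($Domain, '', $const.UseAnyDC)

# Find every GPO whose display name ends in -{GUID}.
$guidSuffix = '-\{[0-9a-fA-F\-]{36}\}$'
$allGpos = $dom.SearchGPOs($gpm.CreateSearchCriteria())
$fcsGpos = @($allGpos | Where-Object { $_.DisplayName -match $guidSuffix })

if ($fcsGpos.Count -eq 0) {
    Write-Warning "No GPOs named 'policyname-{guid}' found in $Domain - has any FCS policy been deployed?"
}

foreach ($gpo in $fcsGpos) {
    "`nGPO: {0}  (modified {1:u})" -f $gpo.DisplayName, $gpo.ModificationTime

    # Where is it linked? Search the SOMs (sites, domain, OUs) that link this GPO.
    $sc = $gpm.CreateSearchCriteria()
    $sc.Add($const.SearchPropertySOMLinks, $const.SearchOpContains, $gpo)
    $soms = @($dom.SearchSOMs($sc))
    if ($soms.Count -eq 0) {
        Write-Warning '  Not linked anywhere - it will never apply (stale undeploy, or the deployment failed).'
    }
    foreach ($som in $soms) { '  Linked to: {0}' -f $som.Path }

    # Who is allowed to apply it? Security-group deployments depend on this filter.
    foreach ($ace in $gpo.GetSecurityInfo()) {
        if ($ace.Permission -eq $const.PermGPOApply) {
            '  Applies to: {0}' -f $ace.Trustee.TrusteeName
        }
    }
}

# On a client, force a refresh and confirm the GPO appears in the applied list:
#   gpupdate /force
#   gpresult /r      (Windows Vista and later; plain gpresult on Windows XP)
```

If a group-filtered GPO is linked and "Applies to" lists the right group but a newly added computer still does not pick it up, the computer's Kerberos ticket has not yet been renewed with the new group membership; a reboot, rather than another gpupdate, is what fixes that.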

It may be useful to note that the European Institute for Computer Antivirus Research (EICAR) produces a standard anti-virus test file: a harmless 68-byte text string that anti-malware products detect by agreement, which makes it useful for checking that real-time protection, scheduled scans and alerting are actually working (it says nothing about detection quality against real malware). The Microsoft Malware Protection Center includes threat research and response information (similar to the services offered by other anti-virus vendors) as well as details of the latest definition updates.
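Putting the definition-file layout and the EICAR test together gives a client-side smoke test. The following is an added example, not part of the original post or of FCS: it reports the engine and definition versions (and their age) from the Definition Updates\{GUID} folder named above, then writes the EICAR test file and checks whether real-time protection removes it and logs an event. Assumptions not stated in the post: the definition folder is at the Vista path given above (override -DefRoot on Windows XP), the detection event lands in the System or Application log with 'MCPAVAS' or 'EICAR' in its message, and the .vdm files carry a file version resource. Run it elevated on an FCS client. The EICAR string is assembled from two halves so that the script file itself is not quarantined; only the file it writes is.

```powershell
# Added example (not from the original post): FCS client smoke test -
# definition freshness plus an EICAR real-time protection check.
param(
    # Assumption: Vista layout from the post; pass the XP path if needed.
    [string]$DefRoot = 'C:\Users\All Users\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates',
    [int]$MaxDefAgeHours = 24,
    [int]$WaitSeconds = 30
)

# --- 1. Engine and definition versions (newest {GUID} folder) -------------
$defDir = Get-ChildItem $DefRoot |
          Where-Object { $_.PSIsContainer -and $_.Name -match '^\{.*\}$' } |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $defDir) { throw "No {GUID} definition folder under $DefRoot" }

foreach ($name in 'mpengine.dll','mpavbase.vdm','mpavdlta.vdm','mpasbase.vdm','mpasdlta.vdm') {
    $f = Join-Path $defDir.FullName $name
    if (-not (Test-Path $f)) { Write-Warning "$name missing"; continue }
    $item = Get-Item $f
    $age  = (Get-Date) - $item.LastWriteTime
    '{0,-13} version {1,-18} age {2,6:N1} h' -f $name, $item.VersionInfo.FileVersion, $age.TotalHours
    # Delta files change most often; a stale delta means updates are not arriving.
    if ($name -like '*dlta*' -and $age.TotalHours -gt $MaxDefAgeHours) {
        Write-Warning "$name is older than $MaxDefAgeHours h - definition updates may not be reaching this client."
    }
}

# --- 2. EICAR real-time protection test -----------------------------------
# Two halves, joined at run time, so this script is not itself detected.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$path  = Join-Path $env:TEMP 'fcs-eicar-test.com'
$start = Get-Date
# Exactly the 68 ASCII bytes, no BOM or trailing newline, as the EICAR spec requires.
[IO.File]::WriteAllText($path, $eicar, [Text.Encoding]::ASCII)

$deadline = (Get-Date).AddSeconds($WaitSeconds)
while ((Test-Path $path) -and ((Get-Date) -lt $deadline)) { Start-Sleep -Seconds 2 }

if (Test-Path $path) {
    Write-Warning "EICAR file still present after $WaitSeconds s - real-time protection did not act."
    Remove-Item $path -Force
} else {
    Write-Host 'EICAR file removed by real-time protection.'
}

# --- 3. Did FCS log the detection? ----------------------------------------
# Assumption: the event is in System or Application and mentions MCPAVAS or EICAR.
$events = @()
foreach ($log in 'System','Application') {
    $events += @(Get-EventLog -LogName $log -After $start -ErrorAction SilentlyContinue |
                 Where-Object { $_.Message -match 'MCPAVAS|EICAR' })
}
if ($events.Count -gt 0) {
    foreach ($e in $events) {
        '{0:u} [{1}] {2}' -f $e.TimeGenerated, $e.Source, ($e.Message -split "`n")[0]
    }
} else {
    Write-Warning 'No matching event found - check the FCS console and the quarantine folder.'
}
```

The file is deliberately written with a .com extension and no trailing newline; scanners are only obliged to recognise the exact 68-byte string (optionally followed by whitespace, up to 128 bytes in total), so a text editor that adds a BOM or line ending can produce a false "not detected". If the file is removed but no event is found, the detection worked and only the logging assumption above is wrong; if the file survives the wait, real-time protection is off or the policy has not applied.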

Links

Forefront Client Security team blog.

Comments

1

Comment from Tamás Lepenye
Time: Wednesday 8 August 2007, 7:50

Great Article, Mark! Thank you! I’ve been ‘watching you’ for at least a year and like to visit your site.

Just to correct you a little bit: Forefront Client origins come from Romania, 2003. Look at this: http://www.microsoft.com/presspass/press/2003/Jun03/06-10GeCadPR.mspx

‘Forefront for Exchange’ has come from Sybari.

Best wishes,

Tamás Lepenye [MSFT], Hungary

2

Comment from Mark Wilson
Time: Wednesday 8 August 2007, 9:51

Hi Tamás,
Thanks for ‘watching’ and thanks for the correction… I’d forgotten about GeCAD - glad you liked the FCS post though :-)

Cheers, Mark
