Forefront Client Security

This content is 17 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

A couple of years back, Microsoft bought a load of security companies and since then we’ve seen them continue to offer FrontBridge services as Microsoft Exchange Hosted Services; Windows Defender was born out of the previous Giant Company anti-spyware product, and a couple of months back they released Forefront Client Security (FCS) – which I believe is based on the technology gained from the purchase of Sybari.

Yesterday, I spent some time working through a hands-on lab for Forefront Client Security and it seems pretty good. What follows is not a full product review (a demo is available on the Microsoft web site), but some of the highlights I picked out from the lab.

  • In line with most anti-virus clients, Forefront Client Security displays a taskbar icon to indicate status. Depending on the policies applied (from an FCS management console), this will allow a user to launch the client software.
  • Quick scans check for viruses and spyware in:
    • Processes loaded in memory.
    • User profile, Desktop, system folders and Program Files folder.
    • Common malware infection points (auto start registry entries, etc.)
  • FCS does not scan removable or network disks
  • Periodic quick scans should be scheduled in order to make use of the latest definitions to detect any malware that may have infected a computer between the previous scan and the application of new definitions.
  • Real time protection detects and prevents malware attacks immediately
  • Quarantined files are stored as encrypted files inside a .CAB in a subfolder under C:\Documents and Settings\All Users
  • Event log messages may include the acronym MCPAVAS (Microsoft Client Protection Anti-Virus Anti-Spyware)
  • Definition updates are stored at C:\Users\All Users\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{GUID}
  • To reduce the size of definition file transfers, FCS uses a system of base and delta definition files. Key files are:
    • mpengine.dll – malware scanning engine
    • mpasbase.vdm – antispyware base definition file
    • mpasdlta.vdm – antispyware delta definition file
    • mpavbase.vdm – antivirus base definition file
    • mpavdlta.vdm – antivirus delta definition file
  • Definition updates are available from Microsoft Update (or WSUS for internal deployments). Because WSUS uses a daily synchronisation schedule, FCS installs a service (the Microsoft Forefront Client Security Update Assistant service) that automatically connects WSUS to Microsoft Update every hour to retrieve definition updates. This service also automatically approves updates for distribution and installation so that updates are always available within one hour of release (although it should be noted that there may be a further delay before updates are retrieved depending on the frequency of client update checks).
  • FCS policies (e.g. to control the level of user interaction and reporting, or to specify allowed applications) are managed using the Microsoft Forefront Client Security Console.
    • FCS policies can be deployed to organizational units (OUs), security groups, or manually (using a registry file). Group policy objects (GPOs) may also be created manually.
    • Upon deployment via OU or security group, FCS uses the group policy management console (GPMC) API to create a new GPO (named fcspolicyname-{guid}) which is applied to the appropriate OU or filtered based on security group membership. This policy is unlinked and deleted when the FCS policy is undeployed. Group policy updates may need to be forced using the gpupdate /force command and Kerberos ticket renewal may delay group-based policy application.
    • For local policy file deployment (e.g. using a registry file), a tool is provided on the FCS product CD-ROM (fcslocalpolicytool.exe).
    • As with other group policies, settings deployed via FCS policies are unavailable to users (greyed out).
  • FCS also includes a report viewer for management purposes, e.g. for security state analysis.
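Because the Update Assistant pulls definitions into WSUS hourly, a client whose delta files are days old is a sign that the update chain (WSUS, approval, client check-in) has broken somewhere. The following script is an added example of a definition-freshness check, written for this post and not part of FCS or the lab. It uses the Definition Updates path and the key file names listed above; the age thresholds, the `scan`/`evaluate`/`healthy` function names and the sample listing are my own assumptions.

```python
"""Definition-freshness check for a Forefront Client Security (FCS) client.

Added example: reports the age of the scanning engine and the base/delta
definition files under the Definition Updates\{GUID} folder and flags any
that are missing or older than an assumed threshold.  Deltas ship often,
so a day-old delta is suspicious; bases and the engine change rarely.
"""
import os
import sys
import time
from pathlib import Path

# Path as given in the post; the {GUID} subfolder is located by globbing.
DEFAULT_ROOT = Path(r"C:\Users\All Users\Microsoft\Microsoft Forefront"
                    r"\Client Security\Client\Antimalware\Definition Updates")

# Key files from the post -> (purpose, assumed maximum age in hours).
KEY_FILES = {
    "mpengine.dll": ("malware scanning engine", 60 * 24),
    "mpasbase.vdm": ("antispyware base definitions", 60 * 24),
    "mpasdlta.vdm": ("antispyware delta definitions", 24),
    "mpavbase.vdm": ("antivirus base definitions", 60 * 24),
    "mpavdlta.vdm": ("antivirus delta definitions", 24),
}


def scan(root: Path) -> dict:
    """Map each key file name to the newest mtime found under root/*/ ."""
    listing = {}
    for name in KEY_FILES:
        mtimes = [os.stat(p).st_mtime for p in root.glob(f"*/{name}")]
        if mtimes:
            listing[name] = max(mtimes)
    return listing


def evaluate(listing: dict, now: float) -> dict:
    """Classify each key file; returns {name: (status, age_hours_or_None)}
    where status is 'ok', 'stale' or 'missing'."""
    report = {}
    for name, (_, max_age_h) in KEY_FILES.items():
        mtime = listing.get(name)
        if mtime is None:
            report[name] = ("missing", None)
            continue
        age_h = (now - mtime) / 3600.0
        report[name] = ("stale" if age_h > max_age_h else "ok", round(age_h, 1))
    return report


def healthy(report: dict) -> bool:
    """True only when every key file is present and within its age limit."""
    return all(status == "ok" for status, _ in report.values())


# Constructed sample listing (not captured from a real client): engine and
# bases a few weeks old, antivirus delta fresh, antispyware delta three
# days old, i.e. the hourly update chain has stalled for that file.
SAMPLE_NOW = 1_200_000_000.0
SAMPLE_LISTING = {
    "mpengine.dll": SAMPLE_NOW - 20 * 86400,
    "mpasbase.vdm": SAMPLE_NOW - 20 * 86400,
    "mpasdlta.vdm": SAMPLE_NOW - 3 * 86400,
    "mpavbase.vdm": SAMPLE_NOW - 20 * 86400,
    "mpavdlta.vdm": SAMPLE_NOW - 2 * 3600,
}

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_ROOT
    if root.exists():
        listing, now = scan(root), time.time()
    else:                         # not an FCS client: show the sample data
        listing, now = SAMPLE_LISTING, SAMPLE_NOW
    report = evaluate(listing, now)
    for name, (status, age) in report.items():
        age_s = "-" if age is None else f"{age:.1f}h"
        print(f"{name:14} {status:8} {age_s:>8}  {KEY_FILES[name][0]}")
    sys.exit(0 if healthy(report) else 1)
```

Run it on a client with no arguments (or pass the definition folder explicitly) and wire the exit code into whatever monitoring you already have; a non-zero exit means a definition file is missing or past its threshold, which is worth checking before trusting the report viewer's security state.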

It may be useful to note that the European expert group for IT security (EICAR) produces an anti-virus test file that can be useful for fine-tuning anti-virus processes and procedures. The Microsoft Malware Protection Center includes threat research and response information (similar to the services offered by other anti-virus vendors) as well as details of the latest definition updates.


Forefront Client Security team blog.

Kernel panic

I’ve written before about how, according to Apple, reason number 1 to get a Mac is because “all the hardware and software just works, and works well together“. I can’t be bothered to get into the whole Mac vs. [Windows] PC (vs. Linux) thing now… I’ve written plenty on that subject before, and anyway – it’s just a PC – but no sooner had I just commented to Alex about how a certain podcast presenter is very quick to criticise Windows for its blue screens of death (of which I’ve seen very few in recent years – and only then because I’ve done something stupid like installing the wrong device driver or removing a hard disk before powering down the computer), did I witness my first OS X kernel panic (actually, from looking at /Library/Logs/panic.log, it seems that I had one a few days ago as well, which explains why the Mac had strangely shut itself down whilst I was at work one day last week).

Mac OS X kernel panic

So, my point is that Macs don’t “just work”. They run software, created by humans, that crashes from time to time, just like non-Apple PCs running any other operating system. Now, if Apple really could create “the world’s most advanced operating system” and it did “just work”, I’d be very impressed.

Tab completion in Windows

Many people will be familiar with the command line tab completion functionality that can be used to complete folder and filenames in recent versions of Windows, but what I wasn’t aware of (until I just used it, following some instructions from Microsoft in a hands-on lab training manual) was that wildcards like *.reg <tab> can be used to tab-complete filenames. This technique can even be used as arguments to a longer command, e.g. notepad *.reg <tab>.

Dustin L makes a good point in his comment on the Lifehacker article that discusses command line tab completion – Unix admins will already be familiar with the concept but there are a couple of differences between the Windows and Unix/Linux CLI tab completion implementations:

  • “In the Windows command line, if there is more than one match for what you’ve typed, successive presses will cycle through all of the matches rather than just display a list of the matches.
  • Windows will not complete commands, only files and directories.”

Useful digital photography utilities

I’ve just got back from a weekend in the Peak District National Park and, rewarded with clear blue skies as dawn broke yesterday morning, I rushed to the top of Mam Tor to rekindle my long-dormant desire to make great landscape photographs (I’m no Joe Cornish, but there has to be some reward for leaving my tent at 5.15).

It gave me a chance to try out a number of things that I’ve wanted to do for a while – shooting camera raw (.NEF) images and using the Lee Filters 0.6 ND graduated filter that I bought a couple of years ago. I have to say that I am definitely a convert to these features (although they would not be practical for the majority of my photography which falls into the “snapshots of the kids” category). Both the OS X Preview application and my post-production tool of choice (Adobe Photoshop CS2) had no difficulty opening the camera raw files and the quality is excellent (Windows users might find this post useful). Meanwhile, whilst using a large graduated filter on a camera with only a 24mm image sensor makes it slightly difficult to position, using the 0.6 ND filter to tone down the sky by two stops meant that I was able to take pictures with a well-exposed foreground, without washing out the highlights.

I also found that a couple of little programs came in useful when I got home. Firstly, having had some issues with my CF card before leaving home, I formatted it and the file numbering recommenced from DSC_0001.* – thanks to a little recommendation from my buddy Alex, I used Renamer4Mac to bulk rename the files. Also useful (although not for the RAW files) was Ali Ozer’s Simple EXIF Viewer for Mac OS X, which let me easily examine the EXIF data on my images (something sadly lacking in the OS X Finder).

Finally, whilst writing about OS X and digital photography (apologies to Windows readers but my digital photography workflow is based on a Mac) it’s worth mentioning one little tip that can come in useful (much as I hate to publicise anything from Scott Bourne, whose “advice” often serves only to fuel Apple elitism and general Mac vs. PC bigotry, I think I picked this up from an iLifeZone podcast). Unlike the Windows Preview function, which lets viewers page forwards and backwards through a directory of files, the OS X Preview default is to open just a single file. Switchers are often frustrated by this (I know I was) but it is possible to open multiple images in Preview (by selecting multiple files, then choosing to open with Preview), after which the cursor keys can be used to scroll through the list.

Virtualised demonstrations eating all your memory? Try a ReadyBoost USB key

Even though Windows Vista will run on lower-specification PCs (it’s fine on my ThinkPad T40 with 512MB RAM), once you add a few applications (like Office 2007), it really starts to bog down and I was struggling recently with 1GB RAM on my work notebook (it’s been fine since I added another gig). If you also run virtual machines (e.g. for product testing or demonstrations), then it’s not long before the requirements for physical RAM run up against the limits of a 32-bit address space.

Last week, my colleague Alistair (soon to be an ex-colleague as he’s off to Conchango – where I used to work, proving that the UK IT industry is a very small world!) was raving about the Corsair Flash Voyager USB drives. Not only are they shock and water-resistant, but the GT model is ReadyBoost compatible, meaning that if you need a bit of extra RAM in your PC you can plug in your USB key. USB will be slower than on-board memory, and other ReadyBoost compatible drives are available, but the Flash Voyager GT is heralded as one of the fastest such devices available today. Even better, the ReadyBoost memory is a separate address space, so you can exceed the 4GB limit for a 32-bit architecture.

There’s a useful ReadyBoost FAQ at Tom Archer’s blog.

Recovering images from a Compact Flash card

My Nikon D70 uses Compact Flash (CF) storage – not the smallest form factor but certainly one of the more established types (and when I bought the camera it was important for my camera to also support IBM/Hitachi microdrives, although with the increasing availability of large-capacity flash cards that’s no longer an issue). I use Lexar Professional cards – usually a 2GB 133x speed card with write acceleration – but this week I’ve had some problems.

In the middle of taking photos of my children, struggling to get them to sit still with my grandparents and for everyone to look towards me (I hate taking portraits), my camera reported an error before it decided that the card was not formatted. I turned the camera off and on again, then shot off a few frames, before the battery indicator told me that I needed to recharge (maybe that was the issue all along). I switched to my spare battery and then continued taking photos with no issues.

When I tried to read the card on my Mac, everything seemed fine (pictures were all there), except that when I ejected it (by right clicking and selecting eject, waiting for the icon to disappear and then waiting a few more seconds) OS X told me that I had removed a device incorrectly and there could be some damage to files. That would be fine if I had just removed the card, but as I had ejected the card properly and the icon had disappeared, it was logical to think that it was safe to remove (Windows may have many faults but at least it confirms when it’s safe to remove a device).

This afternoon, I wanted to copy files from the card before wiping it for a new shoot. Strangely, instead of all my files being neatly numbered DSC_xxxx.JPG, I had DWC_xxxx.JPG and DSC[xxxx.JPG files. They all seemed to preview with no issues in-camera, but some of the files failed to copy to the Mac. I tried again on a Windows Vista PC but with similar issues (at least Windows let me skip the offending files and continue the copy) then, after removing the card and looking again in-camera, I switched back to the Windows machine, where Vista told me that the media appeared to have some damage – did I want to scan and fix it. Thinking that might help me, I let Windows do its stuff and, after a very brief interval, it told me that it had succeeded; however all I could see was one 32KB file where the folder used to be with over 700 images in it!

After a mild panic (I had most of those images backed up but there were 16 still to recover), I remembered the Lexar Image Rescue 2 software that came pre-loaded on the CF card when I bought it. I loaded that up on a Windows XP machine (in case there were compatibility issues with Vista) and successfully recovered 747 files from a low level search (which took about an hour for my 2GB card). The 747 resulting .THM files appeared to be JPEGs – at least renaming them *.JPG seemed to work. Then I tried a high-level search – this time I got a number of .CHK files including 712 which corresponded to JPEGs – the difference would appear to be the number of files present in the directory compared with files on disk marked for deletion but not yet overwritten.

Crucially, the recovered files still have the EXIF data letting me work out when they were taken (and therefore helping to narrow down the search for my missing pictures). Once renamed to *.JPG, I could also preview the images with the exception of one file which appears to have been irretrievably corrupted, either by my camera losing power during a write, or by my Mac failing to eject the card properly.
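The "low-level search" described above works because a JPEG carries its own structure: once the directory is gone, a recovery tool can still find each file by its start marker and walk the segments to its end marker. The carver below is an added example written for this post (it is not the Lexar Image Rescue code, and it assumes you have saved a raw byte-for-byte dump of the card to a file). It walks the marker layout instead of searching blindly for the end-of-image bytes, which is why the EXIF block, and the thumbnail JPEG embedded inside it, stay intact in the recovered file, and why a file cut short by a power loss is rejected rather than padded. The function names and the sample data are my own.

```python
"""Structure-aware JPEG carver for a raw dump of a damaged memory card.

Added example, not the Lexar tool's code.  Header segments carry a 2-byte
length; after the SOS segment comes entropy-coded data in which 0xFF is
always followed by 0x00 (stuffing) or 0xD0-0xD7 (restart); 0xFFD9 ends
the image.  A naive search for 0xFFD9 stops at the thumbnail embedded in
most camera files' EXIF segment; walking the segments does not.
"""
import struct
import sys
from pathlib import Path

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}   # TEM and RST0..RST7: no length field


def jpeg_length(buf: bytes, start: int):
    """Byte length of the JPEG beginning at buf[start], or None if the data
    there is not a complete, well-formed JPEG (e.g. truncated by power loss)."""
    n = len(buf)
    if buf[start:start + 2] != b"\xff\xd8":
        return None
    pos = start + 2
    while pos + 4 <= n:
        if buf[pos] != 0xFF:
            return None                      # lost sync: not a segment marker
        marker = buf[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2 - start
        if marker in STANDALONE:
            pos += 2
            continue
        seg_len = struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return None
        pos += 2 + seg_len                   # length field counts itself
        if marker != SOS:
            continue
        # Entropy-coded data: skip until a marker that is not stuffing/restart.
        while pos + 1 < n:
            if buf[pos] != 0xFF:
                pos += 1
            elif buf[pos + 1] == EOI:
                return pos + 2 - start
            elif buf[pos + 1] == 0x00 or 0xD0 <= buf[pos + 1] <= 0xD7:
                pos += 2                     # stuffed 0xFF or restart marker
            elif buf[pos + 1] == 0xFF:
                pos += 1
            else:
                break                        # a real marker: back to segments
    return None                              # ran off the end: truncated


def carve_jpegs(image: bytes):
    """Return [(offset, data), ...] for every complete JPEG in the dump."""
    found, pos = [], 0
    while True:
        pos = image.find(b"\xff\xd8\xff", pos)
        if pos < 0:
            break
        length = jpeg_length(image, pos)
        if length:
            found.append((pos, image[pos:pos + length]))
            pos += length     # skip the whole file, thumbnail included
        else:
            pos += 1          # damaged file: its embedded thumbnail may still carve
    return found


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample data (no real camera files): a tiny thumbnail JPEG, a
# main image embedding it in a simplified APP1/EXIF segment, and a dump that
# holds the main image, a truncated copy of it, and a bare thumbnail.
SAMPLE_THUMB = (b"\xff\xd8" + _segment(0xDB, b"\x00" + bytes(64))
                + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
                + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
SAMPLE_MAIN = (b"\xff\xd8"
               + _segment(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08" + SAMPLE_THUMB)
               + _segment(0xDB, b"\x00" + bytes(64))
               + _segment(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")
               + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
               + b"\xaa\xbb\xff\x00\xcc\xff\xd0\xdd" + b"\xff\xd9")
SAMPLE_DUMP = (bytes(16) + SAMPLE_MAIN + b"GARBAGE" + SAMPLE_MAIN[:150]
               + bytes(5) + SAMPLE_THUMB + bytes(10))

if __name__ == "__main__":
    dump = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_DUMP
    out = Path(sys.argv[2]) if len(sys.argv) > 2 else Path("recovered")
    out.mkdir(exist_ok=True)
    for i, (off, data) in enumerate(carve_jpegs(dump)):
        (out / f"recovered_{i:04d}.jpg").write_bytes(data)
        print(f"offset {off:>10}  {len(data):>8} bytes -> recovered_{i:04d}.jpg")
```

On the sample dump the carver recovers the intact main image, then (because the truncated copy is rejected) the complete thumbnail embedded in that copy's EXIF segment, then the bare thumbnail; that middle result is the same kind of thumbnail-only recovery that a low-level search produces for a file whose main scan data was lost. Recovered files keep their APP1 segment, so the EXIF timestamps remain available for working out which shots are which.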

A call for open standards in digital rights management

Digital rights management (DRM) is a big issue right now. Content creators have a natural desire to protect their intellectual property and consumers want easy access to music, video, and other online content.

The most popular portable media player is the Apple iPod, by far the most successful digital music device to date. Although an iPod can play ordinary MP3 files, its success is closely linked to iTunes’ ease of use. iTunes is a closed system built around an online store with (mostly) DRM-protected tracks using a system called FairPlay that is only compatible with the iTunes player or with an iPod.

Another option is to use a device that carries the PlaysForSure logo. These devices use a different DRM scheme – Windows Media – this time backed by Microsoft and its partners. Somewhat bizarrely, Microsoft has also launched its own Zune player using another version of Windows Media DRM – one that’s incompatible with PlaysForSure.

There is a third way to access digital media – users can download or otherwise obtain DRM-free tracks and play them on any player that supports their chosen file format. To many, that sounds chaotic. Letting people download content without the protection of DRM! Surely piracy will rule and the copyright holders will lose revenue.

But will they? Home taping has been commonplace for years but there was always a quality issue. Once the development of digital music technologies allowed perfect copies to be made at home, the record companies hid behind non-standard copy prevention schemes (culminating in the Sony rootkit fiasco) and DRM-protected online music. Now video content creators are following suit, with the BBC and Channel 4 both releasing DRM-protected content that will only play on some Windows PCs. At least the BBC does eventually plan to release a system that is compatible with Windows Vista and Macintosh computers but for now, the iPlayer and 4 on Demand are for Windows XP users only.

It needn’t be this way as incompatible DRM schemes restrict consumer choice and are totally unnecessary. Independent artists have already proved the model can work by releasing tracks without DRM. And after the Apple CEO, Steve Jobs, published his Thoughts on Music article in February 2006, EMI made its catalogue available, DRM-free, via iTunes, for a 25% premium.

I suspect that the rest of the major record companies are waiting to see what happens to EMI’s sales and whether there is a rise in piracy of EMI tracks; which in my opinion is unlikely. The record companies want to see a return to the 1990s boom in CD sales but that was an artificial phenomenon as music lovers re-purchased their favourite analogue (LP) records in a digital (Compact Disc) format. The way to increase music sales now is to remove the barriers to online content purchase.

  • The first of these is cost. Most people seem happy to pay under a pound for a track but expect album prices to be lower (matching the CDs that can be bought in supermarkets and elsewhere for around £9). Interestingly though, there is anecdotal evidence that if the price of a download was reduced and set at around $0.25 (instead of the current $0.99), then people would actually download more songs and the record companies would make more money.
  • Another barrier to sales is ease of use and portability. If I buy a CD (still the benchmark for music sales today), then I only buy it once regardless of the brand of player that I use. Similarly, if I buy digital music or video from one store why should I have to buy it again if I change to another system?

One of the reasons that iTunes is so popular is that it’s very easy to use – the purchase process is streamlined and the synchronisation is seamless. It also locks consumers into one platform and restricts choice. Microsoft’s DRM schemes do the same. And obtaining pirated content on the Internet requires a level of technical knowledge not possessed by many.

If an open standard for DRM could be created, compatible with both FairPlay and Windows Media (PlaysForSure and Zune), it would allow content owners to retain control over their intellectual property without restricting consumer choice.

[This post originally appeared on the Seriosoft blog, under the pseudonym Mark James.]