Configuring checks for definition updates

Applies To: Forefront Client Security

When malware protection is enabled, a Client Security policy determines how often client computers check for malware definition updates, as well as whether the Client Security agent checks for definition updates before beginning a scheduled malware scan. If the Client Security agent finds that an update newer than the current definitions is available, it will download the update and use the newer definitions.

When you edit or create a policy, use the Advanced tab to configure when client computers check for definition updates.

If the policy you are creating or editing enables real-time malware protection, it is recommended that you enable interval checks for malware definition updates. Because of the frequency with which users access files and start new processes and services, it is not reasonable for the Client Security agent to check for definition updates every time it scans a file. Interval checks for definition updates help ensure that computers performing real-time protection have definitions that are current within 24 hours (which is the maximum interval for definition-update checks).

If you have enabled real-time protection and either interval or scheduled malware scans, and you are comfortable with definition-update checks happening only when scans occur, you can disable interval checks.

Generally, policies that protect critical computers should check for updates more often. However, if you also schedule more frequent scans for critical computers and configure the policy to check for updates prior to scans, interval checks for definitions may still be unnecessary.

If a policy relies on real-time protection to protect client computers and therefore enforces less frequent scheduled scans (such as only once or twice a week), it is recommended that you use interval definition-update checks to help ensure that real-time protection can detect recently identified malware.

Also, consider how long you are comfortable waiting to check for definition updates after Microsoft releases them. For example, if you configure a policy to enforce definition-update checks only before scans and to perform a scan only once a day, and then Microsoft releases definition updates that identify new malware just after a daily update check, your client computers remain unprotected against the new malware for almost a full 24 hours. This is especially unfortunate if real-time protection is being used and does not stop the propagation of the new malware in your organization until the next day. Depending on your organization's security policies and on how critical the operations of various client computers and servers are to your organization, you may find such a delay in definition-update checks to be unacceptable.

When you make changes that affect how often and when Client Security checks for updates, you may want to monitor the impact of the distribution of updates on your network. If network use is too high when Client Security checks for updates, consider making adjustments to the settings for definition-update checks.

By default, a new policy enforces definition-update checks prior to malware scans and at six-hour intervals.
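The timing trade-off described above can be made concrete with a small model. This is an added example, not part of the original article or of Forefront Client Security: it computes an upper bound on how long a newly released definition can wait for the next check, given a weekly scan schedule and the two check box settings. The function names and sample schedules are assumptions constructed for illustration; scan times are hours counted from Monday 00:00.

```python
"""Upper bound on the delay between a definition release and the next check.
Added illustration using a simplified model; not Forefront Client Security code."""
from typing import Optional, Sequence

HOURS_PER_WEEK = 7 * 24
MAX_INTERVAL_HOURS = 24  # maximum interval stated in the article


def max_scan_gap_hours(scan_hours: Sequence[float]) -> Optional[float]:
    """Longest stretch between consecutive scans in a weekly repeating schedule."""
    if not scan_hours:
        return None
    times = sorted({h % HOURS_PER_WEEK for h in scan_hours})
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    gaps.append(times[0] + HOURS_PER_WEEK - times[-1])  # wrap into next week
    return float(max(gaps))


def worst_case_delay_hours(scan_hours: Sequence[float],
                           check_before_scan: bool,
                           interval_hours: Optional[float] = None) -> Optional[float]:
    """Hours a new definition can wait before a client checks for it.

    Each enabled trigger bounds the delay on its own, so the tighter bound
    wins. Returns None when the policy never triggers a check.
    """
    bounds = []
    if interval_hours is not None:
        if not 0 < interval_hours <= MAX_INTERVAL_HOURS:
            raise ValueError("interval must be between 0 and 24 hours")
        bounds.append(float(interval_hours))
    if check_before_scan:
        gap = max_scan_gap_hours(scan_hours)
        if gap is not None:
            bounds.append(gap)
    return min(bounds) if bounds else None


def daily_at(hour: int) -> list:
    """Constructed helper: one scan per day at the given hour."""
    return [day * 24 + hour for day in range(7)]


if __name__ == "__main__":
    # Constructed sample policies: (scan schedule, check before scan, interval).
    samples = {
        "daily scan, pre-scan check only": (daily_at(2), True, None),
        "Mon/Thu scans, pre-scan check only": ([2, 74], True, None),
        "default: pre-scan check + 6-hour interval": (daily_at(2), True, 6),
    }
    for name, policy in samples.items():
        print(f"{name}: up to {worst_case_delay_hours(*policy)} hours")
```

Comparing the returned bound against the delay your organization's security policy tolerates shows whether a scan-only policy needs interval checks added.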

To enable checks for definition updates

  1. In the Client Security console, create or edit a policy. For information about how to create or edit a policy, see Creating, editing, copying, and deleting policies.

  2. In the New Policy or Edit Policy dialog box, click the Advanced tab.

  3. If you want to enable a definition-update check before scheduled scans, under Malware definition updates, select the Check for updates before starting a scan check box.

    If you want to enable update checks at intervals, under Malware definition updates, select the Check for updates at set interval check box and type the number of hours between definition-update checks.

  4. After you finish creating or editing the policy, click OK.

  5. To apply the policy to client computers, you must deploy the policy. For information about deploying a policy, see Deploying and undeploying policies.

To disable checks for definition updates

  1. In the Client Security console, create or edit a policy. For information about how to create or edit a policy, see Creating, editing, copying, and deleting policies.

  2. In the New Policy or Edit Policy dialog box, click the Advanced tab.

  3. If you want to disable a definition-update check before scheduled scans, under Malware definition updates, clear the Check for updates before starting a scan check box.

    If you want to disable update checks at intervals, under Malware definition updates, clear the Check for updates at set interval check box and type the number of hours between definition-update checks.

  4. After you finish creating or editing the policy, click OK.

  5. To apply the policy to client computers, you must deploy the policy. For information about deploying a policy, see Deploying and undeploying policies.