New/Edit Policy dialog box page

Applies To: Forefront Client Security

Use this dialog box to define settings for a Client Security policy. See the applicable section of this topic for help with the tab you are using:

  • General tab

  • Protection tab

  • Advanced tab

  • Overrides tab

  • Reporting tab

For more information about creating or editing policies, see the Client Security Administrator's Guide (https://go.microsoft.com/fwlink/?LinkID=75776).

General tab

Control Description

Name

Specifies the name for the policy.

It is recommended that you use a descriptive name that reflects the purpose of the policy.

Comments

Enter any comments about the policy.

It is recommended that you provide adequate detail to allow other people who share responsibility for editing or deploying the policy to understand its purpose by reading the comments. You can also use the comments to document changes to the policy.

Last modified

(Read only) Specifies the date and time that the policy was last modified.

Modified by

(Read only) Specifies the user name of the person who last modified the policy.

Last deployed

(Read only) Specifies the date and time that the policy was last deployed.

Deployed by

(Read only) Specifies the user name of the person who last deployed the policy.

Deployed to

(Read only) Specifies the targets to which the policy was last deployed.

Protection tab

Control Description

Virus protection

Specifies whether virus protection is active. You have three options:

  • On—Enforces virus protection for all client computers protected by this policy.

  • Off—Disables virus protection for all client computers protected by this policy.

  • User controlled—Allows users to control virus protection for all client computers protected by this policy.

Important

Users can control virus protection only if you have made the appropriate selections under Client Options on the Advanced tab. For more information, see the Client Security Administrator's Guide.

By default, this list is set to On.

Spyware protection

Specifies whether spyware protection is active. You have three options:

  • On—Enforces spyware protection for all client computers protected by this policy.

  • Off—Disables spyware protection for all client computers protected by this policy.

  • User controlled—Allows users to control spyware protection for all client computers protected by this policy.

Important

Users can control spyware protection only if you have made the appropriate selections under Client Options on the Advanced tab. For more information, see the Client Security Administrator's Guide.

By default, this list is set to On.

Use real-time protection (scan programs and services when they are accessed)

Select this check box if you want to enable real-time scanning for viruses and spyware for all computers protected by this policy. Clear this check box if you want to disable real-time scanning.

This check box is available only when either the Virus protection list or the Spyware protection list is set to On.

Furthermore, real-time virus protection can be enabled only if the Virus protection list is set to On, and real-time spyware protection can be enabled only if the Spyware protection list is set to On. For example, if the Virus protection list is set to On but the Spyware protection list is set to Off, selecting this check box enables only real-time virus protection.

Run a scan at this time

Select this check box if you want the policy to enforce a scheduled scan for malware. Clear this check box if you do not want the policy to enforce a scheduled scan.

By default, this check box is selected.

This check box is available only when either the Virus protection list or the Spyware protection list is set to On.

Start time

The list on the left specifies the day that scheduled scans occur. You can select:

  • A specific day of the week

  • Every day (the default selection)

  • User controlled

Important

Users can control the days on which scheduled scans occur only if you have made the appropriate selections under Client Options on the Advanced tab. For more information, see the Client Security Administrator's Guide.

The list on the right specifies the time of day that scheduled scans occur. You can select:

  • A specific hour of the day (the default selection is 12 hours)

  • User controlled

Important

Users can control the hour at which scheduled scans occur only if you have made the appropriate selections under Client Options on the Advanced tab. For more information, see the Client Security Administrator's Guide.

These lists are available only when either the Virus protection list or the Spyware protection list is set to On.

Scan type

Specifies whether the scheduled scan is a quick or full scan.

For information about the differences between quick and full scans, see the Client Security Administrator's Guide.

This list is available only when either the Virus protection list or the Spyware protection list is set to On.

Run a Quick Scan at set interval (hours)

Select this check box to run a quick scan at regular intervals.

The spin box to the right of the check box specifies the length of the interval, in hours.

This check box and spin box are available only when either the Virus protection list or the Spyware protection list is set to On.

Scan at set interval (hours)

Select this option if you want security state assessments to occur at a regular interval.

The spin box to the right of the option specifies the length of the interval between scans, in hours.

By default, this option is selected and the spin box is set to 12 hours.

Scan at this time

Select this option if you want security state assessments to occur at a scheduled time every day.

Use the list to the right of the check box to specify the hour at which security state assessments occur.

If scan was not run when scheduled, run as soon as possible

Select this check box if, in cases when a scheduled scan cannot be performed on a client computer, you want Client Security to perform a security state assessment as soon as possible. Clear this check box if you want to prevent Client Security from retrying a scheduled assessment that did not occur.

This check box is available only when the Scan at this time option is selected.

Do not run security state scan

Select this option if you want to disable security state assessments. It is recommended that you run security state scans; however, consider disabling security state scans when the policy is deployed to computers that have intentional vulnerabilities, such as FAT file systems required by legacy software.

By default, this check box is cleared.

Advanced tab

Important

The settings on the Advanced tab are available only when, on the Protection tab, either the Virus protection list or the Spyware protection list is set to On.

Control Description

Check for updates before starting a scan

Select this check box if you want Client Security agents to check for malware definition updates before beginning a scheduled scan. Clear this check box if you want Client Security agents to perform scheduled scans without first checking for definition updates.

By default, this check box is selected.

Check for updates at set interval (hours)

Select this check box if you want Client Security agents to check for malware definition updates at regular intervals. Clear this check box if you do not want Client Security agents to check for updates at regular intervals.

The spin box to the right of the check box specifies the length of the interval.

By default, this check box is selected and the spin box is set to 6 hours.

Check for updates on Microsoft Update when WSUS is unavailable

Select this check box if you want Client Security agents to check for updates on Microsoft Update when they cannot contact the Client Security distribution server. Clear this check box if you do not want Client Security agents to check for updates on Microsoft Update.

If you have not previously saved a policy that enables fallback to Microsoft Update, a message confirms your decision to use Microsoft Update.

  • If you agree that client computers can fall back to Microsoft Update, select the Check for updates on Microsoft Update when client computers cannot connect to the WSUS server check box.

    If you do not agree that client computers can fall back to Microsoft Update, clear the Check for updates on Microsoft Update when client computers cannot connect to the WSUS server check box.

  • Click OK to continue configuring the policy.

Important

If you select this check box and save the policy, Client Security records your decision. When you create new policies or re-enable fallback to Microsoft Update on existing policies, you are never again prompted to confirm this decision.

The default setting of this check box depends upon whether you have previously enabled Microsoft Update fallback in a policy, confirmed that decision, and then saved the policy. If you have never done so, this check box is cleared; otherwise, this check box is selected.

Scan archive files

Select this check box if you want virus and spyware scans to inspect archive files. Clear this check box if you want scans to exclude archive files.

Client Security identifies whether a file is an archive by the file's data type, not by the file name extension. The types of files that Client Security regards as archive files are extensible by updates. Archive files include (but are not limited to) the following file types:

  • ACE

  • ARC

  • ARJ

  • CAB

  • CHM

  • CPIO

  • CPT

  • HAP

  • ISO

  • InstallShield packages

  • LHA

  • LHZ

  • LZH

  • Nullsoft installer packages

  • OLE2

  • PDF

  • Q (Quantum)

  • RAR

  • SIT (but not SITX)

  • TAR

  • Wise Installer packages

  • ZIP

  • ZOO

Note

If you exclude an archive file type by using the Extensions box, Client Security does not scan that type of archive file, even when you have selected the Scan archive files check box.

By default, this check box is selected.
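
The interaction between content-based archive identification, the Scan archive files check box and the Extensions exclusion list can be modeled as follows. This is an added example, not Client Security code: the function names, the signature subset and the sample byte strings are assumptions constructed for illustration.

```python
import os

# Well-known magic-byte signatures for some archive types from the list above:
# (offset, signature, type). Illustrative subset, not the product's own table.
SIGNATURES = [
    (0, b"PK\x03\x04", "ZIP"),
    (0, b"Rar!\x1a\x07", "RAR"),
    (0, b"MSCF", "CAB"),
    (0, b"ITSF", "CHM"),
    (0, b"%PDF-", "PDF"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2"),
    (257, b"ustar", "TAR"),
]

def archive_type(data):
    """Identify an archive from its content (data type), ignoring the file name."""
    for offset, sig, name in SIGNATURES:
        if data[offset:offset + len(sig)] == sig:
            return name
    return None

def scan_decision(filename, data, scan_archives=True, excluded_extensions=()):
    """Hypothetical model of the documented rules, evaluated in this order:
    1. an excluded file name extension wins, even for archives;
    2. otherwise the content decides whether the file is an archive;
    3. archives are inspected only when 'Scan archive files' is selected."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext in {e.lstrip(".").lower() for e in excluded_extensions}:
        return "skipped: extension excluded"
    kind = archive_type(data)
    if kind is None:
        return "scanned: regular file"
    if not scan_archives:
        return f"skipped: {kind} archive, archive scanning off"
    return f"scanned: contents of {kind} archive inspected"

# Constructed sample inputs (headers only, not real files).
ZIP_BYTES = b"PK\x03\x04" + b"\x00" * 26
PDF_BYTES = b"%PDF-1.4\n"
TAR_BYTES = b"\x00" * 257 + b"ustar\x00"

if __name__ == "__main__":
    cases = [
        ("invoice.txt", ZIP_BYTES, True, []),       # ZIP content, .txt name
        ("backup.zip", ZIP_BYTES, True, [".zip"]),  # extension exclusion wins
        ("manual.pdf", PDF_BYTES, False, []),       # archive scanning cleared
        ("notes.txt", b"plain text", True, []),
    ]
    for name, data, scan, excl in cases:
        print(f"{name:12} -> {scan_decision(name, data, scan, excl)}")
```

The second case is the one to watch when reviewing a policy: every entry in the Extensions list removes that file type from scanning regardless of the Scan archive files setting, so keep the list as short as the deployment allows.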

Use heuristics to detect suspicious files

Select this check box if you want Client Security agents to use heuristics, in addition to malware definitions, to detect possible malware. Clear this check box if you want Client Security agents to use only malware definitions.

By default, this check box is selected.

Delete quarantined files

Select this check box if you want Client Security agents to delete files that they have quarantined as a result of a malware scan. Clear this check box if you do not want Client Security agents to delete quarantined files.

By default, this check box is cleared.

Delete after (days)

Specifies how long, in days, a Client Security agent waits to delete a quarantined file.

By default, this spin box is set to 90 days.

This spin box is available only when the Delete quarantined files check box is selected.

File and folder paths

Specifies the files and folders excluded from virus and spyware scans.

Click the Add button if you want to open a dialog box and browse for each file or folder that you want to exclude from scans.

Click the Remove button if you want to delete a selected file or folder exclusion from the list.

By default, this list is empty.

Extensions

Specifies the file types excluded from virus and spyware scans, as defined by file name extensions.

Click the Add button if you want to open a dialog box and specify a file name extension to exclude from scans.

Click the Remove button if you want to delete a selected file name extension from the list.

By default, this list is empty.

Users can view all Client Security settings and messages

Select this option if you want to grant local administrators access to the Client Security agent user interface (UI). In addition to being able to view the system tray icon and status messages, local administrators can see the Client Security agent UI and run scans.

Important

It is recommended that you configure the settings under Client options carefully. For more information about controlling the end-user experience, see the Client Security Administrator's Guide.

Users can only view system tray icon and status messages

Select this option if you want to limit all users to minimal access. This option denies all users, including local administrators, access to the Client Security agent UI.

By default, this option is selected.

Only administrators can change Client Security agent settings

Select this check box if you want only local administrators to see the Client Security agent UI and to run scans (only when access to the Client Security agent UI is allowed). Clear this check box if you want to allow all users to see the Client Security agent UI (only when access to the Client Security agent UI is allowed).

By default, this check box is cleared.

Allow users to add exclusions and overrides

Select this check box if you want to allow local administrators to add exclusions and overrides (only when access to the Client Security agent UI is allowed). Clear this check box if you want no one to use the agent UI to add exclusions and overrides.

By default, this check box is cleared.

Prompt user when unclassified software is detected

Select this check box if you want to enable the Client Security agent to prompt users when it detects unclassified software. Clear this check box if you do not want the agent to prompt users when it detects unclassified software.

This feature is not affected by other settings under Client options.

By default, this check box is cleared.

Overrides tab

Important

The settings on the Overrides tab are available only when, on the Protection tab, either the Virus protection list or the Spyware protection list is set to On.

Control Description

Overrides based on threat

This table displays malware or potentially unwanted applications that are allowed to run on client computers.

Important

Response overrides for specific threats take precedence over responses to malware category or severity. Response overrides for malware category take precedence over malware severity.

Click the Add button if you want to add an override.

Click the Remove button if you want to delete a selected override.

By default, this list is empty.

Drop-down lists in Name column

Specifies the malware or potentially unwanted application for which the override is configured.

Threat ID

(Read only) The ID of the malware threat, as specified by the malware definitions.

Category

(Read only) The category of the malware threat, as specified by the malware definitions.

Severity

(Read only) The severity of the malware threat, as specified by the malware definitions.

Overrides based on category and severity

This table displays override responses based on the category or severity of malware threats.

Important

Response overrides for specific threats take precedence over responses to malware category or severity. Response overrides for malware category take precedence over malware severity.

Click the Add button to add an override to the table. You can then edit the override.

Click the Remove button to delete a selected override from the list.

By default, this list is empty.

Drop-down lists in Classification column

Specifies whether an override is based on category or severity.

Drop-down lists in Type column

Specifies the category or severity of the override.

The contents of this list vary based on the selection made in the Classification list. If you selected Category, the Type list contains the possible malware types. If you selected Severity, the Type list contains the possible severities.

Drop-down lists in Override Response column

Specifies the response that a Client Security agent should take when it detects malware of the specified category or severity, regardless of the response identified in malware definitions.
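
The precedence rule stated on this tab (specific threat, then category, then severity, then the response from the malware definitions) can be checked against a planned set of overrides with a small model. This is an added example, not Client Security code: the class and function names, threat IDs, category names and response strings are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Detection:
    threat_id: int
    category: str
    severity: str
    definition_response: str  # response identified in the malware definitions

@dataclass
class Overrides:
    # "Overrides based on threat": threats that are allowed to run.
    allowed_threats: set = field(default_factory=set)
    # "Overrides based on category and severity": type -> override response.
    by_category: dict = field(default_factory=dict)
    by_severity: dict = field(default_factory=dict)

def resolve(det, ov):
    """Return (response, source, shadowed).

    source   -- which rule decided: threat, category, severity or definitions
    shadowed -- lower-precedence overrides that also matched but were ignored
    """
    candidates = []
    if det.threat_id in ov.allowed_threats:
        candidates.append(("threat", "allow"))
    if det.category in ov.by_category:
        candidates.append(("category", ov.by_category[det.category]))
    if det.severity in ov.by_severity:
        candidates.append(("severity", ov.by_severity[det.severity]))
    # The definitions' own response is the fallback when no override matches.
    candidates.append(("definitions", det.definition_response))
    source, response = candidates[0]
    shadowed = [name for name, _ in candidates[1:-1]]
    return response, source, shadowed

if __name__ == "__main__":
    # Constructed policy and detections; none of these values come from a
    # real definition set.
    policy = Overrides(
        allowed_threats={1001},
        by_category={"Adware": "quarantine"},
        by_severity={"Low": "ignore", "High": "remove"},
    )
    detections = [
        Detection(1001, "Adware", "Low", "remove"),
        Detection(2002, "Adware", "High", "ignore"),
        Detection(3003, "Trojan", "High", "quarantine"),
        Detection(4004, "Trojan", "Medium", "quarantine"),
    ]
    for d in detections:
        response, source, shadowed = resolve(d, policy)
        print(f"threat {d.threat_id}: {response} (decided by {source}; "
              f"shadowed: {', '.join(shadowed) or 'none'})")
```

The shadowed list is useful in policy review: an allowed threat silently defeats a stricter category or severity override for the same detection.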

Reporting tab

Control Description

Specify the alert level

Specifies the frequency with which alerts are generated by computers protected by this policy. Alert level 5 results in the most alerts, and alert level 1 results in the fewest.

The alert level you assign to a policy affects how Client Security notifies you of issues with client computers. In general, the higher you set the alert level of a policy, the more events Client Security will issue alerts for. Also, at higher alert levels, individual events receive alerts, whereas at lower alert levels, many events may be combined into a single alert, such as a successful response to malware discovered on many client computers that are assigned a low alert level.

The alert level you assign a policy should reflect the importance of the computers to which you deploy the policy. For example, if you intend to deploy a policy to mission-critical servers, you may want to set the policy's alert level to 5, which will provide you the highest degree of notification of issues with the servers.

By default, this slider is set to 3.

Do not log events for files marked "Unknown"

Select this check box if you do not want Client Security agents to generate events when they detect files of an unknown type. Clear this check box if you want agents to generate events when they detect files of an unknown type.

If you want to reduce the number of events logged in client computer event logs, you can configure the policies deployed to those computers to not log events for files marked unknown.

By default, the Client Security agent does not log events for unknown files.

SpyNet reporting

Specifies whether client computers participate in SpyNet, which is the online community that helps you choose how to respond to potential malware threats. SpyNet also helps stop the spread of new malware infections.

This list is available only when either the Virus protection list or the Spyware protection list is set to On.

You can select one of the following:

  • Off—Disables participation in SpyNet.

  • Basic—Enables basic membership in SpyNet. Client Security sends basic information about detected items and the actions you apply. In some instances, personal information may be sent but no information is used to contact users.

  • Advanced—Enables advanced membership in SpyNet. Client Security sends your choices and additional information about detected items. Your decisions regarding detected items can help Microsoft create new definitions and better detect malware. In some instances, personal information may be sent but no information is used to contact users.

By default, this list is set to Basic.

Use Internet Explorer settings

Select this option if either of the following is true:

  • Client Security agents use the same settings as Internet Explorer to connect to the Internet.

  • Client Security agents do not need to use a proxy setting.

This option is available only when both of the following are true:

  • On the Protection tab, either the Virus protection list or the Spyware protection list is set to On.

  • The SpyNet Reporting list is set to Basic or Advanced.

Use other proxy server and port

Select this option if you want to specify custom proxy server settings to allow client computers to connect to the Internet. In the text box, type the server name and port number. For example, proxyserver.contoso.com:8080

This option is available only when both of the following are true:

  • On the Protection tab, either the Virus protection list or the Spyware protection list is set to On.

  • The SpyNet Reporting list is set to Basic or Advanced.