Overriding default responses to malware

Applies To: Forefront Client Security

The definitions provide Client Security with a default action to take against each type of malware. It is highly likely that nearly all default actions will be acceptable; however, Client Security lets you set different responses, both for specific malware (based on threat) and by category or severity of malware. By default, a new policy contains no overrides.

When you edit or create a policy, use the Overrides tab to configure overrides to default malware responses and to view the category and severity of malware. You can also view the category and severity for any malware in the definitions file, with the exception of any malware considered to be a virus.

When you create an override based on threat, you are creating a whitelist that allows specific defined malware to run on a client without notification to the user. Overrides based on threat generally take precedence over all other overrides; however, any severity-based override that is set to Ignore will always take precedence over threat and category overrides.

Client Security applies the following order of precedence to determine which override to apply when there is more than one applicable override for detected malware:

  • Threat—Takes precedence over other overrides except when a severity override is set to Ignore.

  • Category—Applies only when there are no overrides for the specific malware detected (threat) and when there are no severity overrides set to Ignore.

  • Severity—Applies when there are no overrides for the specific malware detected (threat) or for the category of the detected malware, unless the severity override is set to Ignore. Any severity override set to Ignore takes precedence over other overrides.
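As an added illustration (not part of the original documentation), the precedence rules above expressed as a small resolver in Python; the policy tables, malware names and every response value other than Ignore are constructed placeholders, not Client Security identifiers.

```python
from dataclasses import dataclass, field
from typing import Dict

IGNORE = "Ignore"  # the only response value named on the page

@dataclass
class Policy:
    # Hypothetical model of the three override tables on the Overrides tab.
    threat: Dict[str, str] = field(default_factory=dict)    # malware name -> response
    category: Dict[str, str] = field(default_factory=dict)  # category -> response
    severity: Dict[str, str] = field(default_factory=dict)  # severity -> response

@dataclass
class Detection:
    name: str
    category: str
    severity: str
    default_response: str  # default action supplied by the definitions

def resolve(policy: Policy, d: Detection) -> str:
    """Pick the response for a detection using the precedence rules above."""
    sev = policy.severity.get(d.severity)
    if sev == IGNORE:            # a severity Ignore beats every other override
        return IGNORE
    if d.name in policy.threat:  # next, the override for this specific malware
        return policy.threat[d.name]
    if d.category in policy.category:  # then the category override
        return policy.category[d.category]
    if sev is not None:          # then a non-Ignore severity override
        return sev
    return d.default_response    # no override applies: definition default

# Constructed sample policy; response names other than Ignore are placeholders.
SAMPLE_POLICY = Policy(
    threat={"TestTool.Example": "Quarantine"},
    category={"Spyware": "Remove"},
    severity={"Low": "Ignore", "High": "Quarantine"},
)

def demo():
    """Walk the five branches with constructed detections."""
    cases = [
        Detection("TestTool.Example", "Spyware", "Low", "Remove"),   # Low=Ignore beats threat
        Detection("TestTool.Example", "Spyware", "High", "Remove"),  # threat beats the rest
        Detection("Other.Example", "Spyware", "High", "Remove"),     # category beats severity
        Detection("Other.Example", "Adware", "High", "Remove"),      # non-Ignore severity
        Detection("Other.Example", "Adware", "Medium", "Remove"),    # definition default
    ]
    return [resolve(SAMPLE_POLICY, c) for c in cases]
```

The first case is the one worth checking in a real policy review: a severity override set to Ignore silently suppresses even a threat-specific override for that malware.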

To view the category and severity for specific malware

  1. In the Client Security console, create or edit a policy. For more information about how to create or edit a policy, see Creating, editing, copying, and deleting policies.

  2. In the New Policy or Edit Policy dialog box, click the Overrides tab.

  3. Under Overrides based on threat, click Add. A new row appears in the table of overrides for specific malware.

  4. In the new row, from the Name list, select the malware whose category and severity you want to see. Client Security displays the information about the malware you select.

  5. When you have finished viewing information about malware, click Cancel.

To set an override based on threat

  1. In the Client Security console, create or edit a policy. For details about how to create or edit a policy, see Creating, editing, copying, and deleting policies.

  2. In the New Policy or Edit Policy dialog box, click the Overrides tab.

  3. Under Overrides based on threat, in the table of overrides, add a new row or locate the row you need to modify. To add a new row, click Add.

  4. In the row you added or located, from the Name list, select the malware for which you want to create an override. Client Security shows the category and severity for the malware you selected.

  5. After you finish creating or editing the policy, click OK.

  6. To apply the policy to client computers, you must deploy the policy. For information about deploying a policy, see Deploying and undeploying policies.

To set an override for a malware category or severity

  1. In the Client Security console, create or edit a policy. For details about how to create or edit a policy, see Creating, editing, copying, and deleting policies.

  2. In the New Policy or Edit Policy dialog box, click the Overrides tab.

  3. Under Overrides based on category and severity, in the table of overrides, add a new row or locate the row you need to modify. To add a new row, click Add.

  4. From the Classification list, select Severity or Category, as appropriate for the type of override you want to create.

  5. From the Type list, select the severity or category for which you want to create an override. The choices on the Type list reflect the selection you made on the Classification list.

  6. From the Override Response list, select the response that Client Security agents should take against malware of the category or severity you selected. For more information about responses, see About scans.

    Note

    If you select Ignore, the Client Security agent UI on client computers protected by the policy may incorrectly show the action as "Default action (definition-based)".

  7. After you finish creating or editing the policy, click OK.

  8. To apply the policy to client computers, you must deploy the policy. For information about deploying a policy, see Deploying and undeploying policies.

To remove an override

  1. In the Client Security console, edit a policy. For details about how to edit a policy, see Creating, editing, copying, and deleting policies.

  2. In the Edit Policy dialog box, click the Overrides tab.

  3. Under Overrides based on threat or Overrides based on category and severity, select the row you need to modify.

  4. Directly below the table containing the row that you selected, click Remove.

  5. After you finish creating or editing the policy, click OK.

  6. To apply the policy to client computers, you must deploy the policy. For information about deploying a policy, see Deploying and undeploying policies.