Share via


FEP ADMX Reference

Applies To: Forefront Endpoint Protection

The table below shows the policy settings available after loading FEP ADMX files. For more information about FEP ADMX files, see Configuring and Viewing FEP Group Policy Settings. For information about configuring policies by using Configuration Manager, see FEP Policies.

Name Setting Title Description Configurable via the Configuration Manager console

Endpoint Protection 2010

Allow antimalware service to start up with normal priority

This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance.

If you enable or do not configure this setting, the antimalware service will load as a normal priority task.

If you disable this setting, the antimalware service will load as a low priority task.

No

Endpoint Protection 2010

Turn on spyware definitions

This policy setting allows you to manage whether spyware definitions are used during a scan.

If you enable or do not configure this setting, spyware definitions will be enabled by default and used during scans.

If you disable this setting, spyware definitions will be disabled and will not be used during scans.

No

Endpoint Protection 2010

Turn on virus definitions

This policy setting allows you to manage whether virus definitions are used during a scan.

If you enable or do not configure this setting, virus definitions will be enabled and used during scans.

If you disable this setting, virus definitions will be disabled and will not be used during scans.

No

Endpoint Protection 2010

Configure local administrator merge behavior for lists

This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists, such as threats and exclusions.

If you enable or do not configure this setting, unique items defined in Group Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, Group policy Settings will override preference settings.

If you disable this setting, only items defined by Group Policy will be used in the resulting effective policy. Group Policy settings will override preference settings configured by the local administrator.

Yes

Endpoint Protection 2010

Turn on routine remediation

This policy setting allows you to configure routinely taking action on detected items. It is recommended that you enable this policy.

If you enable this setting, routine remediation will be enabled.

If you disable or do not configure this setting, routine remediation will be disabled.

No

Endpoint Protection 2010

Define addresses to bypass proxy server

This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL.

If you enable this setting, the proxy server will be bypassed for the specified addresses.

If you disable or do not configure this setting, the proxy server will not be bypassed for the specified addresses.

No

Endpoint Protection 2010

Define proxy server for connecting to the network

This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for definition updates when downloading from the Microsoft Malware Protection Center, and for SpyNet reporting. For definition updates from Microsoft Update or a WSUS server, the system-wide winhttp proxy setting is used. For more information about the winhttp proxy setting, see Microsoft Knowledge Base article 900935.

If the named proxy fails or if there is no proxy specified, the following settings will be used (in order):

  1. Internet Explorer proxy settings

  2. Autodetect

  3. None

If you enable this setting, the proxy will be set to the specified URL.

If you disable or do not configure this setting, the proxy will be set according to the order specified above.

No

Endpoint Protection 2010

Randomize scheduled task times

This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled definition update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time.

If you enable or do not configure this setting, scheduled tasks will begin at a random time within an interval of 30 minutes before and after the specified start time.

If you disable this setting, scheduled tasks will begin at the specified start time.

Yes

Endpoint Protection 2010

Allow antimalware service to remain running always

This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware definitions are disabled. It is recommended that this setting remain disabled.

If you enable this setting, the antimalware service will always remain running, even if both antivirus and antispyware definitions are disabled.

If you disable or do not configure this setting, the antimalware service will be stopped when both antivirus and antispyware definitions are disabled. If the computer is restarted, the service will be started if it is set to Automatic startup. After the service has started, there will be a check to see if antivirus and antispyware definitions are enabled. If at least one is enabled, the service will remain running. If both are disabled, the service will be stopped.

No

Exclusions

Extension exclusions

This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0.

Yes

Exclusions

Path exclusions

This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recommended that this be set to 0.

Yes

Exclusions

Process exclusions

This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. Note that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0.

Yes

Network Inspection System

Turn on protocol recognition

This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities.

If you enable or do not configure this setting, protocol recognition will be enabled.

If you disable this setting, protocol recognition will be disabled.

No

Network Inspection System

Turn on definition retirement

This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system is not vulnerable to the exploit detected by a definition, then that definition is "retired". If all definitions for a given protocol are retired, then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest security updates, network protection will have no impact on network performance.

If you enable or do not configure this setting, definition retirement will be enabled.

If you disable this setting, definition retirement will be disabled.

No

Network Inspection System

Define the rate of detection events for logging

This policy setting limits the rate at which detection events for network protection against exploits of known vulnerabilities will be logged. Logging will be limited to not more often than one event per the defined interval. The interval value is defined in minutes. The default interval is 60 minutes.

If you enable this setting, detection events will not be logged if there is more than one similar report (by definition GUID) in the specified number of minutes.

If you disable or do not configure this setting, detection events will be logged at the default rate.

No

Network Inspection System Exclusions

IP address range exclusions

This policy, if defined, will prevent network protection against exploits of known vulnerabilities from inspecting the specified IP addresses. IP addresses should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of an IP address range. As an example, a range might be defined as: 157.1.45.123-60.1.1.1. The value is not used and it is recommended that this be set to 0.

No

Network Inspection System Exclusions

Port number exclusions

This policy setting defines a list of TCP port numbers from which network traffic inspection will be disabled. Port numbers should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a TCP port number. As an example, a range might be defined as: 8080. The value is not used and it is recommended that this be set to 0.

No

Network Inspection System Exclusions

Process exclusions for outbound traffic

This policy setting defines processes from which outbound network traffic will not be inspected. Process names should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a process path and name. As an example, a process might be defined as: "C:\Windows\System32\App.exe". The value is not used and it is recommended that this be set to 0.

No

Network Inspection System Exclusions

Threat ID exclusions

This policy setting defines threats which will be excluded from detection during network traffic inspection. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a Threat ID. As an example, a Threat ID might be defined as: 2925110632. The value is not used and it is recommended that this be set to 0.

No

Quarantine

Configure local setting override for the removal of items from the Quarantine folder

This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Group Policy.

If you enable this setting, the local preference setting will take priority over Group Policy.

If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Yes

Quarantine

Configure removal of items from the Quarantine folder

This policy setting defines the number of days items should be kept in the Quarantine folder before being removed.

If you enable this setting, items will be removed from the Quarantine folder after the number of days specified.

If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed.

Yes

Real-Time Protection

Turn on behavior monitoring

This policy setting allows you to configure behavior monitoring.

If you enable or do not configure this setting, behavior monitoring will be enabled.

If you disable this setting, behavior monitoring will be disabled.

Yes

Real-time Protection

Turn on Information Protection Control

This policy setting allows you to configure Information Protection Control (IPC).

If you enable this setting, IPC will be enabled.

If you disable or do not configure this setting, IPC will be disabled.

No

Real-time Protection

Turn on network protection against exploits of known vulnerabilities

This policy setting allows you to configure network protection against exploits of known vulnerabilities.

If you enable or do not configure this setting, the network protection will be enabled.

If you disable this setting, the network protection will be disabled.

Yes

Real-time Protection

Scan all downloaded files and attachments

This policy setting allows you to configure scanning for all downloaded files and attachments.

If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled.

If you disable this setting, scanning for all downloaded files and attachments will be disabled.

Yes

Real-time Protection

Monitor file and program activity on your computer

This policy setting allows you to configure monitoring for file and program activity.

If you enable or do not configure this setting, monitoring for file and program activity will be enabled.

If you disable this setting, monitoring for file and program activity will be disabled.

Yes

Real-time Protection

Turn on raw volume write notifications

This policy setting controls whether raw volume write notifications are sent to behavior monitoring.

If you enable or do not configure this setting, raw write notifications will be enabled.

If you disable this setting, raw write notifications will be disabled.

No

Real-time Protection

Turn on real-time protection

This policy setting allows you to configure real-time protection. This setting controls all real-time protection components. It is recommended that you turn on real-time protection.

If you enable or do not configure this setting, real-time protection will be turned on.

If you disable this setting, real-time protection will be turned off.

Yes

Real-time Protection

Turn on process scanning whenever real-time protection is enabled

This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware that could start when real-time protection is turned off.

If you enable or do not configure this setting, a process scan will be initiated when real-time protection is turned on.

If you disable this setting, a process scan will not be initiated when real-time protection is turned on.

Yes

Real-time Protection

Define the maximum size of downloaded files and attachments to be scanned

This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned.

If you enable this setting, downloaded files and attachments smaller than the size specified will be scanned.

If you disable or do not configure this setting, a default size will be applied.

No

Real-time Protection

Configure the local setting override for turning on behavior monitoring

This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy.

If you enable this setting, the local preference setting will take priority over Group Policy.

If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Yes

Real-time Protection

Configure the local setting override for monitoring file and program activity on your computer

This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy.

If you enable this setting, the local preference setting will take priority over Group Policy.

If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Yes

Real-time Protection

Configure the local setting override to turn off the Intrusion Prevention System

This policy setting configures a local override for the configuration of network protection against exploits of known vulnerabilities. This setting can only be set by Group Policy.

If you enable this setting, the local preference setting will take priority over Group Policy.

If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Yes

Real-time Protection

Configure the local setting override for scanning all downloaded files and attachments

This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy.

If you enable this setting, the local preference setting will take priority over Group Policy.

If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Yes

Real-time Protection

Configure the local setting override to turn on real-time protection

This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy.

If you enable this setting, the local preference setting will take priority over Group Policy.

If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Yes

Real-time Protection

Configure the local setting override to turn on script scanning

This policy setting configures a local override for the configuration of the script-scanning browser helper object in Internet Explorer. This setting can only be set by Group Policy.

If you enable this setting, the local preference setting will take priority over Group Policy.

If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Yes

Real-time Protection

Configure the local setting override for monitoring for incoming and outgoing file activity

This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy.

If you enable this setting, the local preference setting will take priority over Group Policy.

If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Yes

Real-time Protection

Configure monitoring for incoming and outgoing file and program activity

This policy setting allows you to configure monitoring for incoming and outgoing files, without having to turn off monitoring entirely. It is recommended for use on servers where there is a lot of incoming and outgoing file activity but for performance reasons need to have scanning disabled for a particular scan direction. The appropriate configuration should be evaluated based on the server role.

Note that this configuration is only honored for NTFS volumes. For any other file system type, full monitoring of file and program activity will be present on those volumes.

The options for this setting are mutually exclusive:

  1. 0 = Scan incoming and outgoing files (default)

  2. 1 = Scan incoming files only

  3. 2 = Scan outgoing files only

Any other value, or if the value does not exist, resolves to the default (0).

If you enable this setting, the specified type of monitoring will be enabled.

If you disable or do not configure this setting, monitoring for incoming and outgoing files will be enabled.

Yes

Remediation

Configure local setting override for the time of day to run a scheduled full scan to complete remediation

This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Group Policy.

If you enable this setting, the local preference setting will take priority over Group Policy.

If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Yes

Remediation

Specify the day of the week to run a scheduled full scan to complete remediation

This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. The scan can also be configured to run every day or to never run at all.

This setting can be configured with the following ordinal number values:

  • (0x0) Every Day (default)

  • (0x1) Sunday

  • (0x2) Monday

  • (0x3) Tuesday

  • (0x4) Wednesday

  • (0x5) Thursday

  • (0x6) Friday

  • (0x7) Saturday

  • (0x8) Never

If you enable this setting, a scheduled full scan to complete remediation will run at the frequency specified.

If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default frequency.

Yes

Remediation

Specify the time of day to run a scheduled full scan to complete remediation

This policy setting allows you to specify the time of day to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on the local time on the computer where the scan is executing.

If you enable this setting, a scheduled full scan to complete remediation will run at the time of day specified.

If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default time.

Yes

Reporting

Configure time out for detections requiring additional action

This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state.

No

Reporting

Configure time out for detections in a critically failed state

This policy setting configures the time, in minutes, before a detection in the “critically failed” state to moves to either the “additional action” state or the “cleared” state.

No

Reporting

Configure Watson events

This policy setting allows you to configure whether or not Watson events are sent.

If you enable or do not configure this setting, Watson events will be sent.

If you disable this setting, Watson events will not be sent.

No

Reporting

Configure time out for detections in a non-critical failed state

This policy setting configures the time, in minutes, before a detection in the "non-critically failed" state moves to the "cleared" state.

No

Reporting

Configure time out for detections in a recently remediated state

This policy setting configures the time, in minutes, before a detection in the "completed" state moves to the "cleared" state.

No

Reporting

Configure Windows software trace preprocessor components

This policy configures Windows software trace preprocessor (WPP Software Tracing) components

No

Reporting

Configure WPP tracing level

This policy allows you to configure tracing levels for the Windows software trace preprocessor (WPP Software Tracing).

Tracing levels are defined as:

  • 1 - Error

  • 2 - Warning

  • 3 - Info

  • 4 - Debug

No

Scan

Allow users to pause a scan

This policy setting allows you to manage whether or not end users can pause a scan in progress.

If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan.

If you disable this setting, users will not be able to pause scans.

No

Scan

Specify the maximum depth to scan archive files

This policy setting allows you to configure the maximum directory depth level into which archive files, such as .ZIP or .CAB, are unpacked during scanning. The default directory depth level is 0.

If you enable this setting, archive files will be scanned to the directory depth level specified.

If you disable or do not configure this setting, archive files will be scanned to the default directory depth level.

No

Scan

Specify the maximum size of archive files to be scanned

This policy setting allows you to configure the maximum size of archive files, such as .ZIP or .CAB, that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning.

If you enable this setting, archive files less than or equal to the size specified will be scanned.

If you disable or do not configure this setting, archive files will be scanned according to the default value.

No

Scan

Specify the maximum percentage of CPU utilization during a scan

This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization. The default value is 50.

If you enable this setting, CPU utilization will not exceed the percentage specified.

If you disable or do not configure this setting, CPU utilization will not exceed the default value.

Note

This policy setting is valid only for scheduled scans. It is not used when you perform an on-demand scan.

Yes

Scan

Check for the latest virus and spyware definitions before running a scheduled scan

This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan.

This setting applies to scheduled scans as well as the command line "mpcmdrun -SigUpdate", but it has no effect on scans initiated manually from the user interface.

If you enable this setting, a check for new definitions will occur before running a scan.

If you disable this setting or do not configure this setting, the scan will start using the existing definitions.

Yes

Scan

Scan archive files

This policy setting allows you to configure scans for malicious software and unwanted software in archive files, such as .ZIP or .CAB files.

If you enable or do not configure this setting, archive files will be scanned.

If you disable this setting, archive files will not be scanned.

Yes

Scan

Turn on a catch-up full scan

This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.

If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.

If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off.

Yes

Scan

Turn on a catch-up quick scan

This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.

If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.

If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off.

Yes

Scan

Turn on e-mail scanning

This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Microsoft Outlook®), dbx, mbx, mime (Outlook Express), binhex (Mac).

If you enable this setting, e-mail scanning will be enabled.

If you disable or do not configure this setting, e-mail scanning will be disabled.

No

Scan

Turn on heuristics

This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn off heuristics.

If you enable or do not configure this setting, heuristics will be enabled.

If you disable this setting, heuristics will be disabled.

Yes

Scan

Scan packed executables

This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled.

If you enable or do not configure this setting, packed executables will be scanned.

If you disable this setting, packed executables will not be scanned.

No

Scan

Scan removable drives

This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan.

If you enable this setting, removable drives will be scanned during any type of scan.

If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during a quick scan and a custom scan.

Yes

Scan

Turn on reparse point scanning

This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth, so at worst, scanning could be slowed. Reparse point scanning is disabled by default and this is the recommended state for this functionality.

If you enable this setting, reparse point scanning will be enabled.

If you disable or do not configure this setting, reparse point scanning will be disabled.

No

Scan

Create a system restore point

This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning.

If you enable this setting, a system restore point will be created.

If you disable or do not configure this setting, a system restore point will not be created.

Yes

Scan

Run a full scan on mapped network drives

This policy setting allows you to configure scanning mapped network drives.

If you enable this setting, mapped network drives will be scanned.

If you disable or do not configure this setting, mapped network drives will not be scanned.

Yes

Scan

Scan network files

This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting.

If you enable this setting, network files will be scanned.

If you disable or do not configure this setting, network files will not be scanned.

Yes

Scan

Configure a local setting override for a maximum percentage of CPU utilization

This policy setting configures a local override for the configuration of the maximum percentage of CPU utilization during a scan. This setting can only be set by Group Policy.

If you enable this setting, the local preference setting will take priority over Group Policy.

If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Yes

Scan

Configure a local setting override for the scan type to use for a scheduled scan

This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Group Policy.

If you enable this setting, the local preference setting will take priority over Group Policy.

If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Yes

Scan

Configure a local setting override for a scheduled scan day

This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group Policy.

If you enable this setting, the local preference setting will take priority over Group Policy.

If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Yes

Scan

Configure a local setting override for a scheduled quick scan time

This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Group Policy.

If you enable this setting, the local preference setting will take priority over Group Policy.

If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Yes

Scan

Block unsigned obfuscated executables

This policy setting allows you to manage whether to detect and block binaries that are obfuscated or binaries that do not have a trusted digital signature. For the signature on a binary to be trusted, it must chain to a code signing certificate in the Windows Trusted Root Program.

If you enable this setting, unsigned obfuscated executables will be blocked.

If you disable or do not configure this setting, unsigned obfuscated executables will not be blocked.

No

Scan

Turn on the removal of items from the scan history folder

This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to 0, items will be kept forever and will not be automatically removed. By default, the value is set to 30 days.

If you enable this setting, items will be removed from the scan history folder after the number of days specified.

If you disable or do not configure this setting, items will be kept in the scan history folder for the default number of days.

No

Scan

Specify the interval to run quick scans per day

This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If this value is set to 0, quick scans will not be scheduled on an hourly interval; instead, quick scans will occur as specified by the Specify the time for a daily quick scan policy. By default, this setting is set to 0.

If you enable this setting, a quick scan will run at the interval specified.

If you disable or do not configure this setting, a quick scan will run at a default time.

Yes

Scan

Start the scheduled scan only when the computer is on, but not in use

This policy setting allows you to configure scheduled scans to start only when your computer is on, but not in use.

If you enable or do not configure this setting, scheduled scans will only run when the computer is on, but not in use.

If you disable this setting, scheduled scans will run at the scheduled time.

Yes

Scan

Specify the scan type to use for a scheduled scan

This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are:

  • 1 = Quick Scan (default)

  • 2 = Full Scan

If you enable this setting, the scan type will be set to the specified value.

If you disable or do not configure this setting, the default scan type will used.

Yes

Scan

Specify the day of the week to run a scheduled scan

This policy setting allows you to specify the day of the week to perform a scheduled scan. The scan can also be configured to run every day or to never run at all.

This setting can be configured with the following ordinal number values:

  • (0x0) Every Day (default)

  • (0x1) Sunday

  • (0x2) Monday

  • (0x3) Tuesday

  • (0x4) Wednesday

  • (0x5) Thursday

  • (0x6) Friday

  • (0x7) Saturday

  • (0x8) Never

If you enable this setting, a scheduled scan will run at the frequency specified.

If you disable or do not configure this setting, a scheduled scan will run at a default frequency.

Yes

Scan

Specify the time for a daily quick scan

This policy setting allows you to specify the time of day to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on the local time on the computer where the scan is executing.

If you enable this setting, a daily quick scan will run at the time of day specified.

If you disable or do not configure this setting, a daily quick scan will run at a default time.

Yes

Scan

Specify the time of day to run a scheduled scan

This policy setting allows you to specify the time of day to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on the local time on the computer where the scan is executing.

If you enable this setting, a scheduled scan will run at the time of day specified.

If you disable or do not configure this setting, a scheduled scan will run at a default time.

Yes

Signature Updates

Define the number of days before spyware definitions are considered out of date

This policy setting allows you to define the number of days that must pass before spyware definitions are considered out of date. If definitions are determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 7 days.

If you enable this setting, spyware definitions will be considered out of date after the number of days specified have passed without an update.

If you disable or do not configure this setting, spyware definitions will be considered out of date after the default number of days have passed without an update.

Yes

Signature Updates

Define the number of days before virus definitions are considered out of date

This policy setting allows you to define the number of days that must pass before virus definitions are considered out of date. If definitions are determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 7 days.

If you enable this setting, virus definitions will be considered out of date after the number of days specified have passed without an update.

If you disable or do not configure this setting, virus definitions will be considered out of date after the default number of days have passed without an update.

Yes

Signature Updates

Define file shares for downloading definition updates

This policy setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by default.

If you enable this setting, the specified sources will be contacted for definition updates. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.

If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted.

Yes

Signature Updates

Turn on an automatic scan after signature update

This policy setting allows you to configure the automatic scan that starts after a definition update has occurred.

If you enable or do not configure this setting, a scan will start following a definition update.

If you disable this setting, a scan will not start following a definition update.

Yes

Signature Updates

Allow definition updates when running on battery power

This policy setting allows you to configure definition updates on start up when there is no antimalware engine present.

If you enable or do not configure this setting, definition updates will be initiated on startup when there is no antimalware engine present.

If you disable this setting, definition updates will not be initiated on startup when there is no antimalware engine present.

Yes

Signature Updates

Define the order of sources for downloading definition updates

This policy setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares”

For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }

If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.

If you disable or do not configure this setting, definition update sources will be contacted in a default order.

Yes

Signature Updates

Allow definition updates from Microsoft Update

This policy setting allows you to enable the download of definition updates from Microsoft Update even if the Automatic Updates default server is configured to another download source, such as Windows Update.

If you enable this setting, definition updates will be downloaded from Microsoft Update.

If you disable or do not configure this setting, definition updates will be downloaded from the configured download source.

Yes

Signature Updates

Allow real-time definition updates based on reports to Microsoft SpyNet

This policy setting allows you to enable real-time definition updates in response to reports sent to Microsoft SpyNet. If the service reports a file as an unknown and Microsoft SpyNet finds that the latest definition update has definitions for a threat involving that file, the service will receive all of the latest definitions for that threat immediately. You must have configured your computer to join Microsoft SpyNet for this functionality to work.

If you enable or do not configure this setting, real-time definition updates will be enabled.

If you disable this setting, real-time definition updates will disabled.

No

Signature Updates

Specify the day of the week to check for definition updates

This policy setting allows you to specify the day of the week to check for definition updates. The check can also be configured to run every day or to never run at all.

This setting can be configured with the following ordinal number values:

  • (0x0) Every Day (default)

  • (0x1) Sunday

  • (0x2) Monday

  • (0x3) Tuesday

  • (0x4) Wednesday

  • (0x5) Thursday

  • (0x6) Friday

  • (0x7) Saturday

  • (0x8) Never

If you enable this setting, the check for definition updates will occur at the frequency specified.

If you disable or do not configure this setting, the check for definition updates will occur at a default frequency.

Yes

Signature Updates

Specify the time to check for definition updates

This policy setting allows you to specify the time of day to check for definition updates. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is configured to check for definition updates 15 minutes before the scheduled scan time. The schedule is based on the local time on the computer where the check is occurring.

If you enable this setting, the check for definition updates will occur at the time of day specified.

If you disable or do not configure this setting, the check for definition updates will occur at the default time.

Yes

Signature Updates

Allow notifications to disable definitions based on reports to Microsoft SpyNet

This policy setting allows you to configure the antimalware service to receive notifications to disable individual definitions in response to reports it sends to Microsoft SpyNet. Microsoft SpyNet uses these notifications to disable definitions that are causing false positive reports. You must have configured your computer to join Microsoft SpyNet for this functionality to work.

If you enable this setting or do not configure, the antimalware service will receive notifications to disable definitions.

If you disable this setting, the antimalware service will not receive notifications to disable definitions.

No

Signature Updates

Define the number of days after which a catch-up definition update is required

This policy setting allows you to define the number of days after which a catch-up definition update will be required. By default, the value of this setting is 1 day.

If you enable this setting, a catch-up definition update will occur after the specified number of days.

If you disable or do not configure this setting, a catch-up definition update will be required after the default number of days.

Yes

Signature Updates

Specify the interval to check for definition updates

This policy setting allows you to specify an interval to check for definition updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day).

If you enable this setting, checks for definition updates will occur at the interval specified.

If you disable or do not configure this setting, checks for definition updates will occur at the default interval.

Yes

Signature Updates

Check for the latest virus and spyware definitions on startup

This policy setting allows you to manage whether a check for new virus and spyware definitions will occur immediately after service startup.

If you enable this setting, a check for new definitions will occur after service startup.

If you disable this setting or do not configure this setting, a check for new definitions will not occur after service startup.

No

SpyNet

Configure the local setting override for reporting to Microsoft SpyNet

This policy setting configures a local override for the configuration to join Microsoft SpyNet. This setting can only be set by Group Policy.

If you enable this setting, the local preference setting will take priority over Group Policy.

If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.

Yes

SpyNet

Join Microsoft SpyNet

This policy setting allows you to join Microsoft SpyNet. Microsoft SpyNet is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections.

You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and helps it to protect your computer. This information can include things like the location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you.

Possible options are:

  • (0x0) Disabled (default)

  • (0x1) Basic membership

  • (0x2) Advanced membership

Basic membership will send basic information to Microsoft about software that has been detected, including where the software came from, the actions that you apply or that are applied automatically, and whether the actions were successful.

Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer.

If you enable this setting, you will join Microsoft SpyNet with the membership specified.

If you disable or do not configure this setting, you will not join Microsoft SpyNet.

Yes

Threats

Specify threats upon which default action should not be taken when detected

This policy setting customizes which remediation action will be taken for each listed Threat ID when it is detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains the action ID for the remediation action that should be taken.

Valid remediation action values are:

  • 2 = Quarantine

  • 3 = Remove

  • 6 = Ignore

Yes

Threats

Specify threat alert levels at which default action should not be taken when detected

This policy setting allows you to customize which automatic remediation action will be taken for each threat alert level. Threat alert levels should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a threat alert level. The value contains the action ID for the remediation action that should be taken.

Valid threat alert levels are:

  • 1 = Low

  • 2 = Medium

  • 4 = High

  • 5 = Severe

Valid remediation action values are:

  • 2=Quarantine

  • 3=Remove

  • 6=Ignore

Yes

UX Configuration

Display notifications to clients when they need to perform actions

This policy setting allows you to configure whether or not to display notifications to clients when they need to perform the following actions:

  • Run a full scan

  • Download the latest virus and spyware definitions

  • Download the Standalone System Sweeper

If you enable or do not configure this setting, notifications will be displayed to clients when they need to perform the specified actions.

If you disable this setting, notifications will not be displayed to clients when they need to perform the specified actions.

Yes