Scanning removable drives
In response to a recent question via this blog, I’d like to explain a setting for antimalware scanning in Forefront Client Security that you can configure via a registry key.
FCS scans removable drives at certain times. When you insert a removable drive, the boot sector of that drive is scanned. After that, when you access a file on a removable drive, it's scanned. When you run a full scan, removable drives are not scanned.
There is a registry key that can control this, however. You can change/add the registry key with either a .reg file or via a custom ADM, as described in the More Information section of KB 971026 (https://support.microsoft.com/default.aspx/kb/971026).
The registry key that must be changed is the Forefront Client Security policy key. The key name is DisableRemovableDriveScanning, and has two possible settings:
· Missing or 1: removable drives are not included in full scans
· 0 (zero): removable drives are scanned in full scans
Permissions on this key prevent direct editing, so you must use one of the two methods described in the KB article referenced above.
For the ADM file, start Notepad, and then copy and paste the following text into the Notepad file:
CLASS MACHINE
CATEGORY !!FCSCategory
POLICY !!RemovableDriveScanning_Name
KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan"
EXPLAIN !!RemovableDriveScanning_Explain
;; Note that instead of disabling a disable we flip-flop the logic to make it proactive
VALUENAME DisableRemovableDriveScanning
VALUEON NUMERIC 0
VALUEOFF NUMERIC 1
END POLICY
END CATEGORY
[strings]
FCSCategory="Microsoft Forefront Client Security"
RemovableDriveScanning_Name="Enabling removable drive scanning"
RemovableDriveScanning_Explain="This setting instructs the FCS antimalware client to scan removable drives during full scans"
Save the file as an ADM file, making sure to choose All files *.* as the file type (the KB suggests saving it with the KB ID number – for this one, you could use RemovableDrive.ADM as the file name), and then use Group Policy to deploy the new setting, as described in Option 1, step 2, in the KB article.
If you want to deploy the DisableRemovableDriveScanning key via a .reg file, follow the steps described in Option 2 in the KB article, substituting the following registry information for step 4:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan]
"DisableRemovableDriveScanning"=dword:0