HOW TO: Disable heuristic detections for the (Authentium) Command engine in Antigen 9 or Forefront Server Security products

Article ID: 963033
Source: Microsoft Support

RAPID PUBLISHING

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.

Symptom

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs.

For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


Antigen or Forefront Server Security products may make heuristic detections using the (Authentium) Command engine, returning one of the following virus names:

·         "is based on a remote template"

·         "could be infected with an unknown virus"

·         "could be a destructive program"


You may experience regular heuristic detections in which the Command engine has named the virus as above. If you believe that the affected files are legitimate and not infected, and you have used a local AV scanner to verify that each file is clean (not infected), you may wish to disable future detections of this nature. Follow the workaround in the More Information section to disable these types of heuristic detections. If you are in any doubt about the validity of the Command engine detections, you may wish to open a Microsoft Support 'Advisory' case before implementing the workaround.

More Information

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To disable any of these detections, you will need to ensure that your Command scan engine has updated to Update Version 0811030004 or above, and create a new registry value. To do this, follow these steps:


A:   Create registry values for all desired exclusions of heuristic detections for the (Authentium) Command engine:

1. First, decide which heuristic detections you wish to exclude, for example:

a. "is based on a remote template"

b. "could be infected with an unknown virus"

c. "could be a destructive program"

2. Open Registry Editor and navigate to the Engines key for your product:

·         For Antigen 9 products (x86): HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Engines

·         For Forefront Server Security products (x64): HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Engines

3. Right-click the \Engines key and select New > Key. Type "Command" as the name of the new key.

4. In the new Command key, right-click and choose New > Multi-String Value (see the Note below for Windows 2000). Enter "IgnoreVirusNames" as the value name.

5. Double-click the IgnoreVirusNames value and add each virus name ("exclusion string") that you wish to disable on a separate line in the Value Data field, e.g.

is based on a remote template

could be infected with an unknown virus

could be a destructive program

6. Close Registry Editor.


Note:  In Windows 2000 there is no Multi-String Value available. To work around this, choose Binary Value instead and enter "IgnoreVirusNames" as the value name. When you edit this Binary Value, you can type the exclusion strings in the right-hand side of the Value Data field. To separate multiple exclusion strings, click in the binary area of the Value Data field and enter 00 (zero, zero) after each string. When you have finished adding exclusion strings, enter 00 00 (zero, zero, zero, zero) at the end of the data in the binary area of the Value Data field.


Example: When entering "is based on a remote template" and "could be infected with an unknown virus" as exclusion strings, the binary Value Data field should appear as follows:


0000    69 73 20 62 61 73 65 64  is based
0008    20 6F 6E 20 61 20 72 65   on a re
0010    6D 6F 74 65 20 74 65 6D  mote tem
0018    70 6C 61 74 65 00 63 6F  plate.co
0020    75 6C 64 20 62 65 20 69  uld be i
0028    6E 66 65 63 74 65 64 20  nfected
0030    77 69 74 68 20 61 6E 20  with an
0038    75 6E 6B 6E 6F 77 6E 20  unknown
0040    76 69 72 75 73 00 00     virus..
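The following script is an added example, not part of this KB article, that carries out steps A.1 to A.6 from an elevated PowerShell prompt: it selects the Engines key for the chosen product, creates the Command subkey, and writes IgnoreVirusNames either as a Multi-String value or, with -UseBinary, in the Windows 2000 binary layout shown in the hex dump above (each string followed by 00, the list terminated by 00 00). The parameter names, the -UseBinary switch and the default exclusion list are assumptions of this example; the key paths and value name are the ones given in the steps.

```powershell
# Added example (not from the KB article): creates Command\IgnoreVirusNames
# as described in steps A.1-A.6. Run in an elevated PowerShell on the server.
param(
    [ValidateSet('Antigen9', 'Forefront')]
    [string]$Product = 'Forefront',
    [string[]]$Exclusions = @(
        'is based on a remote template',
        'could be infected with an unknown virus',
        'could be a destructive program'
    ),
    [switch]$UseBinary   # Windows 2000 layout from the Note: REG_BINARY instead of REG_MULTI_SZ
)

# Engines key per product, exactly as listed in step A.2
$engineKey = switch ($Product) {
    'Antigen9'  { 'HKLM:\SOFTWARE\Sybari Software\Engines' }
    'Forefront' { 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Engines' }
}
$commandKey = Join-Path $engineKey 'Command'

# Step A.3: create the Command subkey if it is missing
if (-not (Test-Path $commandKey)) {
    New-Item -Path $commandKey -Force | Out-Null
}

if ($UseBinary) {
    # Binary layout from the Note and the hex dump: each string is followed by one 00 byte,
    # and the whole list ends with 00 00 (the final string is followed by two 00 bytes).
    $bytes = New-Object 'System.Collections.Generic.List[byte]'
    foreach ($s in $Exclusions) {
        $bytes.AddRange([System.Text.Encoding]::ASCII.GetBytes($s))
        $bytes.Add([byte]0)
    }
    $bytes.Add([byte]0)
    New-ItemProperty -Path $commandKey -Name 'IgnoreVirusNames' -Value $bytes.ToArray() `
        -PropertyType Binary -Force | Out-Null
} else {
    # Steps A.4-A.5: REG_MULTI_SZ with one exclusion string per line
    New-ItemProperty -Path $commandKey -Name 'IgnoreVirusNames' -Value $Exclusions `
        -PropertyType MultiString -Force | Out-Null
}

# Read the value back so you can confirm what the engine will ignore
(Get-ItemProperty -Path $commandKey -Name 'IgnoreVirusNames').IgnoreVirusNames
```

The registry value alone does nothing until step B has been completed and the Command engine reports Update Version 0811030004 or above.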


B:   Update your Command scan engine

1.       In the Antigen Administrator or Forefront Server Security Administrator, navigate to SETTINGS, Scanner Updates and then select the (Authentium) Command engine.

2.       Click on the 'Update Now' button on the right-hand side to initiate an update. The 'Update Now' button becomes grayed-out.

3.       Once the update has completed (either successfully or having failed), the 'Update Now' button is no longer grayed-out. At this point, check the Update Version number for the Command engine on the same screen. If you see Update Version 0811030004 or above, the registry settings will take effect.


By default, these values are not present and are therefore not active (i.e. the associated heuristic detections WILL take place by default).

Note: no restart of services is required for these changes to take effect.


Expected behavior: if the (Authentium) Command engine makes a heuristic detection that you have disabled, Antigen/Forefront Server Security will ignore it and take no action.

DISCLAIMER

MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.

Properties

Article ID: 963033 - Last Review: January 31, 2011 - Revision: 2.0
APPLIES TO
  • Microsoft Forefront Client Security
  • Microsoft Forefront Security for Exchange Server
  • Microsoft Forefront Endpoint Protection 2010
Keywords: 
kbnomt kbrapidpub fep2010swept KB963033
