Revisions to Forefront Client Security Best Practice Analyzer

Article ID: 976986

INTRODUCTION

This article lists and describes the revisions that are made to the Forefront Client Security (FCS) Best Practices Analyzer after its initial release. This article contains information about new checks and information about updates to existing checks. This article is not intended to replace the release information for the Web version of Forefront Client Security (FCS) Best Practice Analyzer that is located on the following TechNet Web site:
Client Security Best Practices Analyzer
To download and install the Forefront Client Security (FCS) Best Practice Analyzer, visit the following Microsoft Web site:
Microsoft Forefront Client Security BPA
After you install the Forefront Client Security (FCS) Best Practice Analyzer, run it by executing Fcsbpa.exe from the BPA folder in your Client Security installation directory. By default, the executable is located at the following path:
C:\Program Files\Microsoft Forefront\Client Security\BPA\fcsbpa.exe

MORE INFORMATION

Version 1.0.1733.0

Addition: Low and medium severity threat overrides are not present

By default, Client Security will not suspend some potentially unwanted software that may also be used for legitimate purposes.  Client Security enables administrators to override this default behavior, depending on their organizations’ risk tolerances.  A best practice result is presented if both low and medium severity threat overrides for either remove or quarantine are not found in a deployed Client Security policy. Additional information on this scenario can be found here:

http://blogs.technet.com/b/clientsecurity/archive/2010/09/17/understanding-how-forefront-client-security-responds-to-potentially-unwanted-software.aspx

Note: Results from this check can be safely ignored when they are presented on down-level nodes participating in an Enterprise Manager configuration where policy is deployed through Enterprise Manager.


Addition: Missing down-level database servers

Enterprise Manager is designed to help larger Client Security deployments centrally manage up to 100,000 clients.  When installed, no client computers send information directly to Enterprise Manager; instead client computer information primarily resides on down-level Client Security deployments.  The Enterprise Manager instance queries up to 10 down-level Client Security deployments to generate reports and dashboard data. More information on Enterprise Manager can be found at: http://technet.microsoft.com/en-us/library/bb896626.aspx 

As described above, Enterprise Manager sources its data from the down-level Client Security deployments.  If no down-level deployments have been installed then the Enterprise Manager dashboard and reports will contain no data.  An error is presented if Enterprise Manager is installed but there are no down-level servers in the Client Security database.

To correct this issue, install the Enterprise Manager down-level components on your down-level deployments. If you have inadvertently installed Enterprise Manager and do not have down-level deployments, uninstall Enterprise Manager and rerun the Client Security configuration wizard.


Revision: Importing and Exporting BPA results on Windows Server 2008

This revision of the BPA contains a fix for a user interface hang when importing and exporting BPA results on Windows Server 2008.


Version 1.0.1727.11

Addition: Number of Client Security clients check

The Collection database is queried to count the number of computers that have reported within the last 30 days. If the number of computers is 1 or 0, an error is reported to indicate a deployment issue in which an FCS server is managing no client computers.

If the number of computers is greater than 10,000, an error is reported to indicate that the supported client limits have been exceeded. If the number of client computers exceeds 10,000, a Client Security administrator will have to remove computers from this server installation. Client computers can be reconfigured to report to a different Client Security server through several methods. Additional information on these methods can be found here:

http://blogs.technet.com/b/fcsnerds/archive/2008/11/12/changing-the-management-group-to-which-an-fcs-client-reports.aspx


Addition: Windows 2000 Client check

The Collection database is queried to count the number of computers with operating system version "5.0" (Windows 2000) that have reported within the last 30 days. If the value is greater than 0, a warning is presented to indicate that Windows 2000 support ends July 13, 2010. For more information about how to migrate servers and clients, see http://go.microsoft.com/fwlink/?LinkId=82060.


Addition: Data transformation services last run time check

The Collection database is queried to determine the last time that the data transformation services (DTS) job, which transfers data between the Collection database and reporting database, was successfully run. This job should be run every night. If the last successful run was more than 24 hours ago, a warning is presented along with the date and time of the last successful completion. For steps to troubleshoot a DTS job failure, see http://support.microsoft.com/kb/899158.

Addition: Reporting database retention interval check

The Reporting database is queried to determine the maximum retention interval set for the reporting data. If the default value of 395 days is set, a best practice event is logged to indicate that the default interval should be reviewed to make sure that it aligns with your company data retention policies. A non-default interval is shown as informational. For information about modifying the Reporting database retention interval, see the following Microsoft Knowledge Base article: http://support.microsoft.com/kb/887016/.


Addition: Collection Database sizing check

This check will query for the current size of the Collection database files (not including transaction log files). It then uses the value determined in the "Number of Client Security clients check" and a multiplier value to determine an estimated database size. If the Collection database does not meet or exceed the estimated size, a warning is shown.

For guidance on sizing your Client Security database see the Performance and Scalability guide at http://technet.microsoft.com/en-us/library/bb418772.aspx. For steps to resize an existing database see http://msdn.microsoft.com/en-us/library/ms175890(SQL.90).aspx.


Addition: Reporting Database sizing check

This check will query for the current size of the Reporting database files (not including transaction log files). It then uses the value determined by the "Number of Client Security clients check," the retention interval determined in the "Reporting database retention interval check," and a multiplier value to determine an estimated database size. If the Reporting database does not meet or exceed the estimated size, a warning is shown.

For guidance about sizing your Client Security database see the Performance and Scalability guide at http://technet.microsoft.com/en-us/library/bb418772.aspx. For steps to resize an existing database, see http://msdn.microsoft.com/en-us/library/ms175890(SQL.90).aspx.


Addition: Collection Database recovery model check

A recovery model of "Simple" is recommended for the Collection database to avoid certain performance problems, as described in the Client Security disaster recovery guide and in the following Knowledge Base article: "Reasons why you should use the Simple recovery model for the MOM 2005 OnePoint and SystemCenterReporting databases" (http://support.microsoft.com/kb/929870). This check will query for the current recovery model of the Collection database. If the Collection database is not set to "Simple," a non-default event is recorded.


Addition: Reporting Database recovery model check

A recovery model of "Simple" is recommended for the Reporting database to avoid certain performance problems, as described in the Client Security disaster recovery guide and in the following Knowledge Base article: "Reasons why you should use the Simple recovery model for the MOM 2005 OnePoint and SystemCenterReporting databases" (http://support.microsoft.com/kb/929870). This check will query for the current recovery model of the Reporting database. If the Collection database is not set to "Simple," a non-default event is recorded.


Addition: Collection Database last backup check

Backing up the Collection database is a critical component of a Client Security disaster recovery strategy. This check queries for the last time that a backup was performed on the Collection database. If the Collection database has never been backed up, a warning event is raised. If the Collection database has been backed up previously but not in the last day, a Best Practice event is produced. For more information about best practices for backing up the Collection (OnePoint) database, see http://technet.microsoft.com/en-us/library/cc180782.aspx. For more information on Client Security database disaster recovery, see http://technet.microsoft.com/en-us/library/bb418814.aspx.


Addition: Reporting Database last backup check

Backing up the Reporting database is an important component of a Client Security disaster recovery strategy. This check will query for the last time that a backup was performed on the Reporting database. If the Reporting database has never been backed up, a warning event is raised. If the Reporting database has been backed up previously but not in the last 7 days, a Best Practice event is produced. For more information about best practices for backing up the Reporting (SystemCenterReporting) database, see http://technet.microsoft.com/en-us/library/cc180782.aspx. For more information about Client Security database disaster recovery see http://technet.microsoft.com/en-us/library/bb418814.aspx.
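As an added illustration (not code from the BPA or from this article), the T-SQL below reproduces the recovery model and last-backup checks for both databases in one query, using the thresholds described above. It assumes the default database names OnePoint (Collection) and SystemCenterReporting (Reporting) and is run on the SQL Server instance that hosts them.

```sql
-- Added example: recovery model and last full backup for the
-- Collection (OnePoint) and Reporting (SystemCenterReporting) databases.
-- Assumes default database names; adjust the WHERE clause if renamed.
-- Thresholds follow the BPA description: never backed up = Warning,
-- Collection older than 1 day / Reporting older than 7 days = Best Practice,
-- recovery model other than Simple = Non-default.
WITH last_full AS (
    SELECT database_name,
           MAX(backup_finish_date) AS last_full_backup
    FROM msdb.dbo.backupset
    WHERE type = 'D'                      -- 'D' = full database backup
    GROUP BY database_name
)
SELECT d.name                              AS database_name,
       d.recovery_model_desc,
       CASE WHEN d.recovery_model_desc <> 'SIMPLE'
            THEN 'Non-default: Simple recovery model is recommended'
            ELSE 'OK'
       END                                 AS recovery_model_result,
       f.last_full_backup,
       CASE
           WHEN f.last_full_backup IS NULL
               THEN 'Warning: database has never been backed up'
           WHEN d.name = 'OnePoint'
                AND f.last_full_backup < DATEADD(day, -1, GETDATE())
               THEN 'Best Practice: last backup is older than 1 day'
           WHEN d.name = 'SystemCenterReporting'
                AND f.last_full_backup < DATEADD(day, -7, GETDATE())
               THEN 'Best Practice: last backup is older than 7 days'
           ELSE 'OK'
       END                                 AS backup_result
FROM sys.databases AS d
LEFT JOIN last_full AS f
    ON f.database_name = d.name
WHERE d.name IN ('OnePoint', 'SystemCenterReporting');
```

The query needs VIEW ANY DATABASE on the instance and read access to msdb; a database that exists but returns no msdb.dbo.backupset row is reported as never backed up.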


Addition: Check for threat metadata

The Management service that runs on the Client Security Management server role is responsible for reading malware threat information from its local antimalware definitions and adding that information to the Collection database. That information is then used in Client Security reporting, alerting, and policy overrides.

If the malware threat information in the Collection database is empty, this indicates that there is a problem in the Management service, and an error event is produced. Typically, this is because the management service is not running or because a service principal name (SPN) must be registered for the Collection database.

If the malware threat information in the Collection database contains only a handful of threats, a warning will be produced. This indicates that the management service was able to add threats to the database, but there is a problem with the definition updates on the Management server, and the server is using the default 1.0.0.0 definitions. If this occurs, you should troubleshoot and update the definitions on the Management server.

For more information about these issues, see the Client Security troubleshooting guide at http://technet.microsoft.com/en-us/library/bb418961.aspx.


Addition: Start menu shortcut

A Start menu shortcut was added to the installation package to help run the best practice analyzer.



Revision: BPA Home page link

The FCS BPA home page link that is shown in the left navigation pane of the BPA was modified to point to this Knowledge Base article.


Revision: Topology Check

This check was revised to no longer produce an error when run on a WSUS server that does not have any Client Security roles installed.


Revision: WSUS Approval rule for Definition Update configuration

This check was revised to include a warning if all approval rules, including the default rule, have been removed.

Version 1.0.1721.2

Addition: Windows Server Update Services (WSUS) checks

Forefront Client Security (FCS) uses WSUS for the deployment of definition updates and for the installation of new client agents to remote computers.
  • Version / Not present
    This check queries the registry to determine whether WSUS is installed. If not, the program states that WSUS is not installed, and no more WSUS checks are performed. If WSUS is installed, and if the major version number is 2, a warning is presented, and no more checks are performed. This behavior occurs because versions that have the major version number 2 are no longer supported. If WSUS is installed, if the major version number is 3, and if the latest service pack is not installed, a warning is presented. If it is installed, the program states that the current service pack is installed.
  • Automatic synchronization status
    This check queries to determine whether WSUS is configured to synchronize automatically and to determine whether the FCS Update Assistant service is present and is set to Automatic. If neither of these checks is true, a best practice event is presented to indicate that a manual synchronization is required.
  • Number of synchronizations per day
    This check queries to determine whether WSUS is configured for automatic synchronization. The number of synchronizations per day is presented.
  • Definition Updates classification synchronization configuration
    This check queries to determine whether the Definition Updates classification is configured for synchronization. If not, a warning is presented.
  • Updates classification synchronization configuration
    This check queries to determine whether the Updates classification contains the Client Security deployment package and to determine whether the Updates classification is configured for synchronization. If not, a warning is presented.
  • Forefront Client Security product synchronization configuration
    This check queries to determine whether the Forefront Client Security product is configured for synchronization. If not, an error is presented.
  • Approval rule for Definition Update configuration
    This check queries to determine whether there is a rule that automatically approves FCS definition updates for deployment. If not, a warning is presented. This check does not interrogate any target group configuration.
  • Number of target computers
    This check queries to determine whether the number of computers reporting to WSUS is one or zero. If true, a warning is presented. If the number of clients is greater than one, the number of target computers is presented.
  • Number of expired definitions
    FCS definition updates will accumulate over time on a WSUS server, consuming disk and database resources. This check queries for expired FCS definitions that are no longer being used and issues a best practice warning if more than a month's worth are found.
  • Most recent anti-malware definition version
    This check queries to determine whether an approved anti-malware definition is not superseded. If found, this definition is displayed together with its version number. There should be only one of these definitions.
  • FCS client deployment package approval status
    Client Security can be deployed to client computers by using WSUS. This check queries to determine whether the deployment package is approved. A best practice event is presented if the deployment package is not approved. If the update is approved, but is not ready for deployment, an error is shown.
  • Latest anti-malware client update approval status
    This check queries to determine whether there is an approved anti-malware critical update that is not superseded. A best practice event is presented if no such anti-malware critical update is approved. If the update is approved, but it is not ready for deployment, an error is shown.

Properties

Article ID: 976986 - Last Review: January 20, 2011 - Revision: 6.0
APPLIES TO
  • Microsoft Forefront Client Security
Keywords: 
kbsurveynew kbexpertiseinter kbexpertisebeginner kbhowto fep2010swept KB976986
