Understanding catch-up scans

A catch-up scan is a scan that is initiated because a regularly scheduled Forefront Client Security antimalware scan was missed.  Usually these scheduled scans are missed because the computer was turned off at the scheduled time.  The FCS documentation at http://technet.microsoft.com/en-us/library/bb418896.aspx states:

Scheduled malware scans enable you to choose the time of day when the Client Security agent on each managed computer begins a scan. This enables you to select a time that is likely to have minimal impact on users. You can also configure whether a scheduled scan is a full scan or a quick scan. If a client computer is offline for two consecutive scheduled scans, Client Security starts a scan the next time someone logs on to the computer. For more information, see Configuring scheduled and interval malware scans .

To expand on this, scans can be scheduled to run either daily or weekly and either full or quick scans.  If there is no scheduled scan configured, there will be no catch-up scan run.  If the scheduled scan is configured for daily, then after two days of being missed the next time the antimalware service starts, after a short delay of about ten to twenty minutes, the missed scheduled scan will be run.  The scan type will be based upon the scan type of the scheduled scan:  if a full scan is scheduled the catch-up scan will be a full, if the scheduled scan is a quick scan the catch-up scan will also be a quick.  If the scan is configured for weekly, then after missing the scan two consecutive weeks the next time the antimalware service starts, after a short delay of about ten minutes, the missed scheduled scan will be run.  The number scans missed(two) before the catch-up scan is invoked is non-configurable.

In the current version, the Forefront Client Security antimalware client differentiates scans initiated through the UI from scans initiated through the command line of scheduled tasks.  Scans invoked through the antimalware UI do not count as “scheduled” and cannot can be used to avoid catch-up scans.  The only exception to this is if a computer has never run a scheduled scan; this helps prevent prevent newly installed clients from running a catch-up scan when they receive policy.

If you miss a scheduled scan and want to run your own catch-up scan so it will run at a convenient time, you should invoke the scan through the command line:

“%programfiles%\Microsoft Forefront\Client Security\Client\antimalware\mpcmdrun.exe” –Scan

Additionally, catch-up scans are only applicable to scans that are scheduled for a particular time, they do not apply to interval-based scans as shown below


An interval scan is essentially just a timer that starts roughly when the service starts.  If the computer is rebooted, the service is restarted, or the scan interval changes the timer is reset.

By default catch-up scans will be enabled. If you do not wish to run catch-up scans you may use an ADM file and set the following registry key  HKEY_LOCAL_MACHINE\ SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan – DisableCatchUpScan .  You can cut-and-paste the below example into a text file and rename it to an ADM to test this:

          POLICY !!CatchUp_Name
KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan"

                   EXPLAIN !!CatchUp_Explain
                   VALUENAME DisableCatchupScan
                     VALUEON NUMERIC 1
                     VALUEOFF NUMERIC 0
          END POLICY
FCSCategory="Microsoft FCS Scan Override"
CatchUp_Name="Disable Catch-up Scan"
CatchUp_Explain="This setting instructs the FCS antimalware client not to re-attempt a missed scan"


Craig Wiand
Microsoft Forefront Escalation Engineer