Working with an infected computer

Applies To: Forefront Client Security

When Client Security finds software known or suspected to be malware, you learn about the infection from reports, alerts, careful monitoring of Client Security events, or perhaps from a diligent user who notifies you about a Client Security agent message on the infected computer.

When it finds an instance of malware, Client Security takes the action specified by the policy protecting the infected computer. If an alert is generated, it indicates whether Client Security successfully completed the actions dictated by the policy. Because the action specified can be to take no action or query the user (who may respond that the Client Security agent should do nothing), it is important that you investigate and resolve any infection.

The two types of infection alerts are as follows:

  • Computer Infected—Successful Response

  • Computer Infected—Failed Response

Researching malware

Client Security provides you with the means to research malware it discovers.

If Client Security did not create an alert that identifies the malware detected, you can still view the malware event logged on the collection server. In the MOM Operator console, view the event and use the link to view the relevant entry in the Microsoft Malicious Software Encyclopedia. For more information about viewing events, see Working with events.

You can also view events on the Computer Detail and Computer Detail History reports. For more information, see Viewing and printing reports.

If Client Security created an alert for the malware detection, do the following:

  • View the information on the Properties tab to learn what action was taken and whether it succeeded.

    If the action failed, the most likely causes for the failure are as follows:

    • A restart or a full scan is necessary to complete the response.

    • An infected resource is on a read-only shared folder on a different computer than the one running Client Security.

    • An infected resource is on read-only media on the computer.

  • Use the link on the Properties tab to view the Malware Detail report and learn about the software found and the action taken. Depending on the action specified in the policy, the software may still be present on the computer.

  • Use the link to the Computer Detail report to learn about the state of the infected computer, such as the presence of other malware or vulnerabilities.


When investigating events related to infections, you may find more than one event related to actions taken on a single infection. This occurs when real-time protection blocks access to potential malware and the user, when prompted, specifies a different action. It can also occur when a user reviews scan history and specifies a different action than the Client Security agent took on the malware at detection.
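The following Python sketch shows one way to collapse several events for the same infection into a single row and flag the infections that still need follow-up. It is an added example, not part of Client Security or its documentation. The event records, field names, and action labels are constructed for illustration and are not the Client Security event schema.

```python
from collections import defaultdict

# Constructed sample events; field names and action labels are assumptions,
# not the Client Security event schema.
EVENTS = [
    {"time": "2008-03-01T09:00:05", "computer": "WS-014", "threat": "SampleThreat.A",
     "resource": r"C:\Users\a\tool.exe", "action": "blocked", "succeeded": True},
    {"time": "2008-03-01T09:00:40", "computer": "WS-014", "threat": "SampleThreat.A",
     "resource": r"C:\Users\a\tool.exe", "action": "ignore", "succeeded": True},
    {"time": "2008-03-01T10:12:00", "computer": "WS-022", "threat": "SampleThreat.B",
     "resource": r"\\FS01\public\setup.exe", "action": "remove", "succeeded": False},
    {"time": "2008-03-01T11:30:00", "computer": "WS-031", "threat": "SampleThreat.C",
     "resource": r"C:\Temp\x.dll", "action": "remove", "succeeded": True},
]

# Actions that leave the software on the computer even when they succeed.
LEAVES_PRESENT = {"ignore", "blocked", "quarantine"}


def triage(events):
    """Collapse events to one row per infection and flag those needing follow-up."""
    by_infection = defaultdict(list)
    for e in events:
        by_infection[(e["computer"], e["threat"], e["resource"])].append(e)

    findings = []
    for (computer, threat, resource), evs in sorted(by_infection.items()):
        evs.sort(key=lambda e: e["time"])  # ISO 8601 strings sort chronologically
        last = evs[-1]                     # the most recent action decides the state
        if not last["succeeded"]:
            status = "failed-response"
        elif last["action"] in LEAVES_PRESENT:
            status = "still-present"
        else:
            status = "resolved"
        findings.append({
            "computer": computer, "threat": threat, "status": status,
            "events": len(evs),
            "actions": [e["action"] for e in evs],
            # A UNC path points at a share on another computer to investigate.
            "remote_resource": resource.startswith("\\\\"),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```
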

For more information about alerts, see Working with alerts.

To resolve an infection

  1. As described in the preceding section, learn about the malware found.

  2. If the software is acceptable, edit the policy and on the Overrides tab, set a different default action for this software so that Client Security does not attempt to remove it again.

    If the software is unacceptable, take the following actions, as appropriate:

    • Use what you learned in step 1 to ensure that the malware is removed from the computer.

    • If the infected resource is on a read-only share on a different computer than the one that reported the infection, then you should identify the server that the file is on, troubleshoot why that server is not detecting the malware, ensure that real-time protection is enabled on that server, and ensure that the server has regularly scheduled full scans.

    • If the infected resource is on read-only media, then remove the media and avoid using it.

    • Ensure that the Client Security agent and signatures are up to date on the infected computer.

    • Investigate how the computer became infected and take steps to prevent new infections from occurring in the same manner.

    • Scan the computer again. If the malware remains on the computer after you've followed all removal instructions, reformat and rebuild the computer.

    • Confirm that the affected computer was not harmed. If the computer was harmed, repair it.

    • If the default action for this software was to leave the software on the computer (such as quarantining the software) and this is unacceptable, edit the policy and on the Overrides tab, set a different default action for this software.

    • Scan your network for other occurrences of this malware.

  3. Send Microsoft a sample of the malware found. For more information, see Sending malware samples to Microsoft.

