Setting the logging level

Applies To: Forefront Client Security

Client Security generates events on client computers for many types of activity. To reduce the number of events written to client computer event logs, you can configure the policies deployed to those computers so that they do not log events for files marked unknown.

Although the Client Security console doesn't include an option for logging events for the detection of software that is known and benign (or known good), you can enable logging for these detections on individual clients.


It is recommended that you use logging of known-good software for testing purposes only.

To enable a client computer to log known-good software, set the value of DisableLoggingForKnownGood to 0 (zero) under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Reporting

If you use Group Policy for Client Security policy deployment, manual changes to this registry key are overwritten at the next Group Policy refresh.
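The following PowerShell sketch is an added example, not part of the original documentation. It records the current state of the value on a single test client, sets it to 0, and restores the earlier state when testing ends. The function names are hypothetical, the REG_DWORD value type is an assumption (the page does not state the type), and the session must be elevated.

```powershell
# Added example: enable known-good detection logging on one test client,
# then put the value back when testing is finished.
$Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Reporting'
$Name = 'DisableLoggingForKnownGood'

function Get-KnownGoodLogging {
    # Returns the current value, or $null when the value is not present.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-KnownGoodLogging {
    param([Parameter(Mandatory)][int]$Value)
    if (-not (Test-Path -Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    # Assumption: the value is a REG_DWORD; the page does not state its type.
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Restore-KnownGoodLogging {
    # Pass the value captured before the test ($null means it did not exist).
    param($Previous)
    if ($null -eq $Previous) {
        Remove-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    } else {
        Set-KnownGoodLogging -Value $Previous
    }
}

# 1. Capture the state before the test so it can be restored exactly.
$before = Get-KnownGoodLogging
Write-Output "Before: $Name = $(if ($null -eq $before) { '<not set>' } else { $before })"

# 2. Enable logging of known-good detections (0, per the page).
Set-KnownGoodLogging -Value 0
Write-Output "During test: $Name = $(Get-KnownGoodLogging)"

# 3. When testing is finished, run:
#    Restore-KnownGoodLogging -Previous $before
```

If the client receives its Client Security policy through Group Policy, re-run `Get-KnownGoodLogging` after a policy refresh to confirm whether the manual change is still in place.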

By default, the Client Security agent logs events for unknown files.

To configure whether Client Security agents log events for unknown files

  1. In the Client Security console, create or edit a policy. For details about how to create or edit a policy, see Creating, editing, copying, and deleting policies.

  2. In the New Policy or Edit Policy dialog box, click the Reporting tab.

  3. Under Logging, select or clear the Do not log events for files marked unknown check box, as applicable.

  4. After you finish creating or editing the policy, click OK.

  5. To apply the policy to client computers, you must deploy the policy. For information about deploying a policy, see Deploying and undeploying policies.