Best practices with Client Security
Applies To: Forefront Client Security
Consider following these practices when managing your Client Security deployment.
It is a best practice to perform the following tasks on a daily basis:
Open the Microsoft Forefront Client Security console and view the dashboard. Review the charting data, issues, and notifications. Investigate trends, such as increases in malware or other issues. For more information, see Accessing the dashboard.
Check the Security Summary report. You can use this report to monitor the status of policy deployment and client connectivity, and you can view the current state and 30-day trend charts for computers reporting issues, malware found, security state assessment (SSA) scan results, and alerts.
Review each section of the report carefully and, as needed, use the links to more detailed reports to investigate any of the information displayed in the report.
It is recommended that you use the subscription feature in the Report Manager to receive the Security Summary report by daily e-mail. For more information about e-mail delivery of reports, see Sending report e-mail.
Check for definitions deployment issues and investigate computers that have not received definition updates for over three days. To do so, view the following reports:
Spyware Definitions Deployment Status
Virus Definitions Deployment Status
Vulnerabilities Definition Deployment Status
Each of these reports is accessible through the Deployment Summary report.; however, consider subscribing to each report for daily e-mail delivery.
Investigate alerts promptly. Addressing infections and malware outbreaks in a timely manner helps prevent further damage. Addressing vulnerabilities helps reduce risk to your organization.
In the MOM Operator console, consider doing the following:
Use the Company Knowledge tab of alerts to maintain information about resolving each type of Client Security alert, such as steps that are specific to your organization or details that can help you resolve the alert type more quickly.
Create custom alert views for each type of Client Security alert. This helps you find critical alerts and not overlook them among less important alerts.
For example, on a computer in alert level 4 or 5, Client Security generates an alert for every definition update failure, which persists in the MOM Operator console even if the next update succeeds. Meanwhile, a "Computer Infected - Failed Response" alert may be issued only once in a day and may be overlooked among dozens of alerts about update failures. A custom view for "Computer Infected - Failed Response" alerts helps you readily find these important alerts.
For more information, see Responding to alerts.
It is a best practice to perform the following tasks on a weekly basis:
Check these reports for recent trends in detection of malware and potential vulnerabilities:
Security State Assessment History
Investigate increases in detections and determine if there are mitigating steps, such as blocking access to a common source of infection.
Check the Deployment Summary report. You can use this report to check for problems with deployment of policies and updates of definitions and scan engines.
Check the Connectivity Summary report. You can use this report to identify client computers that have been out of contact with the collection server for extended periods of time, which may indicate computer failure, user tampering with Client Security software, malware infection, or simply a computer that has been offline for benign reasons.
Check the Malware Summary report. You can use this report to identify unclassified software. Exclude any software from the check that you identify as legitimate. Mitigate any issues with software that you determine to be unacceptable.
Back up the collection database and reporting database. It is recommended that you automate backups. For more information, see the Client Security Disaster Recovery Guide (http://go.microsoft.com/fwlink/?LinkID=86617).
Remove from the MOM Administrator console any Client Security client computers that are no longer part of your deployment, which includes the old names of renamed computers. This prevents inaccurate data from appearing on reports such as the Connectivity Summary report. For more information, see Removing computers from your deployment.
It is a best practice to perform the following tasks on a monthly basis:
After the second Tuesday of each month, use the Security State Assessment Summary to monitor the progress of Microsoft security update deployment in your organization. Troubleshoot and resolve any deployment issues you discover.
Review new SSA checks when Client Security receives them from Microsoft Update. Client Security adds new SSA checks to SSA-related reports, and you should be prepared to understand the scan results for any new SSA checks. For each check, determine what scores are acceptable to your organization and how you want to address unacceptable scores when they arise.
Review your deployed Client Security policies for opportunities to tune the settings of the policies or the computers to which they're deployed. Consider if policy settings accurately reflect your organization's security requirements, client and server performance, and ability to address the alerts raised.
Consider such items as whether scans occur frequently enough, whether scans are scheduled for the optimal times, and whether checks for updates happen often enough or too often.
Review your update-management strategy:
Look for issues revealed by the Deployment Summary report that you can address by modifying your WSUS configuration, changing policy settings for update checks, or enabling fallback to Microsoft Update for updates.
Review your MOM notification strategy. Evaluate whether Client Security–related notifications reach the correct people. Modify notification groups in the MOM Administrator console, as needed.
Remove old updates from your WSUS server. For more information, see Removing old updates from WSUS.
It is a best practice to perform the following tasks when needed:
Address infections and outbreaks when Client Security detects them.
For information about malware outbreaks, see Managing "Malware Outbreak" alerts.
Send to Microsoft samples of malware not discovered by Client Security or software incorrectly identified as malware. For more information about the submission process, see Sending malware samples to Microsoft.