Resolving disabled real-time protection

Applies To: Forefront Client Security

If real-time protection becomes disabled on a computer that is protected by a policy of alert level 5, Client Security generates a "Protection Turned Off" alert.

Researching disabled real-time protection

If Client Security created an alert for the disabling of real-time protection, use the alert's Properties tab to view information about this alert. Use the link to the Computer Detail report and learn about the computer that reported disabled real-time protection.

If Client Security did not create an alert for disabled real-time protection, you can still view the event logged on the collection server. In the MOM Operator console, view the event to learn which computer reported disabled real-time protection. For more information about viewing events, see Working with events.

For more information about alerts, see Working with alerts.

The most likely causes for real-time protection being turned off are as follows:

  • A local user on the computer disabled real-time protection.

  • A Client Security administrator has deployed a policy with real-time protection disabled.

  • Malware disabled the real-time protection feature.

To resolve disabled real-time protection

  1. Use the Computer Detail report to learn about the computer whose real-time protection is turned off:

    • If real-time protection was turned off in the policy, consider enabling real-time protection or lowering the alert level of the policy. It is recommended that you use real-time protection in policies that protect important computers.

    • If real-time protection was turned off by a user on the computer, ask the user why it was disabled.

      If the reason is valid, consider lowering the alert level of the computer.

      If the reason isn’t valid, tell the user to refrain from disabling real-time protection. Make sure the computer is operating correctly. Resolve any issues you discover and enable real-time protection in the Client Security agent. To do so, click Tools, click Options, and under Real-time protection options, select the Use real-time protection check box.

  2. Perform a full scan of the computer. For information, see Scanning managed computers now.