About scans

Applies To: Forefront Client Security

Client Security uses engines to perform scans. The engines use definitions to identify malware and vulnerabilities, as well as optional heuristics methods to detect suspicious files that aren't yet identified by malware definitions.

Malware scans

Client Security can perform on-demand scans, scheduled scans, and interval scans. It also can provide real-time protection, as well as boot-sector scanning.

On-demand malware scans enable you to initiate scans of all managed computers or a specific managed computer. This is especially useful if Client Security reports or alerts are indicating that a malware outbreak may be occurring. You can choose whether an on-demand scan is a full scan or a quick scan. On-demand scans always include an SSA scan. For more information, see Scanning managed computers now.

Scheduled malware scans enable you to choose the time of day when the Client Security agent on each managed computer begins a scan. This enables you to select a time that is likely to have minimal impact on users. You can also configure whether a scheduled scan is a full scan or a quick scan. If a client computer is offline for two consecutive scheduled scans, Client Security starts a scan the next time someone logs on to the computer. For more information, see Configuring scheduled and interval malware scans.


Any client computer in hibernate mode is considered offline.

Interval malware scans let you run scans at regular intervals, such as every four hours. Interval malware scans are always quick scans.

Real-time protection takes place when users access files or start applications or services. For example, using real-time protection, a Client Security agent can detect malware when a user downloads the malware from a Web site. For more information, see Configuring real-time protection.

Boot-sector scanning protects the part of your hard disk that, for disks configured to be boot-capable, contain the files necessary to start your computer. Boot-sector malware affects computers by copying code either to the boot sector on a floppy disk or the partition table on a hard disk. During the startup of the computer, the malware gets loaded into memory. Once in memory, the malware can spread to any non-infected disks accessed by the system.

Client Security scans the boot sector of any removable media when the media is inserted into the computer.

Malware scan types

Client Security supports the types of scans detailed in the following table.

Scan type What is included


  • In-memory processes

  • Files in the following folders:

    • User profiles

    • Desktop

    • System folder

    • Program files

  • Extensibility (by definition updates), which enables Client Security to respond to evolution in malware


  • All aspects of a quick scan

  • Full evaluation of local drives

  • Local, fixed drives only (no network or removable drives)


  • Drives and folders specified by user

  • All aspects of a quick scan, but only when the custom scan finds malware in the user-specified drive or folder


Custom scans are available only in the Client Security agent user interface (UI). You can configure whether users can access the Client Security agent UI. For more information, see Controlling the end-user experience.

Responses to detected malware

When it detects malware, a Client Security agent checks the following sources, in this order, for a response and attempts to apply the first response found:

  1. Policy protecting the computer infected with malware

  2. End user's answer to a Client Security request for how to respond to the malware

  3. Definition that Client Security used to detect the malware

The possible responses are as follows:

  • Default response—Client Security takes the first action specified by the malware definitions for the detected malware. You can specify this response when you configure overrides. This prevents end users from specifying a response.

  • Remove—Client Security attempts to delete the malware from the computer.

  • Clean—Client Security attempts to fix infected files without removing them from the computer. This response is only available in definitions and cannot be supplied by policy or end users.

  • Quarantine—Client Security leaves the malware on the computer but disallows access to the malware.

  • Ignore—Client Security does nothing.

Security state assessment scans

SSA scans detect possible vulnerabilities. Client Security can perform scheduled SSA scans. Client Security uses the criteria contained in SSA definitions to evaluate client computers for vulnerabilities. When a possible vulnerability is found, Client Security assigns the vulnerability a score and creates an event. For more information, see Responding to detected vulnerabilities.


Overriding default responses to malware


About malware definitions