Agent recommendations

Applies To: Forefront Client Security

Client Security agent performance depends on a large number of variables. Items that can affect the performance of the Client Security agent on a client computer include:

  • Amount of available RAM on the host.

  • Amount of disk space on the host.

  • Speed of the physical disk on the host.

  • Applications currently running on the client computer.

Because each organization has a different mix of the preceding variables, there is no typical performance value.

It is recommended that you inventory your organization's client base to obtain a representative list of standard client configurations. Then install the Client Security agent on a sample of the representative systems and use performance monitoring to determine the impact.

Scheduling scans

Client computers' performance can vary depending on whether the Client Security agent is inactive or performing a scan. Performing a full scan during a time when the managed computer is going to be used affects the performance of the managed computer for the end user. It is recommended that you schedule full scans for times when managed computers are not in use.

Using Client Security policy

Client Security policies allow the Client Security administrator to schedule antimalware (quick and full) and SSA scans, as well as to configure how often managed computers check for definition updates. If you want to schedule scans to occur multiple times each day (or to have Client Security agents check for updates hourly, the highest available frequency), ensure that your Client Security agents, your Client Security servers, and your existing network topology can handle the additional load this would create.

As an illustration, consider SSA scans. When a large number of Microsoft security updates are released for the operating system in use, those updates may not be applied immediately. If the updates are not applied prior to the next SSA scan, the scan returns one event per Client Security agent per missing update; a large number of missing updates results in a large number of returned events.