Using the Client Security agent

Applies To: Forefront Client Security

The Client Security agent can enable users to start malware scans, schedule scans, configure malware scan exclusions and response overrides, view the results of scans, and configure other options. The degree to which a user can access and control the Client Security agent depends on the Client Security policy deployed to the computer. For more information, see Controlling the end-user experience.

If the policy deployed to a computer allows it, the user can access the Client Security agent UI by double-clicking the Client Security notification area (formerly known as system tray) icon. (The user can also access the UI by clicking Start, pointing to All Programs, pointing to Microsoft Forefront, and then clicking Forefront Client Security.) Users can find detailed information about the agent in its online Help.

Notification area icon meanings

The notification area icon for the Client Security agent changes depending on:

  • The state of the agent.

  • The presence of messages about malware detection or other events. To view messages (if the policy deployed to the computer allows it), the user can double-click the notification area icon, which opens the Client Security agent UI.

The following table describes the icon's various forms and their meanings.

Icon Description
System tray icon when there are no alerts

The Client Security agent has no messages for the user.

The circle rotates if the Client Security agent is currently performing any of the following tasks:

  • Scanning for malware

  • Checking for updates or downloading updates

  • Cleaning malware found by real-time protection

System tray icon for known good detection

The Client Security agent completed a scan and did not detect harmful or unwanted software.

Definitions are up to date.

The Client Security agent has no messages for the user.

Systm tray icon for low or medium alerts

The Client Security agent has issued a low or medium alert message.

The low or medium alert message may indicate any of the following:

  • Malware with a low or medium severity rating has been discovered.

  • The agent has not received definition updates in over 14 days.

  • A definition update failed.

  • No scans have been completed successfully in 3 days.

  • The FCS service is stopped.

  • A reboot is required.

System tray icon for high and severe alerts

The Client Security agent has issued a high or severe alert message.

This may indicate the discovery of known malware of a high or severe severity.

System tray icon for unknown malware detection

The Client Security agent has issued an alert message about possible malware but has not been able to identify the software. In most cases, software detected is likely to be harmless.

Prompts for unclassified software

You can configure the Client Security agent, either by policy or in the Client Security agent UI, to prompt the user when the agent detects unclassified software. Client Security definitions include information about trusted software in addition to malware. It also monitors the behavior of applications. Prompting users to allow potentially unwanted actions by unclassified software can help protect your organization from new malware that isn't yet identified by the most recently approved and distributed definitions.

To avoid prompting users for common, legitimate applications that Client Security detects as potentially malicious software, exclude the applications from scans. For more information, see Excluding files, folders, and file types from scans.

Common tasks with the Client Security agent

The following table provides the starting steps for performing common tasks with the Client Security agent.

Task How to get started

Starting a scan.

To run a quick scan, click Scan.

To run a full or custom scan, click the down arrow next to the Scan button and then configure the scan.

Stopping a scan.

Click Stop Scan.

Checking status, including determining:

  • Date and time of last scan

  • Current scan schedule

  • Real-time protection status

  • Antivirus definition version

  • Antispyware definition version

Click Home and view the information under Status.

Checking for definition updates manually.

Click the down arrow next to Help, and then click Check for updates.

Viewing the results of previous scans and actions taken by the Client Security agent.

Click History.

Viewing and configuring default actions.

Click Tools, and under Tools and Settings, click Options. Under Default actions, view and configure the actions as needed.


If you select Ignore for a particular alert level, the Client Security agent always ignores malware of the specified alert level and never logs events when it detects malware of the specified alert level.

Viewing and acting on quarantined items.

Click Tools, and under Tools, click Quarantined items.

Viewing and acting on allowed items.

Click Tools, and under Tools and Settings, click Allowed items.

Configuring the Client Security agent.

Click Tools, and under Settings, click Options or Microsoft SpyNet.