Microsoft Forefront Client Security Service/processes Exclusion tip (Do not scan files accessed by these processes)
I’m out working at a client’s site with some fellow Catapult co-workers. They’re doing Microsoft Exchange stuff and I’m doing Microsoft Forefront Client Security stuff. They setup a total of five Microsoft Exchange 2010 servers and asked me to install, setup, and configure Microsoft Forefront Client Security on all of them. Two of the servers have the Hub Transport/Client Access roles installed. Two of the servers have the Mailbox role installed. One server has the Unified Messaging role installed. If you’ve ever seen the exclusion list for Microsoft Exchange 2010 it’s long, complicated, and takes quite some time to exclude items via the Microsoft Forefront Client Security Console ( http://technet.microsoft.com/en-us/library/bb332342.aspx ). When you get into setting service/processes exclusions it takes even longer because you have to set service/processes exclusions on each server one by one. There is no supported way from Microsoft to centralize service/processes exclusions. I thought there has to be an easier and faster way to set service/processes exclusions with this project and there was. Since there are multiple servers that are setup the same way and have the same Microsoft Exchange roles I setup service/processes exclusions on one of the servers, exported the processes exclusions registry key, imported that registry key into the same type of server, then installed Forefront Client Security. The steps are listed below and I would only do this if I knew both type of servers are built the same exact way and only if they have the same roles. It’s also important to note you have to import the registry keys on the new server BEFORE installing FCS because FCS modifies the registry keys so local admins can’t import registry keys in the branch after FCS is installed.
Registry branch for the service/processes exclusions on the first Hub Transport/Client Access server after I added them via the FCS GUI. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes\
Just exporting the branch
Saving the branch.
BEFORE installing FCS on the new server you have to import the registry key. This is because Forefront modifies the permissions for the Forefront registry keys so a local admin by default won’t have the access to add them after FCS is installed.
On the new server you’ll see the exclusions before FCS is installed.
On the new server you’ll see the exclusions after FCS is installed. The service/processes exclusions are still there!