Article ID: 963033
This article has been archived. It is offered "as is" and will no longer be updated.
RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED TO SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs.
For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://vkbexternal/VKBWebService/ViewContent.aspx?scid=kb;EN-US;322756&PortalId=1) How to back up and restore the registry in Windows
Antigen or Forefront Server Security products may make heuristic detections using the (Authentium) Command engine, returning one of the following virus names:
· "is based on a remote template"
· "could be infected with an unknown virus"
· "could be a destructive program"
You may experience regular heuristic detections where the Command engine has named the virus as above. If you believe that the affected files are legitimate and are not infected and you have used a local AV scanner to verify that each file is clean (not infected), you may wish to disable future detections of this nature. Follow the workaround in the More Information section to disable these types of heuristic detections. If you are in any doubt about the validity of the Command engine detections, you may wish to open a Microsoft Support ‘Advisory’ case prior to implementing the workaround.
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To disable any of these detections, make sure that your Command scan engine has been updated to Update Version 0811030004 or above, and create a new registry value. To do this, follow these steps:
A: Create registry values for all desired exclusions of heuristic detections for the (Authentium) Command engine:
1. First of all, decide which heuristic detections you wish to exclude, for example:
a. "is based on a remote template"
b. "could be infected with an unknown virus"
c. "could be a destructive program"
2. Open the Registry and navigate to the correct registry key, according to your product:
a. For Antigen 9 products (x86): HKEY_LOCAL_MACHINE\SOFTWARE\Sybari Software\Engines
b. For Forefront Server Security products (x64): HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Forefront Server Security\Engines
3. Right-click the \Engines key and select New>Key. Type "Command" as the name of the new key.
4. In the new Command key, right-click and choose New>Multi-String Value *. Enter "IgnoreVirusNames" as the string name.
5. Double-click the IgnoreVirusNames value and add each virus name ("exclusion string") that you wish to disable on a separate line in the Value Data field, e.g.
is based on a remote template
could be infected with an unknown virus
could be a destructive program
6. Close the Registry.
Note: In Windows 2000 there is no Multi-String Value available. To work around this, choose Binary Value instead and enter "IgnoreVirusNames" as the string name. When you edit this Binary Value, you can type the exclusion strings in the right-hand side of the Value Data field. To separate multiple exclusion strings, click in the binary area of the Value Data field and enter 00 (zero, zero). When you have finished adding exclusion strings, enter 00 00 (zero, zero, zero, zero) at the end of the data in the binary area of the Value Data field.
Example: When entering "is based on a remote template" and "could be infected with an unknown virus" as exclusion strings, the binary Value Data field should appear as follows:
0000  69 73 20 62 61 73 65 64  is based
0008  20 6F 6E 20 61 20 72 65   on a re
0010  6D 6F 74 65 20 74 65 6D  mote tem
0018  70 6C 61 74 65 00 63 6F  plate.co
0020  75 6C 64 20 62 65 20 69  uld be i
0028  6E 66 65 63 74 65 64 20  nfected 
0030  77 69 74 68 20 61 6E 20  with an 
0038  75 6E 6B 6E 6F 77 6E 20  unknown 
0040  76 69 72 75 73 00 00     virus..
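The binary layout described in the note above can be built and parsed programmatically, which is useful when reviewing which heuristic detections a server has been told to ignore. The following Python sketch is an added example, not part of the original article; the function names are hypothetical, and the single-byte ASCII encoding is an assumption taken from the hex dump.

```python
# Added example (not from the article). Function names are hypothetical;
# single-byte ASCII encoding is an assumption taken from the hex dump above.

# The three Command engine heuristic names listed in the article.
KNOWN_NAMES = (
    "is based on a remote template",
    "could be infected with an unknown virus",
    "could be a destructive program",
)


def encode_exclusions(names):
    """Build value data: every string ends with 00, then one more 00."""
    if not names:
        raise ValueError("at least one exclusion string is required")
    out = bytearray()
    for name in names:
        if not name or "\x00" in name:
            raise ValueError("strings must be non-empty and contain no NUL")
        out += name.encode("ascii") + b"\x00"
    return bytes(out) + b"\x00"


def decode_exclusions(data):
    """Parse value data into a list of strings, rejecting malformed input."""
    if len(data) < 3 or not data.endswith(b"\x00\x00"):
        raise ValueError("value data must end with 00 00")
    names = [part.decode("ascii") for part in data[:-2].split(b"\x00")]
    if any(not name for name in names):
        raise ValueError("empty string inside the list")
    return names


def audit(data):
    """Split configured exclusions into documented names and anything else."""
    names = decode_exclusions(data)
    known = [n for n in names if n in KNOWN_NAMES]
    other = [n for n in names if n not in KNOWN_NAMES]
    return known, other


if __name__ == "__main__":
    # Constructed sample: the two strings used in the article's example.
    sample = encode_exclusions(KNOWN_NAMES[:2])
    print(len(sample), "bytes:", sample.hex())
    print(audit(sample))
```

Strings returned in the second list by `audit` are not among the three names the article documents and merit review.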
B: Update your Command scan engine
1. In the Antigen Administrator or Forefront Server Security Administrator, navigate to SETTINGS, Scanner Updates and then select the (Authentium) Command engine.
2. Click on the 'Update Now' button on the right-hand side to initiate an update. The 'Update Now' button becomes grayed-out.
3. Once the update has completed (either successfully or having failed), the 'Update Now' button is no longer grayed-out. At this point, check the Update Version number for the Command engine on the same screen. If you see Update Version 0811030004 or above, the registry settings will take effect.
By default, these values are not present and are therefore not active (i.e. the associated heuristic detections WILL take place by default).
Note: No restart of services is required for these changes to take effect.
Expected behavior: if the (Authentium) Command engine makes a heuristic detection that you have disabled, Antigen/Forefront Server Security will ignore it and take no action.
MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.
Article ID: 963033 - Last Review: January 16, 2015 - Revision: 2.0