If you experience problems with Forefront Client Security (or Windows Defender), and likely also with the new free Microsoft antivirus, here are some tips for debugging it.

Look for the file called:

MpCmdRun.exe

On Forefront Client Security this is found in:

C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware

If you open a command prompt and run this program with -? you will get a list of debugging commands; among others there are restore commands that reset the client's configuration, and so on.

One command likely to be useful when debugging performance issues is:

MpCmdRun.exe -trace
However, I have been unable to determine how to decode the .bin file it creates, so if you have any suggestions please let me know! If you look in the .log file in the same directory, though, you will get some historic information which may prove useful. Also, there are still the good old utilities from Sysinternals (e.g. Filemon) to assist you.

All very useful.

Here are the switches for Forefront Client Security:
-Scan [-ScanType]
0 Default, according to your configuration
1 Quick scan
2 Full system scan
-Trace [-Grouping] [-Level]
Begins tracing Microsoft Forefront Client Security's actions. You can specify the components for which tracing is enabled and how much information is recorded. If no component is specified, all the components will be logged. If no level is specified, the Error, Warning and Informational levels will be logged. The data will be stored in the support directory as a file having the current timestamp in its name and bearing the extension BIN.
[-Grouping]
0x1 Service
0x2 Malware Protection Engine
0x4 User Interface
0x8 Real-Time Protection
0x10 Scheduled actions
[-Level]
0x1 Errors
0x2 Warnings
0x4 Informational messages
0x8 Function calls
0x10 Assertions
-GetFiles
Gathers the following log files and packages them together in a compressed file in the support directory:
- Any trace files from Microsoft Forefront Client Security
- The Windows Update history log
- All FCSAM or FCSAMRtp events from the System and Application event log
- All relevant Microsoft Forefront Client Security registry locations
- All software information from Software Explorer
-RemoveDefinitions
Restores the last set of signature definitions.
-RemoveDefinitions -All
Rolls the signature definitions back to the default signature set and removes any installed signature and engine files. Use this option if you have difficulties trying to update signatures.
-RestoreDefaults
Resets all configuration options to their default values; this is the equivalent of running Microsoft Forefront Client Security setup unattended.
-GetSWE
Exports the contents of Software Explorer into a file named MPSWE.txt in the support directory.
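As an added example (not code from the original post or from Microsoft), here is a PowerShell helper that turns the component and level names from the switch table above into the hex bitmasks that -Trace takes, so you can trace only the parts you suspect (for instance Real-Time Protection plus the engine) instead of everything, and that pulls the FCSAM/FCSAMRtp events that -GetFiles packages up so you can read them directly without unpacking the support bundle. The install path, the `-Grouping <mask> -Level <mask>` argument form and the event-source names are assumptions taken from the post's own listing; adjust them if your installation differs.

```powershell
# Added example, not part of the original post. Assumptions (from the post):
# install path, the -Trace -Grouping/-Level argument form, and the
# FCSAM / FCSAMRtp event sources.
$MpCmdRun = 'C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe'

# Component (grouping) and level flags as listed in the post's switch table.
$GroupingFlags = @{
    'Service'                 = 0x1
    'MalwareProtectionEngine' = 0x2
    'UserInterface'           = 0x4
    'RealTimeProtection'      = 0x8
    'ScheduledActions'        = 0x10
}
$LevelFlags = @{
    'Errors'        = 0x1
    'Warnings'      = 0x2
    'Informational' = 0x4
    'FunctionCalls' = 0x8
    'Assertions'    = 0x10
}

# OR the named flags together into one bitmask; reject unknown names so a
# typo does not silently trace the wrong component.
function Get-FlagMask {
    param([hashtable]$Table, [string[]]$Names)
    $mask = 0
    foreach ($n in $Names) {
        if (-not $Table.ContainsKey($n)) {
            throw "Unknown flag '$n'. Valid names: $($Table.Keys -join ', ')"
        }
        $mask = $mask -bor $Table[$n]
    }
    return $mask
}

# Start a trace limited to the chosen components and levels.
# Defaults trace Real-Time Protection and the engine at the post's default
# levels (Errors, Warnings, Informational). Use -WhatIf to only show the
# command line that would run.
function Start-FcsTrace {
    param(
        [string[]]$Components = @('RealTimeProtection', 'MalwareProtectionEngine'),
        [string[]]$Levels     = @('Errors', 'Warnings', 'Informational'),
        [switch]$WhatIf
    )
    $grouping = Get-FlagMask $GroupingFlags $Components
    $level    = Get-FlagMask $LevelFlags $Levels
    $cmdArgs  = @('-Trace', '-Grouping', ('0x{0:X}' -f $grouping), '-Level', ('0x{0:X}' -f $level))
    Write-Host ("Running: `"{0}`" {1}" -f $MpCmdRun, ($cmdArgs -join ' '))
    if ($WhatIf) { return }
    if (-not (Test-Path $MpCmdRun)) { throw "MpCmdRun.exe not found at $MpCmdRun" }
    & $MpCmdRun @cmdArgs
}

# Read the same FCSAM / FCSAMRtp events from the System and Application logs
# that -GetFiles collects, newest first, so you can correlate them with the
# timestamp in the trace file name.
function Get-FcsEvents {
    param([int]$Newest = 50)
    $events = foreach ($log in 'System', 'Application') {
        foreach ($src in 'FCSAM', 'FCSAMRtp') {
            Get-WinEvent -FilterHashtable @{ LogName = $log; ProviderName = $src } `
                -MaxEvents $Newest -ErrorAction SilentlyContinue
        }
    }
    $events | Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message
}

# Usage: show the trace command line without running it, then list events.
Start-FcsTrace -Components 'RealTimeProtection', 'MalwareProtectionEngine' -Levels 'Errors', 'Warnings' -WhatIf
Get-FcsEvents -Newest 20 | Format-Table -AutoSize -Wrap
```

Get-WinEvent needs Windows Vista/Server 2008 or later with PowerShell 2.0; on older clients that Forefront Client Security also supports you would substitute `Get-EventLog -LogName System -Source FCSAM` for the event collection. The trace itself still has to be run as an administrator from the directory named earlier, and the resulting .bin file remains as opaque as the post describes; the event list and the .log file in the same directory are the readable part.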