Determining which risk to assign to a process

Once you decide that you need more than one scanning policy, identify your processes and determine which risk to assign to each one.

Task

  1. Determine which processes you are using. Use the Windows Task Manager or Windows Performance Monitor to help you understand which processes are using the most CPU time and memory.
  2. Determine which program is responsible for each process. Remember that only the child processes of the defined parent process adhere to the scanning policy. For example, if you define the Microsoft Word executable file, WINWORD.EXE, as a high-risk process, any Microsoft Word documents that are accessed would be scanned according to the high-risk scanning policy. However, when the parent process Microsoft Word is launched, the WINWORD.EXE file is scanned according to the policy of the process that launched it.
  3. Determine which risk applies to each process using these guidelines:
    • Low-risk — Processes with less possibility of spreading or introducing a potential threat. These can be processes that access many files, but in a way that has a lower risk of spreading potential threats. For example:

      Backup software

      Compiling processes

    • High-risk — Processes with a greater possibility of spreading or introducing a potential threat. For example:

      Processes that launch other processes, such as Microsoft Windows Explorer or the command prompt.

      Processes that execute scripts or macros, such as WINWORD or CSCRIPT.

      Processes used for downloading from the internet, such as browsers, instant messengers, or mail clients.

      Note: Initially, the high-risk scanning policy is set the same as the policy for default processes to ensure that high-risk processes are scanned in depth and give you the maximum protection. We do not recommend reducing the default level of scanning.
    • Default — Any process not defined as low-risk or high-risk.
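
The following PowerShell script is an added example, not part of the product or of the original page. It supports the three steps above by listing each running process with its CPU time, memory, I/O count and parent, and by suggesting a risk tier from the guidelines, both for the process and for the process that launched it. Executable names other than those named in the guidelines are illustrative assumptions, and `Get-SuggestedRisk` is a hypothetical helper.

```powershell
# Added example: inventory running processes and suggest a scanning-risk tier.
# The name lists are assumptions for illustration; replace them with your own.
$HighRisk = @(
    'explorer.exe', 'cmd.exe',          # launch other processes (named in the guidelines)
    'winword.exe', 'cscript.exe',       # execute scripts or macros (named in the guidelines)
    'wscript.exe', 'powershell.exe',    # assumed: other script hosts
    'msedge.exe', 'chrome.exe', 'firefox.exe', 'outlook.exe'  # assumed: browsers, mail client
)
$LowRisk = @(
    'wbengine.exe',                     # assumed: Windows Backup engine
    'cl.exe', 'link.exe', 'msbuild.exe' # assumed: compiler toolchain
)

function Get-SuggestedRisk {
    param([string]$Name)
    if (-not $Name)              { return 'Unknown' }    # parent has already exited
    if ($HighRisk -contains $Name) { return 'High-risk' } # -contains is case-insensitive
    if ($LowRisk  -contains $Name) { return 'Low-risk' }
    return 'Default'                                      # anything not listed
}

# Step 1: take a snapshot of running processes with resource counters.
$procs = Get-CimInstance -ClassName Win32_Process

# Step 2: map PID -> name so each process can be tied to the one that launched it.
# A parent PID can be reused after the parent exits, so treat Parent as a hint.
$nameByPid = @{}
foreach ($p in $procs) { $nameByPid[[uint32]$p.ProcessId] = $p.Name }

# Step 3: build one row per process with a suggested tier.
$report = foreach ($p in $procs) {
    $parent = $nameByPid[[uint32]$p.ParentProcessId]
    [pscustomobject]@{
        Name          = $p.Name
        PID           = $p.ProcessId
        CpuSeconds    = [math]::Round(($p.KernelModeTime + $p.UserModeTime) / 1e7, 1)
        WorkingSetMB  = [math]::Round($p.WorkingSetSize / 1MB, 1)
        IoOperations  = $p.ReadOperationCount + $p.WriteOperationCount
        SuggestedRisk = Get-SuggestedRisk -Name $p.Name
        Parent        = $parent
        # The executable itself is scanned under the policy of whatever launched it.
        LaunchedUnder = Get-SuggestedRisk -Name $parent
    }
}

# Processes doing the most file I/O are where the policy choice matters most.
$report | Sort-Object IoOperations -Descending | Format-Table -AutoSize
```

The output is a starting list for review; the tier assigned in the scanning policy remains a decision based on what each program does in your environment.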