Archive for the ‘FCS’ Category

Have FCS? Moving to FEP?

Hey folks!

I wanted to let you know that we have guidance for migrating from FCS v1 to FEP 2010 here (http://technet.microsoft.com/en-us/library/gg477033.aspx).

The process involves the following high level steps:

  1. Document the policy settings you want to preserve from FCS to FEP. There is no policy migration between the two versions.
  2. In WSUS, unapprove all the FCS v1 client installation packages.
    • If you forget to do this, you may end up with FCS v1 reinstalled.
  3. Install FEP on your Config Mgr installation, and proceed with the FEP client deployment.
    • The FCS v1 client software is automatically uninstalled and FEP is installed.
    • Also – the definitions already on the client computers are preserved, speeding up the up-to-date process for definition downloading.

Thanks!

Kim Ditto-Ehlert
Senior Technical Writer

FCS – Upcoming solution for installation issues with March 2011 Update

March 31st, 2011

We have been working hard on a solution for customers that encountered issues with our update in March. I wanted to let you know what we are planning to address this.

We are authoring a package that is specifically designed to find systems that have a failed upgrade to our March update. To do this, we will be pushing a package from Microsoft Update that looks for several specific conditions:

  1. The SSA package from Forefront Client Security to be present.

  2. Several Antimalware registry keys are present, even though Antimalware software had been removed due to an upgrade.

  3. You are running Vista or higher OS (including Server OS like Windows Server 2008)

If all of these items are true, then we will reinstall the update package and return the system to normal.

If a system fails any one of these conditions, we aren’t going to install. The first case is a safe check because only FCSv1 customers have this particular package. The second one is equally important, because if an admin has intentionally removed FCSv1, the Antimalware keys we are looking for would no longer exist. The third obviously focuses the package on the machines that it applies to.
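As an added triage example (not Microsoft’s KB 2524280 package), the PowerShell function below applies the same three tests to one client. It assumes SSA is identified by the MSI product code quoted in the March 8 post on this page, uses one representative Antimalware key path (the real package checks several keys this post does not name), and treats the engine as removed when MsMpEng.exe is absent from the Antimalware client folder.

```powershell
# Added example, not Microsoft's detection package: checks the three
# conditions from the post on a single client and reports whether the
# March update appears to have left it without the Antimalware agent.
# Assumptions: SSA is identified by its MSI product code (quoted in the
# March 8 post), the leftover Antimalware key is ...\Client Security\1.0\AM
# (the real package checks several keys the post does not name), and the
# engine binary MsMpEng.exe lives under the Antimalware client folder.
function Test-FcsMarchUpdateFailure {
    $ssaProductCode = '{2AB5A838-9DAC-45F5-8EC2-019DDDC4B4F6}'
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $amKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Microsoft Forefront\Client Security\1.0\AM'
    )
    $engineBinaries = @(
        "$env:ProgramFiles\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe",
        "${env:ProgramFiles(x86)}\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe"
    )

    # 1. SSA package present: its product code is registered for uninstall.
    $ssaPresent = @($uninstallRoots | ForEach-Object { Join-Path $_ $ssaProductCode } |
        Where-Object { Test-Path $_ }).Count -gt 0

    # 2. Antimalware registry keys still present although the engine is gone.
    $amKeyPresent  = @($amKeys | Where-Object { Test-Path $_ }).Count -gt 0
    $engineMissing = @($engineBinaries | Where-Object { Test-Path $_ }).Count -eq 0

    # 3. Vista or later (NT 6.0+), which includes Windows Server 2008.
    $vistaOrLater = [Environment]::OSVersion.Version.Major -ge 6

    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        SsaPresent     = $ssaPresent
        AmKeysOrphaned = ($amKeyPresent -and $engineMissing)
        VistaOrLater   = $vistaOrLater
        # Matches only when every test is true, like the package described above.
        LikelyAffected = ($ssaPresent -and $amKeyPresent -and $engineMissing -and $vistaOrLater)
    }
}

Test-FcsMarchUpdateFailure | Format-List
```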

We are planning to release this package on 4/5. Our intention is to make this available and visible before the upcoming patch Tuesday window so administrators and users can choose to deploy it ahead of any other updates pending the following Tuesday. WSUS admins will be able to find this package by its KB number 2524280.

Please note that this package is intended to fix only a very specific case of an upgrade failure. There are many technical reasons that a package may fail to upgrade that we cannot address in this manner. Examples include a damaged registry, Windows installer repository issues or binaries being held by external processes beyond our control. If you need additional assistance please contact your support professional or visit http://support.microsoft.com/ph/12632 .

Forefront Client Security Engineering team


FCS v1 March 2011 update

March 8th, 2011

Update 10 March 2011

We have received reports of an installation issue with our March update of Forefront Client Security when the option “install updates and shutdown” is used. We wanted to be clear on the issue and exactly what steps we are taking to rectify it.

Symptom:

A computer attempts to use the “install updates and shutdown” Windows feature to update to the latest version of FCSv1. After restart, the computer does not have the Antimalware agent installed, but will still have the Security State Assessment (SSA) and Microsoft Operations Manager components installed.

The problem:

This issue only occurs on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. It does not occur on Windows XP, Windows Server 2003 or Windows 2000. This issue was not introduced in the March update. It is caused by a previously undetected problem in the October 2010 update. Please review the steps below for what options you should take.

For the bug to occur, the system must have either the policy setting that changes the default shutdown behavior, or the user must click “Apply updates at Shutdown”. If the update is deployed or manually installed in other ways, this bug does not occur.


Key facts:

  1. If you have already successfully installed the March update, you do NOT need to roll it back.
  2. This bug doesn’t apply to either Microsoft Security Essentials or Forefront Endpoint Protection in any way.
  3. It can only occur if the option for “Install Updates and Shutdown” is selected by the user or is set by policy.
  4. On unaffected computers, it in no way impacts the ability to get definition updates to stay secure.

What can I do to address this issue myself?

There are a number of workarounds that can be used currently.

Avoiding the issue

  • WSUS administrators can decline the update, or simply not approve it for installation.
  • Avoid installing KB2508823 with “Install updates and shutdown”. This may be accomplished by
    • a recommendation by administrators to users
    • enforcement by Automatic Updates group policy: Computer Configuration/Administrative Templates/Windows Components/Windows Update - Do not display ‘Install Updates and shut down’ option in Shut Down Windows dialog box.
    • installing the update KB2508823 through a WSUS deadline, which triggers an immediate install.

Issue correction

If you have computers which experience this issue and are now unprotected, there are a number of options:

  • Download and install KB2508823 manually. There are steps to do this in the KB (http://support.microsoft.com/kb/2508823) in the Hotfix information section.
  • In WSUS, approve “Client Update for Microsoft Forefront Client Security (1.0.1728.0)” and decline both the March update (KB2508823) and the Client Update for Microsoft Forefront Client Security (1.0.1736.0) (2508824). This will redeploy the prior update.
  • Approve the “Client Update for Microsoft Forefront Client Security (1.0.1736.0)” slipstream update.
    NOTE: We have seen that in some cases this will fail with 0x666 ERROR_PRODUCT_VERSION.
    If you are seeing ERROR_PRODUCT_VERSION failures installing the slipstream, you can uninstall SSA and that should allow it to work. To do this, choose to uninstall “Microsoft Forefront Client Security State Assessment Service” in Control Panel > Programs > Uninstall a program, or by executing the command line: msiexec.exe /x {2AB5A838-9DAC-45F5-8EC2-019DDDC4B4F6} /quiet

What is Microsoft doing to address this?

We are doing the following:

  1. We have already throttled downloads of KB2508823 on Microsoft Update so that users connecting directly to Microsoft Update will not have the package proactively delivered.
  2. We are changing the logic on Microsoft Update to only allow the update to apply to Windows 2000, Windows XP, and Windows Server 2003 today. That will prevent further incidents from occurring. We are testing this change now, and will update the blog on when you can expect to see this change.
  3. We are authoring a patch update that will address this issue on Microsoft Update. This patch will supersede the current patches for all platforms. We will provide more information soon on when you can expect to see that package.

We take the support of our customers very seriously. If you need additional assistance please contact your support professional or visit http://support.microsoft.com/ph/12632.

Sincerely, the Microsoft Forefront Client Security Engineering team.

Update 9 March 2011

Hello all,

Today (8 March 2011), we released an update to FCSv1. Changes include:

  • This update enables computers running Forefront Client Security to update definitions at the scheduled time while running on battery power.
  • This update contains changes to allow computers running the Forefront Client Security service to open files encrypted by Prim’X ZoneCentral that are located in a network shared folder.
  • This update corrects issues in the mpfilter.sys kernel component used by Client Security that cause real-time protection errors on computers running Windows 2000.

For already installed FCS client installations, install the update for Microsoft Knowledge Base article 2508823 (http://support.microsoft.com/kb/2508823).
For new FCS Client installations, deploy the client components listed in Microsoft Knowledge Base article 2508824 (http://support.microsoft.com/kb/2508824).

For more information about the update, Microsoft Knowledge Base article 2508823 (http://support.microsoft.com/kb/2508823) has the detail.

Thanks!

We have received reports that in some cases the FCS update fails to install correctly. We are reviewing these reports now, and will update this blog when we have details we can share. If you are a WSUS administrator you may want to hold off approving this update for the moment.


FEP, MSE and FCS – and Windows 7 SP1

March 4th, 2011

Hello folks!

Did you know that Windows 7 SP1 is available for download? Windows 7 SP1 brings some great features to the platform, and everyone’s pretty excited about it.

We want to make absolutely clear that Windows 7 SP1 is supported by the following endpoint security products:

If in doubt about what you have installed, view your version number, on the Help menu, click About.

If your version is reported in the range of 2.0.1677 to 2.0.2530, then you should:

  • Uninstall the unsupported pre-release version of the client currently installed, and
  • Install one of the release antimalware packages listed above, according to your organizational needs.

Thanks!

Note: The same statements apply for Windows Server 2008 R2 SP1 as well; you need the same update to allow FCS to function. (Douglas Hill 3/23/2010)

Microsoft SpyNet?

February 22nd, 2011

So have you ever wondered what the Microsoft SpyNet opt in page is really all about?

Microsoft SpyNet is a cloud service that allows the FEP or MSE client on your computer to report information about programs that exhibit suspicious behavior to the Microsoft Malware Protection Center (MMPC) researchers. When this information is reported, definitions for previously unknown threats can be created and distributed, minimizing the time that a new threat is spreading in the wild before protection is available. (Note: older clients, like FCS and Windows Defender, also participate in SpyNet, but to get the full benefits of SpyNet, which includes Dynamic Signature Service, you should move to FEP or MSE.)

Additionally, when your FEP or MSE client reports new malware to the Microsoft SpyNet cloud service, the Dynamic Signature Service can recognize when a definition is available but not yet released, and deliver the definition for that specific threat in real time from the cloud. Upon delivery of the dynamic signature, the threat will be detected and can be removed from the system.

Hey – here’s a thought. Take 3 minutes and watch this – Microsoft SpyNet and the Dynamic Signature Service in action:


FCS: 64-Bit Clients do not report the antimalware version in the Computer Details report in the Forefront Client Security management console

January 26th, 2011

An issue has been identified in Forefront Client Security (FCS) where, when viewing the Computer Details report from the Forefront Client Security management console, the antimalware client version on 64-bit clients is not reported accurately. This is because of an error in the way the Operations Manager 2005 Management Pack collects this information.

During Forefront Client Security installation, the antimalware package creates several registry keys and creates files in several different directories. During the antimalware installation on 64-bit computers, the following key and value are created (shown as they appear in a .reg export):

  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Forefront\Client Security\1.0\AM]
  "InstallLocation"="C:\\Program Files (x86)\\Microsoft Forefront\\Client Security\\Client\\Antimalware\\"

The antimalware version is not reported because the MOM agent is 32-bit and on 64-bit computers runs under the Windows on Windows (WOW64) subsystem. Because of this, the MOM agent’s registry queries are redirected to the Wow6432Node of HKEY_LOCAL_MACHINE. When the MOM script queries for the installation path and gets a value of “C:\Program Files (x86)\Microsoft Forefront\Client Security\Client\Antimalware”, it then attempts to discover the file version of MsMpEng.exe, which is not located in this directory. On 64-bit computers MsMpEng.exe is located in “C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware”. When this query fails, the AM version property is set to “N/A”.
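To check the real antimalware version on a 64-bit client while the report shows N/A, here is an added PowerShell example (not the Management Pack’s script and not from the post) that opens both registry views explicitly so a 32-bit host process is not redirected to Wow6432Node. It assumes .NET 4 / PowerShell 3.0 or later for OpenBaseKey, and that the native engine sits under “Program Files” at the same relative path that the redirected value gives under “Program Files (x86)”.

```powershell
# Added example (not part of the post or of the Management Pack): read the
# Antimalware InstallLocation from both registry views explicitly, then
# resolve the MsMpEng.exe file version the Computer Details report intends.
# Assumption: on 64-bit clients the native engine sits under "Program Files"
# at the same relative path the redirected value gives under "Program Files (x86)".
function Get-FcsAntimalwareVersion {
    $subKey = 'SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM'
    $hive   = [Microsoft.Win32.RegistryHive]::LocalMachine
    $candidates = @()

    foreach ($viewName in 'Registry64', 'Registry32') {
        # Opening the view by name avoids WOW64 redirection of a 32-bit process.
        $view = [Microsoft.Win32.RegistryView]$viewName
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
        $key  = $base.OpenSubKey($subKey)
        if ($key -ne $null) {
            $loc = $key.GetValue('InstallLocation')
            $key.Close()
            if ($loc) { $candidates += @{ View = $viewName; Path = $loc } }
        }
        $base.Close()
    }

    # The redirected value points at "Program Files (x86)"; derive the native
    # path as a last resort before giving up with N/A like the report does.
    foreach ($c in $candidates) {
        $native = $c.Path -replace '\\Program Files \(x86\)\\', '\Program Files\'
        if ($native -ne $c.Path) { $candidates += @{ View = 'Derived'; Path = $native } }
    }

    foreach ($c in $candidates) {
        $exe = Join-Path $c.Path 'MsMpEng.exe'
        if (Test-Path $exe) {
            return New-Object PSObject -Property @{
                View            = $c.View
                InstallLocation = $c.Path
                AmVersion       = (Get-Item $exe).VersionInfo.FileVersion
            }
        }
    }
    New-Object PSObject -Property @{ View = 'None'; InstallLocation = $null; AmVersion = 'N/A' }
}

Get-FcsAntimalwareVersion | Format-List
```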

If you are experiencing this issue, we suggest you open a support case using one of the methods documented here:

Chris Norman, Senior Escalation Engineer

FCS Path based exclusions do not apply to mount points

January 19th, 2011

Hi,

If you’ve configured path based exclusions in FCS 1.0, you may notice that mount points in the path tree are still scanned. This happens because the mount point resides on a different volume than the parent folder. When a file is accessed on the mount point, FCS receives a device path that is not a child of the excluded folder and FCS doesn’t connect the mount point association when it applies the exclusion.
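Because a mount point below an excluded folder is still scanned, an administrator will want to know which mount points fall under each configured exclusion. The PowerShell function below is an added example (not from the post); it assumes the exclusion list is passed in rather than read from FCS policy, and relies on Win32_Volume.Name returning the mount path for volumes mounted into a folder.

```powershell
# Added example (not from the post): list volume mount points that sit
# beneath each configured path exclusion, since those volumes will still be
# scanned. Win32_Volume.Name gives the mount path ("C:\Data\Archive\") for
# volumes mounted into a folder as well as drive roots like "C:\".
# Assumption: the exclusion list is passed in; this does not read FCS policy.
function Get-FcsExclusionMountPoints {
    param([Parameter(Mandatory = $true)][string[]] $ExcludedPath)

    $mountPaths = Get-WmiObject -Class Win32_Volume |
        ForEach-Object { $_.Name } |
        Where-Object { $_ -and $_ -notlike '\\?\Volume*' }   # skip unmounted volumes

    foreach ($exclusion in $ExcludedPath) {
        $prefix = $exclusion.TrimEnd('\') + '\'
        foreach ($mount in $mountPaths) {
            # A mount point strictly below the excluded folder lives on another
            # volume, so the exclusion will not cover files accessed through it.
            if ($mount -ne $prefix -and $mount.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
                New-Object PSObject -Property @{
                    Exclusion    = $exclusion
                    MountPoint   = $mount
                    StillScanned = $true
                }
            }
        }
    }
}

# Constructed sample call; replace with the exclusions from your FCS policy.
Get-FcsExclusionMountPoints -ExcludedPath 'D:\Data', 'C:\Shares\Archive' | Format-Table -AutoSize
```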

This is a known issue, and we apologize for any inconvenience that this might cause.

Thanks,

Chris Kemper, Senior Support Escalation Engineer – MSFT