A hotfix is available to resolve some problems with the Forefront Client Security anti-malware client

Issues that this hotfix package fixes

Issue 1

The malware landscape has evolved, which requires new techniques to detect malware more efficiently.

Resolution

New features to detect new malicious software are added to Forefront Client Security. You must apply this hotfix to enable these new features. This hotfix includes changes to the Forefront Client Security kernel-mode driver.

Issue 2

The Software Explorers component of the anti-malware user interface exits prematurely on a computer that is running Windows 2000 when a shortcut is located in a Windows startup folder.

Resolution

This hotfix implements a change in the way that the COM is used in the Software Explorers component. The change works around an issue that is present in Windows 2000 only. This issue causes the Software Explorers component to exit prematurely.

Issue 3

Although the usage of MpCmdRun.exe -Trace indicates that it traces all levels and all groups, some trace statements are not added to the binary log file. No tracing was available for the kernel-mode mini-filter component.

Resolution

MpCmdRun.exe -Trace is changed to include all levels and all groups. The kernel-mode mini-filter component is updated to again log trace statements to the binary log file.

Issue 4

Forefront Client Security unexpectedly scans files that are stored in network locations when you perform a scan of a client computer that has shortcut files. This is behavior described in the following Knowledge Base article:

Resolution

This issue is resolved by a Forefront Client Security (FCS) scan engine update and through an FCS service update. The way that the FCS engine scans shortcut (.lnk) files is updated. The engine can now be configured to query the path to which the shortcut points. If the path is on the local computer, the engine will scan the referenced location. If the path is a network location, the engine will not scan the reference.

This engine scanning behavior was introduced with the May 2009 engine version 1.1.4701.0, which was released with definition update 1.59.3.0. By default, the new shortcut scanning behavior is not enabled. To enable this feature, you must do all the following:

• Install definition update version 1.59.3.0 or a later version.
• Install the anti-malware client update that is described in this article.
• Apply the policy configuration steps that are described in the "More Information" section in this article.

Issue 5

On a system drive that is a dynamic disk volume, the detected malware causes repeated detections and creates excess files.

Resolution

This issue is corrected so that detections on a system drive that is a dynamic disk volume do not cause repeated detections or unnecessary files.

A supported hotfix is available from Microsoft.

Note This hotfix is available from Microsoft Update and from Windows Server Update Services. If you want to obtain the file for deployment by using a different method, follow these steps:

1. Visit the following Microsoft Update Catalog Web site:
   http://catalog.update.microsoft.com/v7/site/Home.aspx (http://catalog.update.microsoft.com/v7/site/Home.aspx)
2. Type 971026 in the Search box, and then click Search.
3. Click Add to add the hotfix to the basket.
4. Near the search bar at the top, click the view basket link.
5. Click Download.
6. Click Browse, specify the folder to which you want to download the hotfix, and then click OK.
7. Click Continue, and then click I Accept to accept the Microsoft Software License Terms. The hotfix starts to download.
8. Wait until the hotfix is downloaded to the specified location, and then click Close.

Known issue with this update

This hotfix may not be installed when you use Windows Update to install updates on a computer that is running a Server Core installation of Windows Server 2008. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

Prerequisites

There are no prerequisites for installing this hotfix.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix replaces the following hotfixes:

File information

The English version of this hotfix package uses a Microsoft Windows Installer package to install the hotfix package. The dates and the times for these files are listed in Coordinated Universal Time (UTC) in the following table. When you view the file information, the date is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Forefront Client Security, x86-based versions

Forefront Client Security, x64-based versions

By default, the new shortcut scanning behavior that is described in the resolution of Issue 4 is not enabled. To enable this feature, you must install both the engine update and the update that is described in this article. After you install these updates, you must deploy policy to the client to change its default behavior. This policy can be deployed either through the local policy or through Active Directory by using a Group Policy administrative template( ADM) file. The policy settings are not directly deployable through the Forefront Client Security management console. However, they can be added to a file deployment before you use Fcslocalpolicytool.exe to apply the policy.

Policy configuration steps

To deploy the policy, use one of the following two options.

Option 1: Deploy the policy by using an ADM file

1. Create a Group Policy administrative template file.
   1. Start Notepad.
   2. Copy and then paste the following commands into Notepad:

      CLASS MACHINE
      CATEGORY !!FCSCategory
      	POLICY !!NetworkScan_Name
      		KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan"
      		EXPLAIN !!NetworkScan_Explain
      
      		VALUENAME DisableScanningNetworkFiles
      		  VALUEON NUMERIC 1
      		  VALUEOFF NUMERIC 0
      	END POLICY
      END CATEGORY
      
      [strings]
      FCSCategory="Microsoft FCS Scan Configuration"
      NetworkScan_Name="Disable Network Scan"
      NetworkScan_Explain="This setting instructs the FCS antimalware client not to scan referenced network locations."
      

   3. On the File menu, click Save As.
   4. Select a destination, and then type KB971026.adm in the File name box.
   5. In the Save as type box, and then click All Files (*.*).
2. Use the Group Policy administrative template file to deploy policy
   1. Place the KB971026.adm file in a location that is available to the computer deploying policy. For more information about how to manage ADM files, click the following article number to view the article in the Microsoft Knowledge Base:
      816662  (http://support.microsoft.com/kb/816662/ ) Recommendations for managing Group Policy administrative template (.adm) files
   2. Open the group policy editor to the appropriate local or Active Directory based location. Typically, this is done either through the local group policy editor, Active Directory Users and Computers, or the Group Policy Management Console(GPMC).
   3. Expand Computer Configuration, right-click Administrative Templates, click Add/Remove Template.
   4. Click Add.
   5. Click to select the KB971026.adm file that you created in Step 1, and then click Open.
   6. Click Close. The Classic Administrative Templates (ADM) folder is created under Administrative Templates.
   7. On Windows Vista or Windows Server 2008, expand Classic Administrative Templates (ADM), click Microsoft FCS Scan Configuration.
   8. In the right pane, double click Disable Network Scan.
   9. Select Enable, and then click OK.

Option 2: Deploy the policy by modifying the .reg file

1. Use the Forefront Client Security management console to deploy policy to a .reg file. For more information, see the “Registry file deployment section” at the following Microsoft Web site:
   http://technet.microsoft.com/en-us/library/bb418857.aspx (http://technet.microsoft.com/en-us/library/bb418857.aspx)
2. Open Windows Explorer and locate the .reg file.
3. Right-click the .reg file and then click Edit.
4. Scroll to the end of the file, and then add the following two lines to the end of the file:

   [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan]
   "DisableScanningNetworkFiles"=dword:1

5. Save and close the .reg file.
6. Use fcslocalpolicytool.exe to import the .reg file on the desired computer. For more information, see the “Registry file deployment section” at the following Microsoft Web site:
   http://technet.microsoft.com/en-us/library/bb418857.aspx (http://technet.microsoft.com/en-us/library/bb418857.aspx)

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.