Real-time protection fails on Windows 2000 after you apply the Forefront Client Security October 2010 update

Article ID: 2459065 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

Client Security antimalware agents running on Windows 2000 do not properly detect malware via on-access protection after applying the Forefront Client Security October 2010 antimalware update described in the following articles:
2394433
(http://support.microsoft.com/kb/2394433/ )
Forefront Client Security antimalware client update: October 2010
2394439
(http://support.microsoft.com/kb/2394439 / )
Forefront Client Security deployment package (1.0.1728.0): October 2010

Client Security antimalware agents running on Windows 2000 will also produce two FCSAM 3002 error events in the System log:

10/25/2010 01:55:53 PM FCSAM Error 3002 SRV

Microsoft Forefront Client Security Real-Time Protection agent has encountered an error and failed.

User: NT AUTHORITY\SYSTEM

Agent: On Access

Error Code: 0x8007007f

Error description: The specified procedure could not be found.



These errors are sent to the FCS Collection server and are shown in the FCS management dashboard as Reporting Critical Issues. Affected computers will also be represented in the Computers Per Issue section under Alerts detected.

Back to the top | Give Feedback

CAUSE

Microsoft has identified an issue in the Forefront Client Security agent on Windows 2000 which prevents the kernel-mode mini-filter driver, mpfilter.sys, from properly loading. This issue is specific to agents running on Windows 2000 and the Client Security October update and does not occur on other operating systems.
Back to the top | Give Feedback

RESOLUTION

Hotfix Information

A supported hotfix is available from Microsoft. This fix applies only to Forefront Client Security agents running on Windows 2000.

Note This hotfix is available from Microsoft Update and from Windows Server Update Services. If you want to obtain the file for deployment by using a different method, follow these steps:
  1. Visit the following Microsoft Update Catalog Web site: http://catalog.update.microsoft.com/v7/site/Home.aspx
    (http://catalog.update.microsoft.com/v7/site/Home.aspx)
  2. Type 2459065 in the Search box, and then click Search.
  3. Click Add to add the hotfix to the basket.
  4. Click Download.
  5. Click Browse, specify the folder to which you want to download the hotfix, and then click OK.
  6. Click Continue, and then click I Accept to accept the Microsoft Software License Terms.
  7. When the update is downloaded to the location that you specified, click Close

Prerequisites

There are no prerequisites for installing this hotfix.

Restart requirement

You may be required restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix replaces the anti-malware client that is deployed by using the Forefront Client Security deployment package (1.0.1725.0) on a computer.
976669
(http://support.microsoft.com/kb/976669/ )
Forefront Client Security deployment package (1.0.1725.0): December 2009
This hotfix replaces the following hotfixes:
979536
(http://support.microsoft.com/kb/979536/ )
Forefront Client Security anti-malware client update: April 2010
976668
(http://support.microsoft.com/kb/976668/ )
Forefront Client Security anti-malware client update: December 2009
971026
(http://support.microsoft.com/kb/971026/ )
A hotfix is available to resolve some problems with the Forefront Client Security anti-malware client
952265
(http://support.microsoft.com/kb/952265/ )
Data corruption may occur on a computer that has Forefront Client Security installed
938054
(http://support.microsoft.com/kb/938054/ )
A hotfix is available to resolve some problems with the Forefront Client Security client
956280
(http://support.microsoft.com/kb/956280/ )
The Forefront Client Security kernel-mode mini-filter unloads when you browse a network file share that contains many malicious files

File information

The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Forefront Client Security, x86-based versions
Collapse this tableExpand this table
File nameFile versionFile sizeDateTime
Amhelp.chm65,21619-Jul-201000:51
Mpasbase.vdm1.0.0.0572,72019-Jul-201000:52
Mpasdesc.dll1.5.1994.049,02411-Nov-201003:31
Mpasdlta.vdm1.0.0.09,00819-Jul-201000:52
Mpavbase.vdm1.0.0.0204,62419-Jul-201000:52
Mpavdlta.vdm1.0.0.09,04019-Jul-201000:52
Mpavrtm.dll1.5.1994.0128,38411-Nov-201002:48
Mpclient.dll1.5.1994.0366,97611-Nov-201002:48
Mpcmdrun.exe1.5.1994.0349,06411-Nov-201002:39
Mpengine.dll1.1.3520.03,308,62419-Jul-201000:52
Mpevmsg.dll1.5.1994.023,42411-Nov-201003:31
Mpfilter.sys1.5.1969.069,61610-Nov-201019:17
Mpoav.dll1.5.1994.092,03211-Nov-201002:48
Mprtmon.dll1.5.1994.0731,00811-Nov-201002:48
Mpsigdwn.dll1.5.1994.0129,92011-Nov-201002:48
Mpsoftex.dll1.5.1994.0518,01611-Nov-201002:48
Mpsvc.dll1.5.1994.0319,36011-Nov-201002:48
Mputil.dll1.5.1994.0177,02411-Nov-201002:48
Msascui.exe1.5.1994.01,033,60011-Nov-201002:48
Msmpcom.dll1.5.1994.0221,05611-Nov-201002:48
Msmpeng.exe1.5.1994.016,89611-Nov-201002:39
Msmplics.dll1.5.1994.09,08811-Nov-201002:48
Msmpres.dll1.5.1994.0766,33611-Nov-201003:31

Workaround

If either of the updates in the Symptom section are manually installed you must uninstall the Forefront Client Security October 2010 antimalware update on computers running Windows 2000 and install this update (KB2459065). You can uninstall the October 2010 update using one of the following methods:
  • From a command line or script, run: msiexec.exe /x {A22989EE-AE7A-42F8-A0C0-9C99CFB644FB} /qn
  • From the Add/Remove Programs applet, uninstall "Microsoft Forefront Client Security antimalware service"

In a properly functioning WSUS environment, after you uninstall the October 2010 update this version of the antimalware client will redeploy during the next Automatic Updates detection and installation cycle by applying the slipstream package described in the "More Information" section below. Alternatively, you may use the steps in the "Hotfix Information" section of this following article to manually download and install the Forefront Client Security antimalware agent on the affected computers after uninstalling the October 2010 update.

STATUS

Microsoft has confirmed that this is a bug in the Microsoft products that are listed in the "Applies to" section.

Back to the top | Give Feedback

MORE INFORMATION




This update is a replacement for the October 2010(KB2394433) release for Client Security agents running on Windows 2000. This update is included in a new slipstream installation package of the Forefront Client Security client software also for Windows 2000 SP4 agents. For more information about the slipstream installation package, click the following article number to view the article in the Microsoft Knowledge Base:
2464613
(http://support.microsoft.com/kb/2464613/ )
Forefront Client Security deployment package (1.0.1732.0) for Windows 2000 SP4

Applicability

To determine if this issue affects you, consider the following:
  • The computer operating system is Windows 2000
  • Forefront Client Security October 2010 antimalware update is installed. This can be determined by verifying the verison of %programfiles%\Microsoft Forefront\Client Security\Client\antimalware\mpclient.dll is exactly 1.5.1993.0.
If both of these are true, then this issue is applicable and you should perform the steps in the workaround.


Back to the top | Give Feedback

Properties

Article ID: 2459065 - Last Review: November 23, 2010 - Revision: 2.0
APPLIES TO
  • Microsoft Forefront Client Security
Keywords: 
KB2459065
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top