The Forefront Client Security kernel-mode mini-filter unloads when you browse a network file share that contains many malicious files

Article translations Article translations
Article ID: 956280 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

When you browse a network file share that contains many malicious files, an error may occur that causes the Microsoft Forefront Client Security kernel-mode mini-filter to unload. Additionally, an event that resembles the following may be logged in the System log:
Log Name:      System
Source:        Microsoft-Windows-FilterManager
Date:          Date Time
Event ID:      1
Task Category: None
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      <Computer Name>
Description:
File System Filter 'MpFilter' (Version 6.0, 4/23/2008 2:58:29 AM) unloaded successfully.

CAUSE

There is a timing issue with the filter manager communication channel that Forefront Client Security uses to communicate between its kernel-mode mini-filter and the scanning service. This issue may result in unexpected errors, such as the following error:
ERROR_NO_ACCESS
When this error occurs, it causes the mini-filter to unload.

RESOLUTION

Hotfix information

A supported hotfix is now available from Microsoft.

Note This hotfix is available from Microsoft Update and from Windows Server Update Services. If you want to obtain the file for deployment by using a different method, follow these steps:
  1. Visit the following Microsoft Update Catalog Web site:
    http://catalog.update.microsoft.com/v7/site/Home.aspx
  2. Type 956280 in the Search box, and then click Search.
  3. Click Add to add the hotfix to the basket.
  4. Near the search bar at the top, click the view basket link.
  5. Click Download.
  6. Click Browse, specify the folder to which you want to download the hotfix, and then click OK.
  7. Click Continue, and then click I Accept to accept the Microsoft Software License Terms. The hotfix starts to download.
  8. Wait until the hotfix is downloaded to the specified location, and then click Close.

Known issue with this update

When you use Windows Update to install updates on a computer that is running a Server Core installation of Windows Server 2008, this hotfix may not be installed. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
955884 The update for Forefront Client Security (update 952265) may not be installed on a Server Core installation of Windows Server 2008 when you use Windows Update

Prerequisites

There are no prerequisites for installing this hotfix.

Restart information

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix replaces the hotfixes that are described in the Microsoft Knowledge Base (KB) articles, KB952265 and KB938054.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Forefront Client Security, x86-based versions
Collapse this tableExpand this table
File nameFile versionFile sizeDateTime
Amhelp.chmNot Applicable65,21607-Mar-200721:43
Mpasbase.vdm1.0.0.0572,72007-Mar-200721:44
Mpasdesc.dll1.5.1958.052,27209-Jul-200821:26
Mpasdlta.vdm1.0.0.09,00807-Mar-200721:44
Mpavbase.vdm1.0.0.0204,62407-Mar-200721:44
Mpavdlta.vdm1.0.0.09,04007-Mar-200721:44
Mpavrtm.dll1.5.1958.0130,60809-Jul-200821:08
Mpclient.dll1.5.1958.0369,71209-Jul-200821:08
Mpcmdrun.exe1.5.1958.0350,36009-Jul-200821:05
Mpengine.dll1.1.3520.03,308,62415-May-200820:15
Mpevmsg.dll1.5.1958.026,67209-Jul-200821:26
Mpfilter.sys1.5.1954.053,16815-May-200820:15
Mpoav.dll1.5.1958.095,28009-Jul-200821:08
Mprtmon.dll1.5.1958.0734,25609-Jul-200821:08
Mpsigdwn.dll1.5.1958.0133,16809-Jul-200821:08
Mpsoftex.dll1.5.1958.0521,26409-Jul-200821:08
Mpsvc.dll1.5.1958.0307,76009-Jul-200821:08
Mputil.dll1.5.1958.0180,27209-Jul-200821:08
Msascui.exe1.5.1958.01,036,84809-Jul-200821:08
Msmpcom.dll1.5.1958.0224,30409-Jul-200821:08
Msmpeng.exe1.5.1958.018,70409-Jul-200821:05
Msmplics.dll1.5.1958.012,33609-Jul-200821:08
Msmpres.dll1.5.1958.0769,58409-Jul-200821:26
Forefront Client Security, x64-based versions
Collapse this tableExpand this table
File nameFile versionFile sizeDateTime
Amhelp.chmNot Applicable65,21607-Mar-200721:43
Mpasbase.vdm1.0.0.0572,72007-Mar-200721:44
Mpasdesc.dll1.5.1958.052,78410-Jul-200800:09
Mpasdlta.vdm1.0.0.09,00807-Mar-200721:44
Mpavbase.vdm1.0.0.0204,62407-Mar-200721:44
Mpavdlta.vdm1.0.0.09,04007-Mar-200721:44
Mpavrtm.dll1.5.1958.0156,20809-Jul-200823:51
Mpclient.dll1.5.1958.0549,93609-Jul-200823:51
Mpcmdrun.exe1.5.1958.0506,43209-Jul-200823:49
Mpengine.dll1.1.3520.04,431,95215-May-200820:15
Mpevmsg.dll1.5.1958.026,67210-Jul-200800:09
Mpfilter.sys1.5.1954.067,12015-May-200820:15
Mpoav.dll1.5.1958.0120,88009-Jul-200823:51
Mprtmon.dll1.5.1958.01,184,30409-Jul-200823:51
Mpsigdwn.dll1.5.1958.0182,83209-Jul-200823:51
Mpsoftex.dll1.5.1958.0794,67209-Jul-200823:51
Mpsvc.dll1.5.1958.0419,37609-Jul-200823:51
Mputil.dll1.5.1958.0250,41609-Jul-200823:51
Msascui.exe1.5.1958.01,639,98409-Jul-200823:51
Msmpcom.dll1.5.1958.0308,78409-Jul-200823:51
Msmpeng.exe1.5.1958.018,19209-Jul-200823:49
Msmplics.dll1.5.1958.012,33609-Jul-200823:51
Msmpres.dll1.5.1958.0767,53610-Jul-200800:09

Properties

Article ID: 956280 - Last Review: January 20, 2011 - Revision: 2.0
APPLIES TO
  • Microsoft Forefront Client Security
Keywords: 
kbfix kbexpertiseinter kbqfe fep2010swept KB956280

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com