Article ID: 971026 - View products that this article applies to.
This article describes the Microsoft Forefront Client Security (FCS) anti-malware client issues that are fixed in the hotfix package for Forefront Client Security.
Issues that this hotfix package fixes
Issue 1The malware landscape has evolved, which requires new techniques to detect malware more efficiently.
ResolutionNew features to detect new malicious software are added to Forefront Client Security. You must apply this hotfix to enable these new features. This hotfix includes changes to the Forefront Client Security kernel-mode driver.
Issue 2The Software Explorers component of the anti-malware user interface exits prematurely on a computer that is running Windows 2000 when a shortcut is located in a Windows startup folder.
ResolutionThis hotfix implements a change in the way that the COM is used in the Software Explorers component. The change works around an issue that is present in Windows 2000 only. This issue causes the Software Explorers component to exit prematurely.
Issue 3Although the usage of MpCmdRun.exe -Trace indicates that it traces all levels and all groups, some trace statements are not added to the binary log file. No tracing was available for the kernel-mode mini-filter component.
ResolutionMpCmdRun.exe -Trace is changed to include all levels and all groups. The kernel-mode mini-filter component is updated to again log trace statements to the binary log file.
Issue 4Forefront Client Security unexpectedly scans files that are stored in network locations when you perform a scan of a client computer that has shortcut files. This is behavior described in the following Knowledge Base article:
(http://support.microsoft.com/kb/939361/ )Forefront Client Security unexpectedly scans files that are stored in network locations when you perform a full scan of a client computer
ResolutionThis issue is resolved by a Forefront Client Security (FCS) scan engine update and through an FCS service update. The way that the FCS engine scans shortcut (.lnk) files is updated. The engine can now be configured to query the path to which the shortcut points. If the path is on the local computer, the engine will scan the referenced location. If the path is a network location, the engine will not scan the reference.
This engine scanning behavior was introduced with the May 2009 engine version 1.1.4701.0, which was released with definition update 18.104.22.168. By default, the new shortcut scanning behavior is not enabled. To enable this feature, you must do all the following:
Issue 5On a system drive that is a dynamic disk volume, the detected malware causes repeated detections and creates excess files.
ResolutionThis issue is corrected so that detections on a system drive that is a dynamic disk volume do not cause repeated detections or unnecessary files.
Issue 6The Windows 7 Actions Center produces a Virus Protection message: “Forefront Client Security is on but is reporting its status to Windows Security Center in a format that is no longer supported. Use the program’s automatic updating feature, or contact the program manufacture for an updated version.”
ResolutionThis update contains changes in how Forefront Client Security interacts with the Windows Security Center and is required for support on Windows 7.
A supported hotfix is available from Microsoft.
Note This hotfix is available from Microsoft Update and from Windows Server Update Services. If you want to obtain the file for deployment by using a different method, follow these steps:
Known issue with this updateThis hotfix may not be installed when you use Windows Update to install updates on a computer that is running a Server Core installation of Windows Server 2008. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/955884/ )The update for Forefront Client Security (update 952265) may not be installed on a Server Core installation of Windows Server 2008 when you use Windows Update
PrerequisitesThere are no prerequisites for installing this hotfix.
Restart requirementYou must restart the computer after you apply this hotfix.
Hotfix replacement informationThis hotfix replaces the following hotfixes:
(http://support.microsoft.com/kb/952265/ )Data corruption may occur on a computer that has Forefront Client Security installed
(http://support.microsoft.com/kb/938054/ )A hotfix is available to resolve some problems with the Forefront Client Security client
(http://support.microsoft.com/kb/956280/ )The Forefront Client Security kernel-mode mini-filter unloads when you browse a network file share that contains many malicious files
File informationThe English version of this hotfix package uses a Microsoft Windows Installer package to install the hotfix package. The dates and the times for these files are listed in Coordinated Universal Time (UTC) in the following table. When you view the file information, the date is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Forefront Client Security, x86-based versions
Collapse this tableExpand this table
Forefront Client Security, x64-based versions
Collapse this tableExpand this table
By default, the new shortcut scanning behavior that is described in the resolution of Issue 4 is not enabled. To enable this feature, you must install both the engine update and the update that is described in this article. After you install these updates, you must deploy policy to the client to change its default behavior. This policy can be deployed either through the local policy or through Active Directory by using a Group Policy administrative template( ADM) file. The policy settings are not directly deployable through the Forefront Client Security management console. However, they can be added to a file deployment before you use Fcslocalpolicytool.exe to apply the policy.
Policy configuration stepsTo deploy the policy, use one of the following two options.
Option 1: Deploy the policy by using an ADM file
Option 2: Deploy the policy by modifying the .reg file.
Fix it for meTo let the Fix it package fix this problem automatically, follow these steps:
Fix this problem
Microsoft Fix it 50502
Note: This MSI package can be run in silent mode by importing a registry file. Specifically, you can run the MSI package by using the following syntax:
msiexec.exe /i <MSI path and Name> /qn FIXITTARGETDIR=”<File path and Name>”Notice that all the characters of the FIXITTARGETDIR property must be uppercase. In addition, the file path must be full path.
An example of silent installation is as follows:
msiexec.exe /i c:\temp\MicrosoftFixit50502.msi /qn FIXITTARGETDIR=”c:\temp\Scan.reg”
Note This wizard may be in English only; however, the automatic fix also work for other language versions of Windows.
Note If you are not on the computer that has the problem, you can save this automatic fix to a flash drive or to a CD so that you can run it on the computer that has the problem.
Let me fix it myselfTo modify the .reg file yourself, follow these steps:
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Article ID: 971026 - Last Review: January 20, 2011 - Revision: 4.0