A hotfix is available to resolve some problems with the Forefront Client Security anti-malware client

Article ID: 971026

INTRODUCTION

This article describes the Microsoft Forefront Client Security (FCS) anti-malware client issues that are fixed in the hotfix package for Forefront Client Security.

Issues that this hotfix package fixes

Issue 1

The malware landscape has evolved, which requires new techniques to detect malware more efficiently.
Resolution
New features to detect new malicious software are added to Forefront Client Security. You must apply this hotfix to enable these new features. This hotfix includes changes to the Forefront Client Security kernel-mode driver.

Issue 2

The Software Explorers component of the anti-malware user interface exits prematurely on a computer that is running Windows 2000 when a shortcut is located in a Windows startup folder.
Resolution
This hotfix implements a change in the way that the COM is used in the Software Explorers component. The change works around an issue that is present in Windows 2000 only. This issue causes the Software Explorers component to exit prematurely.

Issue 3

Although the usage text for MpCmdRun.exe -Trace indicates that it traces all levels and all groups, some trace statements are not added to the binary log file. In addition, no tracing is available for the kernel-mode mini-filter component.
Resolution
MpCmdRun.exe -Trace is changed to include all levels and all groups. The kernel-mode mini-filter component is updated to again log trace statements to the binary log file.

Issue 4

Forefront Client Security unexpectedly scans files that are stored in network locations when you perform a scan of a client computer that has shortcut files. This behavior is described in the following Knowledge Base article:
939361 Forefront Client Security unexpectedly scans files that are stored in network locations when you perform a full scan of a client computer
Resolution
This issue is resolved by a Forefront Client Security (FCS) scan engine update and through an FCS service update. The way that the FCS engine scans shortcut (.lnk) files is updated. The engine can now be configured to query the path to which the shortcut points. If the path is on the local computer, the engine will scan the referenced location. If the path is a network location, the engine will not scan the reference.

This engine scanning behavior was introduced with the May 2009 engine version 1.1.4701.0, which was released with definition update 1.59.3.0. By default, the new shortcut scanning behavior is not enabled. To enable this feature, you must do all the following:
  • Install definition update version 1.59.3.0 or a later version.
  • Install the anti-malware client update that is described in this article.
  • Apply the policy configuration steps that are described in the "More Information" section in this article.

Issue 5

On a system drive that is a dynamic disk volume, detected malware causes repeated detections and creates excess files.
Resolution
This issue is corrected so that detections on a system drive that is a dynamic disk volume do not cause repeated detections or unnecessary files.

Issue 6

The Windows 7 Action Center produces a Virus Protection message: “Forefront Client Security is on but is reporting its status to Windows Security Center in a format that is no longer supported. Use the program’s automatic updating feature, or contact the program manufacture for an updated version.”
Resolution
This update contains changes in how Forefront Client Security interacts with the Windows Security Center and is required for support on Windows 7.

Hotfix information

A supported hotfix is available from Microsoft.

Note This hotfix is available from Microsoft Update and from Windows Server Update Services. If you want to obtain the file for deployment by using a different method, follow these steps:
  1. Visit the following Microsoft Update Catalog Web site:
    http://catalog.update.microsoft.com/v7/site/Home.aspx
  2. Type 971026 in the Search box, and then click Search.
  3. Click Add to add the hotfix to the basket.
  4. Near the search bar at the top, click the view basket link.
  5. Click Download.
  6. Click Browse, specify the folder to which you want to download the hotfix, and then click OK.
  7. Click Continue, and then click I Accept to accept the Microsoft Software License Terms. The hotfix starts to download.
  8. Wait until the hotfix is downloaded to the specified location, and then click Close.

Known issue with this update

This hotfix may not be installed when you use Windows Update to install updates on a computer that is running a Server Core installation of Windows Server 2008. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
955884 The update for Forefront Client Security (update 952265) may not be installed on a Server Core installation of Windows Server 2008 when you use Windows Update

Prerequisites

There are no prerequisites for installing this hotfix.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix replaces the following hotfixes:
952265 Data corruption may occur on a computer that has Forefront Client Security installed
938054 A hotfix is available to resolve some problems with the Forefront Client Security client
956280 The Forefront Client Security kernel-mode mini-filter unloads when you browse a network file share that contains many malicious files

File information

The English version of this hotfix package uses a Microsoft Windows Installer package to install the hotfix package. The dates and the times for these files are listed in Coordinated Universal Time (UTC) in the following table. When you view the file information, the date is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Forefront Client Security, x86-based versions

File name       File version     File size    Date          Time
Amhelp.chm      Not Applicable   65,216       28-Oct-2008   17:55
Mpasbase.vdm    1.0.0.0          572,720      28-Oct-2008   17:58
Mpasdesc.dll    1.5.1972.0       49,024       03-Jun-2009   22:48
Mpasdlta.vdm    1.0.0.0          9,008        28-Oct-2008   17:58
Mpavbase.vdm    1.0.0.0          204,624      28-Oct-2008   17:58
Mpavdlta.vdm    1.0.0.0          9,040        28-Oct-2008   17:58
Mpavrtm.dll     1.5.1972.0       128,368      03-Jun-2009   22:29
Mpclient.dll    1.5.1972.0       366,448      03-Jun-2009   22:29
Mpcmdrun.exe    1.5.1972.0       349,048      03-Jun-2009   22:26
Mpengine.dll    1.1.3520.0       3,308,624    28-Oct-2008   17:57
Mpevmsg.dll     1.5.1972.0       23,424       03-Jun-2009   22:48
Mpfilter.sys    1.5.1969.0       69,616       15-May-2009   17:35
Mpoav.dll       1.5.1972.0       92,016       03-Jun-2009   22:29
Mprtmon.dll     1.5.1972.0       730,992      03-Jun-2009   22:29
Mpsigdwn.dll    1.5.1972.0       129,920      03-Jun-2009   22:29
Mpsoftex.dll    1.5.1972.0       518,016      03-Jun-2009   22:29
Mpsvc.dll       1.5.1972.0       304,512      03-Jun-2009   22:29
Mputil.dll      1.5.1972.0       177,024      03-Jun-2009   22:29
Msascui.exe     1.5.1972.0       1,033,600    03-Jun-2009   22:29
Msmpcom.dll     1.5.1972.0       221,040      03-Jun-2009   22:29
Msmpeng.exe     1.5.1972.0       16,880       03-Jun-2009   22:26
Msmplics.dll    1.5.1972.0       9,088        03-Jun-2009   22:29
Msmpres.dll     1.5.1972.0       766,336      03-Jun-2009   22:48

Forefront Client Security, x64-based versions

File name       File version     File size    Date          Time
Amhelp.chm      Not Applicable   65,216       28-Oct-2008   17:55
Mpasbase.vdm    1.0.0.0          572,720      28-Oct-2008   17:58
Mpasdesc.dll    1.5.1972.0       49,520       04-Jun-2009   00:36
Mpasdlta.vdm    1.0.0.0          9,008        28-Oct-2008   17:58
Mpavbase.vdm    1.0.0.0          204,624      28-Oct-2008   17:58
Mpavdlta.vdm    1.0.0.0          9,040        28-Oct-2008   17:58
Mpavrtm.dll     1.5.1972.0       154,496      04-Jun-2009   00:17
Mpclient.dll    1.5.1972.0       546,688      04-Jun-2009   00:17
Mpcmdrun.exe    1.5.1972.0       504,608      04-Jun-2009   00:15
Mpengine.dll    1.1.3520.0       4,431,952    28-Oct-2008   17:57
Mpevmsg.dll     1.5.1972.0       23,408       04-Jun-2009   00:36
Mpfilter.sys    1.5.1969.0       88,944       15-May-2009   17:35
Mpoav.dll       1.5.1972.0       117,632      04-Jun-2009   00:17
Mprtmon.dll     1.5.1972.0       1,181,056    04-Jun-2009   00:17
Mpsigdwn.dll    1.5.1972.0       179,584      04-Jun-2009   00:17
Mpsoftex.dll    1.5.1972.0       791,424      04-Jun-2009   00:17
Mpsvc.dll       1.5.1972.0       416,128      04-Jun-2009   00:17
Mputil.dll      1.5.1972.0       247,168      04-Jun-2009   00:17
Msascui.exe     1.5.1972.0       1,636,736    04-Jun-2009   00:17
Msmpcom.dll     1.5.1972.0       305,536      04-Jun-2009   00:17
Msmpeng.exe     1.5.1972.0       16,368       04-Jun-2009   00:15
Msmplics.dll    1.5.1972.0       9,088        04-Jun-2009   00:17
Msmpres.dll     1.5.1972.0       764,288      04-Jun-2009   00:36

MORE INFORMATION

By default, the new shortcut scanning behavior that is described in the resolution of Issue 4 is not enabled. To enable this feature, you must install both the engine update and the update that is described in this article. After you install these updates, you must deploy policy to the client to change its default behavior. This policy can be deployed either through the local policy or through Active Directory by using a Group Policy administrative template (ADM) file. The policy settings are not directly deployable through the Forefront Client Security management console. However, they can be added to a file deployment before you use Fcslocalpolicytool.exe to apply the policy.

Policy configuration steps

To deploy the policy, use one of the following two options.

Option 1: Deploy the policy by using an ADM file

  1. Create a Group Policy administrative template file.
    1. Start Notepad.
    2. Copy and then paste the following commands into Notepad:
      CLASS MACHINE
      CATEGORY !!FCSCategory
      	POLICY !!NetworkScan_Name
      		KEYNAME "SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan"
      		EXPLAIN !!NetworkScan_Explain
      
      		VALUENAME DisableScanningNetworkFiles
      		  VALUEON NUMERIC 1
      		  VALUEOFF NUMERIC 0
      	END POLICY
      END CATEGORY
      
      [strings]
      FCSCategory="Microsoft FCS Scan Configuration"
      NetworkScan_Name="Disable Network Scan"
      NetworkScan_Explain="This setting instructs the FCS antimalware client not to scan referenced network locations."
      
    3. On the File menu, click Save As.
    4. Select a destination, and then type KB971026.adm in the File name box.
    5. In the Save as type box, click All Files (*.*).
  2. Use the Group Policy administrative template file to deploy policy.
    1. Place the KB971026.adm file in a location that is available to the computer deploying policy. For more information about how to manage ADM files, click the following article number to view the article in the Microsoft Knowledge Base:
      816662 Recommendations for managing Group Policy administrative template (.adm) files
    2. Open the Group Policy editor to the appropriate local or Active Directory-based location. Typically, this is done through the local Group Policy editor, Active Directory Users and Computers, or the Group Policy Management Console (GPMC).
    3. Expand Computer Configuration, right-click Administrative Templates, and then click Add/Remove Template.
    4. Click Add.
    5. Click to select the KB971026.adm file that you created in Step 1, and then click Open.
    6. Click Close. The Classic Administrative Templates (ADM) folder is created under Administrative Templates.
    7. On Windows Vista or Windows Server 2008, expand Classic Administrative Templates (ADM), and then click Microsoft FCS Scan Configuration.
    8. In the right pane, double-click Disable Network Scan.
    9. Select Enable, and then click OK.

Option 2: Deploy the policy by modifying the .reg file


Fix it for me

To let the Fix it package fix this problem automatically, follow these steps:
  1. Use the Forefront Client Security management console to deploy policy to a .reg file. For more information, see the "Registry file deployment" section at the following Microsoft Web site:
    http://technet.microsoft.com/en-us/library/bb418857.aspx
  2. Click the Fix this problem link, and then click Run in the File Download dialog box.
  3. Follow the instructions in the wizard that pops up.

Fix this problem
Microsoft Fix it 50502


Note:
This MSI package can be run in silent mode by importing a registry file. Specifically, you can run the MSI package by using the following syntax:

msiexec.exe /i <MSI path and Name> /qn FIXITTARGETDIR="<File path and Name>"
Notice that all the characters of the FIXITTARGETDIR property must be uppercase. In addition, the file path must be a full path.

An example of silent installation is as follows:
msiexec.exe /i c:\temp\MicrosoftFixit50502.msi /qn FIXITTARGETDIR="c:\temp\Scan.reg"


Note This wizard may be in English only; however, the automatic fix also works for other language versions of Windows.

Note If you are not on the computer that has the problem, you can save this automatic fix to a flash drive or to a CD so that you can run it on the computer that has the problem.


Let me fix it myself

To modify the .reg file yourself, follow these steps:
  1. Use the Forefront Client Security management console to deploy policy to a .reg file. For more information, see the "Registry file deployment" section at the following Microsoft Web site:
    http://technet.microsoft.com/en-us/library/bb418857.aspx
  2. Open Windows Explorer and locate the .reg file.
  3. Right-click the .reg file and then click Edit.
  4. Scroll to the end of the file, and then add the following two lines to the end of the file:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan]
    "DisableScanningNetworkFiles"=dword:1
  5. Save and close the .reg file.
  6. Use fcslocalpolicytool.exe to import the .reg file on the desired computer. For more information, see the "Registry file deployment" section at the following Microsoft Web site:
    http://technet.microsoft.com/en-us/library/bb418857.aspx
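
A post-deployment check for the steps above, added here as an example and not part of the original article or of Microsoft's tooling: it compares a few client binaries with the versions in the file tables and reads the policy value from the key given in Option 1. The -ClientDir parameter and the default driver folder are assumptions; the definition update version is not checked.

```powershell
# Added example (not from the KB article): audit one client for the hotfix
# binaries and the DisableScanningNetworkFiles policy described above.
param(
    # Assumption: folder that holds the FCS anti-malware binaries on this client.
    [Parameter(Mandatory = $true)][string]$ClientDir,
    # Assumption: the mini-filter driver is in the standard drivers folder.
    [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers')
)

# Versions from the article's file tables (identical for x86 and x64).
$expected = [ordered]@{
    'Mpfilter.sys' = [version]'1.5.1969.0'
    'Msmpeng.exe'  = [version]'1.5.1972.0'
    'Mpsvc.dll'    = [version]'1.5.1972.0'
    'Mpcmdrun.exe' = [version]'1.5.1972.0'
    'Msascui.exe'  = [version]'1.5.1972.0'
}

$report = foreach ($name in $expected.Keys) {
    $dir   = if ($name -like '*.sys') { $DriverDir } else { $ClientDir }
    $path  = Join-Path $dir $name
    $found = $null
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        # Build the version from the numeric parts; the FileVersion string can carry extra text.
        $found = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    }
    [pscustomobject]@{
        Item     = $name
        Expected = ">= $($expected[$name])"
        Found    = if ($found) { "$found" } else { 'missing' }
        Ok       = ($null -ne $found) -and ($found -ge $expected[$name])
    }
}

# Policy key and value name exactly as given in the article.
$key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Scan'
$prop  = Get-ItemProperty -LiteralPath $key -Name DisableScanningNetworkFiles -ErrorAction SilentlyContinue
$value = if ($prop) { $prop.DisableScanningNetworkFiles } else { $null }
$report = @($report) + [pscustomobject]@{
    Item     = 'DisableScanningNetworkFiles'
    Expected = '1'
    Found    = if ($null -ne $value) { "$value" } else { 'not set' }
    Ok       = ($value -eq 1)
}

$report | Format-Table -AutoSize
# A non-zero exit code lets a deployment or inventory job flag the client.
if (@($report | Where-Object { -not $_.Ok }).Count) { exit 1 }
```

A client that reports the policy value as 1 does not scan the network targets of shortcut files, so the output also serves as an inventory of where that coverage has been turned off.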

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Properties

Article ID: 971026 - Last Review: January 20, 2011 - Revision: 4.0
APPLIES TO
  • Microsoft Forefront Client Security
Keywords: 
kbexpertiseinter kbsurveynew kbqfe kbmsifixme kbfix fep2010swept KB971026
