INTRODUCTION

This article describes the Microsoft Forefront Client Security (FCS) anti-malware client issues that are fixed in this hotfix package.

Issues that this hotfix package fixes

Issue 1

Forefront Client Security real-time protection detects, suspends, and takes action against malware threats. After a threat is suspended, the user is notified. The user may be given an option to decide which action is taken, depending on the configuration of the client. If no action is taken after 10 minutes, then a default action that is defined either by policy or by definitions is executed. During this time, the malware threats are suspended and cannot be read or executed by other applications.

This real-time protection delay period is implemented by a user interface process. If a user does not log on to the computer, then this process does not run. Therefore, FCS does not take action on the suspended malware.

Workaround

When malware is detected by real-time protection, the malware is suspended and cannot be read or executed by other applications. This behavior occurs both when a user is logged on to the computer and when a user is not logged on to the computer. Therefore, the computer is under protection. However, the malware still resides on the disk.

If a user logs on to the computer after the malware is detected, they are notified in the user interface and the real-time protection delay period begins.

When you deploy a policy to client computers, FCS takes action automatically on malware detected during scheduled scans. If you perform a scheduled full scan of the computer, action is taken against any malware that is detected and suspended after the scan is finished. A full scan includes all hard disk drives on the computer and takes action regardless of whether a user is logged on to the computer during the scan.

Resolution

This update adds an additional timer to the malware protection service. This additional timer implements the real-time protection delay period. Therefore, the default action that is defined either by policy or by definitions is executed when no user is logged on to the computer.

Issue 2

A change to the libraries of the Driver Install Frameworks (DIFx) for Applications is described under the "Issue 1" heading in the "Resolution" section of the following Knowledge Base (KB) article:

976668 Forefront Client Security anti-malware client update: December 2009

Many automated installation methods install updates by using the LocalSystem account. For example, Automatic Updates and System Center Configuration Manager use the LocalSystem account for updates. When hotfix 976668 is installed by using the LocalSystem account on a Windows 2000-based computer, the update fails and the following error is logged in the Mp_ambits.log file:

DIFXAPP: INFO: creating HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\DIFxApp\Components\{153AA63E-3BFD-495C-A35F-85F66650141D} (User's SID: 'S-1-5-18') ...
DIFXAPP: ERROR 0x57 encountered while creating subkey for component '{153AA63E-3BFD-495C-A35F-85F66650141D}'
DIFXAPP: RETURN: ProcessDriverPackages() 87 (0x57)

Workaround

To install the update that is described in KB 976668 on a Windows 2000-based computer, log on to the computer as an interactive user, and then run the update. To obtain the update, use the Microsoft Update Web site by using a Web browser, or download and then run the update from the Microsoft Update catalog that is described in KB 976668.
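
A triage check for the failure signature quoted above, added here as an example and not part of the original article or of FCS. The function name `triage_difxapp` is hypothetical and the patterns are derived only from the three log lines shown on this page, so other DIFxApp log formats are not covered.

```python
import re

# The three Mp_ambits.log lines quoted in this article, embedded so the
# example runs offline.
SAMPLE_LOG = r"""DIFXAPP: INFO: creating HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\DIFxApp\Components\{153AA63E-3BFD-495C-A35F-85F66650141D} (User's SID: 'S-1-5-18') ...
DIFXAPP: ERROR 0x57 encountered while creating subkey for component '{153AA63E-3BFD-495C-A35F-85F66650141D}'
DIFXAPP: RETURN: ProcessDriverPackages() 87 (0x57)
"""

LOCAL_SYSTEM_SID = "S-1-5-18"   # well-known SID of the LocalSystem account
ERROR_INVALID_PARAMETER = 0x57  # Win32 error 87

SID_RE = re.compile(r"DIFXAPP: INFO: creating HKEY_USERS\\.*\(User's SID: '(S-[\d-]+)'\)")
ERR_RE = re.compile(r"DIFXAPP: ERROR (0x[0-9A-Fa-f]+) encountered while creating subkey "
                    r"for component '(\{[0-9A-Fa-f-]+\})'")
RET_RE = re.compile(r"DIFXAPP: RETURN: ProcessDriverPackages\(\) (\d+) \((0x[0-9A-Fa-f]+)\)")


def triage_difxapp(log_text):
    """Return one finding per failed ProcessDriverPackages() call in the log."""
    findings, sid, error, component = [], None, None, None
    for line in log_text.splitlines():
        if m := SID_RE.search(line):
            sid = m.group(1)
        elif m := ERR_RE.search(line):
            error, component = int(m.group(1), 16), m.group(2)
        elif m := RET_RE.search(line):
            code = int(m.group(1))
            if code != 0:  # a zero return is a successful install, not a finding
                findings.append({
                    "sid": sid,
                    "component": component,
                    "return_code": code,
                    # Issue 2 signature: LocalSystem context plus error 0x57.
                    # Any other failure needs separate investigation.
                    "known_issue": (sid == LOCAL_SYSTEM_SID
                                    and error == ERROR_INVALID_PARAMETER
                                    and code == ERROR_INVALID_PARAMETER),
                })
            sid, error, component = None, None, None  # reset for the next attempt
    return findings
```

A finding with `known_issue` set to true identifies a computer where the update was attempted under LocalSystem and needs either the interactive-user workaround or this hotfix.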

Resolution

This update no longer uses DIFx for Applications during installation. The update uses a custom installation technology that can be used on all currently supported FCS operating systems.

Issue 3

The FCS anti-malware service exits unexpectedly on a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

Resolution

This update corrects a problem in the FCS anti-malware service on a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

More Information

Hotfix information

A supported hotfix is available from Microsoft.

Note: This hotfix is available from Microsoft Update and from Windows Server Update Services. Additionally, the hotfix can be obtained by following these steps:

  1. Visit the following Microsoft Update Catalog Web site:

    http://catalog.update.microsoft.com/v7/site/Home.aspx

  2. Type 979536 in the Search box, and then click Search.

  3. Click Add to add the hotfix to the basket.

  4. Near the search bar at the top, click the view basket link.

  5. Click Download.

  6. Click Browse, specify the folder to which you want to download the hotfix, and then click OK.

  7. Click Continue, and then click I Accept to accept the Microsoft Software License Terms.

  8. When the update is downloaded to the location that you specified, click Close.

Prerequisites

There are no prerequisites for installing this hotfix.

Restart requirement

You may have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix replaces the anti-malware client that is deployed by using the Forefront Client Security deployment package (1.0.1725.0) on a computer.

976669 Forefront Client Security deployment package (1.0.1725.0): December 2009

This hotfix replaces the following hotfixes:

976668 Forefront Client Security anti-malware client update: December 2009

971026 A hotfix is available to resolve some problems with the Forefront Client Security anti-malware client

952265 Data corruption may occur on a computer that has Forefront Client Security installed

938054 A hotfix is available to resolve some problems with the Forefront Client Security client

956280 The Forefront Client Security kernel-mode mini-filter unloads when you browse a network file share that contains many malicious files

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Forefront Client Security, 32-bit versions

| File name | File version | File size | Date | Time |
|---|---|---|---|---|
| Amhelp.chm | Not applicable | 65,216 | 28-Oct-2008 | 17:55 |
| Mpasbase.vdm | 1.0.0.0 | 572,720 | 28-Oct-2008 | 17:58 |
| Mpasdesc.dll | 1.5.1981.0 | 49,024 | 19-Jan-2010 | 22:10 |
| Mpasdlta.vdm | 1.0.0.0 | 9,008 | 28-Oct-2008 | 17:58 |
| Mpavbase.vdm | 1.0.0.0 | 204,624 | 28-Oct-2008 | 17:58 |
| Mpavdlta.vdm | 1.0.0.0 | 9,040 | 28-Oct-2008 | 17:58 |
| Mpavrtm.dll | 1.5.1981.0 | 128,384 | 19-Jan-2010 | 21:51 |
| Mpclient.dll | 1.5.1981.0 | 366,976 | 19-Jan-2010 | 21:51 |
| Mpcmdrun.exe | 1.5.1981.0 | 349,048 | 19-Jan-2010 | 21:49 |
| Mpengine.dll | 1.1.3520.0 | 3,308,624 | 28-Oct-2008 | 17:57 |
| Mpevmsg.dll | 1.5.1981.0 | 23,424 | 19-Jan-2010 | 22:10 |
| Mpfilter.sys | 1.5.1969.0 | 69,616 | 15-May-2009 | 17:35 |
| Mpoav.dll | 1.5.1981.0 | 92,032 | 19-Jan-2010 | 21:51 |
| Mprtmon.dll | 1.5.1981.0 | 731,008 | 19-Jan-2010 | 21:51 |
| Mpsigdwn.dll | 1.5.1981.0 | 129,920 | 19-Jan-2010 | 21:51 |
| Mpsoftex.dll | 1.5.1981.0 | 518,016 | 19-Jan-2010 | 21:51 |
| Mpsvc.dll | 1.5.1981.0 | 316,288 | 19-Jan-2010 | 21:51 |
| Mputil.dll | 1.5.1981.0 | 177,024 | 19-Jan-2010 | 21:51 |
| Msascui.exe | 1.5.1981.0 | 1,033,600 | 19-Jan-2010 | 21:51 |
| Msmpcom.dll | 1.5.1981.0 | 221,056 | 19-Jan-2010 | 21:51 |
| Msmpeng.exe | 1.5.1981.0 | 16,880 | 19-Jan-2010 | 21:49 |
| Msmplics.dll | 1.5.1981.0 | 9,088 | 19-Jan-2010 | 21:51 |
| Msmpres.dll | 1.5.1981.0 | 766,336 | 19-Jan-2010 | 22:10 |

Forefront Client Security, 64-bit versions

| File name | File version | File size | Date | Time |
|---|---|---|---|---|
| Amhelp.chm | Not applicable | 65,216 | 28-Oct-2008 | 17:55 |
| Mpasbase.vdm | 1.0.0.0 | 572,720 | 28-Oct-2008 | 17:58 |
| Mpasdesc.dll | 1.5.1981.0 | 49,536 | 19-Jan-2010 | 23:59 |
| Mpasdesc.dll (WOW64) | 1.5.1981.0 | 49,024 | 19-Jan-2010 | 22:10 |
| Mpasdlta.vdm | 1.0.0.0 | 9,008 | 28-Oct-2008 | 17:58 |
| Mpavbase.vdm | 1.0.0.0 | 204,624 | 28-Oct-2008 | 17:58 |
| Mpavdlta.vdm | 1.0.0.0 | 9,040 | 28-Oct-2008 | 17:58 |
| Mpavrtm.dll | 1.5.1981.0 | 155,008 | 19-Jan-2010 | 23:41 |
| Mpclient.dll | 1.5.1981.0 | 546,688 | 19-Jan-2010 | 23:41 |
| Mpclient.dll (WOW64) | 1.5.1981.0 | 366,976 | 19-Jan-2010 | 21:51 |
| Mpcmdrun.exe | 1.5.1981.0 | 504,096 | 19-Jan-2010 | 23:38 |
| Mpengine.dll | 1.1.3520.0 | 4,431,952 | 28-Oct-2008 | 17:57 |
| Mpevmsg.dll | 1.5.1981.0 | 23,424 | 19-Jan-2010 | 23:59 |
| Mpfilter.sys | 1.5.1969.0 | 88,944 | 15-May-2009 | 17:35 |
| Mpoav.dll | 1.5.1981.0 | 117,632 | 19-Jan-2010 | 23:41 |
| Mpoav.dll (WOW64) | 1.5.1981.0 | 92,032 | 19-Jan-2010 | 21:51 |
| Mprtmon.dll | 1.5.1981.0 | 1,181,056 | 19-Jan-2010 | 23:41 |
| Mpsigdwn.dll | 1.5.1981.0 | 179,584 | 19-Jan-2010 | 23:41 |
| Mpsoftex.dll | 1.5.1981.0 | 791,424 | 19-Jan-2010 | 23:41 |
| Mpsvc.dll | 1.5.1981.0 | 434,560 | 19-Jan-2010 | 23:41 |
| Mputil.dll | 1.5.1981.0 | 247,168 | 19-Jan-2010 | 23:41 |
| Mputil.dll (WOW64) | 1.5.1981.0 | 177,024 | 19-Jan-2010 | 21:51 |
| Msascui.exe | 1.5.1981.0 | 1,636,736 | 19-Jan-2010 | 23:41 |
| Msmpcom.dll | 1.5.1981.0 | 305,536 | 19-Jan-2010 | 23:41 |
| Msmpeng.exe | 1.5.1981.0 | 16,368 | 19-Jan-2010 | 23:38 |
| Msmplics.dll | 1.5.1981.0 | 9,088 | 19-Jan-2010 | 23:41 |
| Msmplics.dll (WOW64) | 1.5.1981.0 | 9,088 | 19-Jan-2010 | 23:41 |
| Msmpres.dll | 1.5.1981.0 | 764,288 | 19-Jan-2010 | 23:59 |

Known issues

If you perform the workaround that is described under the "Issue 2" heading by installing hotfix 976668 as an interactive user on a computer that is running Windows 2000, you must also run this update as an interactive user. This requirement is necessary because this update uninstalls the update that is described in KB article 976668 before this update is installed. If you install this update by using the LocalSystem account, the same issues that are described in KB article 976668 occur during that uninstall stage of the update.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
