INTRODUCTION
This article describes the Microsoft Forefront Client Security (FCS) anti-malware client issues that are fixed in this hotfix package.
Issues that this hotfix package fixes
Issue 1
Forefront Client Security real-time protection detects, suspends, and takes action against malware threats. After a threat is suspended, the user is notified. The user may be given an option to decide which action is taken, depending on the configuration of the client. If no action is taken after 10 minutes, then a default action that is defined either by policy or by definitions is executed. During this time, the malware threats are suspended and cannot be read or executed by other applications.
This real-time protection delay period is implemented by a user interface process. If a user does not log on to the computer, then this process does not run. Therefore, FCS does not take action on the suspended malware.
Workaround
When malware is detected by real-time protection, the malware is suspended and cannot be read or executed by other applications. This behavior occurs both when a user is logged on to the computer and when a user is not logged on to the computer. Therefore, the computer is under protection. However, the malware still resides on the disk.
If a user logs on to the computer after the malware is detected, they are notified in the user interface and the real-time protection delay period begins. When you deploy a policy to client computers, FCS takes action automatically on malware detected during scheduled scans. If you perform a scheduled full scan of the computer, action is taken against any malware that is detected and suspended after the scan is finished. A full scan includes all hard disk drives on the computer and takes action regardless of whether a user is logged on to the computer during the scan.
Resolution
This update adds an additional timer to the malware protection service. This additional timer implements the real-time protection delay period. Therefore, the default action that is defined either by policy or by definitions is executed when no user is logged on to the computer.
Issue 2
A change to the libraries of the Driver Install Frameworks (DIFx) for Applications is described under the "Issue 1" heading in the "Resolution" section of the following Knowledge Base (KB) article:
976668 Forefront Client Security anti-malware client update: December 2009
Many automated installation methods install updates by using the LocalSystem account. For example, Automatic Updates and System Center Configuration Manager use the LocalSystem account for updates. When hotfix 976668 is installed by using the LocalSystem account on a Windows 2000-based computer, the update fails and the following error is logged in the Mp_ambits.log file:
DIFXAPP: INFO: creating HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\DIFxApp\Components\{153AA63E-3BFD-495C-A35F-85F66650141D} (User's SID: 'S-1-5-18') ...
DIFXAPP: ERROR 0x57 encountered while creating subkey for component '{153AA63E-3BFD-495C-A35F-85F66650141D}'
DIFXAPP: RETURN: ProcessDriverPackages() 87 (0x57)
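A triage sketch for the failure signature above, added here as an example and not part of the original article or of any Microsoft tooling: it scans collected Mp_ambits.log text for DIFXAPP subkey-creation errors and flags the ones that match the LocalSystem / 0x57 pattern, so hosts where the anti-malware update did not install can be found. The function and field names are assumptions, and the first two sample log lines are constructed; the last two are the lines quoted in the article.

```python
import re

LOCALSYSTEM_SID = "S-1-5-18"
GUID = r"\{[0-9A-Fa-f-]{36}\}"
# Patterns follow the three DIFXAPP record types quoted in the article.
CREATE_RE = re.compile(r"INFO: creating \S+\\(?P<guid>" + GUID + r") \(User's SID: '(?P<sid>[^']+)'\)")
ERROR_RE = re.compile(r"ERROR (?P<code>0x[0-9A-Fa-f]+) encountered while creating subkey "
                      r"for component '(?P<guid>" + GUID + r")'")
RETURN_RE = re.compile(r"RETURN: ProcessDriverPackages\(\) (?P<rc>\d+)")

# Lines 1-2 are constructed (an interactive-user run that succeeds);
# lines 3-4 are the failing LocalSystem run quoted in the article.
SAMPLE_LOG = r"""DIFXAPP: INFO: creating HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\DIFxApp\Components\{153AA63E-3BFD-495C-A35F-85F66650141D} (User's SID: 'S-1-5-21-1111111111-2222222222-3333333333-1001') ...
DIFXAPP: RETURN: ProcessDriverPackages() 0 (0x0)
DIFXAPP: INFO: creating HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\DIFxApp\Components\{153AA63E-3BFD-495C-A35F-85F66650141D} (User's SID: 'S-1-5-18') ...
DIFXAPP: ERROR 0x57 encountered while creating subkey for component '{153AA63E-3BFD-495C-A35F-85F66650141D}' DIFXAPP: RETURN: ProcessDriverPackages() 87 (0x57)
"""

def find_difx_failures(log_text):
    """Return one dict per failed DIFx component registration, in log order."""
    sid_by_guid, pending, failures = {}, [], []
    for line in log_text.splitlines():
        # One physical line can hold several records, so split on the prefix.
        for record in re.split(r"(?=DIFXAPP: )", line):
            if (m := CREATE_RE.search(record)):
                sid_by_guid[m["guid"]] = m["sid"]   # who the key is created for
            elif (m := ERROR_RE.search(record)):
                sid, code = sid_by_guid.get(m["guid"]), int(m["code"], 16)
                pending.append({
                    "guid": m["guid"], "code": code, "sid": sid, "return_code": None,
                    # Signature from the article: error 0x57 under LocalSystem.
                    "matches_kb_signature": code == 0x57 and sid == LOCALSYSTEM_SID,
                })
            elif (m := RETURN_RE.search(record)):
                # RETURN closes one installer run: stamp its errors, reset state.
                for failure in pending:
                    failure["return_code"] = int(m["rc"])
                failures += pending
                sid_by_guid, pending = {}, []
    return failures + pending   # keep errors from a log cut off before RETURN

if __name__ == "__main__":
    for failure in find_difx_failures(SAMPLE_LOG):
        print(failure)
```
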
Workaround
To install the update that is described in KB 976668 on a Windows 2000-based computer, log on to the computer as an interactive user, and then run the update. To obtain the update, use the Microsoft Update Web site by using a Web browser, or download and then run the update from the Microsoft Update catalog that is described in KB 976668.
Resolution
This update no longer uses DIFx for Applications during installation. The update uses a custom installation technology that can be used on all currently supported FCS operating systems.
Issue 3
The FCS anti-malware service exits unexpectedly on a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.
Resolution
This update corrects a problem in the FCS anti-malware service on a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.
More Information
Hotfix information
A supported hotfix is available from Microsoft.
Note This hotfix is available from Microsoft Update and from Windows Server Update Services. Additionally, the hotfix can be obtained by following these steps:
- Visit the following Microsoft Update Catalog Web site:
- Type 979536 in the Search box, and then click Search.
- Click Add to add the hotfix to the basket.
- Near the search bar at the top, click the view basket link.
- Click Download.
- Click Browse, specify the folder to which you want to download the hotfix, and then click OK.
- Click Continue, and then click I Accept to accept the Microsoft Software License Terms.
- When the update is downloaded to the location that you specified, click Close.
Prerequisites
There are no prerequisites for installing this hotfix.
Restart requirement
You may have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix replaces the anti-malware client that is deployed by using the Forefront Client Security deployment package (1.0.1725.0) on a computer.
976669 Forefront Client Security deployment package (1.0.1725.0): December 2009
This hotfix replaces the following hotfixes:
976668 Forefront Client Security anti-malware client update: December 2009
971026 A hotfix is available to resolve some problems with the Forefront Client Security anti-malware client
952265 Data corruption may occur on a computer that has Forefront Client Security installed
938054 A hotfix is available to resolve some problems with the Forefront Client Security client
956280 The Forefront Client Security kernel-mode mini-filter unloads when you browse a network file share that contains many malicious files
File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Forefront Client Security, 32-bit versions
File name | File version | File size | Date | Time |
---|---|---|---|---|
Amhelp.chm | Not applicable | 65,216 | 28-Oct-2008 | 17:55 |
Mpasbase.vdm | 1.0.0.0 | 572,720 | 28-Oct-2008 | 17:58 |
Mpasdesc.dll | 1.5.1981.0 | 49,024 | 19-Jan-2010 | 22:10 |
Mpasdlta.vdm | 1.0.0.0 | 9,008 | 28-Oct-2008 | 17:58 |
Mpavbase.vdm | 1.0.0.0 | 204,624 | 28-Oct-2008 | 17:58 |
Mpavdlta.vdm | 1.0.0.0 | 9,040 | 28-Oct-2008 | 17:58 |
Mpavrtm.dll | 1.5.1981.0 | 128,384 | 19-Jan-2010 | 21:51 |
Mpclient.dll | 1.5.1981.0 | 366,976 | 19-Jan-2010 | 21:51 |
Mpcmdrun.exe | 1.5.1981.0 | 349,048 | 19-Jan-2010 | 21:49 |
Mpengine.dll | 1.1.3520.0 | 3,308,624 | 28-Oct-2008 | 17:57 |
Mpevmsg.dll | 1.5.1981.0 | 23,424 | 19-Jan-2010 | 22:10 |
Mpfilter.sys | 1.5.1969.0 | 69,616 | 15-May-2009 | 17:35 |
Mpoav.dll | 1.5.1981.0 | 92,032 | 19-Jan-2010 | 21:51 |
Mprtmon.dll | 1.5.1981.0 | 731,008 | 19-Jan-2010 | 21:51 |
Mpsigdwn.dll | 1.5.1981.0 | 129,920 | 19-Jan-2010 | 21:51 |
Mpsoftex.dll | 1.5.1981.0 | 518,016 | 19-Jan-2010 | 21:51 |
Mpsvc.dll | 1.5.1981.0 | 316,288 | 19-Jan-2010 | 21:51 |
Mputil.dll | 1.5.1981.0 | 177,024 | 19-Jan-2010 | 21:51 |
Msascui.exe | 1.5.1981.0 | 1,033,600 | 19-Jan-2010 | 21:51 |
Msmpcom.dll | 1.5.1981.0 | 221,056 | 19-Jan-2010 | 21:51 |
Msmpeng.exe | 1.5.1981.0 | 16,880 | 19-Jan-2010 | 21:49 |
Msmplics.dll | 1.5.1981.0 | 9,088 | 19-Jan-2010 | 21:51 |
Msmpres.dll | 1.5.1981.0 | 766,336 | 19-Jan-2010 | 22:10 |
Forefront Client Security, 64-bit versions
File name | File version | File size | Date | Time |
---|---|---|---|---|
Amhelp.chm | Not applicable | 65,216 | 28-Oct-2008 | 17:55 |
Mpasbase.vdm | 1.0.0.0 | 572,720 | 28-Oct-2008 | 17:58 |
Mpasdesc.dll | 1.5.1981.0 | 49,536 | 19-Jan-2010 | 23:59 |
Mpasdesc.dll (WOW64) | 1.5.1981.0 | 49,024 | 19-Jan-2010 | 22:10 |
Mpasdlta.vdm | 1.0.0.0 | 9,008 | 28-Oct-2008 | 17:58 |
Mpavbase.vdm | 1.0.0.0 | 204,624 | 28-Oct-2008 | 17:58 |
Mpavdlta.vdm | 1.0.0.0 | 9,040 | 28-Oct-2008 | 17:58 |
Mpavrtm.dll | 1.5.1981.0 | 155,008 | 19-Jan-2010 | 23:41 |
Mpclient.dll | 1.5.1981.0 | 546,688 | 19-Jan-2010 | 23:41 |
Mpclient.dll (WOW64) | 1.5.1981.0 | 366,976 | 19-Jan-2010 | 21:51 |
Mpcmdrun.exe | 1.5.1981.0 | 504,096 | 19-Jan-2010 | 23:38 |
Mpengine.dll | 1.1.3520.0 | 4,431,952 | 28-Oct-2008 | 17:57 |
Mpevmsg.dll | 1.5.1981.0 | 23,424 | 19-Jan-2010 | 23:59 |
Mpfilter.sys | 1.5.1969.0 | 88,944 | 15-May-2009 | 17:35 |
Mpoav.dll | 1.5.1981.0 | 117,632 | 19-Jan-2010 | 23:41 |
Mpoav.dll (WOW64) | 1.5.1981.0 | 92,032 | 19-Jan-2010 | 21:51 |
Mprtmon.dll | 1.5.1981.0 | 1,181,056 | 19-Jan-2010 | 23:41 |
Mpsigdwn.dll | 1.5.1981.0 | 179,584 | 19-Jan-2010 | 23:41 |
Mpsoftex.dll | 1.5.1981.0 | 791,424 | 19-Jan-2010 | 23:41 |
Mpsvc.dll | 1.5.1981.0 | 434,560 | 19-Jan-2010 | 23:41 |
Mputil.dll | 1.5.1981.0 | 247,168 | 19-Jan-2010 | 23:41 |
Mputil.dll (WOW64) | 1.5.1981.0 | 177,024 | 19-Jan-2010 | 21:51 |
Msascui.exe | 1.5.1981.0 | 1,636,736 | 19-Jan-2010 | 23:41 |
Msmpcom.dll | 1.5.1981.0 | 305,536 | 19-Jan-2010 | 23:41 |
Msmpeng.exe | 1.5.1981.0 | 16,368 | 19-Jan-2010 | 23:38 |
Msmplics.dll | 1.5.1981.0 | 9,088 | 19-Jan-2010 | 23:41 |
Msmplics.dll (WOW64) | 1.5.1981.0 | 9,088 | 19-Jan-2010 | 23:41 |
Msmpres.dll | 1.5.1981.0 | 764,288 | 19-Jan-2010 | 23:59 |
Known issues
If you perform the workaround that is described under the "Issue 2" heading by installing hotfix 976668 as an interactive user on a computer that is running Windows 2000, you must also run this update as an interactive user. This requirement is necessary because this update uninstalls the update that is described in KB article 976668 before this update is installed. If you install this update by using the LocalSystem account, the same issues that are described in KB article 976668 occur during that uninstall stage of the update.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.