Symptoms
Client Security antimalware agents running on Windows 2000 do not properly detect malware via on-access protection after applying the Forefront Client Security October 2010 antimalware update described in the following articles:
2394433 Forefront Client Security antimalware client update: October 2010
2394439 Forefront Client Security deployment package (1.0.1728.0): October 2010
Client Security antimalware agents running on Windows 2000 will also produce two FCSAM 3002 error events in the System log:
These errors are sent to the FCS Collection server and are shown in the FCS management dashboard as Reporting Critical Issues. Affected computers will also be represented in the Computers Per Issue section under Alerts detected.
Cause
Microsoft has identified an issue in the Forefront Client Security agent on Windows 2000 which prevents the kernel-mode mini-filter driver, mpfilter.sys, from properly loading. This issue is specific to agents running on Windows 2000 and the Client Security October update and does not occur on other operating systems.
Resolution
Hotfix Information
A supported hotfix is available from Microsoft. This fix applies only to Forefront Client Security agents running on Windows 2000.
Note This hotfix is available from Microsoft Update and from Windows Server Update Services. If you want to obtain the file for deployment by using a different method, follow these steps:
-
Visit the following Microsoft Update Catalog Web site: http://catalog.update.microsoft.com/v7/site/Home.aspx
-
Type 2459065 in the Search box, and then click Search.
-
Click Add to add the hotfix to the basket.
-
Click Download.
-
Click Browse, specify the folder to which you want to download the hotfix, and then click OK.
-
Click Continue, and then click I Accept to accept the Microsoft Software License Terms.
-
When the update is downloaded to the location that you specified, click Close
Prerequisites
There are no prerequisites for installing this hotfix.
Restart requirement
You may be required restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix replaces the anti-malware client that is deployed by using the Forefront Client Security deployment package (1.0.1725.0) on a computer.
976669 Forefront Client Security deployment package (1.0.1725.0): December 2009This hotfix replaces the following hotfixes:
979536 Forefront Client Security anti-malware client update: April 2010
976668 Forefront Client Security anti-malware client update: December 2009
971026 A hotfix is available to resolve some problems with the Forefront Client Security anti-malware client
952265 Data corruption may occur on a computer that has Forefront Client Security installed
938054 A hotfix is available to resolve some problems with the Forefront Client Security client
956280 The Forefront Client Security kernel-mode mini-filter unloads when you browse a network file share that contains many malicious files
File information
The English version of this update has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Forefront Client Security, x86-based versions
|
File name |
File version |
File size |
Date |
Time |
|---|---|---|---|---|
|
Amhelp.chm |
65,216 |
19-Jul-2010 |
00:51 |
|
|
Mpasbase.vdm |
1.0.0.0 |
572,720 |
19-Jul-2010 |
00:52 |
|
Mpasdesc.dll |
1.5.1994.0 |
49,024 |
11-Nov-2010 |
03:31 |
|
Mpasdlta.vdm |
1.0.0.0 |
9,008 |
19-Jul-2010 |
00:52 |
|
Mpavbase.vdm |
1.0.0.0 |
204,624 |
19-Jul-2010 |
00:52 |
|
Mpavdlta.vdm |
1.0.0.0 |
9,040 |
19-Jul-2010 |
00:52 |
|
Mpavrtm.dll |
1.5.1994.0 |
128,384 |
11-Nov-2010 |
02:48 |
|
Mpclient.dll |
1.5.1994.0 |
366,976 |
11-Nov-2010 |
02:48 |
|
Mpcmdrun.exe |
1.5.1994.0 |
349,064 |
11-Nov-2010 |
02:39 |
|
Mpengine.dll |
1.1.3520.0 |
3,308,624 |
19-Jul-2010 |
00:52 |
|
Mpevmsg.dll |
1.5.1994.0 |
23,424 |
11-Nov-2010 |
03:31 |
|
Mpfilter.sys |
1.5.1969.0 |
69,616 |
10-Nov-2010 |
19:17 |
|
Mpoav.dll |
1.5.1994.0 |
92,032 |
11-Nov-2010 |
02:48 |
|
Mprtmon.dll |
1.5.1994.0 |
731,008 |
11-Nov-2010 |
02:48 |
|
Mpsigdwn.dll |
1.5.1994.0 |
129,920 |
11-Nov-2010 |
02:48 |
|
Mpsoftex.dll |
1.5.1994.0 |
518,016 |
11-Nov-2010 |
02:48 |
|
Mpsvc.dll |
1.5.1994.0 |
319,360 |
11-Nov-2010 |
02:48 |
|
Mputil.dll |
1.5.1994.0 |
177,024 |
11-Nov-2010 |
02:48 |
|
Msascui.exe |
1.5.1994.0 |
1,033,600 |
11-Nov-2010 |
02:48 |
|
Msmpcom.dll |
1.5.1994.0 |
221,056 |
11-Nov-2010 |
02:48 |
|
Msmpeng.exe |
1.5.1994.0 |
16,896 |
11-Nov-2010 |
02:39 |
|
Msmplics.dll |
1.5.1994.0 |
9,088 |
11-Nov-2010 |
02:48 |
|
Msmpres.dll |
1.5.1994.0 |
766,336 |
11-Nov-2010 |
03:31 |
Workaround
If either of the updates in the Symptom section are manually installed you must uninstall the Forefront Client Security October 2010 antimalware update on computers running Windows 2000 and install this update (KB2459065). You can uninstall the October 2010 update using one of the following methods:
-
From a command line or script, run: msiexec.exe /x {A22989EE-AE7A-42F8-A0C0-9C99CFB644FB} /qn
-
From the Add/Remove Programs applet, uninstall "Microsoft Forefront Client Security antimalware service"
In a properly functioning WSUS environment, after you uninstall the October 2010 update this version of the antimalware client will redeploy during the next Automatic Updates detection and installation cycle by applying the slipstream package described in the "More Information" section below. Alternatively, you may use the steps in the "Hotfix Information" section of this following article to manually download and install the Forefront Client Security antimalware agent on the affected computers after uninstalling the October 2010 update.
Microsoft has confirmed that this is a bug in the Microsoft products that are listed in the "Applies to" section.
More Information
This update is a replacement for the October 2010(KB2394433) release for Client Security agents running on Windows 2000. This update is included in a new slipstream installation package of the Forefront Client Security client software also for Windows 2000 SP4 agents. For more information about the slipstream installation package, click the following article number to view the article in the Microsoft Knowledge Base:
2464613 Forefront Client Security deployment package (1.0.1732.0) for Windows 2000 SP4
Applicability
To determine if this issue affects you, consider the following:
-
The computer operating system is Windows 2000
-
Forefront Client Security October 2010 antimalware update is installed. This can be determined by verifying the verison of %programfiles%\Microsoft Forefront\Client Security\Client\antimalware\mpclient.dll is exactly 1.5.1993.0.
If both of these are true, then this issue is applicable and you should perform the steps in the workaround.
