This article has been archived. It is offered "as is" and will no longer be updated.
When you use Microsoft Forefront Client Security (FCS) Management Server, you experience the following symptoms.
When you enable SpyNet, FCS Management Server uses a blank proxy value as the default value.
Note: See the "More Information" section for a description of the changes that have been made to the SpyNet setting.
When you set the Ignore override policy setting, the client computer still receives notifications about potentially unwanted software. However, no alert is generated on the FCS management server based on the notification.
Note: See the "More Information" section for a description of the changes that have been made to the way that FCS Management Server handles policies that include threat-level overrides.
Updates and hotfixes cannot be uninstalled on the FCS management server.
You cannot reinstall any FCS role after you install FCS server-side updates or hotfixes.
Important: This hotfix removes any threat-level override settings that have been set. Therefore, we recommend that you note any Forefront Client Security policy override settings that you currently use before you apply this hotfix.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note: If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note: The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
No prerequisites are required.
If associated services cannot be stopped or files cannot be replaced dynamically, you may have to restart the computer.
Hotfix replacement information
This hotfix replaces hotfix 936729.
Update removal information
This hotfix cannot be removed.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Changes that have been made to the SpyNet setting
When you enable SpyNet, FCS Management Server uses the current Internet Explorer proxy as the default proxy.
Changes that have been made to the way that FCS Management Server handles policies that include threat-level overrides
We have made significant changes to the way that FCS Management Server handles policies that include threat-level overrides.
After you install this hotfix, you may receive the following message when you try to edit an existing policy for the first time:
Because of the recent update to your installation of Client Security, this policy has been automatically updated. The following changes have been made:
On the Overrides tab, all threat-based overrides that remove or quarantine the threat have been removed.
To apply the updated policy to your client computers, you must redeploy the policy.
The options that allow for threat-level overrides such as Remove or Quarantine have been removed. Therefore, only previously created threat-level overrides that were set to Ignore appear in the policy after you click OK in this message. Additionally, the threat-level overrides that were set to Ignore are converted to Ignore Always overrides.
The Ignore override was designed to let the detected item run, to notify the user that potentially harmful software is running, and to create an event that is based on the detected item. The Ignore Always override lets the item run. However, the Ignore Always override does not notify the user. After you install the hotfix, threat-level overrides completely override the default response to the malicious software. Threat-level overrides let the malicious software run without notification to the user and without generating an alert on the FCS management server. After you view the policy, if the overrides are as you intend, you must save the policy and redeploy it. If only Ignore threat-level overrides were present, and you do not see this notification message when you edit the policy, you must still save the policy and redeploy it. You must do this because the default override response will be changed to Ignore Always without sending a notification to the client computer.
The Ignore Always override is also used in Severity and Category overrides. This is significant because, before this update, Category overrides always took precedence over Severity overrides whether or not Ignore was selected. This meant that if a malware threat occurred with a category whose override included Remove while the severity was overridden to Ignore, the Remove action occurred. After you install this hotfix, Category overrides still typically take precedence over Severity overrides unless the Severity override is Ignore. In this case, even if a Category override of Remove is selected, the Severity override Ignore action is still taken because of the way that Ignore Always is enforced.
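The override handling described in the paragraphs above, modeled as an added Python example (not Microsoft's or FCS's code). It goes slightly beyond the text by listing which detections change outcome once the hotfix is installed; the policy dictionary layout, the function names, the sample category and severity values, and the "Default" placeholder are assumptions.

```python
# Added illustration, not FCS code. The dict layout, function names and the
# "Default" placeholder are assumptions; the rules come from the text above.
REMOVED_THREAT_ACTIONS = {"Remove", "Quarantine"}


def migrate_threat_overrides(threat_overrides):
    """Rewrite threat-level overrides the way the hotfix does on first edit.

    Returns (kept, dropped): Remove/Quarantine entries are dropped and
    Ignore entries become Ignore Always.
    """
    kept, dropped = {}, []
    for threat, action in threat_overrides.items():
        if action in REMOVED_THREAT_ACTIONS:
            dropped.append(threat)
        else:
            kept[threat] = "Ignore Always" if action == "Ignore" else action
    return kept, sorted(dropped)


def resolve(category, severity, policy, hotfix_installed):
    """Return the action chosen between Category and Severity overrides."""
    cat = policy.get("category", {}).get(category)
    sev = policy.get("severity", {}).get(severity)
    if not hotfix_installed:
        # Before the update: Category always wins, Ignore or not.
        return cat or sev or "Default"
    if sev == "Ignore":
        # After the update: a Severity override of Ignore is enforced as
        # Ignore Always and beats any Category override.
        return "Ignore Always"
    chosen = cat or sev or "Default"
    return "Ignore Always" if chosen == "Ignore" else chosen


def newly_silenced(policy, detections):
    """List detections whose outcome flips to Ignore Always after the hotfix."""
    return [d for d in detections
            if resolve(d["category"], d["severity"], policy, False) != "Ignore"
            and resolve(d["category"], d["severity"], policy, True) == "Ignore Always"]


# Constructed sample policy and detections (not real FCS data).
POLICY = {"category": {"Adware": "Remove"}, "severity": {"Low": "Ignore"}}
DETECTIONS = [
    {"name": "sample-a", "category": "Adware", "severity": "Low"},
    {"name": "sample-b", "category": "Adware", "severity": "High"},
]
```

Running `newly_silenced` over the overrides you recorded before applying the hotfix shows which Category and Severity combinations stop producing a Remove action and instead run without user notification.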
To verify installation of this update, view the log file that is located in the following location: