Symptoms:
When you use the Forefront Endpoint Protection (FEP) 2010 Group Policy Tool to import a policy file that was exported from System Center 2012 Endpoint Protection, it will fail with a screenshot similar to the following:
Cause:
The XML namespace is missing and a couple of registry value types have changed in System Center 2012 Endpoint Protection, which results in the error.
Resolution:
You can use the script in the Script section to make the changes to the policy file. You can also write a Java script tool to automate the script. For example, you can name the script in the Script section FepGPFileCorrector.js, and then use a command such as the following:
cscript.exe FepGPFileCorrector.js <originpolicyfile>.xml
Where, originpolicyfile is the exported System Center 2012 Endpoint Protection policy file. Currently, the following is supported:
The target/output policy file is named Converted-<originpolicyfile>.xml.
References:
The Forefront Endpoint Protection Group Policy Tool is used to convert policy settings contained in configured FEP policies to the format that is used by Group Policy. This tool can be obtained from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=207729) as part of the FEP 2010 Group Policy Tools download package.
System Center 2012 Endpoint Protection provides several default policy template files that you can find in subfolder AdminConsole\XmlStorage\EPTemplates of site server installation directory. You can import the policy template files by using FEP 2010 Forefront Endpoint Protection Group Policy Tool by default.
Script:
@set @debug = false
//******************************************************************************
//
// Constants
var c_sSecurityPolicy = "SecurityPolicy";
var c_sPolicySection = "PolicySection";
var c_sLocalGroupPolicySettings = "LocalGroupPolicySettings";
var c_sXmlns = "xmlns";
var c_sNameSpace = "http://forefront.microsoft.com/FEP/2010/01/PolicyData";
var c_sAddKey = "AddKey";
var c_sAddValue = "AddValue";
var c_sName = "Name";
var c_sType = "Type";
var c_sDisabled = "Disabled";
var c_sFallbackOrder = "FallbackOrder";
var c_sDefinitionUpdateFileShareSources = "DefinitionUpdateFileSharesSources";
var c_sDWord = "REG_DWORD";
var c_sSZ = "REG_SZ";
var c_sHelp = "cscript.exe FepGPFileCorrector.js <originpolicyfile> \r\n"
+ "\r\n"
+ "originpolicyfile Original exported SCEp2012 policy file.\r\n"
// Globals
var g_fso = null; // Scripting.FileSystemObject
var g_xmlSource = null; // Source XML document
var g_xmlTarget = null; // Target XML document
var g_shell = null;
var g_environment = null;
var g_sScriptDir = null; // cscript.exe running directory
var g_sOriginPolicyFile = null; // Original FEP2012 exported policy file
var g_sOriginFileName = null; // Original FEP2012 exported policy file name
var g_sOriginPolicyPath = null; // The directory hosting original FEP2012 exported policy file
// GetAttribute
function GetAttribute(oNode, sAttrib, bAllowNull)
{
var attrib = oNode.attributes.getNamedItem(sAttrib);
if (attrib != null)
return attrib.text;
}
else if (bAllowNull)
return null;
// Validate script host version
if (Number(WScript.Version) < 5.6)
WScript.Echo(
"This script requires Windows Script Host v5.6 or later. "
+ "Go to http://www.microsoft.com/scripting for download"
);
WScript.Quit(1);
if (WScript.FullName.toLowerCase().indexOf("cscript.exe") < 0)
"This script can only be executed with Cscript."
if ((WScript.Arguments.length < 1) || (WScript.Arguments(0) == "/?"))
WScript.Echo(c_sHelp);
// Initialize
g_fso = new ActiveXObject("Scripting.FileSystemObject");
g_shell = new ActiveXObject("WScript.Shell");
g_environment = g_shell.Environment("Process");
g_sScriptDir = g_fso.GetParentFolderName(WScript.ScriptFullName);
g_sOriginPolicyFile = String(WScript.Arguments(0));
// If g_sOriginPolicyFile has not path
if ((g_sOriginPolicyFile.indexOf(":") > 0) && (g_sOriginPolicyFile.charAt(0) != "."))
g_sOriginPolicyPath = g_sOriginPolicyFile.substr(0, g_sOriginPolicyFile.lastIndexOf("\\"));
g_sOriginFileName = g_sOriginPolicyFile.substr(g_sOriginPolicyFile.lastIndexOf("\\") + 1);
else if ((g_sOriginPolicyFile.charAt(0) == "\\") && (g_sOriginPolicyFile.charAt(1) == "\\"))
else
g_sOriginPolicyPath = g_sScriptDir;
g_sOriginFileName = g_sOriginPolicyFile;
if (!g_fso.FileExists(g_sOriginPolicyFile))
WScript.Echo("XML file " + g_sOriginPolicyFile + " does not exist!");
throw new Error(1, "The XML file does not exist!");
//var oFile = g_fso.GetFile(g_sOriginPolicyFile);
//oFile.Attributes = oFile.Attributes & (~1);
g_xmlSource = new ActiveXObject("MSXML2.DOMDocument.6.0");
// Load original SCEP2012 exported policy file
if (!g_xmlSource.load(g_sOriginPolicyFile))
var pe = g_xmlSource.parseError;
INFO(
"XML load failed:\n"
+ " Location: " + pe.line + ", " + pe.linepos + "\n"
+ " Source: " + pe.srcText + "\n"
+ " Reason: " + pe.reason + "\n"
throw new Error(-1, "Policy file is invalid.");
var oSrcSecurityPolicyNode;
//var oRootNodes = g_xmlSource.documentElement.selectNodes(c_sSecurityPolicy);
var oRootNodes = g_xmlSource.childNodes;
if (!g_xmlSource.hasChildNodes())
WScript.Echo("XML file " + g_sOriginPolicyFile + " might not need to process, exit directly.");
for (var iIndex = 0; iIndex < oRootNodes.length; iIndex++)
if (oRootNodes[iIndex].nodeName == c_sSecurityPolicy)
oSrcSecurityPolicyNode = oRootNodes[iIndex];
if (oSrcSecurityPolicyNode != null)
if (oSrcSecurityPolicyNode.attributes.getNamedItem(c_sXmlns) != null)
break;
g_xmlTarget = new ActiveXObject("MSXML2.DOMDocument.6.0");
var sTargetXmlFile = g_sOriginPolicyPath + "\\Converted-" + g_sOriginFileName;
if (g_fso.FileExists(sTargetXmlFile))
var oFile = g_fso.GetFile(sTargetXmlFile);
oFile.Attributes = oFile.Attributes & (~1);
g_fso.DeleteFile(sTargetXmlFile);
WScript.Echo("The target converted policy file: " + sTargetXmlFile);
var oSrcAddKeyNodes;
var oSrcAddValueNodes;
var sNameAttribute;
var sTypeAttribute;
var sDisabledAttribute;
var sNodeValue;
var oTargetAddKeyNode;
var oTargetAddValueNode;
var oAttributes;
// Check "SecurityPolicy" node in source XML
// Create "SecurityPolicy" node for target XML
var oTargetSecurityPolicyNode = g_xmlTarget.createNode(1, c_sSecurityPolicy, c_sNameSpace);
// Add attributes under "SecurityPolicy" child node to target node
oAttributes = oSrcSecurityPolicyNode.attributes;
for (var index = 0; index < oAttributes.length; index++)
if (oAttributes.item(index).name != c_sXmlns)
oTargetSecurityPolicyNode.setAttribute(oAttributes.item(index).name, oAttributes.item(index).nodeValue);
// Check "PolicySection" child node in source XML
var oSrcPolicySectionNode = oSrcSecurityPolicyNode.selectSingleNode(c_sPolicySection);
if (oSrcPolicySectionNode != null)
// Create "PolicySection" node for target XML
var oTargetPolicySectionNode = g_xmlTarget.createNode(1, c_sPolicySection, c_sNameSpace);
// Add attributes under "PolicySection" child node to target node
oAttributes = oSrcPolicySectionNode.attributes;
oTargetPolicySectionNode.setAttribute(oAttributes.item(index).name, oAttributes.item(index).nodeValue);
// Check "LocalGroupPolicySettings" child node
var oSrcLocalGroupPolicySettingsNode = oSrcPolicySectionNode.selectSingleNode(c_sLocalGroupPolicySettings);
if (oSrcLocalGroupPolicySettingsNode != null)
// Create "LocalGroupPolicySettings" node for target XML
var oTargetLocalGroupPolicySettingsNode = g_xmlTarget.createNode(1, c_sLocalGroupPolicySettings, c_sNameSpace);
oSrcAddKeyNodes = oSrcLocalGroupPolicySettingsNode.selectNodes(c_sAddKey);
for (var iKeyIndex = 0; iKeyIndex < oSrcAddKeyNodes.length; iKeyIndex++)
// Create one "AddKey" node for target XML
oTargetAddKeyNode = g_xmlTarget.createNode(1, c_sAddKey, c_sNameSpace);
// Add attributes under "AddKey" child node to target node
oAttributes = oSrcAddKeyNodes[iKeyIndex].attributes;
oTargetAddKeyNode.setAttribute(oAttributes.item(index).name, oAttributes.item(index).nodeValue);
oSrcAddValueNodes = oSrcAddKeyNodes[iKeyIndex].selectNodes(c_sAddValue);
for (var iValueIndex = 0; iValueIndex < oSrcAddValueNodes.length; iValueIndex++)
// Create "AddValue" node
oTargetAddValueNode = g_xmlTarget.createNode(1, c_sAddValue, c_sNameSpace);
// Add attributes under "AddValue" child node to target node
sNameAttribute = GetAttribute(oSrcAddValueNodes[iValueIndex], c_sName);
oTargetAddValueNode.setAttribute(c_sName, sNameAttribute);
sTypeAttribute = GetAttribute(oSrcAddValueNodes[iValueIndex], c_sType);
if (sNameAttribute == c_sFallbackOrder)
if (sTypeAttribute == c_sDWord)
oTargetAddValueNode.setAttribute(c_sType, c_sSZ);
oTargetAddValueNode.setAttribute(c_sType, sTypeAttribute);
else if (sNameAttribute == c_sDefinitionUpdateFileShareSources)
if (oSrcAddValueNodes[iValueIndex].attributes.getNamedItem(c_sDisabled) != null)
sDisabledAttribute = GetAttribute(oSrcAddValueNodes[iValueIndex], c_sDisabled);
oTargetAddValueNode.setAttribute(c_sDisabled, sDisabledAttribute);
sNodeValue = oSrcAddValueNodes[iValueIndex].text;
oTargetNodeValue = g_xmlTarget.createTextNode(sNodeValue);
oTargetAddValueNode.appendChild(oTargetNodeValue);
// Append "AddValue" child node under current "AddKey" node
oTargetAddKeyNode.appendChild(oTargetAddValueNode);
// Append "AddKey" child node under "LocalGroupPolicySettings" node
oTargetLocalGroupPolicySettingsNode.appendChild(oTargetAddKeyNode);
// Append "LocalGroupPolicySettings" child node under "PolicySection" node
oTargetPolicySectionNode.appendChild(oTargetLocalGroupPolicySettingsNode);
// Append "PolicySection" child node under "SecurityPolicy" node
oTargetSecurityPolicyNode.appendChild(oTargetPolicySectionNode);
// Append "SecurityPolicy" node
g_xmlTarget.appendChild(oTargetSecurityPolicyNode);
g_xmlTarget.save(sTargetXmlFile);
--Weitao Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
On the FEP Support team, we occasionally receive cases from customers who need to allow a “known threat” to run in their environment for various reasons. Most of these have tried (unsuccessfully) to make this work by using File, Folder, or Process exclusions. While it may be possible to achieve this goal using these methods, this would be an unsupported use of exclusions, and this is really “the wrong tool for the job.” The recommended and supported method for allowing known threats to run is with the Threat Override policy.
Before we get too far into this, you may be thinking, “Why would I ever allow malware to run on my computers?” There are several typical reasons:
1. Your business requires a certain application, typically in the Remote Control Software, Monitoring Software, or Potentially Unwanted Software categories, that you have licensed and use for legitimate purposes. So even though Forefront Endpoint Protection classifies it as ‘malware’, in your environment, it is legitimate, licensed software. Note: many of the threats in these categories are also used by attackers for nefarious purposes.
2. You are in the IT Security department and are examining the behavior of malware in a controlled environment (lab).
3. You are part of a company’s IT Security department and use some tools that are classified as malware as penetration testing tools.
OK, back to the customer issues we see occasionally, here is one recent example:
“Problem Description: FEP is currently flagging some 'malware' on a couple of our servers. It's not necessarily a false positive as it can be used for nefarious purposes. However, I would like to exclude it from the scans on a few of our servers. The problem I'm encountering is that I haven't been able to figure out how to exclude it using wildcards. I've searched for documentation, but examples and explanations are currently lacking. Here are some of the sites I've looked at:
http://technet.microsoft.com/en-us/library/gg398037.aspx
http://technet.microsoft.com/en-us/library/ff823837.aspx
http://blogs.technet.com/b/clientsecurity/archive/2010/03/08/wildcards-in-path-exclusions.aspx
If I put in the full path to the ISO file, it's no longer scanned. However the path to the ISO file can (and does) vary from server to server, including different drive letters. I would rather not have to enter 5-10 (or more) hard coded exclusion paths for the same exclusion, I would rather be able to use wildcards to exclude this ISO file regardless of it's location on a given server.”
Here was my response to the customer:
Hi <customer>, what you’re trying to do (allow a known threat to run) is accomplished by using the ‘Threat Override’ feature of Forefront Endpoint protection. The file/folder/process exclusions are provided primarily for performance and compatibility reasons, not for allowing known threats to run. So, for example, if you had a folder with a huge number of data files (i.e. millions) created by an application, and FEP was taking a long time to scan that folder, or a folder structure with many complex/nested zip files, you might need to exclude those files/folders. Or, for process exclusions, if you had an application that performed poorly with FEP enabled, then you would exclude that process from being scanned by FEP.
The ‘Threat Override’ policy is the supported method for allowing known threats (executables which could potentially do ‘bad things’) to run.
It’s very easy to create and deploy a threat override.
Our documentation on creating policy and defining threat overrides is located here:
Either you edit an existing policy or you create a new policy. A procedure to create a new policy can be found here: http://technet.microsoft.com/en-us/library/ff823835.aspx
When you have your policy, you need to modify it to define a threat override. For guidance on how to edit a policy, see http://technet.microsoft.com/en-us/library/gg398037.aspx
Here is an example:
To enable a Threat Override, you would create a policy like this:
Then select a policy template, such as this:
Then finish creating the policy, and go to the Properties for the new policy, and click on the ‘Antimalware’ tab, and click ‘Overrides’ on the left hand side.Type in ‘MonitoringTool:Win32/MSNSniffer’, ensure the ‘Override action’ is set to the default (Allow), and click ‘Add’.
Note: If you aren’t sure of the exact threat name, go to the System Event log on the client where the threat was detected, and there should be an event with ‘Source: FCSAM’ and an Event ID of 3004. The Description field will include the link to the Microsoft Security Portal entry for that particular threat, including the Threat Name that you enter below.
Then click ‘OK’, and assign that policy to computers where you want to allow this to run.
Please let me know if you have questions about this.
Here was the customer’s response, once he enabled the Threat Override:
“Faron,
Thank you for the additional information, it was very helpful. Once I added the Threat Override, it no longer flagged during the scans.
Thanks for your help on this.”
For reference, here are links to more information on creating & editing FCS/FEP policy:
Creating a policy: http://technet.microsoft.com/en-us/library/ff823835.aspx
Editing a policy: http://technet.microsoft.com/en-us/library/gg398037.aspx
Hopefully this article is helpful in explaining the correct purpose and usage of Threat Overrides in Forefront Endpoint Protection.
Faron Faulk
Microsoft Platforms Security Technical Lead
[Updated 12/16/2011]
Earlier today we released an updated version (found here) of the Definition Update Automation Tool for Forefront Endpoint Protection 2010 Update Rollup 1. This document provides steps for how to use this tool.
Important Note: We recommend installing the hotfix here if you are using the Definition Update Automation Tool.
With Forefront Endpoint Protection 2010 Update Rollup 1, you now can deploy Forefront Endpoint Protection definition updates to clients by using the Configuration Manager console. There are multiple definition update releases per day, thus making it time-consuming to manually download and deploy each definition update through the Configuration Manager Console. The Definition Update Automation Tool can be used to automate the steps required to keep a deployment of Forefront Endpoint Protection update definitions up to date. The tool will download the latest definition update and update the specified software update deployment with the latest definition. Configuring this tool to run automatically with Windows Task Scheduler or via a Configuration Manager Status Filter Rule can keep a deployment up to date without continuous and repetitive manual processes.
To learn more about managing software updates click here.
This tool was first released with Forefront Endpoint Protection 2010 Update Rollup 1. This release addresses a number of supportability issues, primarily around logging.
Bug Fixes:
Usage: SoftwareUpdateAutomation.exe parameters
Parameters:
/Help: Get program usage
/SiteServer: Site server computer name
/UpdateFilter: Filter for selecting software updates that are used for the destination packages
/AssignmentName: Name of destination software updates assignment
/PackageName: Name of destination software update package
/DisableRefreshDP: Disable automatic propagation of updated package to Distribution Points
/Verbose: Enable additional logging.
SoftwareUpdateAutomation.exe /AssignmentName FEPDeployment /Package FEP
This example will use local machine as Site Server and use the default UpdateFilter. It will add the latest Forefront Endpoint Protection definition update into Assignment “FEPDeployment” and Package “FEP” and refresh the Distribution Points if any updates were made to the deployment package.
To run this tool, you must copy the binaries to the Admin UI bin folder:
Now you can run this tool manually from a command line, or use Task Scheduler or a Status Filter Rule to run it automatically.
Note: This tool will only download the latest Forefront Endpoint Protection definition update and add it to the existing deployment and package. It will not synchronize the definition update into Configuration Manager. It is still necessary to run software update synchronization to synchronize the latest Forefront Endpoint Protection definition update into the Configuration Manager database before you run this tool. Please refer to How to Configure Software Updates Synchronization(http://technet.microsoft.com/en-us/library/bb632893.aspx) for information on how to configure the software update synchronization. As a best practice, before you run this tool, always make sure that a scheduled software update synchronization has completed.
/AssignmentName AssignmentName /PackageName PackageName
Where AssignmentName is the name of the software deployment for the definitions which you recorded earlier and PackageName is the name of the software package that contains the definitions which you recorded earlier. Parameters are not case sensitive.
Note: This is the recommended scheduling option as it allows the Definition Update Automation Tool to automatically run after a WSUS synchronization completes successfully.
Sample RunSoftwareUpdateAutomation.bat:
“<ConfigMgr Install Dir>\AdminUI\bin\SoftwareUpdateAutomation.exe” /AssignmentName ”AssignmentName” /PackageName “PackageName”
Note: It is recommended to put the Definition Update Automation Tool command line in a batch file to prevent problems with the quotes (“).
The status filter Rule runs the tool under the System account. To enable the tool to download, make sure the system account has the appropriate proxy settings. One option to configure the proxy settings for localsystem is to use the BITSAdmin Tool (for more information on the BITSAdmin Tool, click here).
You can use the command: bitsadmin /util /setieproxy localsystem to set the proxy setting for system account. (eg: bitsadmin /util /setieproxy localsystem myproxy *.mydomain.com)
A proper schedule for software update point synchronization is necessary to keep your Forefront Endpoint Protection clients up-to-date. Below is the recommended setting for these schedules when using this tool:
In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site name> / Site Settings / Component Configuration.
Right-click Software Update Point Component, click Properties.
Click Sync Schedule Tab, check Enable Synchronization on a schedule, check Simple schedule and Run every 1 Days.
There are four suggested Configuration Manager and Forefront Endpoint Protection 2010 topologies: See http://technet.microsoft.com/en-us/library/gg412503.aspx. In this section, we will give suggestions on where to run this tool for each topology.
Run this tool on each central site.
Run this tool on each child site. Note: the assignment and package you used for this tool must also be created on child site.
SoftwareUpdateAutomation.log will always be the first place to investigate. The log file is located in %ALLUSERSPROFILE%.
You can use the parameter /Verbose to enable verbose logging.
When using Task Scheduler to run the tool, the task must be selected to run as highest privilege. Otherwise, no log file will be created.
Error in SoftwareUpdateAutomation.log
Possible Reason and Resolution
Error:Error Downloading SourceURL…… Result: 12007
Verify that the proxy is set correctly.
If you run the tool with domain user account, check the proxy with command: netsh winhttp show proxy;
If you run the tool with system account (eg. You use Status Filter Rule to run the tool), check the proxy with command: bitsadmin /util /getieproxy localsystem.
Cannot find the log
The log is under %ProgramData% folder;
If you run it on Windows 2003 Server, there is no %ProgramData% environment variable. You can always use %ALLUSERSPROFILE% to access the folder contains the log file.
If you run the tool with a Task Sequence ensure that the user account used to run the tool has permission to create the log under that folder (and run as highest privilege is selected).
Make sure the command line parameters are set correctly; otherwise no log will be created.
--Jason Lewis
This posting is provided "AS IS" with no warranties and confers no rights.
Users like you make all the difference in the quality of our products. The Microsoft Assessment and Planning (MAP) Toolkit Team will soon start recruiting Beta participants for our next version’s Beta program.
We’re currently recruiting users of Forefront Endpoint Protection 2010. We of course welcome anybody who is interested in the MAP product. Click here to find more about what MAP has to offer. MAP helps customers and partners with a host of scenarios as software usage tracking, software and hardware inventory, assessments for migration, virtualization and the cloud.
We really look forward to having you involved in our Beta program and hearing your thoughts on the features we’ve added.
As a way of saying thank you there will be prizes. We don’t have all the details yet but in the past we gave away prizes such as Xbox 360s, Kinect for Xbox, and Zune media Players to a randomly selected subset of participants.
Sincerely,
The Map Toolkit Team
To proactively express your interest in MAP please
This announcement is sponsored by the Microsoft Solution Accelerators Team. You can contact us at mapfdbk@microsoft.com
by Michael Cureton
We’ve become aware of two issues when using the Definition Update Automation Tool. This blog article presents workarounds for the issues.
The FEP 2010 Definition Update Automation Tool may fail to add new definition updates to your deployment package. Reviewing the %ProgramData%\SoftwareUpdateAutomation.log file shows the following exception:
SmsAdminUISnapIn Error: 1 : Unexpected exception: System.ArgumentException: An item with the same key has already been added. at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource) at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add) at System.Collections.Generic.Dictionary`2.Add(TKey key, TValue value) at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SccmUtilities.CalculateCleanupDelta(ConnectionManagerBase connection, ICollection`1 freshUpdateFilesObjectList, IResultObject destinationPackageObject) at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SoftwareUpdater.Update(SoftwareUpdateAutomationArguments arguments) at Microsoft.Forefront.EndpointProtection.SoftwareUpdateAutomation.SoftwareUpdater.Main(String[] args)
More than one FEP 2010 definition update is being detected as active by the tool.
The FEP 2010 Definition Update Automation tool queries WMI (SELECT * FROM SMS_SoftwareUpdate WHERE ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1) to get the single active FEP 2010 definition update. The exception happens as a result of more than one update being returned. The tool may detect more than one update as being active when one of the two conditions is TRUE:
To confirm if you’re experiencing condition #1 or #2, run the below WMI query:
SELECT * FROM SMS_SoftwareUpdate WHERE ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0
If the query only returns one row, then you are experiencing condition #1. If two or more rows are returned, you are experiencing condition #2.
If you are experiencing condition #1, you can prevent the symptom by simply adding the /UpdateFilter flag to the command line for the tool (SoftwareUpdateAutomation.exe) with the appropriate values to filter out expired definition updates that are not superseded.
For example:
SoftwareUpdateAutomation.exe /AssignmentName <AssignmentName> /PackageName <DeploymentPkgName> /UpdateFilter “ArticleID=2461484 AND IsSuperseded=0 AND IsEnabled=1 AND IsExpired=0”
If you are experiencing condition #2, you will need to manually decline the orphaned updates via the WSUS administration console. For each update returned from the WMI query that you used to confirm that you have condition #2, double-click on the LocalizedDisplayName property and note the definition version. The update with the highest definition version will be the active one. The update(s) with the lower definition versions have been orphaned.
For example, using the list below, 1.107.713.0 would be the active update and the other two updates are orphaned and would need to be declined manually in WSUS.
Definition Update for Microsoft Forefront Endpoint Protection 2010 - KB2461484 (Definition 1.103.1405.0) Definition Update for Microsoft Forefront Endpoint Protection 2010 - KB2461484 (Definition 1.105.2231.0) Definition Update for Microsoft Forefront Endpoint Protection 2010 - KB2461484 (Definition 1.107.713.0)
After you have determined the orphaned update(s) title (and version), load the WSUS snap-in and drill down to the Updates node. On the action pane, click New Update View. Select “Updates are in a specific classification” and “Updates are for a specific product”. In step 2, click any classification and ensure that only Definition Updates is checked. Next click any product and ensure that only Forefront Endpoint Protection 2010 is checked. In step 3, specify a name for the view and click OK.
Locate the created view in the WSUS console. Change the Approval value to "Any Except Declined" and the Status to "Any" and hit Refresh. Click the Title column so that the results are sorted using the version. Find the orphaned update(s) that you identified by version and select the Decline action for each. Once this is complete, you’ll need to wait for the next scheduled Software Update Point (SUP) sync to complete, at which time the updates that you declined will be marked as expired in the ConfigMgr database.
NOTE: Running a manual SUP sync will NOT expire the declined updates. Only a scheduled sync will perform this operation.
Once the sync is complete, you can run the WMI query used to determine condition to confirm that only one row is now returned. You will also need to run the tool going forward using the condition #1 workaround with the /UpdateFilter flag.
The FEP 2010 Definition Update Automation Tool does not refresh distribution points (DPs) by default. Even though the help output for the tool states that /RefreshDP is set by default, it is not.
Add /RefreshDP to the command line for the tool (SoftwareUpdateAutomation.exe). For example:
SoftwareUpdateAutomation.exe /AssignmentName <AssignmentName> /PackageName <DeploymentPkgName> /RefreshDP