There is an issue with the changes made in QFE9 (KB2394433) that prevents the Antimalware minifilter mpfilter.sys from loading properly on Windows 2000. This causes a failure to provide On Access Real-Time Protection. If you do not have any Windows 2000 computers in your organization, this issue does not apply to you.
UPDATE: This morning we released an update that will allow organizations to deploy the latest Forefront Client Security update on Windows 2000 systems. The information on this release can be found in Knowledge Base Article 2459065.
Windows Server Update Services (WSUS) admins will see two separate packages that apply to Windows 2000 systems only. One is the update package mentioned above, and the second is the package for new deployments (see this Knowledge Base Article 2464613).
Purpose          KB       English Title of Package in WSUS
New Deployments  2464613  Client Update for Microsoft Forefront Client Security (1.0.1732.0) (Windows 2000 SP4)
Update           2459065  Update for Microsoft Forefront Client Security (KB2459065) (Windows 2000 SP4)
We chose to deploy the update this way so that admins were not forced to redeploy a client update to their entire client base for a change that affected a single platform. When we release updates in the future we intend to return to a single update package.
Thanks again for your patience while we addressed this issue for our Windows 2000 users. We recommend you complete your migrations from Windows 2000 as soon as you are able, as Windows 2000 is officially out of support.
UPDATE: We have changed the publication logic for this update so that this update no longer applies to Windows 2000 computers. The propagation began at 5pm 10/21 Pacific time, and should propagate to your local Microsoft Update server shortly.
This change in publication prevents the update and slipstream (new installs via WSUS) from applying to Windows 2000. No changes have been made to the package itself; the package will still install on Windows 2000 if you download it and run it manually (or via some other non-WSUS technology).
The update will still install on all other supported operating systems. This issue only affects Windows 2000.
To see this new logic on your WSUS server, you must synchronize your WSUS server after 5pm Pacific time.
Stay tuned for further updates.
We'll post mitigations on the TechNet Wiki, in this article (http://social.technet.microsoft.com/wiki/contents/articles/qfe9-kb2394433-introduces-rtp-error-0x8007007f-on-windows-2000.aspx).
For information about configuring WSUS to deploy a previous FCS client hotfix, see this article (http://social.technet.microsoft.com/wiki/contents/articles/configuring-wsus-to-deploy-previous-fcs-client-hotfix.aspx)
Customers experiencing this issue should revert to QFE8 (KB979536) by uninstalling the antimalware client, installing the RTM client, and then upgrading to QFE8.
To uninstall with no user interface, use the following command line:
msiexec.exe /x {A22989EE-AE7A-42F8-A0C0-9C99CFB644FB} /qn
After deploying KB2394433 (or KB2394439) to Windows 2000 computers there are two FCSAM 3002 Errors in the System log with the following information:
10/19/2010 01:24:53 PM FCSAM Error 3002 Win2k Microsoft Forefront Client Security Real-Time Protection agent has encountered an error and failed. User: NT AUTHORITY\SYSTEM Agent: On Access Error Code: 0x8007007f Error description: The specified procedure could not be found.
These errors are reported to the FCS server and are shown in the FCS Management Console dashboard as Reporting Critical Issues. These machines will also be represented in the Computers Per Issue section under Alerts detected.
In the Alerts Summary report, the alert name Error can be expanded to show the Scanning Failed error. This error can be expanded to list the machines potentially experiencing this issue.
Also, on the Windows 2000 machines having this problem, you can verify if the mpfilter.sys minifilter is loaded by typing the following at a command prompt:
fltmc
In this scenario the fltmc command doesn't list the mpfilter minifilter driver as loaded, as shown below:
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
No filters loaded
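If you have more than a handful of Windows 2000 clients, checking each one by hand for the FCSAM 3002 event and the fltmc output does not scale. The following script is an added example (not part of the original post and not a Microsoft tool) that does the same check from a management host: for every computer in a list it confirms the OS is Windows 2000 via WMI, pulls FCSAM 3002 errors carrying error code 0x8007007f from the remote System log, and, since fltmc cannot be run remotely, reports the state of the driver whose image is mpfilter.sys through Win32_SystemDriver instead. The computer names are placeholders, the seven-day lookback is an arbitrary choice, and it assumes the account running it has remote event-log and WMI rights on the targets (Windows 2000 itself has no PowerShell, so the script must run from a newer machine).

```powershell
# Added example, not code from the original post. Run from a management host
# (Windows 2000 has no PowerShell); it reads each target's System log and WMI
# remotely, so the account needs remote event-log and WMI rights there.
# The computer names are hypothetical placeholders for your own inventory.
$Computers = @('win2k-01', 'win2k-02')

# Matcher for the message text quoted in the post: agent "On Access" and
# error code 0x8007007f ("The specified procedure could not be found").
function Test-RtpFailureMessage {
    param([string]$Message)
    return (($Message -match 'Real-Time Protection agent has encountered an error') -and
            ($Message -match 'Agent:\s*On Access') -and
            ($Message -match '0x8007007f'))
}

# Constructed copy of the event text from the post, used to sanity-check the matcher
$sample = 'Microsoft Forefront Client Security Real-Time Protection agent has encountered an error and failed. ' +
          'User: NT AUTHORITY\SYSTEM Agent: On Access Error Code: 0x8007007f ' +
          'Error description: The specified procedure could not be found.'
if (-not (Test-RtpFailureMessage $sample)) { throw 'Matcher does not recognise the known-bad message text' }

function Test-Windows2000 {
    param([string]$ComputerName)
    # Windows 2000 reports kernel version 5.0.x
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
    return ($os.Version -like '5.0.*')
}

function Find-Fcsam3002 {
    param([string]$ComputerName, [datetime]$Since = (Get-Date).AddDays(-7))
    # Source FCSAM, event ID 3002, type Error, in the System log
    Get-EventLog -LogName System -ComputerName $ComputerName -Source FCSAM `
                 -EntryType Error -After $Since -ErrorAction Stop |
        Where-Object { $_.EventID -eq 3002 -and (Test-RtpFailureMessage $_.Message) }
}

# Substitute for running fltmc on the box: report the state of the driver whose
# image is mpfilter.sys (assumption: a minifilter that failed to load shows as Stopped).
function Get-MpFilterState {
    param([string]$ComputerName)
    $drv = Get-WmiObject -Class Win32_SystemDriver -ComputerName $ComputerName -ErrorAction Stop |
           Where-Object { $_.PathName -match 'mpfilter\.sys' }
    if ($drv) { return $drv.State } else { return 'not registered' }
}

$affected = foreach ($c in $Computers) {
    try {
        if (Test-Windows2000 -ComputerName $c) {
            $events = @(Find-Fcsam3002 -ComputerName $c)
            if ($events.Count -gt 0) {
                New-Object PSObject -Property @{
                    ComputerName  = $c
                    Failures      = $events.Count
                    LastFailure   = ($events | Sort-Object TimeGenerated -Descending | Select-Object -First 1).TimeGenerated
                    MpFilterState = Get-MpFilterState -ComputerName $c
                }
            }
        }
    } catch {
        Write-Warning ("{0}: {1}" -f $c, $_.Exception.Message)
    }
}

$affected | Format-Table ComputerName, Failures, LastFailure, MpFilterState -AutoSize
```

Machines that show up here are the ones to revert to QFE8 with the msiexec uninstall above; a machine that logs the 3002 event but reports the mpfilter driver as Running deserves a manual look, since that combination is not the failure mode described in this post.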
It's worth mentioning that there was an installation issue with the "1725" client package available in WSUS that resulted in the Antimalware service being removed. Customers using WSUS to deploy the FCS client to Windows 2000 machines should use the RTM "1703" client package to avoid both this issue with the "1725" client package and the Real-Time Protection error described in this article.
Stay tuned to this blog for updates.
Andrew Davis Senior Technical Lead, CSS
Hello all,
A short note: on October 12th we released an update to FCSv1. This update contains:
For already installed FCS client installations, install the update described in Microsoft Knowledge Base article 2394433 (http://support.microsoft.com/kb/2394433/).
For new FCS client installations, deploy the client components listed in Microsoft Knowledge Base article 2394439 (http://support.microsoft.com/kb/2394439/).
For more information about the update, Microsoft Knowledge Base article 2394439 (http://support.microsoft.com/kb/2394439) will have the detail.
Thanks!
Douglas Hill Program Manager
Microsoft antimalware definition updates accumulate over time and can affect more than just database resources and disk resources on the Windows Server Update Service server.
When a client connects to the Windows Server Update Services (WSUS) server, the client retrieves a list of all the approved updates that are offered and then must parse the list to determine which updates need to be installed. Both Forefront Client Security and Forefront Endpoint Protection help minimize this by only requesting antimalware definition updates, but a WSUS server that has been in operation for a long time could still return thousands of updates that must be parsed. This large number of returned updates can manifest itself as high CPU and memory usage by the svchost.exe process inside which Automatic Updates runs (see http://support.microsoft.com/kb/938947).
When Microsoft releases new antimalware definitions, we mark them as superseding any previously released updates and expire the oldest current update. The goal is to always have four versions of the definition updates available through WSUS to be offered to clients. Even though the older updates have been expired, unless they are declined they will still be offered to the client for evaluation. Luckily there are several things we can do to avoid this scenario.
Along with the ability to automatically approve the definition updates, WSUS has the ability to automatically decline updates as they are expired. To maintain the best performance of your WSUS server, this advanced option should be enabled, and if you choose to not automatically decline expired updates, you need to make sure to periodically decline them.
To automatically approve revisions to updates and decline expired updates:
The Forefront team also released the Client Security Best Practice Analyzer. This tool performs a series of diagnostic tests that can be used to troubleshoot issues or improve performance of your Client Security servers. You can find out more about the BPA here http://technet.microsoft.com/en-us/library/bb877697.aspx and recent updates and changes to it here: http://support.microsoft.com/kb/976986. One of the checks the BPA performs is for the number of expired definitions on the Forefront Client Security distribution server.
Number of expired definitions:
FCS definition updates will accumulate over time on a WSUS server, consuming disk and database resources. This check queries for expired FCS definitions that are no longer being used and issues a best practice warning if more than a month's worth are found.
Here is what it looks like in the BPA tool:
The TechNet documentation also contains a list of best practices to use when managing your Client Security Deployment. You can find these best practices here http://technet.microsoft.com/en-us/library/bb418840.aspx . One of the recommendations is to remove old updates from the WSUS server on a monthly basis. There are 2 ways to manually do this: you can use the wsusutil.exe from the command line, or you can use the Server Clean-Up Wizard that is integrated into the management UI beginning with WSUS 3.0:
Important
If you run multiple WSUS servers in an upstream/downstream relationship, you need to run the cleanup on all downstream servers before running it on the upstream servers. If you fail to do this you will corrupt the database of the downstream server and have to rebuild your downstream servers to fix the corruption.
If you have to manage multiple WSUS servers or you want to automate the cleanup process, there are a couple of PowerShell examples over in the Scripting Forum:
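As an added example (written for this page, not one of the Scripting Forum scripts referred to above and not a Microsoft tool), here is how the two recommendations in this post, declining expired definition updates and running the Server Cleanup Wizard's work monthly, can be automated through the WSUS 3.0 administration API. It walks the downstream servers first and the upstream server last, as the Important note requires, declines expired Forefront definition updates on any server that is not a replica (replicas inherit approvals and declines from their upstream), and then runs the same cleanup the wizard performs. The server names and port are hypothetical, the 30-day cut-off is only a rough stand-in for the BPA's "more than a month's worth" threshold, and the script assumes the WSUS administration console (which installs the Microsoft.UpdateServices.Administration assembly) is present on the machine running it and that the account is a WSUS administrator on every server.

```powershell
# Added example, not from the original post or the Scripting Forum.
# Requires the WSUS 3.0 administration console on this machine and
# WSUS Administrators membership on each server listed below.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

# Hypothetical server names; downstream servers are listed first on purpose,
# because cleanup must run downstream before upstream (see the Important note).
$DownstreamServers = @('wsus-branch1', 'wsus-branch2')
$UpstreamServer    = 'wsus-hq'
$Port              = 8530      # default WSUS 3.0 HTTP port; some installs use 80

function Connect-Wsus {
    param([string]$ServerName, [int]$Port, [bool]$UseSsl = $false)
    [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($ServerName, $UseSsl, $Port)
}

# Expired definition updates whose title matches the pattern and that nobody has declined yet.
function Get-ExpiredDefinitionUpdates {
    param($Server, [string]$TitlePattern = 'Forefront')
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::Any
    $Server.GetUpdates($scope) | Where-Object {
        $_.UpdateClassificationTitle -eq 'Definition Updates' -and
        $_.Title -match $TitlePattern -and
        $_.PublicationState -eq [Microsoft.UpdateServices.Administration.PublicationState]::Expired -and
        -not $_.IsDeclined
    }
}

# Same work the Server Cleanup Wizard does, minus deleting stale computer records.
function Invoke-WsusCleanup {
    param($Server)
    $scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
    $scope.DeclineExpiredUpdates       = $true
    $scope.DeclineSupersededUpdates    = $true
    $scope.CleanupObsoleteUpdates      = $true
    $scope.CompressUpdates             = $true
    $scope.CleanupUnneededContentFiles = $true
    $scope.CleanupObsoleteComputers    = $false   # review stale clients separately
    $Server.GetCleanupManager().PerformCleanup($scope)
}

foreach ($name in ($DownstreamServers + $UpstreamServer)) {
    $server = Connect-Wsus -ServerName $name -Port $Port

    # Declines are made where approvals are made; a replica inherits them from upstream.
    if (-not $server.GetConfiguration().IsReplicaServer) {
        $expired = @(Get-ExpiredDefinitionUpdates -Server $server)
        $old     = @($expired | Where-Object { $_.CreationDate -lt (Get-Date).AddDays(-30) })
        Write-Host ("{0}: {1} expired definition updates not yet declined, {2} older than 30 days" -f `
                    $name, $expired.Count, $old.Count)
        foreach ($u in $expired) {
            Write-Host ("  declining: {0} ({1:yyyy-MM-dd})" -f $u.Title, $u.CreationDate)
            $u.Decline()
        }
    }

    $r = Invoke-WsusCleanup -Server $server
    Write-Host ("{0}: cleanup declined {1} expired / {2} superseded, deleted {3} obsolete, freed {4} bytes" -f `
                $name, $r.ExpiredUpdatesDeclined, $r.SupersededUpdatesDeclined, $r.ObsoleteUpdatesDeleted, $r.DiskSpaceFreed)
}
```

Run it on a monthly schedule from a management box rather than on each WSUS server, so the downstream-before-upstream ordering is enforced by the script and not by whoever happens to remember it; if you only want the report, comment out the `$u.Decline()` line and the cleanup call and the output still tells you how far past the BPA threshold each server has drifted.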
Thanks Chris Norman Senior Escalation Engineer