There is an issue with the changes made in QFE9 (KB2394433) that prevents the Antimalware minifilter mpfilter.sys from loading properly on Windows 2000. This causes a failure to provide On Access Real-Time Protection. If you do not have any Windows 2000 computers in your organization, this issue does not apply to you.

UPDATE: This morning we released an update that will allow organizations to deploy the latest Forefront Client Security update on Windows 2000 systems. The information on this release can be found in Knowledge Base Article 2459065.

Windows Server Update Services (WSUS) admins will see two separate packages that apply to Windows 2000 systems only. One is the update package mentioned above, and the second is the package for new deployments (see Knowledge Base Article 2464613).

 

 

                 KB       English Title of Package in WSUS
---------------  -------  -------------------------------------------------------------------------------------
New Deployments  2464613  Client Update for Microsoft Forefront Client Security (1.0.1732.0) (Windows 2000 SP4)
Update           2459065  Update for Microsoft Forefront Client Security (KB2459065) (Windows 2000 SP4)

We chose to deploy the update in this way so that we did not force admins to redeploy a client update to their entire client base for a change that impacted a single platform. When we release updates in the future, we intend to have only a single update package again.

 

Thanks again for your patience while we addressed this issue for our Windows 2000 users. We recommend you complete your migrations from Windows 2000 as soon as you are able, as Windows 2000 is officially out of support.

 

UPDATE: We have changed the publication logic for this update so that this update no longer applies to Windows 2000 computers. The propagation began at 5pm 10/21 Pacific time, and should propagate to your local Microsoft Update server shortly.

This change in publication prevents the update and slipstream (new installs via WSUS) from applying to Windows 2000. No changes have been made to the package itself; the package will still install on Windows 2000 if you download it and run it manually (or via some other non-WSUS technology).

The update will still install on all other supported operating systems. This issue only affects Windows 2000.

To see this new logic on your WSUS server, you must synchronize your WSUS server after 5pm Pacific time.

Stay tuned for further updates. 

We'll post mitigations on the TechNet Wiki, in this article (http://social.technet.microsoft.com/wiki/contents/articles/qfe9-kb2394433-introduces-rtp-error-0x8007007f-on-windows-2000.aspx).

For information about configuring WSUS to deploy a previous FCS client hotfix, see this article (http://social.technet.microsoft.com/wiki/contents/articles/configuring-wsus-to-deploy-previous-fcs-client-hotfix.aspx).


Customers experiencing this issue should revert to QFE8 (KB979536) by uninstalling the antimalware client, installing the RTM client, and then upgrading to QFE8.

To uninstall with no user interface, use the following command line:

msiexec.exe /x {A22989EE-AE7A-42F8-A0C0-9C99CFB644FB} /qn

After deploying KB2394433 (or KB2394439) to Windows 2000 computers there are two FCSAM 3002 Errors in the System log with the following information:

10/19/2010 01:24:53 PM                FCSAM Error                      3002       Win2k
Microsoft Forefront Client Security Real-Time Protection agent has encountered an error and failed.
User: NT AUTHORITY\SYSTEM
Agent: On Access
Error Code: 0x8007007f
Error description: The specified procedure could not be found.

These errors are reported to the FCS server and are shown in the FCS Management Console dashboard as Reporting Critical Issues. These machines will also be represented in the Computers Per Issue section under Alerts detected.

In the Alerts Summary report, the alert name Error can be expanded to show the Scanning Failed error. This error can be expanded to list the machines potentially experiencing this issue.


Also, on the Windows 2000 machines having this problem, you can verify if the mpfilter.sys minifilter is loaded by typing the following at a command prompt:

fltmc

In this scenario the fltmc command doesn't list the mpfilter minifilter driver as loaded, as shown below:

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
No filters loaded
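
The two symptoms above (the FCSAM 3002 event with error code 0x8007007f and a fltmc listing without mpfilter) can be checked in bulk from an admin workstation once the text has been collected from each Windows 2000 machine. This is an added example, not part of the original post or any Microsoft tool; it assumes the event text and fltmc output were saved in the layouts shown on this page, and all function names are hypothetical.

```python
import re

# Sample text copied from this page: one System-log record and the fltmc listing.
SAMPLE_EVENTS = r"""10/19/2010 01:24:53 PM                FCSAM Error                      3002       Win2k
Microsoft Forefront Client Security Real-Time Protection agent has encountered an error and failed.
User: NT AUTHORITY\SYSTEM
Agent: On Access
Error Code: 0x8007007f
Error description: The specified procedure could not be found.
"""
SAMPLE_FLTMC = """Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
No filters loaded
"""
HEADER = re.compile(r"(\S+ \S+ [AP]M)\s+FCSAM\s+(\w+)\s+(\d+)\s+(\S+)")

def parse_fcsam_events(text):
    """Split exported log text into FCSAM records (header line plus 'Key: value' lines)."""
    events, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = dict(zip(("time", "level", "id", "host"), header.groups()))
            events.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key.strip()] = value.strip()
    return events

def rtp_failures(events):
    """Records matching this page's signature: event 3002, On Access agent, 0x8007007f."""
    return [e for e in events
            if e["id"] == "3002" and e.get("Agent") == "On Access"
            and e.get("Error Code", "").lower() == "0x8007007f"]

def loaded_filters(fltmc_output):
    """Lower-cased filter names listed by fltmc; empty for 'No filters loaded'."""
    names, in_table = [], False
    for line in fltmc_output.splitlines():
        if line.startswith("---"):
            in_table = True
        elif in_table and line.strip() and "No filters loaded" not in line:
            names.append(line.split()[0].lower())
    return names

def host_affected(event_text, fltmc_output):
    """True when the log shows the RTP failure and mpfilter is not loaded."""
    failed = rtp_failures(parse_fcsam_events(event_text))
    return bool(failed) and "mpfilter" not in loaded_filters(fltmc_output)
```

Requiring both symptoms avoids flagging a machine whose log still holds the old 3002 errors after it has been reverted to QFE8 and the filter loads again.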

It's worth mentioning that there was an installation issue with the "1725" client package available in WSUS that resulted in the Antimalware service being removed. Customers using WSUS to deploy the FCS client to Windows 2000 machines should use the RTM "1703" client package to avoid both this issue with the "1725" client package and the Real-Time Protection error described in this article.


Stay tuned to this blog for updates.

Andrew Davis
Senior Technical Lead, CSS