We have received reports of an installation issue with our March update of Forefront Client Security when the option of “install updates and shutdown” is used. We wanted to be clear on the issue and exactly what steps we are taking to rectify it.
A computer attempts to use the install updates and shutdown Windows feature to update to the latest version of FCSv1. After restart, the computer does not have the Antimalware agent installed, but will still have the Security State Assessment (SSA) and Microsoft Operations Manager components installed.
This issue only occurs on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. It does not occur on Windows XP, Windows Server 2003 or Windows 2000. This issue was not introduced in the March Update. It is caused by a previously undetected problem in the October 2010 update. Please review the steps below for what options you should take.
For the bug to occur, either the system must have the policy setting that changes the default shutdown behavior, or the user must click “Apply updates at Shutdown”. If the update is deployed or manually installed in other ways, this bug does not occur.
What can I do to address this issue myself?
There are a number of workarounds that can be used currently.
Avoiding the issue
If you have computers which experience this issue and are now unprotected, there are a number of options.
What is Microsoft doing to address this?
We are doing the following:
We take the support of our customers very seriously. If you need additional assistance please contact your support professional or visit http://support.microsoft.com/ph/12632 .
Sincerely, the Microsoft Forefront Client Security Engineering team.
Today (8 March 2011), we released an update to FCSv1. Changes include:
For already installed FCS client installations, install the update for Microsoft Knowledge Base article 2508823 (http://support.microsoft.com/kb/2508823). For new FCS Client installations, deploy the client components listed in Microsoft Knowledge Base article 2508824 (http://support.microsoft.com/kb/2508824).
For more information about the update, see Microsoft Knowledge Base article 2508823 (http://support.microsoft.com/kb/2508823).
Visio is one of the most popular tools for creating diagrams that describe effective systems and processes. In every project in which I participate, when it comes to documenting what you did, I always have to create a diagram in which I define the architecture, server configuration, network, etc. A picture is worth a thousand words, and Visio is the tool of choice for these documentation tasks.
With SMSMap you can read FEP components and ConfigMgr/SMS site roles through COM and automate Visio to draw a diagram of the hierarchy including the FEP SQL Reporting Server, FEP Data Warehouse SQL Server, and the FEP Reporting Component.
Developed by Jeff Tondt, this free utility is available at http://www.tondtware.com and works on ConfigMgr SP2 / R3 and down to SMS 2003. Seeing the whole FEP/ConfigMgr hierarchy as a picture can help you quickly understand how your infrastructure is laid out. This handy tool automates creation of your infrastructure documentation and frees you up for other Forefront product installations.
Some screenshots of SMSMap:
Did you know that Windows 7 SP1 is available for download? Windows 7 SP1 brings some great features to the platform, and everyone's pretty excited about it.
We want to make absolutely clear that Windows 7 SP1 is supported by the following endpoint security products:
If in doubt about what you have installed, view your version number: on the Help menu, click About.
If your version is reported in the range of 2.0.1677 to 2.0.2530, then you should:
Note: The same statements apply for Windows Server 2008 R2 SP1 as well; you need the same update to allow FCS to function. (Douglas Hill 3/23/2010)
So have you ever wondered what the Microsoft SpyNet opt in page is really all about?
Microsoft SpyNet is a cloud service that allows the FEP or MSE client on your computer to report information about programs that exhibit suspicious behavior to the Microsoft Malware Protection Center (MMPC) researchers. When this information is reported, definitions for previously unknown threats can be created and distributed, minimizing the time that a new threat is spreading in the wild before protection is available. (Note: older clients, like FCS and Windows Defender, also participate in SpyNet, but to get the full benefits of SpyNet, which includes Dynamic Signature Service, you should move to FEP or MSE.)
Additionally, when your FEP or MSE client reports new malware to the Microsoft SpyNet cloud service, the Dynamic Signature Service can recognize when a definition is available but not yet released, and deliver that definition for that specific threat in real time from the cloud. Upon delivery of the dynamic signature, the threat will be detected and can be removed from the system.
Hey – here’s a thought. Take 3 minutes and watch this – Microsoft SpyNet and the Dynamic Signature Service in action:
A while back we posted a reporting workbook for the Forefront Endpoint Protection Security Management Pack. This workbook allows you to connect to your FEP Security Management Pack database and create custom reports based on the data contained within the database.
We have a new addition to this – a workbook you can use to create custom FEP reports. This new workbook works in much the same way as the one previously released. You must first connect the workbook to your FEP database, and then you can use the worksheets to generate custom reports based on the data contained within the database.
In order to make it easier for you to find both workbooks, I’ve attached a zip file that contains both of them to this blog article (if you already downloaded the one for the FEP Security Management Pack, it has not changed). Each workbook has instructions on the first worksheet on how to connect it to your database.