Announcement: Microsoft Anti-Malware Platform Update


The anti-malware platform will be updated Tuesday April 9, 2013 across multiple products. These products include Forefront Endpoint Protection 2010 and System Center 2012 Endpoint Protection SP1 standalone clients, and the managed versions of both.

The standalone updates will be made available via Microsoft Update and WSUS as Critical Updates. The installation packages are approximately 25MB; WSUS administrators should review auto-approval rules in advance of the April 9 release to avoid any unexpected increase in network traffic.
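One way to do that review is to script it against the WSUS administration API rather than clicking through every rule. The script below is an added example, not part of the original post or any Microsoft tooling: run on the WSUS server (or a host with the WSUS console installed), it lists every auto-approval rule, flags the enabled rules whose classification set includes Critical Updates (and so would approve this platform update on the next synchronization), and reports the approval state of the four KB numbers given in the April 16 update below. The remote server name and port in the comment are placeholders; everything else uses the standard `Microsoft.UpdateServices.Administration` assembly shipped with the WSUS console.

```powershell
# Added example (not Microsoft's code). Requires the WSUS administration console
# on the machine where it runs; connects to the local WSUS server by default.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
# Remote alternative (placeholder host/port, not from the post):
# $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('wsus01.example.local', $false, 8530)

# The four platform-update KB numbers from the announcement.
$platformKbs = 'KB2831312', 'KB2831316', 'KB2827684', 'KB2828233'

"== Auto-approval rules =="
foreach ($rule in $wsus.GetInstallApprovalRules()) {
    $classes = @($rule.GetUpdateClassifications() | ForEach-Object { $_.Title })
    $groups  = @($rule.GetComputerTargetGroups()  | ForEach-Object { $_.Name })
    # The platform update ships under the Critical Updates classification.
    $coversCritical = ($classes -contains 'Critical Updates')
    New-Object PSObject -Property @{
        Rule                           = $rule.Name
        Enabled                        = $rule.Enabled
        Classifications                = ($classes -join ', ')
        TargetGroups                   = ($groups -join ', ')
        WouldAutoApprovePlatformUpdate = ($rule.Enabled -and $coversCritical)
    }
}

"== Platform update approval state =="
foreach ($kb in $platformKbs) {
    $number = $kb.Substring(2)                       # SearchUpdates matches title/description text
    $hits = @($wsus.SearchUpdates($number) | Where-Object { $_.KnowledgebaseArticles -contains $number })
    if ($hits.Count -eq 0) { "$kb : not present (not yet synchronized or withdrawn)"; continue }
    foreach ($u in $hits) {
        # Each approval names the target group and the action (Install / NotApproved / Uninstall).
        $approvals = @($u.GetUpdateApprovals() |
            ForEach-Object { '{0}={1}' -f $_.GetComputerTargetGroup().Name, $_.Action })
        '{0} : "{1}" | approved={2} | {3}' -f $kb, $u.Title, $u.IsApproved, ($approvals -join ', ')
    }
}
```

Any rule reported with `WouldAutoApprovePlatformUpdate = True` will push a roughly 25MB package to its target groups without further review; disabling it, or narrowing its classifications before the April 9 synchronization, is what the paragraph above is asking for. The same check is worth running against the software update point behind Configuration Manager, since it is a WSUS instance too.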

This anti-malware platform update contains the following improvements:

  • Adds new malware remediation functionality to the anti-malware platform.

  • Adds anti-tampering improvements to the anti-malware platform.

  • Improves overall performance of the anti-malware platform.

Update April 16, 2013

The KB articles for these updates are as follows:

Stand-alone / Unmanaged clients:

  • KB2831312: An anti-malware platform update for stand-alone Forefront Endpoint Protection 2010 clients is available from Microsoft Update

  • KB2831316: An anti-malware platform update for stand-alone System Center 2012 Endpoint Protection Service Pack 1 clients is available from Microsoft Update

Managed (by Configuration Manager 2007 for FEP, or by System Center 2012 Configuration Manager for SCEP):

  • KB2827684: An anti-malware platform update for Forefront Endpoint Protection 2010 clients is available from Microsoft Support

  • KB2828233: An anti-malware platform update for System Center 2012 Endpoint Protection Service Pack 1 clients is available from Microsoft Support

As noted in the KB articles, these updates may require reboots during installation.

The two stand-alone releases (KB2831312 and KB2831316) were temporarily removed from Microsoft Update on April 10; they will be restored on Wednesday April 17. They were pulled because of a detection-logic issue discovered with the Windows Defender platform update (KB2781197) offered to Windows 8 clients:

The Windows Defender update was being erroneously offered to clients that already had the new FEP or SCEP platform updates applied. This produced misleading installation failures for KB2781197, because that update does not actually apply once FEP or SCEP have been updated to the latest platform.

Note that managed customers (using Configuration Manager 2007 or System Center 2012 Configuration Manager) may also see failures when installing update KB2781197 on Windows 8 clients that have the FEP or SCEP platform update applied. These failures can likewise be ignored and should cease now that the detection logic for KB2781197 has been revised (effective April 16).
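Telling the benign KB2781197 failure described above apart from a genuine update problem is easier with a client-side check than by eyeballing the Windows Update log. The following script is an added example, not part of the original post or of Microsoft's tooling: it reads the Windows Update Agent history on a client through the `Microsoft.Update.Session` COM object, finds failed KB2781197 entries, and reports whether one of the four FEP/SCEP platform-update KBs from this announcement is already recorded as installed, which is the case the post says can be ignored. It assumes the platform update reached the client through the Windows Update Agent (Microsoft Update, WSUS, or Configuration Manager software updates), so that it appears in that history; result codes follow the documented `OperationResultCode` values.

```powershell
# Added example (not Microsoft's code). Run on a client, e.g. a Windows 8 machine
# that reported a KB2781197 installation failure.
$platformKbs = 'KB2831312', 'KB2831316', 'KB2827684', 'KB2828233'   # from the announcement
$defenderKb  = 'KB2781197'                                          # Windows Defender platform update

function Test-TitleHasKb {
    # True if the update title mentions any of the given KB identifiers.
    param([string]$Title, [string[]]$Kbs)
    foreach ($kb in $Kbs) { if ($Title -match $kb) { return $true } }
    return $false
}

# Assumption: the updates were installed by the Windows Update Agent, so they are in its history.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$count    = $searcher.GetTotalHistoryCount()
$history  = @()
if ($count -gt 0) { $history = @($searcher.QueryHistory(0, $count)) }

# OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed, 5 = Aborted
$platformInstalled = @($history | Where-Object {
    ($_.ResultCode -eq 2 -or $_.ResultCode -eq 3) -and (Test-TitleHasKb $_.Title $platformKbs) })

$defenderFailures = @($history | Where-Object {
    $_.ResultCode -eq 4 -and $_.Title -match $defenderKb })

if ($defenderFailures.Count -eq 0) {
    "No failed $defenderKb installations in Windows Update history."
}
foreach ($f in $defenderFailures) {
    $hr = '0x{0:X8}' -f $f.HResult        # two's-complement hex, e.g. 0x80070643
    if ($platformInstalled.Count -gt 0) {
        '{0}  {1} failed ({2}): expected, platform update already installed ("{3}"); safe to ignore' -f `
            $f.Date, $defenderKb, $hr, $platformInstalled[0].Title
    } else {
        '{0}  {1} failed ({2}): no FEP/SCEP platform update in history; investigate' -f `
            $f.Date, $defenderKb, $hr
    }
}
```

Only failures that coincide with an installed platform update are reported as expected; a KB2781197 failure on a client with no platform update in its history is left flagged for investigation, since the post's explanation does not cover it. After the April 16 detection-logic revision the expected case should stop appearing in new history entries.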

--The Configuration Manager Team

This posting is provided "AS IS" with no warranties and confers no rights.


  • Does this apply to Windows Intune Endpoint Protection?

  • Will the mac clients be manageable?

  • Yeah, I would have liked to have seen some heads up on how to handle this using SCCM 2012 SP1 and ADRs.  I am only finding talk about this over the last couple of days.  Nice warning.  It just got deployed to  over 500 machines in my environment and had people flipping out because it was asking them to reboot.

  • SCCM Guy - Same thing happened to me today. We had failed to scope our ADR to "Definition Updates" only and ended up deploying this to several servers/workstations. We were able to disable the deployment right away but the damage was done, this update does require a reboot, I'm just thankful that I had reboots suppressed on servers. Rebooting all the servers in the middle of the day is generally not a good idea.

  • KB2831316 failed the update with error 0x80070643 on all workstations. (!) Sounds familiar?

  • Does it now detect bProtector as a malware and remove it? Because before this update it was happy to coexist with it. Blind as a bat...

  • Where is the knowledge base article for this update?  The link displayed in the "Automatic Updates" window references a page that does not exist; Article KB2831316 is nowhere to be found.

  • What are the anti-tampering improvements, out of curiosity? One big thing we've been struggling with in moving from Symantec to SCEP is that Symantec password protects the uninstall. Our users are local admins on their machines and with SCEP it is very easy to uninstall.

  • @Todd

    SCEP should automatically reinstall itself.  Inside the EndpointProtectionAgent log on the client, you should see that it looks in a reg entry to see if the installed version matches the expected version. If it does not find the key, it will reinstall SCEP.

  • Thanks, SCCM Guy. Our users are mostly laptop users and are oftentimes away from the network. We have been messing around with things like changing the permissions on setup.exe and SRP (not working for us) to block setup.exe to hopefully make uninstall difficult enough that we can get acceptance to use SCEP. I'll keep looking.

  • Any issues through SCCM 2007? Checking the compliance, only a really small percentage of our estate requires this using Update is Not Required, Update is Required. But all have FEP 2010 Client installed.

  • @Jimmy, is online and working for me.

  • Is 2831316 still available on Microsoft Update? Looking at the update catalog, I can't find this update and it's not appearing in the catalog for my new WSUS server.

  • KB2831316 failed the update with error code 8004FF80...... all clients are SCEP 2012 SP1

  • KB2831316 was available to my clients but I can't install it.  All my other Windows updates worked except for this.  The error I get is "code:0x80070659. This installation is forbidden by system policy. Contact your system administrator".  Only my administrator can install it and I wonder if the problem was because the file was dated 4/9th.  Am I supposed to see a newer dated KB2831316?  I already set "Not Configured, Never, Always, Disabled" the DisableMSI installed on my GPO but to no avail.  Maybe there is something wrong with this installer.