Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

A hotfix is available to resolve some problems with the Forefront Client Security client


Symptoms

You experience the following symptoms when you are using Microsoft Forefront Client Security.

Symptom 1

On a computer that is running Microsoft Windows 2000 Service Pack 4, the Anti-malware user interface cannot open when you log on to the computer by using a non-administrator account.

Symptom 2

In the notification area, the Forefront Client Security icon becomes orange to indicate that an issue has occurred. When you open the Forefront Client Security client to view the issue, the client incorrectly reports that a product update is available for the Forefront Client Security client. A product update is not available.

Note In this scenario, the new product update notification differs from the new definition update notification.

Symptom 3

When you save a Microsoft Office Word document that already exists on a FAT32 volume, the file disappears unexpectedly. This occurs only when antivirus real-time protection (RTP) is enabled.

Symptom 4

The Microsoft Forefront Client Security Anti-malware Service stops unexpectedly. Then, this service does not recover automatically. This symptom occurs if the signature or the engine update is invalid.

↑ Back to the top


Cause

Cause 1

Symptom 1 occurs because of a permission issue that is specific to Windows 2000. In Windows 2000, a non-administrator user is denied access to the RegisterGPNotification function. This function is used to monitor policy changes.

Cause 2

Symptom 2 occurs because a registry value is not reset as expected after a successful upgrade. To determine the current state of Forefront Client Security Agent, the Forefront Client Security client queries the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\ProductUpdateAvailable
Note A value of 0 indicates that new updates are not needed. A value of 1 indicates that new updates are needed.

However, the Forefront Client Security client update package did not reset this registry value to 0 after the last upgrade.

Cause 3

Symptom 3 occurs for one of the following reasons:
  • Word sometimes deletes files when the temporary backup file cannot be accessed.
  • The I/O manager does not close a file correctly on a FAT32 volume if the Object Manager rejects the open action during security checks when the file is accessed.

Cause 4

Symptom 4 occurs because the Microsoft Forefront Client Security Anti-malware Service registers with the Service Control Manager (SCM) to automatically start two times after a failure. If an invalid signature causes the service to stop repeatedly, the SCM makes only two restart attempts and does not continue to restart the service.

↑ Back to the top


Resolution

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Note This hotfix is available from Microsoft Update or from Windows Server Update Services. If you want to obtain the file for deployment by using a different method, follow these steps:
  1. Visit the following Microsoft Update Catalog Web site:
  2. Type 938054 in the Search box, and then click Search.
  3. Click Add to add the hotfix to the basket.
  4. Near the search bar at the top, click the view basket link.
  5. Locate and then click the Download button.
  6. Click Browse, specify the folder to download the hotfix to, and then click OK.
  7. Click Continue, and then accept the EULA. The hotfix will start to download.

Prerequisites

There are no prerequisites for installing this hotfix.

Restart requirement

You have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Forefront Client Security, x64-based versions
FileNameFileSizeVersionDateTime
AMHelp.chm65,216March 8, 20071:43:26 AM
Mpasbase.vdm572,7201.0.0.0March 8, 20071:44:44 AM
MpAsDesc.dll53,1361.5.1941.0August 2, 20071:24:14 AM
Mpasdlta.vdm9,0081.0.0.0March 8, 20071:44:44 AM
Mpavbase.vdm204,6241.0.0.0March 8, 20071:44:44 AM
Mpavdlta.vdm9,0401.0.0.0March 8, 20071:44:44 AM
MpAvRtm.dll154,5121.5.1941.0August 2, 20071:12:12 AM
MpClient.dll549,2641.5.1941.0August 2, 20071:12:18 AM
MpCmdRun.exe494,9921.5.1941.0August 2, 20071:12:18 AM
MpEngine.dll3,758,9841.1.2701.0July 4, 20071:18:14 AM
Mpevmsg.dll27,0241.5.1941.0August 2, 20071:23:32 AM
Mpfilter.cat10,672July 7, 200712:09:12 AM
Mpfilter.inf2,941March 8, 20071:44:42 AM
Mpfilter.sys89,4881.5.1941.0July 7, 200712:09:12 AM
MpOAv.dll121,2321.5.1941.0August 2, 20071:12:08 AM
MpRtMon.dll1,184,6561.5.1941.0August 2, 20071:12:22 AM
MpSigDwn.dll183,1841.5.1941.0August 2, 20071:12:12 AM
MpSoftEx.dll795,0241.5.1941.0August 2, 20071:12:22 AM
MpSvc.dll|MpSvc.dll406,9281.5.1941.0August 2, 20071:12:18 AM
MpUtil.dll250,2561.5.1941.0August 2, 20071:12:14 AM
MSASCui.exe1,640,3361.5.1941.0August 2, 20071:12:24 AM
MsMpCom.dll309,1361.5.1941.0August 2, 20071:12:18 AM
MsMpEng.exe|MsMpEng.exe18,3201.5.1941.0August 2, 20071:12:08 AM
MsMpLics.dll12,6881.5.1941.0August 2, 20071:12:02 AM
MsMpRes.dll767,8881.5.1941.0August 2, 20071:24:48 AM
Forefront Client Security, x86-based versions
FileNameFileSizeVersionDateTime
AMHelp.chm65,216March 8, 20071:43:26 AM
Mpasbase.vdm572,7201.0.0.0March 8, 20071:44:44 AM
MpAsDesc.dll52,6241.5.1941.0August 1, 200711:52:44 PM
Mpasdlta.vdm9,0081.0.0.0March 8, 20071:44:44 AM
Mpavbase.vdm204,6241.0.0.0March 8, 20071:44:44 AM
Mpavdlta.vdm9,0401.0.0.0March 8, 20071:44:44 AM
MpAvRtm.dll128,9121.5.1941.0August 1, 200711:19:44 PM
MpClient.dll369,5521.5.1941.0August 1, 200711:19:54 PM
MpCmdRun.exe341,9041.5.1941.0August 1, 200711:19:52 PM
MpEngine.dll2,783,6241.1.2701.0July 3, 20071:18:18 AM
Mpevmsg.dll27,0241.5.1941.0August 1, 200711:51:40 PM
Mpfilter.cat10,672July 7, 200712:09:12 AM
Mpfilter.inf2,941March 8, 20071:44:42 AM
Mpfilter.sys70,9281.5.1941.0July 7, 200712:09:12 AM
MpOAv.dll95,6321.5.1941.0August 1, 200711:19:42 PM
MpRtMon.dll734,6081.5.1941.0August 1, 200711:19:56 PM
MpSigDwn.dll133,5201.5.1941.0August 1, 200711:19:46 PM
MpSoftEx.dll521,6161.5.1941.0August 1, 200711:19:56 PM
MpSvc.dll299,9201.5.1941.0August 1, 200711:19:52 PM
MpUtil.dll180,6241.5.1941.0August 1, 200711:19:46 PM
MSASCui.exe1,037,2001.5.1941.0August 1, 200711:19:58 PM
MsMpCom.dll225,1681.5.1941.0August 1, 200711:19:50 PM
MsMpEng.exe18,8321.5.1941.0August 1, 200711:19:38 PM
MsMpLics.dll12,6881.5.1941.0August 1, 200711:19:30 PM
MsMpRes.dll769,9361.5.1941.0August 1, 200711:53:50 PM

↑ Back to the top


Workaround

Workaround 1

To work around symptom 1, log on to the Windows 2000-based computer by using an administrator account.

Workaround 2

To work around symptom 2, follow these steps:

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM
  3. Right-click the AM registry subkey, and then click Permissions.
  4. Click Advance.
  5. On the Owner tab, click Other Users or Groups.
  6. In the Select User, Computer, or Group dialog box, add the Administrators group, and then click OK.
  7. Click OK to exit the Advanced Security Settings dialog box.
  8. Click OK to exit the Permissions dialog box.
  9. Under the AM registry subkey that you located in step 2, right-click the ProductUpdateAvailable registry entry, and then click Modify.
  10. In the Value data box, type 0, and then click OK.
  11. Exit Registry Editor.
Note When the next Forefront Client Security client update becomes available, this problem will disappear because the update will reset the ProductUpdateAvailable registry entry to 0. The current resolution is for users who want to resolve the status immediately.

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


More Information

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

↑ Back to the top


Keywords: fep2010swept, kbprb, kbexpertiseinter, kbpubtypekc, kbfix, kbqfe, kb, kbbug, kbautohotfix, kbhotfixserver

↑ Back to the top

Article Info
Article ID : 938054
Revision : 1
Created on : 1/7/2017
Published on : 6/21/2014
Exists online : False
Views : 221