Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Forefront Client Security anti-malware client update: April 2010

Forefront Client Security anti-malware client update: April 2010

INTRODUCTION

This article describes the Microsoft Forefront Client Security (FCS) anti-malware client issues that are fixed in this hotfix package.

Issues that this hotfix package fixes

Issue 1

Forefront Client Security real-time protection detects, suspends, and takes action against malware threats. After a threat is suspended, the user is notified. The user may be given an option to decide which action is taken, depending on the configuration of the client. If no action is taken after 10 minutes, then a default action that is defined either by policy or by definitions is executed. During this time, the malware threats are suspended and cannot be read or executed by other applications.

This real-time protection delay period is implemented by a user interface process. If a user does not log on to the computer, then this process does not run. Therefore, FCS does not take action on the suspended malware.

↑ Back to the top

Workaround
When malware is detected by real-time protection, the malware is suspended and cannot be read or executed by other applications. This behavior occurs both when a user is logged on to the computer and when a user is not logged on to the computer. Therefore, the computer is under protection. However, the malware still resides on the disk.

If a user logs on to the computer after the malware is detected, they are notified in the user interface and the real-time protection delay period begins.

When you deploy a policy to client computers, FCS takes action automatically on malware detected during scheduled scans. If you perform a scheduled full scan of the computer, action is taken against any malware that is detected and suspended after the scan is finished. A full scan includes all hard disk drives on the computer and takes action regardless of whether a user is logged on to the computer during the scan.
Resolution
This update adds an additional timer to the malware protection service. This additional timer implements the real-time protection delay period. Therefore, the default action that is defined either by policy or by definitions is executed when no user is logged on to the computer.

↑ Back to the top

Issue 2

A change to the libraries of the Driver Install Frameworks (DIFx) for Applications is described under the "Issue 1" heading in the "Resolution" section of the following article Knowledge Base (KB) article:
976668 Forefront Client Security anti-malware client update: December 2009

Many automated installation methods install updates by using the LocalSystem account. For example, Automatic Updates and System Center Configuration Manager use the LocalSystem account for updates. When the hotfix 976668 is installed by using the LocalSystem account on a Windows 2000-based computer, the update fails and the following error is logged in the Mp_ambits.log file:
DIFXAPP: INFO: creating HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\DIFxApp\Components\{153AA63E-3BFD-495C-A35F-85F66650141D} (User's SID: 'S-1-5-18') ...
DIFXAPP: ERROR 0x57 encountered while creating subkey for component '{153AA63E-3BFD-495C-A35F-85F66650141D}'
DIFXAPP: RETURN: ProcessDriverPackages() 87 (0x57)
Workaround
To install the update that is described in KB 976668 on a Windows 2000-based Computer, log on the computer as an interactive user, and then run the update. To obtain the update, use the Microsoft Update Web site by using a Web browser, or download and then run the update from the Microsoft Update catalog that is described in KB 976668.
Resolution
This update no longer uses DIFx for Applications during installation. The update uses a custom installation technology that can be used on all currently supported FCS operating systems.

↑ Back to the top

Issue 3

The FCS anti-malware service exits unexpectedly on a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.
Resolution
This update corrects a problem in the FCS anti-malware service on the on a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.

↑ Back to the top

More Information

Hotfix information

A supported hotfix is available from Microsoft.

Note This hotfix is available from Microsoft Update and from Windows Server Update Services. Additionally, the hotfix can be obtained by following these steps:
  1. Visit the following Microsoft Update Catalog Web site:
    http://catalog.update.microsoft.com/v7/site/Home.aspx
  2. Type 979536 in the Search box, and then click Search.
  3. Click Add to add the hotfix to the basket.
  4. Near the search bar at the top, click the view basket link.
  5. Click Download.
  6. Click Browse, specify the folder to which you want to download the hotfix, and then click OK.
  7. Click Continue, and then click I Accept to accept the Microsoft Software License Terms.
  8. When the update is downloaded to the location that you specified, click Close.

Prerequisites

There are no prerequisites for installing this hotfix.

Restart requirement

You may have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix replaces the anti-malware client that is deployed by using the Forefront Client Security deployment package (1.0.1725.0) on a computer.
976669 Forefront Client Security deployment package (1.0.1725.0): December 2009

This hotfix replaces the following hotfixes:
976668 Forefront Client Security anti-malware client update: December 2009

971026 A hotfix is available to resolve some problems with the Forefront Client Security anti-malware client

952265 Data corruption may occur on a computer that has Forefront Client Security installed

938054 A hotfix is available to resolve some problems with the Forefront Client Security client

956280 The Forefront Client Security kernel-mode mini-filter unloads when you browse a network file share that contains many malicious files

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Forefront Client Security, 32-bit versions
File nameFile versionFile sizeDateTime
Amhelp.chmNot applicable65,21628-Oct-200817:55
Mpasbase.vdm1.0.0.0572,72028-Oct-200817:58
Mpasdesc.dll1.5.1981.049,02419-Jan-201022:10
Mpasdlta.vdm1.0.0.09,00828-Oct-200817:58
Mpavbase.vdm1.0.0.0204,62428-Oct-200817:58
Mpavdlta.vdm1.0.0.09,04028-Oct-200817:58
Mpavrtm.dll1.5.1981.0128,38419-Jan-201021:51
Mpclient.dll1.5.1981.0366,97619-Jan-201021:51
Mpcmdrun.exe1.5.1981.0349,04819-Jan-201021:49
Mpengine.dll1.1.3520.03,308,62428-Oct-200817:57
Mpevmsg.dll1.5.1981.023,42419-Jan-201022:10
Mpfilter.sys1.5.1969.069,61615-May-0917:35
Mpoav.dll1.5.1981.092,03219-Jan-201021:51
Mprtmon.dll1.5.1981.0731,00819-Jan-201021:51
Mpsigdwn.dll1.5.1981.0129,92019-Jan-201021:51
Mpsoftex.dll1.5.1981.0518,01619-Jan-201021:51
Mpsvc.dll1.5.1981.0316,28819-Jan-201021:51
Mputil.dll1.5.1981.0177,02419-Jan-201021:51
Msascui.exe1.5.1981.01,033,60019-Jan-201021:51
Msmpcom.dll1.5.1981.0221,05619-Jan-201021:51
Msmpeng.exe1.5.1981.016,88019-Jan-201021:49
Msmplics.dll1.5.1981.09,08819-Jan-201021:51
Msmpres.dll1.5.1981.0766,33619-Jan-201022:10
Forefront Client Security, 64-bit versions
File nameFile versionFile sizeDateTime
Amhelp.chmNot Applicable65,21628-Oct-200817:55
Mpasbase.vdm1.0.0.0572,72028-Oct-200817:58
Mpasdesc.dll1.5.1981.049,53619-Jan-201023:59
Mpasdesc.dll (WOW64)1.5.1981.049,02419-Jan-201022:10
Mpasdlta.vdm1.0.0.09,00828-Oct-200817:58
Mpavbase.vdm1.0.0.0204,62428-Oct-200817:58
Mpavdlta.vdm1.0.0.09,04028-Oct-200817:58
Mpavrtm.dll1.5.1981.0155,00819-Jan-201023:41
Mpclient.dll1.5.1981.0546,68819-Jan-201023:41
Mpclient.dll (WOW64)1.5.1981.0366,97619-Jan-201021:51
Mpcmdrun.exe1.5.1981.0504,09619-Jan-201023:38
Mpengine.dll1.1.3520.04,431,95228-Oct-200817:57
Mpevmsg.dll1.5.1981.023,42419-Jan-201023:59
Mpfilter.sys1.5.1969.088,94415-May-200917:35
Mpoav.dll1.5.1981.0117,63219-Jan-201023:41
Mpoav.dll (WOW64)1.5.1981.092,03219-Jan-201021:51
Mprtmon.dll1.5.1981.01,181,05619-Jan-201023:41
Mpsigdwn.dll1.5.1981.0179,58419-Jan-201023:41
Mpsoftex.dll1.5.1981.0791,42419-Jan-201023:41
Mpsvc.dll1.5.1981.0434,56019-Jan-201023:41
Mputil.dll1.5.1981.0247,16819-Jan-201023:41
Mputil.dll (WOW64)1.5.1981.0177,02419-Jan-201021:51
Msascui.exe1.5.1981.01,636,73619-Jan-201023:41
Msmpcom.dll1.5.1981.0305,53619-Jan-201023:41
Msmpeng.exe1.5.1981.016,36819-Jan-201023:38
Msmplics.dll1.5.1981.09,08819-Jan-201023:41
Msmplics.dll (WOW64)1.5.1981.09,08819-Jan-201023:41
Msmpres.dll1.5.1981.0764,28819-Jan-201023:59

↑ Back to the top

Known issues

If you perform the workaround that is described under the "Issue 2" heading by installing hotfix 976668 as an interactive user on a computer that is running Windows 2000, you must also run this update as an interactive user. This requirement is necessary because this update uninstalls the update that is described in KB article 976668 before this update is installed. If you install this update by using the LocalSystem account, the same issues that are described in KB article 976668 occur during that uninstall stage of the update.

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

Keywords: kbexpertiseinter, kbsurveynew, kbqfe, fep2010swept, kb

↑ Back to the top

Article Info
Article ID : 979536
Revision : 4
Created on : 3/30/2017
Published on : 3/30/2017
Exists online : False
Views : 144