FCS v1 March 2011 update

Update 10 March 2011

We have received reports of an installation issue with our March update of Forefront Client Security when the option of “install updates and shutdown” is used. We wanted to be clear on the issue and exactly what steps we are taking to rectify it.

Symptom:

A computer attempts to use the install updates and shutdown Windows feature to update to the latest version of FCSv1. After restart, the computer does not have the Antimalware agent installed, but will still have the Security State Assessment(SSA) and Microsoft Operation Manager components installed.

The problem:

This issue only occurs on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. It does not occur on Windows XP, Windows Server 2003 or Windows 2000. This issue was not introduced in the March Update. It is caused by a previously undetected problem in the October 2010 update. Please review the steps below for what options you should take.

For the bug to occur, the system must have either th policy setting changing the default shutdown behavior or the user clicks on “Apply updates at Shutdown”. If the update is deployed or manually installed in other ways, this bug does not occur.

Key facts:

  1. If you have already successfully installed the March update, you do NOT need to roll it back.
  2. This bug doesn’t apply to either Microsoft Security Essentials or Forefront Endpoint Protection in anyway.
  3. It can only occur if the option for “Install Updates and Shutdown” is selected by the user or is set by policy.
  4. On unaffected computers, it in no way impacts the ability to get definition updates to stay secure.

What can I do to address this issue myself?

There are a number of workarounds that can be used currently.

Avoiding the issue

  • WSUS administrators can decline or not approve for installation
  • Avoid installing KB2508823 with “Install updates and shutdown”. This may be accomplished by
    • a recommendation by administrators to user
    • enforcement by Automatic Updates group policy: Computer Configuration/Administrative Templates/Windows Components/Windows Update- Do not display ‘Install Updates and shut down’ option in Shut Down Windows dialog box.
    • installing the update KB2508823 through WSUS deadlines. That triggers to install immediately.

Issue correction

If you have computers which experience this issue and are now unprotected, there are a number of options

  • Download and install KB2508823 manually. There are steps to do this in the KB: https://support.microsoft.com/kb/2508823 in the Hotfix information section
  • Approve in WSUS “Client Update for Microsoft Forefront Client Security (1.0.1728.0)” and decline both the March update(KB2508823) and the Client Update for Microsoft Forefront Client Security (1.0.1736.0) (2508824). This will redeploy the prior update
  • Approve the “Client Update for Microsoft Forefront Client Security (1.0.1736.0)” slipstream update.
    NOTE: We have seen that in some cases this will fail with 0x666 ERROR_PRODUCT_VERSION
    If you are seeing ERROR_PRODUCT_VERSION failures installing the slipstream you can uninstall SSA and that should allow it to work. To do this, choose to uninstall "Microsoft Forefront Client Security State Assessment Service" in Control Panel>Programs>Uninstall a program or by executing the command line: msiexec.exe /x {2AB5A838-9DAC-45F5-8EC2-019DDDC4B4F6} /quiet

What is Microsoft doing to address this?

We are doing the following:

  1. We have already throttled downloads of KB2508823 on Microsoft update so that users connecting directly Microsoft Update, will not have the package proactively delivered.
  2. We are changing the logic on Microsoft update to only allow the update to apply to Windows 2000, Windows XP, and Windows Server 2003 today. That will prevent further incidents from occurring. We are testing this change now, and will update the blog on when you can expect to see this change.
  3. We are authoring a patch update that will address this issue on Microsoft update. This patch will supersede the current patches for all platforms. We will provide more information soon on when you can expect to see that package.

We take the support of our customers very seriously. If you need additional assistance please contact your support professional or visit https://support.microsoft.com/ph/12632 .

Sincerely, the Microsoft Forefront Client Security Engineering team.


Update 9 March 2011

 

 

Hello all,

 

 

Today (8 March 2011), we released an update to FCSv1. Changes include:

  • This update enables computers running Forefront Client Security to update definitions at the scheduled time while running on battery power.
  • This update contains changes to allow computers running Forefront Client Security service to open files encrypted by Prim'X ZoneCentral that are located in a network shared folder.
  • This update corrects issues in the mpfilter.sys kernel component used by Client Security that causes real-time protection errors on computers running Windows 2000.

For already installed FCS client installations, install the update for Microsoft Knowledge Base article 2508823 (https://support.microsoft.com/kb/2508823).
For new FCS Client installations, deploy the client components listed in Microsoft Knowledge Base article 2508824 (https://support.microsoft.com/kb/2508824).

For more information about the update, Microsoft Knowledge Base article 2508823 (https://support.microsoft.com/kb/2508823) has the detail.

 

Thanks!


 

We have recieved reports that in some cases the FCS update fails to install correctly. We are reviewing these reports now, and will update this blog when we have details we can share. If you are a WSUS administrator you may want to hold off approving this update for the moment.