Can't create new VMs with MS Forefront Antivirus enabled
I'm running Hyper-V RC0 on Server 2008 X64 and an HP DL380G5 using drivers from the Proliant Support Pack 8.0. If Forefront is enabled, trying to create a virtual machine gets stuck at the configuring network adaptor screen:
"The server encountered an error while configuring memory on test3. Wizard failed in rolling back the created virtual machine. Please delete it manually afterwards.
Failed to add device 'Microsoft Synthetic Ethernet Port'.
'test3' failed to add device 'Microsoft Synthetic Ethernet Port'.
<GUID removed>
The Virtual Machines configuration <GUID removed> at 'E:\VServers\test3\test3' is no longer accessible: The requested operation cannot be performed on a file with a user-mapped section open. (0x800704C8)
When Forefront is enabled, no go. When I stop the Forefront services, everything is fine. It seems that this issue may be related to a fairly recent Forefront engine update, as I think this worked previously with Forefront enabled, though I'm not sure.
Has anyone else had this issue?
Odpovědi
Hello TJ,
Unfortunately, we have seen this issue before internally. The problem is related a low-level synchronization issue in Windows whereby Forefront Client Security has a memory mapped section opened while Hyper-V is trying to call SetEndOfFile on the temporary configuration xml file. The best way to correct the issue is actively being discussed between the Forefront, Windows, and Hyper-V teams.
In the meantime, it will likely not correct the issue entirely, but you may get a measure of relief by doing the following:
- Create the following key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpFilter\Parameters”
- Add a DWORD value “ScanOnCleanup” and set it to 0
- Restart FCSAM service
This registry key should also help the DFSR issue. I will send you an email status update on that offline. Also, I was unable to locate a support case you opened on this hyper-v issue, but if you have one please reply to that email with the case number and I’ll make sure it gets linked in properly.
Brian – since the issue has its roots in Windows and not necessarily FCS, it is possible that Trend performing similar memory mapping behavior. Do you have a pointer to this thread?
PS. Microsoft does indeed have a dogfood implementation of Forefront Client Security J
Best regards,
Craig
- Craig Wiand, I tried your fix and it didn't seem to work.
http://forums.technet.microsoft.com/en-US/winserverhyperv/thread/d872c7a9-8755-4919-ba60-4bd42ebe0cc8
My problem was being caused because of the config file being saved to incorrectly. When HyperV saved the file, it didn't clear it first, so after the config file shrunk it left garbage XML at the end. It wouldn't parse right, and so HyperV crapped the bed.
Alexi Nostavich- Navržen jako odpověďAlexiNostavich 23. června 2008 8:30
- Označen jako odpověďDavid Shen - MSFTMSFT, Moderátor24. června 2008 2:42
- Just to close the loop on this. A workaround is no longer necessary, the issue should be corrected by applying the update described at
http://support.microsoft.com/kb/952265 or latest cumulative Forefront Client Security antimalware update.
Thanks,
Craig
Forefront Client Security Support- Označen jako odpověďDavid Shen - MSFTMSFT, Moderátor29. srpna 2008 5:54
Všechny reakce
Interestingly enough, there is another thread about a similar Trend Micro issue.
Have you mentioned this behavior to the Forefront folks?
I'm going to open a Pro Support case. I thought I would post here in case I missed something that everyone else knew about.
I'm not having good luck with MS Forefront and x64 Server 2008. I have had another open issue for more than a month where DFS-R doesn't work. Apparently MS doesn't "doogfood" Forefront.
Hello TJ,
Unfortunately, we have seen this issue before internally. The problem is related a low-level synchronization issue in Windows whereby Forefront Client Security has a memory mapped section opened while Hyper-V is trying to call SetEndOfFile on the temporary configuration xml file. The best way to correct the issue is actively being discussed between the Forefront, Windows, and Hyper-V teams.
In the meantime, it will likely not correct the issue entirely, but you may get a measure of relief by doing the following:
- Create the following key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpFilter\Parameters”
- Add a DWORD value “ScanOnCleanup” and set it to 0
- Restart FCSAM service
This registry key should also help the DFSR issue. I will send you an email status update on that offline. Also, I was unable to locate a support case you opened on this hyper-v issue, but if you have one please reply to that email with the case number and I’ll make sure it gets linked in properly.
Brian – since the issue has its roots in Windows and not necessarily FCS, it is possible that Trend performing similar memory mapping behavior. Do you have a pointer to this thread?
PS. Microsoft does indeed have a dogfood implementation of Forefront Client Security J
Best regards,
Craig
Here is the OfficeScan thread:
http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=3128489&SiteID=17
I had not yet placed a MS support call for the Hyper-V issue as it was late in my day when I posted here. Thanks for your responses, I will try the registry key change you mentioned.
TJ
I tried the registry change and it did not solve my problem. One note - I had to create the Parameters key - that wasn't there already. Should it have been there?- Craig Wiand, I tried your fix and it didn't seem to work.
http://forums.technet.microsoft.com/en-US/winserverhyperv/thread/d872c7a9-8755-4919-ba60-4bd42ebe0cc8
My problem was being caused because of the config file being saved to incorrectly. When HyperV saved the file, it didn't clear it first, so after the config file shrunk it left garbage XML at the end. It wouldn't parse right, and so HyperV crapped the bed.
Alexi Nostavich- Navržen jako odpověďAlexiNostavich 23. června 2008 8:30
- Označen jako odpověďDavid Shen - MSFTMSFT, Moderátor24. června 2008 2:42
- Just to close the loop on this. A workaround is no longer necessary, the issue should be corrected by applying the update described at
http://support.microsoft.com/kb/952265 or latest cumulative Forefront Client Security antimalware update.
Thanks,
Craig
Forefront Client Security Support- Označen jako odpověďDavid Shen - MSFTMSFT, Moderátor29. srpna 2008 5:54
