Forefront Client Security Alerting and Monitoring Forum

FCS Management Console Issue: Snap-in error

Wed, 02 Dec 2009 11:56:45 Z

Every time I attempt to run the FCS Management Console it closes down, with a pop-up error message: "MMC has detected an error in a snap-in and will unload it". If I unload and continue running the MCC I get another message: "FX:{f337d96e-45c1-4106-88b1-e417a7703d6b} Exception has been thrown by the target of an invocation."

Exception Type: System.Reflection.TargetInvocationException
Exception stack trace:
at Microsoft.ManagementConsole.Internal.SnapInMessagePumpProxy.OnThreadException(Object sender, ThreadExceptionEventArgs e)
at System.Windows.Forms.Application.ThreadContext.OnThreadException(Exception t)
at System.Windows.Forms.Control.InvokeMarshaledCallbacks()
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

Please can someone advise me on how to get my Management Console to work again, I tried to run the FCSMS.msi install file again, but it doesn't run.

My name is Jeff Tatum, and I should be already a member of your Forums. The Microsoft Help Menue had the right answers about the servers and any other additions to sending an email to bdefer1@mac.com. . I believe, since I am an Administrator, I should bf

Fri, 20 Nov 2009 11:48:10 Z

I do not believe that The Webmaster has the right to keep me off the 1973 Bell High School Page, and since I am customizing everything within my control, I, Jeff Tatum, amg4322 will change any and all settings that an Administrator ha s at his disposal.

Jeff Tatum.

i found a problem as below when i log in my window live messenger,can anybody help me?

Fri, 13 Nov 2009 05:02:03 Z

Problem Event Name: APPCRASH
Application Name: msnmsgr.exe
Application Version: 14.0.8089.726
Application Timestamp: 4a6ce533
Fault Module Name: kernel32.dll
Fault Module Version: 6.0.6001.18215
Fault Module Timestamp: 49953395
Exception Code: c0000005
Exception Offset: 0004502e
OS Version: 6.0.6001.2.1.0.768.2
Locale ID: 17417

Additional information about the problem:
LCID: 2052

Read our privacy statement:
http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409

Forefront Alerting - Do not want alerts on successful cleans. How do I configure that in MOM

Thu, 05 Nov 2009 20:28:05 Z

I am getting to much alert noise from FCS. All my workstation 8000 are set at alert level 3. I do not want to recieve an alert if FF successfully responded to an event. How do I configure this? I recieve emails that tell me Forefront successfuly removed stuff.

Sending Alerts to different users depending on a server

Thu, 29 Oct 2009 15:30:29 Z

Hi all,

I don't know if this is the right forum for my question (it could be a MOM question).

I have one central Forefront Server. But we have several Servers in severals sites which are all reporting to the central forefront server.
If a alert is taken I want to send this mail only to the site administrator.
All servers are running in one child domain, but they are reside in different organizational units.

I don't see any configuration settings to do it.
Does anybody know a solution for me?

many thanks,
Thomas

S070004

Configuring E-Mail alert

Fri, 24 Apr 2009 02:31:28 Z

Hi people!
First of all, i'm not another guy asking for the same thing... this time is quite different. I don't have an email server in the enterprise so i have to rely on my external ISP e-mail server. ¿Is there a way to configure e-mail alerting in FCS with Authentication-Required SMTP servers? I couldn't find the option :(

Thanks!!!!
Mat.

Forefront Client Security SNMP Traps

Mon, 26 Oct 2009 13:30:28 Z

How do you configure the FCS management infrastructure to send traps?

Mom 2005 (Forefront) Client Settings

Thu, 08 Oct 2009 21:48:39 Z

Hello,

I had a question regarding the configuration of the Global setting for the Agents.

This is the settings under mom 2005 admin console, global settings, and agents.

I was wandering if anyone knew of a Microsoft document highlighting recommended settings or best practices for these settings.
Also, would anyone mind sharing some information about their settings and if they tweaked any settings and if there was a reason behind the tweak.

I am wanting to learn more about the impact, or helpfulness of these settings as well as the defaults that came out of the box. But, i have not found much information.

Many Thanks

FCS on a domain controller with SCOM agent

Fri, 25 Sep 2009 17:54:05 Z

We have FCS deployed with agents on all domain controllers.

We are now deploying SCOM 2007 R2 and would like to monitor the domain controllers. As I understand it, multi homing between SCOM and MOM on a domain controller is not supported due to the incompatible versions of the helper objects.

Is it possible to support FCS agents with alerting and monitoring on the DCs as well as SCOM agents?

Thanks,

Guy

mom 2005 generates thousands of blank e-mail alerts

Wed, 09 Sep 2009 13:14:10 Z

we've got mom 2005 as installed by forefront, with alerts being sent for antivirus activities... has anybody observed mom 2005 go bonkers and spew thousands of blank alerts each day?

Forefront reports sent out to email address

Mon, 14 Sep 2009 12:32:32 Z

Hi,
I have been asked to setup scheduled Forefront reports to be emailed out to one of our admin staff. I am the SCOM admin not the Forefront server admin. Can these emailed reports not be sent out directly from the Forefront server? If so, how is this setup, similar to SCOM? (channel, subscription, etc..)
Thanks for any help,
L

Accurate, point in time report.

Thu, 03 Sep 2009 19:11:12 Z

The reporting in Forefront shows a 24 hour window. I want to know status of my clients right now. I need to know, right now, what computers have viruses and what viruses they have.

How can I do this?

Mike Crowley A+, Network+, Security+, MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
Do you still have Exchange 2000? Looking to upgrade to Exchange 2010? Read how.

ForeFront removal reports

Wed, 01 Apr 2009 15:39:27 Z

We've been getting lots of emailed reports from ForeFront lately to do with conficker, the report says

Description: Client Security failed to eliminate the following threat:

- Threat name: Worm:Win32/Conficker.B!inf

- Attempted action: Remove

However when we visit the PC in its history it has successfully removed. One one occasion we found successfully removed but using the DART disc the virus was still there.

We're a bit sensitive about conficker here and any help on why the reports differ from the information on the client machine would be appreciated.

VISTA APPCRASH WHILE ON WINDOWS LIVE MESSENGER

Thu, 13 Sep 2007 23:53:42 Z

HELP!

Every time I am on my Windos Vista pc and log on to Window Live Messenger the program crashes. I need help because I do not know how to fix this problem.

The following shows the error message that I receive as soon as it crashes:

Problem signature:

Problem Event Name: APPCRASH

Application Name: msnmsgr.exe

Application Version: 8.1.178.0

Application Timestamp: 45b12d6a

Fault Module Name: dfsr.dll

Fault Module Version: 8.1.178.0

Fault Module Timestamp: 45b12b28

Exception Code: c0000005

Exception Offset: 00002ef4

OS Version: 6.0.6000.2.0.0.768.3

Locale ID: 1033

Additional information about the problem:

LCID: 1033

Read our privacy statement:

http://go.microsoft.com/fwlink/?linkid=50163&clcid=0x0409

Email Alerts - Windows 2008 Standard Server

Thu, 16 Jul 2009 23:06:17 Z

I've got FCS running on a Windows 2008 box. Clients can report in, things seem to be working. However I can't get email alerts to work when a virus is detected on a client machine. I've followed the steps here http://blogs.microsoft.co.il/blogs/yanivf/archive/2008/02/06/configure-e-mail-notifications-for-forefront-client-security-step-by-step-guide.aspx

To test whether or not it was my internal relay I followed the steps in http://support.microsoft.com/kb/920736 and was able to get the email from the generated alert as a test. Has anyone had issues, or been able to get email notifications to work from a FCS client that has a detected a virus? Should there not be alerts setup in MOM for this? I dont see it in the step by step article above

Any way to determine which clients have been uninstalled?

Mon, 13 Jul 2009 16:19:15 Z

We noticed in the FCS Management console that the number of managed computers fluctuates (usually because of newly installed FCS Clients.) However recently we noticed this number decrease , causing to be concerned that certain end-users (with administrative privileges on their PC) have possibly uninstalled the FCS Client.

Is there a way to see the recent "uninstall activity", either with a report or via a SQL query? (I looked through the MOM logs, but couldn't decipher anything useful.)

Thanks,
Dan Chiasson

Forefront Domain controller

Tue, 07 Jul 2009 03:17:55 Z

Hi All.

We have a client that installed forefront in his domain. All the updates are deployed to all the agents. The problem we have is that the Domain controllers aren't being updated. I assume that we need to create a GPO policy that will point to the WSUS server.

Is this to correct approach or are there other troubleshooting avenues I could use to indentify the problem?

Thanks, all tips will help.

Client security management console spyware & virus logs

Tue, 14 Jul 2009 13:56:44 Z

Hi

I want to make sure that Forefront is working correctly and catching viruses/anti spyware. On the management console it displays alerts and malware detected as zero. Is this correct? I would have assumed we'd have had some viruses/spyware detected.

thanks!

email administrator for infected systems?

Mon, 04 Feb 2008 22:35:53 Z

In our current environment we are running TrendMicro OfficeScan version 6. When a workstation encounters a virus, OfficeScan immediately notifies via e-mail the A/V administrator indicating username and machine name and other pertinent information concerning the virus. We are looking for the same functionality in FFCS.

We introduced a test virus (eicar.com) to a Vista workstation with FFCS installed. FFCS detected the test virus and allowed the user to take appropriate action. This was also indicated in the Forefront reporting feature. However, we also need to receive immediate notification via email when such an event occurs anywhere among our 600+ workstations.

Most application that we administer have direct, built-in SMTP notification features that allow set up and testing of the notification process without having to have prior knowledge of what Event ID to filter.

Does FFCS have this capability, and if so, what are the steps to set it up. Other than what you send me yesterday concerning the setup steps in MOM?

window registery

Sat, 04 Jul 2009 16:27:05 Z

Hi;
How to detect changes in window Regisitry using c#

Illegal file download

Mon, 29 Jun 2009 15:06:12 Z

I have been ordered to find the person(computer) from my network who downloaded an illegal file from the internet. How do i do this please?

Thanks

Enabling managed clients to "Always Allow" instead of just "Permit"

Mon, 01 Jun 2009 13:57:55 Z

The FCS client alerts when turned on to prompt users for unclassified software imply that the user can select "Always Allow", however that is not listed as an option in the alert action field when an alert is generated. For example, our environment is a Windows domain with WSUS/MOM, but being a university our end users are all administrators. This means we must try to protect them as much as possible, but allow them to make customized exceptions. If a department is using an application that loads in the startup, instead of excluding it globally, can the individual not just be offered the option to always allow, or is this just a feature of the unmanaged FCS? If so, and we can only add this as a policy exclusion, when do you add a path as an exclusion vs. adding as an "Override"?

Thanks!

computer security

Tue, 02 Jun 2009 15:03:46 Z

Can anyone explain why Internet Explorer is factory preset with Internet Options Security Restricted Sites allowing font download.

Using existing SCOM

Sun, 17 May 2009 14:31:35 Z

HI

I have a customer who have an existing SCOM, and they want to know if they can get alerts from FCS MOM over to SCOM, so they only need to look one place?
The customer have a one-server topology where everything is configured on 1 server. From what I have read it is not possible to replace FCS's MOM with SCOM, but is the other thing possible?

Regards
Thomas

Forefront Client no longer updating from WSUS, showing alert

Mon, 04 May 2009 14:12:16 Z

I have migrated approx. half of my enterprise to Forefront. Deployed through GPO and WSUS. Updates are managed through WSUS as well.

For about 2 weeks now, some of my clients show an alert ( ! ) status and out of date definition files. The clients' Forefront definitions never get updated, all though other WSUS updates are coming down. WSUS shows that many clients have not downloaded the new definitions, but the Forefront Client Security console is only alerting to a couple machines with out of date definition files and not most of the ones showing an alert.

If I go to update.microsoft.com one one of these machines I see there is an available definition update and I can apply it then my status is then updated reflecting green check mark. However, by default my clients cannot download updates from microsoft.com, they have to go through wsus.

Also, where do I look for logs on Forefront updates? I have checked windowsupdate.log and it does not show issues re forefront definition udpates.

Any suggestions/throughts on where to go next?

Building client into 'image' for desktops

Wed, 01 Apr 2009 15:41:56 Z

Our technicians are re-building their images for lab computers and want to know if they can put forefront in the image, which will then be deployed using SCCM (new SMS).

My gut reaction was no, is this right?

I thought FF writes to the registry with it's computer name, also it'd want added to the mom server with forefront. The technicians are a bit wary about putting an image out which contains no AV and just waits on SCCM (new SMS) to eventually deploy the software to the newly imaged machine.

Thanks,
Pete

No Longer receiving Alerts

Wed, 15 Apr 2009 14:48:58 Z

About a month ago we realized that our Transaction Logs were full. We cleared them out. Ever since then we have not been receiving alerts such as when some gets a virus.

We received them before this happened. Can someone help me with this?

Justin Cochran

Alerts and reporting for machines in a workgroup

Tue, 07 Apr 2009 12:44:01 Z

I have several machines I want to protect with FCS that are not part of my domain. I know how to get the client installed, but I'm not clear on how alerting and reporting will work for these machines. I don't see anywhere to set up any alerting. Can someone please help?
Thanks

Repeatedly asked to "review changes".

Wed, 01 Apr 2009 15:46:56 Z

We have a group policy to set the home page of a machine depending on how logs onto it, staff to an intranet. Students to another site.

However we are getting continually prompted by the wee blue box with a white question mark asking to approve the change to IE.

I'm guessing this isnt normal!

We recently opened forefront up to staff/students to help with removing conficker, if it was locked down they weren't being prompted to remove it and that wasn't working very well. So we've ticked "prompt user when unclassified software is detected". Since giving them rights they've been prompted to approve this change several times per day.

Thanks for any help

Pete

Summary:

Internet Explorer Configurations change occurred.

This agent monitors end user and security related configuration changes made to Internet Explorer, including the default home page.

Detected changes:

New: http://ABCweb

Original: Not available

iemain (New):

HKCU@S-1-5-21-2428622596-161815611-3700723485-4076\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page

Advice:

Permit this configuration change only if you trust its origin. It is recommended that you run a quick scan if you choose to deny this change.

Detected by:

Definition file

Checkpoint:

Internet Explorer Home Page

Category:

Configuration Change

Automatic Scanning

Mon, 19 Jan 2009 14:32:55 Z

I have the client installed and setup the automatic scanning at 2 AM and it did it the first day and now it is stopped scanning at 2AM. Is there something wrong or do I need to do something else? I do leave the computer on so it can scan.

Repeating Alerts...

Mon, 16 Mar 2009 17:39:40 Z

Windows XP Professional SP3
ForeFront Client Security
Client: 1.5.1958.0
Engine: 1.1.4405.0
AntiVirus: 1.53.612.0
AntiSpyware: 1.53.612.0

Out of over 500 clients, this one machine throws the same 45 alerts approximately every 30 minutes. Even though I've chosen "permit" every time it alerts, the same alerts continue.

"Review items that haven't been classified yet: 45 total"

Any ideas on how to eliminate the unnecessary alerts?

Thanx.

Hey Guys really hoping some one can help me with this problem

Thu, 05 Mar 2009 22:06:14 Z

The Data Access Server (DAS) on computer localhost returned an error.

System error code: -2147024891
System error text: Access is denied.
DAS method called: ProcessRuleSelectWithPK_Fields_all
Called from file: d:\bt\4\private\product\config\tools\managementpacksupport\drivers\momdb\src\db2mpsupport.cpp
Called from line: 1234

I am getting this error on my forefront collection server every hour.

I have checked that the DAS account has db_owner on both OnePoint and the SystemReporting database.

FCS client can not add Allowed Items

Tue, 03 Mar 2009 16:22:27 Z

I have configured my Policy to allow Clients to "Allow users to add exclusions and overrrides" with the hope that it will allow exactly that.

What happens on the client side is the FCS detects a change, the user is then presented with two Action options: PERMIT, DENY. They chose PERMIT, and then the next time GP refreshes they get prompted again, and again, and again.

What is lacking from this list is 'ALWAYS ALLOW' - the help documentation shows this option and I hope that this is what checking that box on the FCS server meant. My guess is that it then would put these "ALWAYS ALLOW" items in the ALLOWED ITEMS "repository" under the TOOLS menu.

Currently there is no other way for me to allow items except for by doing it at the POLICY level. This is actually a step backward in functionality and my users are letting me know it!

My policy is getting messy with all of the users exceptions.... and some aren't even working correctly. Not to mention I'm allowing things for users that don't even need them. I know what you'll say, add more POLICYS and then deploy them all seperatly. Why should I have to do this?.. if the software is setup to allow users to PERMIT their own.

How can i enable this setting in the FCS client - PERMIT ALWAYS (search FCS help for Allowed Items to see what I mean). I think that this is a bug?

Thanks in advance,
Ray

SCOM 2007 & FCS Management Pack

Fri, 14 Nov 2008 14:03:29 Z

Hello!

Is there a operations manager 2007 management pack for forefront client security? If not, are there plans to make one? Or has anyone been able to successfully convert the MOM 2005 MP to import into 2007? Thanks in advance!

Last scan alert

Mon, 06 Oct 2008 13:40:56 Z

Hi,
We have a policy in which we execute a daily quick scan and we would like to monitor if there are clients for which their last scan was older then 7 days. I can however not find back any report to obtain this information nor is it included in the alerts.

Is it possible to make a custom event rule and generate an alert in the category warning for such a situation?
Thanks!

Rgds,
Gert

Registry change involving C:\WINDOWS\web\AOpenClient.htm

Wed, 23 May 2007 15:06:27 Z

I keep getting a warning with the following information:

Summary:

Internet Explorer Add-ons change occurred.

This agent monitors additions to IE, such as new toolbars, browser helper objects, and ActiveX controls. These add-ons can automatically run when IE is started.

Path:

C:\WINDOWS\web\AOpenClient.htm

Detected changes:

regkey:

HKCU@S-1-5-21-1592928892-2373870068-2624222429-1135\Software\Microsoft\Internet Explorer\MenuExt\Open Client to monitor &2

iemenuext:

HKCU@S-1-5-21-1592928892-2373870068-2624222429-1135\Software\Microsoft\Internet Explorer\MenuExt\Open Client to monitor &2

file:

C:\WINDOWS\web\AOpenClient.htm

Advice:

Permit this detected item only if you trust the program or the software publisher.

Programs that may compromise your privacy or damage your computer were detected. You can still access the file without removing the threat, although this is not recommended. To do so, select "Always Allow" as the action and click the "Apply Actions" button. If this option is not available, log on as an administrator or ask an administrator for help.

Detected by:

Definition file

Publisher:

Not available

Digitally Signed By:

NOT SIGNED

Product name:

Not available

Description:

Not available

Size:

1173 bytes

Version:

Not available

Type:

file type unknown

Checkpoint:

Internet Explorer Menu Extension

Category:

Not Yet Classified

I select permit and a few minutes later it comes back. Does anyone know what this is and how can I get the warning to stop if it is harmless?

Bill Walter

Forefront Clients are not reporting - Dashboard

Tue, 02 Sep 2008 05:46:53 Z

Hello Everyone i have a little query regarding Forefront Client Security Reporting & Monitoring, i hope i will get appropriate answers from you guys...

i have set up Forefront Client Security (Stand-Alone Server with all components), it is working well & configured properly, everything was good, clients were reporting but from last week suddenly they stoped reporting & there is only one client in "Reporting No Issue" & all others are in "NOT REOPORTING" even i have detected viruses in my computer but that is not shown in "Reporting Critical Issues", only one computer is reporting i guess that is forefront itself.

how can i troubleshoot this issue & what is the cause behind this problem.?

BRegards

M.Yasir Memon

ISA gives RST Segment error when RDP

Tue, 26 Aug 2008 15:59:19 Z

I am not able to RDP into my ISA server. I can RDP into all of my other servers and computers on the network. When checking the logs, I get the message

"A connection was abortively closed after one of the peers sent an RST segment"

Can anyone tell me how to go about fixing this so I can RDP into my ISA server (2004).

Thank you.

Total viruses cleaned

Fri, 18 Jul 2008 19:50:38 Z

Hello!

How would I find the total number of viruses cleaned by virus type within a 24 hour period? Is there a log file, database or something that will give me this information?

Thanks in advance.

False Virus Alarm

Thu, 21 Aug 2008 14:22:22 Z

Hello,

This is Cristina from Customer Service Department of Interactive Networks. Our company develops instant messaging software and we have recently received a report from one of our customers about a false virus detected by Forefront Client Security software in one of our files.
The name of the file is "bircd.exe" and it is part of the IRC component integrated in one of our chat modules.
I have been trying to reach Forefront Client Security support people but it was not possible, I have just received automatic replies.
Our customers need a quick solution since they are no longer able to use our product because of this false alarm.
Who should I contact to help me out with this?

Thank you.

Cristina
Interactive Networks Inc.
crodriguez@interactiveni.com