Security State Assessment Engine is not being updated

    Question

  • Hi,
    I have released Client Update for Microsoft Forefront Client Security (1.0.1725.0) recently in our Configuration Manager updates deployment (update package kb976669). The update appears in the list of updates to install and then installs successfully. The PC reboots and the version is still the old one of 1.0.1703.0, which also shows up on the forefront deployment summary report. I have checked the fcsas.exe version and it is definitely 1.0.1703.0, with no sign of any other files trying to install. It is as if the update pretends to install. This also happened with update kb976668, i.e. it said it was installed but did nothing.

    So on my Deployment summary report, Vulnerabilities Engine Deployment Status, I have a big red pie chart showing 1671 out of 1921 clients have an older security state engine.

    The majority of our clients are XP SP3, with some SP2 machines.

    Could someone let me know if there is a problem with the SSA engine update, and how I can fix my problem.

    Thanks

    January 13, 2010 13:28

Answers

All replies

  • Hi,
    Looks like the SSA engine is being updated if I look at my registry keys. I was looking at the files in the ssa folder namely FCSsas.exe, but these just appear to be client versions. It's a shame that the ssa engine info is not on the about screen with all the other version numbers.

    Anyway, the SSA scans are disabled in our environment and the reports are showing as Red (out of date) for everything. I guess I need to run the scan from the forefront server console which will run the ssa scan on every computer and then report back that they are at the correct version (thought that the version numbers would report back even without running an ssa scan though).

    Does anyone know if I will have any problems by running the scan from the server console? All clients will run a virus checking scan as well which they won't be expecting, but I guess by running this scan it won't have that much effect on the clients, server or network?

    Any info would be helpful.

    Thanks
    January 16, 2010 10:03
  • Hi,

    Thank you for the post.

    Please refer to this link to download the latest Security State Assessment definition: http://support.microsoft.com/kb/938202/en-us

    Regards,

    Nick Gu - MSFT
    January 25, 2010 4:34
  • Without knowing how your network is configured, you should run the scan off hours; either configure the clients to do it or manually set it up with task scheduler.

    This is what happens when you initiate an SSA scan:

    The Forefront checks the computer on the client, creates a report then sends it to the management server with the results.

    You can check to see the results by looking in the %programfiles%\microsoft forefront\client security\client\SSA\results
    February 7, 2010 12:13
  • Hi,

    Just following up on JazK's original question. We recently (in June) deployed Forefront Client Security and WSUS. The system has been working well deploying the definition updates to our servers. Client Update for Microsoft Forefront Client Security (1.0.1728.0) and Critical Update for Microsoft Forefront Client Security 2394433 were recently released. They were approved in WSUS and the console indicates they have been deployed successfully. I checked our servers and sure enough the updates from 2394433 have been installed (checked the versions of files on the servers). However, the updates from 1.0.1728.0 do not appear to have been installed (for example FCSSAS.EXE which is part of the Security State Assessment (SSA) Client). In fact, most of our servers are indicating version 1.0.1703.0 for FCSSAS.EXE on our servers. Both updates 1.0.1725.0 and 1.0.1728.0 included FCSSAS.EXE with the updated version numbers, respectively.

    So, question #1, why doesn't the update deploy the latest version of the FCSSAS.EXE (and other files)? My only thought is, the actual content of the file(s) have not changed from 1.0.1703.0 to 1.0.1728.0 (only the version number has changed), as a result the update process does not bother to replace the file(s) (e.g. FCSSAS.EXE). Can anyone confirm this is true? Or is there a problem with the SSA update process? Any other thoughts/ideas?

    If this is true, then the results in the Forefront Deployment Summary Report are somewhat misleading and annoying for the Vulnerabilities Engine Deployment Status chart and the Vulnerabilities Definition Deployment Status chart. It's showing most of our servers are running 1.0.1703.0, some are running 1.0.1725.0 and none are running 1.01728.0. The report should either combine the 3 versions together and display them as one color in the chart or modify the update process so that files are replaced with the new files regardless of whether the content of the file has not changed.

    Your input and thoughts are appreciated.

    Thanks.

    October 18, 2010 15:36