Forefront Client Security is not registering itself in WMI root\SecurityCenter AntivirusProducts

  • Question

  • Hello,

    We use a self-developed software to run some checks on the clients (e.g. ServicePack, Antivirus etc) before they are allowed to connect via VPN.
    This works quite well normally, but we've got a few clients which we are not able to check properly; it says that no Antivirus Product is installed, although Forefront Client Security is installed and working.  The reason for this seems to be a missing instance of the AntivirusProduct Class in the WMI Namespace root\SecurityCenter (our software runs its tests using those entries). A re-installation of Forefront Client Security didn't help.

    The strange thing is that, besides the fact that all our clients run Vista SP1 and the same Forefront version, the problem just occurs on a few machines - most of the clients have got the needed entries in root\SecurityCenter.

    So it seems quite obvious that the Forefront Client does not create those entries in certain circumstances. I already searched the web for this, but I couldn't find anything helpful. 
    How can I force FCS to create those entries, or what are the reasons for not creating them? As we're trying to narrow down those circumstances, any help or information about this would be greatly appreciated.
    Friday, April 24, 2009 12:05 PM


  • Hello Michael, thanks for posting.


    First, a bit of background:

    With Vista SP1, Microsoft introduced a new API for interacting with the security center.  Beginning with the antimalware client update http://support.microsoft.com/?id=938054 and continuing with the later version http://support.microsoft.com/?id=956280, the antimalware client will look to see if the local machine is Vista SP1 (or greater).  If so, it will use the new API set; if not, it will use the older/traditional one.  As you have found, the traditional method is visible in a WMI query of root\SecurityCenter.  You will likely be able to see the new entries on Vista SP1 or greater in root\SecurityCenter2.


    Regarding your specific issue, although I am not aware of other FCS customers hitting this issue, we have seen a few sporadic instances of this in our internal ‘dogfood’ deployment.  Unfortunately, I do not believe we had a consistent repro to the point of being able to definitively root-cause the problem.  What we saw was that in most cases Windows Defender had become re-enabled and was also trying to register with the security center at the same time.  Since this is not a supported or desirable configuration, we re-disabled Defender.  After that we were not able to get the problem to repro at all.


    To check to see if Defender has been re-enabled:

    1. Start > All Programs > Windows Defender
    2. If you get a dialog that states "Windows Defender is turned off", then you are good to go.
    3. If you get the Defender UI then do the following:
      1. Tools > Options
      2. Scroll down and uncheck “Use Windows Defender”
      3. Click Save
      4. Click Close


    If Defender is enabled you may ask, “how did Defender get turned back on?”  That I don’t have an answer for.  Although I can help you tell “when did Defender get turned back on”.  If you would like to learn when, do the following:

    1. Start > Run : eventvwr
    2. Expand Windows Logs
    3. Right click System, choose Filter current log
    4. Under Event sources choose “Windows Defender”
    5. In the textbox that says <All Event IDs>, type  “5009,5010”   (these are the enabled and disabled event ids)

    Based upon this time you may be able to determine what was going on with your machine at that time.  If Defender is being re-enabled roughly 90 minutes after you disable it, check your group policies for a Defender policy enabling it.


    If Defender is not re-enabled and you are seeing this problem please contact Microsoft support so we can try to diagnose the issue.



    Craig Wiand

    Microsoft Forefront Escalation Engineer



    Forefront Client Security Support
    Friday, May 1, 2009 5:54 PM
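
The two checks discussed in this thread, as an added PowerShell example that is not part of the original posts and is not Microsoft's or the poster's own code: it looks for AntiVirusProduct instances in both root\SecurityCenter2 and root\SecurityCenter, and lists the Windows Defender 5009/5010 events from the System log. The function names and the output shape are assumptions made for illustration, and PowerShell 2.0 or later is assumed.

```powershell
# Added example. Function names and output columns are hypothetical, chosen for illustration.

function Get-RegisteredAntivirus {
    param([string]$ComputerName = '.')

    # Per the answer above: Vista SP1 or later registers in root\SecurityCenter2,
    # older clients register in root\SecurityCenter. Query both and report each result.
    foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
        try {
            $items = @(Get-WmiObject -Namespace $ns -Class AntiVirusProduct `
                           -ComputerName $ComputerName -ErrorAction Stop)
        } catch {
            # Namespace or class not present on this OS: record it, do not abort the check.
            New-Object PSObject -Property @{
                Namespace = $ns; Product = $null; Note = $_.Exception.Message }
            continue
        }

        if ($items.Count -eq 0) {
            # This is the symptom from the question: class exists, but no instance.
            New-Object PSObject -Property @{
                Namespace = $ns; Product = $null; Note = 'no AntiVirusProduct instance' }
        }
        foreach ($item in $items) {
            New-Object PSObject -Property @{
                Namespace = $ns; Product = $item.displayName; Note = '' }
        }
    }
}

function Get-DefenderToggleEvents {
    # Event IDs 5009 and 5010 from the "Windows Defender" source in the System log,
    # the same filter the Event Viewer steps above set up by hand.
    Get-EventLog -LogName System -Source 'Windows Defender' -ErrorAction SilentlyContinue |
        Where-Object { 5009, 5010 -contains $_.EventID } |
        Sort-Object TimeGenerated |
        Select-Object TimeGenerated, EventID, Message
}

Get-RegisteredAntivirus  | Format-Table Namespace, Product, Note -AutoSize
Get-DefenderToggleEvents | Format-Table -AutoSize -Wrap
```

A pre-VPN posture check built on this would accept a product found in either namespace, and the event timestamps show whether Defender was re-enabled shortly before the registration went missing.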