locked
Forefront Client Security engine crashing RRS feed

  • Question

  • Over the past few days, we've had a handful of Forefront client crashes. MOM alerts by sending Error Alert - Scanning Failed (Alert Level 3). Had both a server (Windows 2003 SP2)  and a handful of clients (XP SP2) crash. Has anyone else seen had recent behavior changes like this?

    Thursday, May 1, 2008 3:07 PM

All replies

  • Yup, we're getting a lot of reports of this happening when it tries to run the policy defined scan (2:00am)

     

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7031
    Date:  5/1/2008
    Time:  8:02:53 AM
    User:  N/A
    Computer: HNS277798
    Description:
    The Microsoft Forefront Client Security Antimalware Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 15000 milliseconds: Restart the service.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Event Type: Error
    Event Source: FCSAM
    Event Category: None
    Event ID: 5008
    Date:  5/1/2008
    Time:  2:02:38 AM
    User:  N/A
    Computer: HNS277798
    Description:
    Microsoft Forefront Client Security engine has been terminated due to an unexpected error.
      Failure Type: Crash
      Exception code: 0xc0000005
      Resource: file:C:\Documents and Settings\boogername\Cookies\boogername@serving-sys[1].txt

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

     

    Thursday, May 1, 2008 5:06 PM
  • If you can reproduce this easily please call in and open a case with CSS Security as we would definitely like to figure out if there is an issue here that needs to be fixed. Thanks.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response)
    Friday, May 30, 2008 7:48 PM
  • I am having the same problem too with about three of my servers.

     Microsoft Forefront Client Security engine has been terminated due to an unexpected error.
    Failure Type: Crash
    Exception code: 0xc0000005
    Resource: file:C:\Documents and Settings\Administrator.PGC\Local Settings\Temporary Internet Files\Content.IE5\WPM3U5KJ\survey[2].js 

    Description:
    Microsoft Forefront Client Security engine has been terminated due to an unexpected error.
    Failure Type: Crash
    Exception code: 0xc0000005
    Resource: file:C:\Documents and Settings\Administrator.PGC\Local Settings\Temporary Internet Files\Content.IE5\KPUR096V\survey[1].js Domain: PGC
    Computer: PGC03DC02
    Time: 6/7/2009 2:24:41 AM
    Type: Error
    Provider Name: Script-generated Data
    Event Number: 5008
    Provider Type: Generic Provider
    Source: FCSAM
    Category: 
    Raises Alert: True
    Consolidated: 
    From: 
    To: 
    Event Id: bb63911f-dcec-4e8c-836b-ea1bc4377ff9
     
    Description:
    Microsoft Forefront Client Security engine has been terminated due to an unexpected error.
    Failure Type: Crash
    Exception code: 0xc0000005
    Resource: file:C:\Documents and Settings\Administrator.PGC\Local Settings\Temporary Internet Files\Content.IE5\KPUR096V\survey[1].js Domain: PGC
    Computer: PGC03DC02
    Time: 6/7/2009 2:24:41 AM
    Type: Error
    Provider Name: Script-generated Data
    Event Number: 5008
    Provider Type: Generic Provider
    Source: FCSAM
    Category: 
    Raises Alert: True
    Consolidated: 
    From: 
    To: 
    Event Id: bb63911f-dcec-4e8c-836b-ea1bc4377ff9
     
    Description:
    Microsoft Forefront Client Security engine has been terminated due to an unexpected error.
    Failure Type: Crash
    Exception code: 0xc0000005
    Resource: file:C:\Documents and Settings\administrator.PGC\Local Settings\Temporary Internet Files\Content.IE5\01GD6JYH\survey[1].js Domain: PGC
    Computer: PGC03FPS01
    Time: 6/7/2009 2:24:47 AM
    Type: Error
    Provider Name: Script-generated Data
    Event Number: 5008
    Provider Type: Generic Provider
    Source: FCSAM
    Category: 
    Raises Alert: True
    Consolidated: 
    From: 
    To: 
    Event Id: eede7c4a-065d-4fde-84ae-b1a1437df836
     
    Sunday, June 7, 2009 6:43 AM
  • Erik if you could see if you can find those .js files in those profiles and email them to me.  kfalde is my email alias. Even if you can't find them send me an email this is 2nd case were seeing now with crashing on some .js files and trying to figure out what is going on. Thanks

    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Thursday, June 11, 2009 3:17 PM
  • Apparently this is probably due to a faulty signature that was in a definition release as we had another case like this.  Current signatures shouldn't have the problem let me know if you do experience it again though.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Monday, June 15, 2009 6:01 PM
  • Hi Kurt,

    I'm having the same problem as Erik was back in June - but with a different file.  THe most recent issue appears to be cropping up with MSDOS.SYS, as seen in these pulls from my Event Viewer:

    Event Type: Error
    Event Source: FCSAM
    Event Category: None
    Event ID: 5008
    Date:  8/30/2009
    Time:  4:08:07 PM
    User:  N/A
    Computer: CATSLAVE
    Description:
    Microsoft Forefront Client Security engine has been terminated due to an unexpected error.
      Failure Type: Crash
      Exception code: 0xc0000005
      Resource: file:C:\MSDOS.SYS

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Event Type: Error
    Event Source: FCSAM
    Event Category: None
    Event ID: 5008
    Date:  8/30/2009
    Time:  5:35:00 PM
    User:  N/A
    Computer: CATSLAVE
    Description:
    Microsoft Forefront Client Security engine has been terminated due to an unexpected error.
      Failure Type: Crash
      Exception code: 0xc0000005
      Resource: file:C:\MSDOS.SYS

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Event Type: Error
    Event Source: FCSAM
    Event Category: None
    Event ID: 5008
    Date:  8/31/2009
    Time:  9:44:02 PM
    User:  N/A
    Computer: CATSLAVE
    Description:
    Microsoft Forefront Client Security engine has been terminated due to an unexpected error.
      Failure Type: Crash
      Exception code: 0xc0000005
      Resource: file:C:\MSDOS.SYS

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Event Type: Error
    Event Source: FCSAM
    Event Category: None
    Event ID: 5008
    Date:  9/3/2009
    Time:  4:17:27 PM
    User:  N/A
    Computer: CATSLAVE
    Description:
    Microsoft Forefront Client Security engine has been terminated due to an unexpected error.
      Failure Type: Crash
      Exception code: 0xc0000005
      Resource: file:C:\MSDOS.SYS

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    System is Windows XP Pro SP3, all OS and Forefront updates applied
    Forefront is client version 1.5.1972.0  
    Forefront engine 1.1.5005.0
    Antivirus definition 1.65.330.0
    ANtispyware definition 1.65.330.0

    This has been going on since 8/28, though 8/28 through 8/30 Forefront was crashing on a different file than MSDOS.SYS

    Thursday, September 3, 2009 9:47 PM