Vulnerabilities Engine and Definitions not updating

  • Question

  • I have been taking a more detailed look into my reports in the morning, and I noticed that the Vulnerabilities Engine and the Vulnerabilities Definitions are not being updated on all systems.  I checked my policies and the SSA Scans are enabled and run nightly, but I still see versions 1.0.1703.0, 1.0.1710.103, 1.0.1725.0, 1.0.1728.0 and 1.0.1736.0.

    I have ALL Forefront products set to auto-approve through WSUS, and systems have been getting the Spyware and Virus definitions as well as the antimalware definitions just fine.  I am currently only using Forefront for my servers, but I have over 150 servers, so it would be very difficult to resolve this with a manual fix, and anything automated must be zero risk and not processor or memory intensive.

    Thursday, March 29, 2012 3:21 PM

All replies

  • Hi,

    Thank you for the post.

    1. Ensure the 1.0.1736.0 FCS packet update is installed on all FCS clients in the WSUS console:
    http://support.microsoft.com/kb/2508824

    2. Ensure the SSA scans are enabled in all FCS policies for the FCS clients.

    3. The downloaded Vulnerabilities Engine takes effect when SSA scans, so please run a full scan from the FCS server console on the FCS clients whose Vulnerabilities Engine is not updated.
    http://social.technet.microsoft.com/Forums/en/ForefrontclientSSA/thread/35c48de8-7a52-4c22-91ae-b5d9f210c744

    If there are more inquiries on this issue, please feel free to let us know.

    Regards


    Rick Tan

    TechNet Community Support

    • Marked as answer by Rick Tan Monday, April 9, 2012 1:30 AM
    • Unmarked as answer by Mwilliam4 Thursday, April 12, 2012 4:12 PM
    Friday, March 30, 2012 4:45 AM
  • 1. Yes, this package is installed on all FCS clients and is listed as assigned and installed to the applicable groups in WSUS

    2. SSA scans are enabled in all FCS policies

    3. Full scans are set to run nightly, would the scheduled scans not handle this?

    Monday, April 2, 2012 8:19 PM
  • Hi,

    To view the SSA engine version on servers manually:

    1. Check the version of the SSA engine files bpacommon.dll and bpaconfigcollector.dll in the directory C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\Manifests
    2. Check the InstalledManifestVersion and WorkingManifestVersion values under the SSA registry key HKLM\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\SSA

    To view the SSA scheduled scans: check the LastRun and NextRun registry values under HKLM\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\SSA\ScanAction

    Regards


    Rick Tan

    TechNet Community Support

    Thursday, April 5, 2012 2:45 AM
  • Thanks for the reply.

    1. File version of the bpacommon.dll and bpaconfigcollector.dll do appear to coincide with the versions displayed in the Forefront reports.  In the client I'm checking right now, that value is 1.0.1710.103

    2. InstalledManifestVersion and WorkingManifestVersion also coincide with what Forefront is showing.

    3. LastRun value is 0x4f867735 (1334212405)

        NextRun value is 0x4f87c8d8 (1334298840)

    Also, the LastSuccessfulUpdateSearch contains today's date...  You don't suppose that the Windows Firewall is actually blocking the connections even though I specifically allowed the ports through?

    Thursday, April 12, 2012 1:40 PM
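
The manual checks listed in the replies above can be collected in one read-only pass per server. The following is an added example, not part of the original thread or of any Microsoft tooling; it uses only the file and registry locations quoted in the thread, and it assumes that LastRun and NextRun are DWORDs holding Unix epoch seconds in UTC, which matches the decimal values quoted above. The function names are hypothetical.

```powershell
# Added example: read-only local check of the SSA values named in this thread.
# Assumption: LastRun/NextRun are DWORDs holding Unix epoch seconds (UTC).
$SsaKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\SSA'
$SsaDir = 'C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\Manifests'
$Epoch  = New-Object -TypeName DateTime -ArgumentList 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)

# Hypothetical helper: turn an epoch-seconds value into a UTC DateTime.
function ConvertFrom-EpochSeconds([long]$Seconds) {
    $Epoch.AddSeconds($Seconds)
}

# Hypothetical helper: gather engine file versions, manifest versions and scan times.
function Get-SsaStatus {
    $status = New-Object PSObject -Property @{ Computer = $env:COMPUTERNAME }

    # SSA engine file versions (step 1 in the reply above)
    foreach ($dll in 'bpacommon.dll', 'bpaconfigcollector.dll') {
        $path = Join-Path $SsaDir $dll
        $ver  = if (Test-Path $path) { (Get-Item $path).VersionInfo.FileVersion } else { 'missing' }
        $status | Add-Member -MemberType NoteProperty -Name $dll -Value $ver
    }

    # Manifest versions (step 2); a missing key simply yields empty values
    $ssa = Get-ItemProperty -Path $SsaKey -ErrorAction SilentlyContinue
    foreach ($name in 'InstalledManifestVersion', 'WorkingManifestVersion') {
        $status | Add-Member -MemberType NoteProperty -Name $name -Value $ssa.$name
    }

    # Scheduled scan times, decoded from epoch seconds
    $scan = Get-ItemProperty -Path "$SsaKey\ScanAction" -ErrorAction SilentlyContinue
    foreach ($name in 'LastRun', 'NextRun') {
        $when = if ($scan -and $null -ne $scan.$name) { ConvertFrom-EpochSeconds $scan.$name } else { $null }
        $status | Add-Member -MemberType NoteProperty -Name "${name}Utc" -Value $when
    }
    $status
}

# Decode the LastRun and NextRun values quoted in the reply above
ConvertFrom-EpochSeconds 0x4f867735
ConvertFrom-EpochSeconds 0x4f87c8d8

# Report for the local server
Get-SsaStatus | Format-List
```

The script only reads files and registry values, so it changes nothing on the server it runs on.
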
  • Anyone?
    Tuesday, April 17, 2012 2:22 PM
  • Hi,

    Sorry for the late reply.
    It seems the latest SSA has not been installed on this client. Try running KB2508824 or Fcsssa.msi manually to update the version.
    However, the SSA client version was just increased without any SSA change.

    Regards


    Rick Tan

    TechNet Community Support

    Wednesday, April 18, 2012 5:35 AM
  • So where do I go to download the latest version of that KB?
    Wednesday, April 18, 2012 1:31 PM
  • Hi,

    I dug further into the SSA not-updated issue, and it is behavior by design, so there is no need to care about the SSA update status. Thank you for your understanding.

    1. Each FCS package KB (like KB2508824, KB2394439) has the statement below:
    The service host (FcsSAS.exe) functionality has not changed from the release to manufacturing build, but its version number has been incremented to match the version in the title of the update package.
    Since there are no functional behavior changes, the version will not reflect any updates.
    2. The manually downloaded latest SSA update, KB938202, includes the latest SSA file, whose version is 1.0.1710.103.
    3. Only newly installed clients will reflect a higher version.

    Regards


    Rick Tan

    TechNet Community Support

    • Marked as answer by Rick Tan Thursday, April 19, 2012 3:06 AM
    • Unmarked as answer by Mwilliam4 Friday, April 20, 2012 2:44 PM
    • Marked as answer by Rick Tan Wednesday, June 20, 2012 3:12 AM
    Thursday, April 19, 2012 3:04 AM
  • Good Morning,

    Thanks for the info, but the fact remains that two of my graphs in my deployment summary are almost 50% red and I need to fix that.  Again, they show up as "Vulnerabilities Engine Deployment Status" and "Vulnerabilities Definition Deployment Status".  If I need to call in and open a support ticket to get this fixed, I will do so -- just tell me how to get into the team I need to get my issue resolved.

    Friday, April 20, 2012 2:44 PM
  • Anyone?

    Monday, April 23, 2012 1:22 PM
  • Hi,

    I'd like to suggest that you contact Microsoft Customer Service and Support (CSS) for this. You can speak directly with a Microsoft Support Professional to analyze the problem.
     
    How and when to contact Microsoft Customer Service and Support
    http://support.microsoft.com/kb/295539
     
    Regards


    Rick Tan

    TechNet Community Support

    • Marked as answer by Rick Tan Wednesday, June 20, 2012 3:12 AM
    Wednesday, April 25, 2012 1:43 AM