Forefront suddenly prompting for "more information"

  • Question

  • Suddenly today, several of our Forefront client machines have begun displaying this prompt:

    Microsoft needs more information about this software

    Sending these files can help Microsoft improve the effectiveness of the protection for your system.  If you do not want to send a file, clear the check box next to it.

    The file path and name is often different.  One came up with the LogMeIn Rescue Card main executable, and another came up with something related to .Net Framework 1.1 during a Windows Update patch cycle.

    Can anyone tell me why this would have suddenly started happening today, and how to get rid of it, or if this is just something we have to deal with as a result of choosing Microsoft's AV product?

    Tuesday, August 21, 2012 3:46 PM

All replies

  • Hi,

    Thank you for the post.

    Because these files are flagged as unclassified, they are considered neither trusted nor malware. So FCS then requests that the binaries be sent to Microsoft for analysis and a determination, to be added in future signatures.

    The solution is to wait for Microsoft to update these files in the signatures, or to add these files/folders to the FCS exclusions with a .reg file like:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Paths]
    "%ProgramFiles%\\folder1"=dword:00000000
    "%ProgramFiles%\\folder2"=dword:00000000
    ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes]
    "C:\\Program Files\\folder1\\processfilename1"=dword:00000000
    "C:\\Program Files\\folder2\\processfilename2"=dword:00000000
    ...

    If there are more inquiries on this issue, please feel free to let us know.

    Regards


    Rick Tan

    TechNet Community Support

    • Marked as answer by Rick Tan Tuesday, August 28, 2012 1:25 AM
    Wednesday, August 22, 2012 6:53 AM
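
Added example, not part of the original thread and not Microsoft tooling: a pre-deployment review of a .reg exclusion file in the format shown in the answer above, flagging entries that exclude a whole drive or system root, or a location standard users can write to. The sample file, the ExampleVendor names and the list of user-writable locations are assumptions constructed for illustration.

```python
import re

# Constructed sample in the .reg format from the answer above; folder and
# process names are placeholders, not values from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Paths]
"%ProgramFiles%\\ExampleVendor\\Agent"=dword:00000000
"C:\\"=dword:00000000
"%TEMP%"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes]
"C:\\Program Files\\ExampleVendor\\Agent\\agent.exe"=dword:00000000
"C:\\Users\\Public\\tool.exe"=dword:00000000
'''

KEY_RE = re.compile(r'^\[(.+\\AM\\Exclusions\\(Paths|Processes))\]$', re.I)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:[0-9a-fA-F]{8}$')
# Assumed review policy (not from the thread): locations a standard user can
# usually write to, so an exclusion there covers anything placed in them.
USER_WRITABLE = ("%temp%", "%tmp%", "%appdata%", "%localappdata%",
                 "%userprofile%", "%public%", r"c:\users", r"c:\windows\temp")
TOO_BROAD = ("%systemdrive%", "%systemroot%", "%programfiles%")

def parse_exclusions(reg_text):
    """Return [(kind, path)] for every value under the FCS exclusion keys."""
    entries, kind = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            kind = m.group(2).capitalize() if m else None
        elif kind and (v := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes inside value names
            entries.append((kind, re.sub(r'\\(.)', r'\1', v.group(1))))
    return entries

def review(entries):
    """Return [(kind, path, reason)] for exclusions that need a second look."""
    findings = []
    for kind, path in entries:
        p = path.lower().rstrip("\\")
        if re.fullmatch(r'[a-z]:', p) or p in TOO_BROAD:
            findings.append((kind, path, "excludes an entire drive or system root"))
        elif any(p.startswith(w) for w in USER_WRITABLE):
            findings.append((kind, path, "user-writable location"))
    return findings

if __name__ == "__main__":
    for kind, path, reason in review(parse_exclusions(SAMPLE_REG)):
        print(f"{kind}: {path} -> {reason}")
```
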
  • OK, I see what you're saying, but have two follow-up questions for you:

    1.  The LogMeIn Rescue Calling Card program has been installed on our machines for months.  Why have they just now been determined to be "unclassified"?

    2.  One of the programs that brought up the "needs more information" prompt was a component or installer for the .NET Framework 1.1.  I find it very difficult to believe that Microsoft doesn't know how to classify its own products for Forefront.  Can you explain this one?

    Wednesday, August 22, 2012 1:41 PM
  • Hi,

    Here is the answer from the FCS team:
    The reason why this is only showing up right now has to do with some changes in our underlying technology (we deliver such changes via the signature update packages) which caused an overaggressive collection of metadata/files for highly prevalent files.

    So you should no longer have this issue once Microsoft completes the change on the FCS backend in the coming days.

    Regards,


    Rick Tan

    TechNet Community Support


    • Edited by Rick Tan Monday, August 27, 2012 2:18 AM
    • Marked as answer by Brett242 Monday, August 27, 2012 1:51 PM
    Monday, August 27, 2012 2:17 AM