Forefront deletes drivers

  • Question

  • Good day,
    We have the Forefront 2007 client installed at my employer. On one model of computer, the HP Slimline DC 7800, Forefront is deleting the audio drivers at random. Is there a way to globally whitelist the drivers? Any help or suggestions would be greatly appreciated.
    Thank you
    Howard Magnes
     
    Tuesday, March 9, 2010 12:35 PM

Answers

  • Best thing would be to get the logs from a machine where this happened and see the actual files that it detected. Get those events as well as the threatname/id that we detected it as. If you can also get that file that it deleted, then submit that file at https://www.microsoft.com/security/portal/Submission/Submit.aspx and select to submit it as being incorrectly detected as malware. Don't just download the package from HP and submit it; we need the actual file (.drv, .sys, .dll, whatever) that it detects and removes. Once you have that submitted, just post the MMPC submission # that you get back to here.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Tuesday, March 9, 2010 6:58 PM

All replies

  • Do you have event logs showing that it detected them and deleted them? If so, can you provide the events and the threatid that it detected these items as? Also, if you have copies of the actual driver files that it detected, if you could throw those online somewhere, I'll have them checked out as a false positive. Thanks
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Tuesday, March 9, 2010 3:35 PM
  • Let me see if I can get the logs. Most often the machine is re-imaged when the drivers vanish. Where can I post the driver set? I can tell you we are using the latest Vista driver from HP, found at http://h20000.www2.hp.com/bizsupport/TechSupport/SoftwareIndex.jsp?lang=en&cc=us&prodNameId=3459245&prodTypeId=12454&prodSeriesId=3459241&swLang=13&taskId=135&swEnvOID=2096#113165
    Tuesday, March 9, 2010 4:21 PM