Event ID 3003 event error

  • Question

  • I started getting the following message from one of my servers almost daily. Any idea what's causing it?


    Event ID: 3003

    Source: FCSAMRtp


    Microsoft Forefront Client Security Real-Time Protection checkpoint has encountered an error and failed.
    User: DOMAIN\user
    Checkpoint ID: 21
    Error Code: 0x8000ffff
    Error description: Catastrophic failure
    Thanks in advance

    Thursday, December 13, 2007 4:17 PM

All replies

  • there is also the following error:


    Event Type: Error
    Event Source: FCSAMRtp
    Event Category: None
    Event ID: 3003
    Date:  12/12/2007
    Time:  11:31:48 PM
    User:  N/A
    Computer: CL0001
    Microsoft Forefront Client Security Real-Time Protection checkpoint has encountered an error and failed.
      User: DOMAIN\user
      Checkpoint ID: 5
      Error Code: 0x80070005
      Error description: Access is denied.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Thursday, December 13, 2007 4:26 PM
  • The MOM alert that's generating the error is FCS\Alert Level 4\Scanning Failed


    Thursday, December 13, 2007 4:29 PM
  • Hello!

    From that error code, it would appear the real-time scanner is failing to access a file/directory.  If you have specific files/directories that you've restricted permissions on, this could occur.




    Forefront Client Security PM

    Thursday, January 3, 2008 7:27 PM
  • Any idea how I tell what files or directories are causing problems?


    Thursday, January 3, 2008 9:05 PM
  • You have not changed the identity under which the Microsoft Forefront Client Security Antimalware Service runs, correct? (should be LocalSystem)


    Checkpoint #5 is a driver check

    Checkpoint #21 is a services check


    Unfortunately, this does not pinpoint the problem.  We could specifically determine what it is unhappy about by taking a trace using %programfiles%\Microsoft Forefront\Client Security\client\antimalware\MpCmdRun -Trace, reproducing the issue, then stopping the trace.  Once stopped it will point you to a .bin trace file in the %AllUsersProfile% directory.


    If you are not comfortable posting that or, even zipped, the file is too large, you can use the feedback mechanism Chris outlines in http://forums.microsoft.com/forefront/ShowPost.aspx?PostID=949686&SiteID=41 to submit the file directly to Microsoft where we can take a look.




    Tuesday, January 8, 2008 9:48 PM
  • And what's Checkpoint ID: 7 ?
    I get some of those "access denied" alerts, and have no clue where to look for the source of the problem...

    Thursday, January 22, 2009 10:49 AM
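For triaging a batch of these events, the following added example (not part of the thread and not Microsoft's tooling) tallies FCSAMRtp 3003 message text by checkpoint ID and decodes each HRESULT into its facility and code fields. The function names are hypothetical, the sample text is constructed from the two events quoted above, and the only checkpoint meanings it knows are the two given in the thread.

```python
import re
from collections import Counter

# Checkpoint meanings as stated in the thread; other IDs are not documented there.
CHECKPOINTS = {5: "driver check", 21: "services check"}
# Standard Windows values from winerror.h.
FACILITIES = {0: "FACILITY_NULL", 7: "FACILITY_WIN32"}
WIN32_CODES = {5: "ERROR_ACCESS_DENIED"}
KNOWN_HRESULTS = {0x8000FFFF: "E_UNEXPECTED", 0x80070005: "E_ACCESSDENIED"}
EVENT_RE = re.compile(r"Checkpoint ID:\s*(\d+)\s+Error Code:\s*(0x[0-9a-fA-F]{8})")

def decode_hresult(value):
    """Split a 32-bit HRESULT into severity, facility and code fields."""
    facility = (value >> 16) & 0x7FF   # bits 16-26
    code = value & 0xFFFF              # bits 0-15
    return {
        "failure": bool(value >> 31),  # severity bit
        "facility": FACILITIES.get(facility, str(facility)),
        "code": code,
        "name": KNOWN_HRESULTS.get(value, "unknown"),
        # Only FACILITY_WIN32 wraps a plain Win32 error code.
        "win32": WIN32_CODES.get(code) if facility == 7 else None,
    }

def summarize(text):
    """Count (checkpoint ID, HRESULT) pairs found in exported event text."""
    tally = Counter()
    for cp, hr in EVENT_RE.findall(text):
        tally[(int(cp), int(hr, 16))] += 1
    return tally

def report(text):
    """One summary line per distinct (checkpoint, HRESULT) pair."""
    lines = []
    for (cp, hr), n in sorted(summarize(text).items()):
        d = decode_hresult(hr)
        what = CHECKPOINTS.get(cp, "not documented in the thread")
        lines.append(f"{n}x checkpoint {cp} ({what}): 0x{hr:08x} "
                     f"{d['name']} [{d['facility']}, code {d['code']}]")
    return lines

# Constructed sample: message bodies of the two events quoted in the thread.
SAMPLE = """\
Checkpoint ID: 21
Error Code: 0x8000ffff
Error description: Catastrophic failure
  Checkpoint ID: 5
  Error Code: 0x80070005
  Error description: Access is denied.
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

An event whose code decodes to FACILITY_WIN32 with code 5 is the access-denied case discussed above; 0x8000ffff carries no Win32 code, so it gives no hint about permissions.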