Repeated Alerts for handful of Server 2008 PCs with Forefront Client

  • Question

  • We repeatedly get alerts for a few Server 2008 Standard machines our developers use (which have the client installed). Seems to have something to do with being unable to access a certain directory. What's the best way to determine the offending directory, etc?

    Alert details > Properties >

    Description:
    The antimalware component of Client Security was unable to scan the computer.


    Event details > Properties >

    Description:
    Microsoft Forefront Client Security Real-Time Protection checkpoint has encountered an error and failed.
    User: ouruser
    Checkpoint ID: 24
    Error Code: 0x8007010b
    Error description: The directory name is invalid. Domain: ourdomain
    Computer: compname
    Time: 6/17/2009 9:00:22 AM
    Type: Error
    Provider Name: Script-generated Data
    Event Number: 3003
    Provider Type: Generic Provider
    Source: FCSAM
    Category:
    Raises Alert: True
    Consolidated:
    From:
    To:
    Event Id: e31b950a-178f-478f-a3d3-021391ffa320

    Is this the proper place for this? If not, can you advise on some resources? Thanks, jt
    Wednesday, June 24, 2009 3:44 PM

Answers

  • Hi,


    Thank you for posting.


    As far as I know, it would appear the real-time scanner is failing to access a file/directory. Please check the specific files/directories that you've restricted permissions on.


    Regards,


    Nick Gu - MSFT
    Thursday, June 25, 2009 6:31 AM
  • I would run filemon.exe from Sysinternals to monitor your files and directories as you run a scan.

    Apply a filter to the results to view access denied messages.

    Good Luck!
    /Johan


    MCSE, forefront spec | www.msforefront.com
    Thursday, June 25, 2009 11:42 AM
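    Added example (not from Johan's post or from the thread): the filtering step above, done offline against a Process Monitor CSV export rather than interactively in the GUI. It assumes the export uses Process Monitor's default columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the process name `ScannerProcess.exe` is a placeholder, since the thread never confirms which executable the real-time scanner runs under, and the sample rows are constructed, not captured from a real host.

```powershell
# Added example, not from the thread. Reduce a Process Monitor CSV export to the
# ACCESS DENIED results for one process and count how often each path was refused.
# Assumed default Process Monitor columns; constructed sample data below.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:00:21.1234567 AM","ScannerProcess.exe","1234","CreateFile","C:\Projects\build","SUCCESS","Desired Access: Read Attributes"
"9:00:21.2345678 AM","ScannerProcess.exe","1234","CreateFile","C:\Projects\secret","ACCESS DENIED","Desired Access: Generic Read"
"9:00:21.3456789 AM","ScannerProcess.exe","1234","CreateFile","C:\Projects\secret\old","ACCESS DENIED","Desired Access: Generic Read"
"9:00:21.4567890 AM","ScannerProcess.exe","1234","CreateFile","C:\Projects\secret","ACCESS DENIED","Desired Access: Generic Read"
"9:00:21.5678901 AM","explorer.exe","800","QueryDirectory","C:\Users\dev","SUCCESS",""
'@

function Get-AccessDeniedPaths {
    param(
        [string[]]$CsvLines,   # lines of the CSV export, header first
        [string]$ProcessName   # placeholder process name; leave empty to keep every process
    )
    $rows = $CsvLines | ConvertFrom-Csv
    $rows |
        Where-Object {
            $_.Result -eq 'ACCESS DENIED' -and
            ([string]::IsNullOrEmpty($ProcessName) -or $_.'Process Name' -eq $ProcessName)
        } |
        Group-Object -Property Path |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'Path'; e = { $_.Name } }, Count
}

# Against a real export saved from Process Monitor (File > Save, CSV format):
#   Get-AccessDeniedPaths -CsvLines (Get-Content .\Logfile.CSV) -ProcessName 'ScannerProcess.exe'
Get-AccessDeniedPaths -CsvLines ($sampleCsv -split "`r?`n") -ProcessName 'ScannerProcess.exe' |
    Format-Table -AutoSize
```

    With the constructed rows this lists `C:\Projects\secret` (2) and `C:\Projects\secret\old` (1), which is the shape of output you want from a real capture: the directories the scanner is refused on, ranked by how often, so the permission fix can be targeted rather than guessed. Only cmdlets available in PowerShell 2.0 are used, so it runs on Server 2008 as shipped.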
  • There are 6 of these 2008 machines, 3 of them are fine.  I think the 3 that are bad may have used the same jacked up image to create.  I used accessenum to create a list of permissions and found some locations with deny - everyone.  Some may not have also had access to allow the proper admin/system accounts (even if deny everyone wasn't applied). 

    Regardless, there were a ton of bad locations and my finagling didn't seem to work.  These are developers, and they still have the Forefront policy applied, so I'm not too worried about them.  Forefront is still actively protecting them, and if they can't get to the location either, I'm not too worried about them getting a virus there. 

    I figured out how to create exceptions in MOM, and haven't seen the alerts since.  First you have to determine the alert type, which you can see in the MOM operator console.  I'm no expert on this, but this seemed to work for me, if anyone is having similar issues:

    MOM Admin console > Management Packs > Rule Groups > Microsoft Forefront Client Security > Host Alerts (in my particular case, from here on out) > Alert Level 3 > Event Rules > Scanning Failed (Alert Level 3) > right-click, properties > click 'Enable rule-disable overrides for this rule' > Set Criteria > Add > click arrow, computer(or group) > browse to appropriate computer to exclude > OK > OK (leave Value on Disable (0)) > OK > OK

    Hope that helps someone.

    jt

    • Marked as answer by thejtluv2 Wednesday, July 8, 2009 4:52 PM
    Wednesday, July 8, 2009 4:52 PM
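    Added example (not jt's code, and not part of Forefront or MOM): a script that does the accessenum-style permission review jt describes above, but only reports what matters for the scanner: folders with an explicit Deny entry for Everyone, and folders where neither SYSTEM nor the local Administrators group has any Allow entry. `C:\Projects` is a placeholder root, not a path from the thread; run it elevated on one of the affected machines and point it at the volume or tree the developers use.

```powershell
# Added example, not from the thread. Walk a folder tree and flag ACLs that would
# stop an antimalware service running as SYSTEM from entering the folder.
# Written against PowerShell 2.0 cmdlets so it runs on Server 2008 as shipped.
param(
    [string]$Root = 'C:\Projects'   # placeholder root, replace with the suspect tree
)

$everyone = 'Everyone'
# Principals the scanner (and the admin fixing it) should always be allowed in as.
$requiredPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Test-FolderAcl {
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # Not being able to read the ACL at all is itself a finding: if an admin
        # cannot read it, SYSTEM may not be able to traverse the folder either.
        return New-Object PSObject -Property @{
            Path    = $Path
            Problem = "Cannot read ACL: $($_.Exception.Message)"
        }
    }

    $problems = @()
    foreach ($ace in $acl.Access) {
        # Deny entries win over Allow entries, so a Deny for Everyone blocks SYSTEM too.
        if ($ace.AccessControlType -eq 'Deny' -and $ace.IdentityReference.Value -eq $everyone) {
            $problems += "Deny for Everyone ($($ace.FileSystemRights))"
        }
    }

    # Collect who has any Allow entry (inherited or explicit) on this folder.
    $allowed = @($acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value })
    foreach ($principal in $requiredPrincipals) {
        if ($allowed -notcontains $principal) {
            $problems += "No Allow entry for $principal"
        }
    }

    if ($problems.Count -gt 0) {
        return New-Object PSObject -Property @{
            Path    = $Path
            Problem = ($problems -join '; ')
        }
    }
}

# Check the root itself, then every subfolder (-Force includes hidden/system folders).
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
             Where-Object { $_.PSIsContainer })

$folders |
    ForEach-Object { Test-FolderAcl -Path $_.FullName } |
    Where-Object { $_ } |
    Select-Object Path, Problem |
    Format-Table -AutoSize
```

    The output is the list of folders to repair with icacls or the Security tab. Removing the Deny-for-Everyone entries and restoring Allow entries for SYSTEM and Administrators is the fix that clears the error at its source; the MOM override jt used suppresses the alert but leaves those folders unscanned, which is worth knowing when deciding which route to take.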

All replies

  • Looking in the PC's event log, filtering by event id 3003, they're all FCSAMRtp for the Source.  Is this a process?  Will this use the same process during a scan as the realtime protection uses?  Tips on exactly which process to try to filter on?  Thanks

    Wednesday, July 1, 2009 2:39 PM