A large number of Windows 2000 PCs have removed the Forefront Antimalware Service

  • Question

  • Hi all

    We have a problem where over half of our Windows 2000 machines (300 out of 600) which had Forefront installed have now removed the Forefront Client Security Antimalware Service. It has left the Forefront Client Security State Assessment Service installed and the MOM agent.

    Client Setup log shows

    2009-12-22 14:42:44  AM Installation Failed.  See FCSAM.log for details.

    FCSAM Log shows

    DIFXAPP: ERROR 0x57 encountered while creating subkey for component '{153AA63E-3BFD-495C-A35F-85F66650141D}'

    The only way I can seem to fix it is to uninstall the Forefront Client Security State Assessment Service and re-install manually with the /nomom switch.

    Has anyone else experienced this?  Am I going to have to re-install on all these machines?

    Any help would be much appreciated.  I first noticed this last week on a couple of machines but didn’t realise the scale until running an SCCM query today.

    Thank you

    Tuesday, December 22, 2009 3:14 PM

Answers

  • Not sure why this has failed on your systems.

    A procmon of the install while failing would probably be interesting, but not sure if it's reproducible?

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFxApp\Components\{153AA63E-3BFD-495C-A35F-85F66650141D}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DIFx\DriverStore\mpfilter_D6B535DB58109141EC54DB38529166E09F8027C1

    are the keys it is probably trying to create during this time, so it would be interesting to see if we had a rights issue or something while trying to create those.

    As for the /q, not sure that works; you could try /quiet though. If you are going to manually install, then try extracting the packages from the .exe that you get when you manually download 976668 from the Microsoft Update Catalog, and you should wind up with an mp_ambits.msi package, which is the actual FCSAM installer. It updates to AMQFE7, which is the latest release of the FCSAM client in December. Running that .msi with /? will give you a whole list of switches which will work with it directly.


    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    • Proposed as answer by Nick Gu - MSFT Thursday, December 31, 2009 7:09 AM
    • Marked as answer by Nick Gu - MSFT Saturday, January 2, 2010 1:44 PM
    Monday, December 28, 2009 6:40 PM
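    The broken state described in this thread (Antimalware service removed, State Assessment service and the DIFxApp component key left behind) can be inventoried before pushing a reinstall. The script below is an added example, not the thread's or Microsoft's code: it queries each host for the two services and for the DIFxApp component key quoted above, and writes out the machines that need attention. The service names FCSAM and FcsSas, and the hosts file name, are assumptions; the registry path and component GUID come from the answer above.

```powershell
# Added example (not from the thread). Assumed service names: FCSAM (Antimalware
# Service) and FcsSas (State Assessment Service). The DIFxApp component key is the
# one quoted in the thread. win2000-hosts.txt is a constructed input file name.
param(
    [string[]]$ComputerName = (Get-Content .\win2000-hosts.txt)
)

$componentKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\DIFxApp\Components\{153AA63E-3BFD-495C-A35F-85F66650141D}'

function Test-FcsAmState {
    param([string]$Computer)
    $r = New-Object PSObject -Property @{
        Computer = $Computer; AmService = $false; SasService = $false; DifxKey = $false; Verdict = 'unknown'
    }
    try {
        # Service inventory over DCOM/WMI, which Windows 2000 still answers.
        $svc = Get-WmiObject -Class Win32_Service -ComputerName $Computer -ErrorAction Stop
        $r.AmService  = [bool]($svc | Where-Object { $_.Name -eq 'FCSAM' })   # assumed name
        $r.SasService = [bool]($svc | Where-Object { $_.Name -eq 'FcsSas' })  # assumed name

        # Remote registry read of the DIFxApp component key the failed install touches.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $key  = $hklm.OpenSubKey($componentKey)
        $r.DifxKey = ($key -ne $null)
        if ($key) { $key.Close() }
        $hklm.Close()

        if (-not $r.AmService -and $r.SasService) {
            $r.Verdict = 'UNPROTECTED: AM service removed, SAS service left behind'
        } elseif ($r.AmService) {
            $r.Verdict = 'ok'
        } else {
            $r.Verdict = 'FCS not installed'
        }
    } catch {
        $r.Verdict = "unreachable: $($_.Exception.Message)"
    }
    $r | Select-Object Computer, AmService, SasService, DifxKey, Verdict
}

$report = $ComputerName | ForEach-Object { Test-FcsAmState $_ }
$report | Format-Table -AutoSize

# Hosts in the broken state become the SCCM collection for the silent mp_ambits.msi push.
$report | Where-Object { $_.Verdict -like 'UNPROTECTED*' } |
    Select-Object -ExpandProperty Computer | Set-Content .\fcs-unprotected.txt
```

    The DifxKey column is only there to correlate with the 0x57 subkey error in FCSAM.log; the verdict is driven by the service inventory alone.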

All replies

  • Hi,

    Thank you for the post.

    Before going any further, you may check the system version, referring to this link: http://technet.microsoft.com/en-us/library/bb404245.aspx

    If you use the /NOMOM flag, it will install everything except the MOM agent.

    Regards,


    Nick Gu - MSFT
    Wednesday, December 23, 2009 6:19 AM
  • Thanks for your reply

    The clients do all meet the pre-reqs, and that is not the problem. I deployed all pre-reqs and Forefront to all these machines back in May and there has not been a problem.

    I'm trying to re-install using the /nomom switch, as MOM is already on these machines, as is the Forefront Client Security State Assessment Service.

    The only way I can seem to fix the problem is by removing the Security State Assessment Service and re-installing everything. If I try to re-install with the Security State Assessment Service still installed, the install fails.

    I'm wondering if it's the same problem as described in this thread. KB956280 is approved by our WSUS server.

    http://social.technet.microsoft.com/Forums/en/Forefrontclientgeneral/thread/030ba289-cbc8-4127-a468-7fd4edbc6080


    Wednesday, December 23, 2009 11:03 AM
  • From what I have found, it looks as if a patch was released around 10th December sometime (KB976668) which upgrades the client to version 1.0.1725.0. This looks like what has caused our problems. This upgrade is failing and leaving the machine unprotected. 300 machines is not acceptable.

    A manual installation of patch KB976668 fixes the problem without having to uninstall anything. However, we already have this patch downloaded and approved in WSUS. Running a report on this patch shows that it has failed on the majority of Windows 2000 machines. But if I install it manually it installs without a problem!!

    I have tried manually downloading the patch again and adding it back into WSUS. I will probably look at rolling out this patch to only Windows 2000 machines through SCCM if this does not work.

    Does anyone know if there are any switches for this, as there are prompts and license agreements during the installation? /q does nothing!

    We ran McAfee for over four years, and in that time we had half the problems than we have had running Forefront in less than a year!!

    We've had

    Patch re-offering problem
    Slow log on problems
    Scanning network files problem
    MSMPENG.exe hammering the CPU
    Cannot right click and scan USB sticks
    No central management console (to manage this you need to use WSUS, Group Policy and Forefront Management console)

    Let's hope the next version is better!

    Thanks

    Paul.
    Thursday, December 24, 2009 3:06 PM
  • Hi

    Thanks for your help

    I resolved this problem by uncompressing the patch 976668 and sending out the contained .msi silently via SCCM to all Windows 2000 machines. This appears to have resolved the problem. However, we did notice that on machines that had the problem, disk space was slowly being used up and the SoftwareDistribution folder had to be emptied, as it was full of Forefront client download files.

    Paul.
    Wednesday, January 27, 2010 11:06 AM