Forefront interfering with other software

  • Question

  • We have just deployed Forefront to our corporate network and I'm having an issue with a single machine that appears to be directly caused by Forefront.  One of our machines has the X-Rite ColorEYE iControl software on it.  When Forefront is running normally, the iControl software believes that it is unlicensed.  Killing the MsMpEng.exe process and then starting the iControl software opens with a valid license.

    I have added the following directory exclusions:
    C:\Program Files\GretagMacbeth
    c:\Program Files\GretagMacbeth\Common Files\Control  (this is where the license files are stored as hidden system files)

    I have also added the following extension exclusions:
    .41s
    .ent
    .key
    .rst

    The exclusions shown were suggested by this article from the Xrite website:  http://www.xrite.com/product_overview.aspx?ID=774&Action=support&SupportID=3906

    The symptoms listed appear to be identical to what we're experiencing on this machine, although it refers to a different product as the culprit.  I've done all the exclusions shown, updated group policy on this machine, verified in the registry that the settings are present, and restarted the machine.  The problem persists.  Does anyone have any other ideas?  This is having a business impact and we are looking at having to remove all anti-virus from the machine or go back to our previous anti-virus in order for this software to work even though this is an undesirable situation.

    Thanks for any help!
    Monday, November 17, 2008 4:08 PM

All replies

  • Hi,

    I would also exclude the process(es) of your application. This has to be done locally on the computer running the software. Just open the FCS client UI, under Tools -> options you can make process exclusions.

    Good luck!

    /Johan
    MCSE, forefront spec | www.msforefront.com
    Tuesday, November 18, 2008 4:00 PM
  • We have the clients locked down so that no changes can be made, except through policy from the Console server.

    Is there a way to temporarily allow Administrator access to the client to make this change?
    Friday, November 21, 2008 1:12 PM
  •  

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\Exclusions\Processes]
    "C:\\Program Files\\Microsoft Virtual PC\\Virtual PC.exe"=dword:00000000


    Create a .reg file like the above and have them add it on the machine.  Of course replace that Virtual PC thing with your app instead :)


    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Friday, November 21, 2008 7:54 PM
  • Here is what I have done so far:

    I've excluded the program folders as shown earlier in the thread and the file extensions for the license files.  I've added an exclusion for the iControl process.  I found that XRite is using CrypKey for their licensing validation and I have added the Crypserv.exe process to the exclusion list.

    The program is still coming up as not licensed if the Antimalware Service is running.  If I stop the service from the services.msc or kill the MsMPEng.exe process, then the software will start up and be licensed.  For now, I have stopped the Antimalware Service on this machine and the ColorEYE software appears to be working OK now.

    What else can I try?

    Thanks!
    Wednesday, November 26, 2008 5:30 PM
  • Wow, tricky one!

    Have you talked to the support for your app? This might be a general AV problem, or they might have a clue as to why this is happening.

    Does this happen during a scan, or is it instant when you turn on the service? Any errors in the event log? Maybe you can run Process Monitor (Sysinternals) to find out which files and reg keys are accessed when you turn on the service.

    Hope this gives you some ideas

    /Johan
    MCSE, forefront spec | www.msforefront.com
    Wednesday, November 26, 2008 6:20 PM
  • I have a case opened with Xrite on this, but have not heard back yet.

    This is not happening during a scan, the service just has to be running.  If the service is running and I start the app, it says it's not licensed.  If I close the app, stop the service, and open the app, it opens faster, does not give an error message about licensing, and appears to work correctly.

    I've checked the event log for any errors, and the only ones I see are when the user of the machine killed the MsMpEng.exe process from Task Manager.

    I'll get sysinternals and see if I can figure anything out from that.
    Wednesday, November 26, 2008 7:26 PM
  • OK, I got totally distracted by a plethora of other issues, but have finally gotten back to this issue.

    I downloaded Process Monitor and ran the Color iControl software twice, once with the Forefront Antimalware service running and one time without.

    I have these two log files now.  I've tried to read through them, and I only understand a little bit of what they are telling me.  Could someone take a look at them and possibly decipher what's happening?
    Monday, May 4, 2009 5:49 PM
  • bump...still have this unresolved
    Monday, January 4, 2010 6:24 PM
  • It's hard to know without knowing more about how the software determines that it is unlicensed.
    You might have to open a case with us on this one and Xrite so we can get to the bottom of it.
    Did Xrite ever give you any more info?
    • Marked as answer by Nick Gu - MSFT Wednesday, January 6, 2010 7:22 AM
    Tuesday, January 5, 2010 12:54 AM
  • I did open a support case with Xrite, however, they were not able to do much, and apparently claimed that their anti-piracy software (CrypKey) was so tightly integrated into the program that it wasn't a simple fix and we might have to wait for a new version.

    I did download Process Monitor and made some recordings of system activities going on when Forefront was and was not running, but I can't make any sense of the output.
    Friday, January 29, 2010 5:02 PM
  • No, they never gave me any more info, and they haven't been responding to requests concerning this issue and if a new version of the software would correct it.

    I'll plan on opening a case soon.

    Friday, April 2, 2010 4:17 PM
  • Post the Process Monitor logs somewhere with a link to them and I'll take a look when I can.. that or just get a case going with us.


    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Friday, April 2, 2010 8:16 PM
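
One way to narrow down the two Process Monitor captures discussed in this thread (antimalware service running versus stopped), as an added example that is not part of any poster's reply: compare, per operation and path, the results the application got in each run, then list which other processes touched the diverging paths. The column names follow Process Monitor's CSV export; the process name `iControl.exe`, the file names, and every result below are constructed sample data, not the poster's logs or a diagnosis of this case.

```python
import csv
import io
from collections import defaultdict

HEADER = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'
CTRL = r"C:\Program Files\GretagMacbeth\Common Files\Control"

def row(proc, op, path, result):
    """Build one CSV line in Process Monitor's export layout (constructed data)."""
    return f'"10:00:00","{proc}","100","{op}","{path}","{result}",""\n'

# Constructed captures: iControl.exe, sample.key and sample.ent are assumed names.
WITH_AV = (HEADER
           + row("iControl.exe", "CreateFile", CTRL + r"\sample.key", "SHARING VIOLATION")
           + row("MsMpEng.exe", "CreateFile", CTRL + r"\sample.key", "SUCCESS")
           + row("iControl.exe", "ReadFile", CTRL + r"\sample.ent", "SUCCESS"))
WITHOUT_AV = (HEADER
              + row("iControl.exe", "CreateFile", CTRL + r"\sample.key", "SUCCESS")
              + row("iControl.exe", "ReadFile", CTRL + r"\sample.ent", "SUCCESS"))

def load(text):
    """Parse a Process Monitor CSV export (optional BOM) into row dicts."""
    return list(csv.DictReader(io.StringIO(text.lstrip("\ufeff"))))

def results_by_op(rows, process):
    """Map (operation, lowercased path) -> set of results for one process."""
    seen = defaultdict(set)
    for r in rows:
        if r["Process Name"].lower() == process.lower():
            seen[(r["Operation"], r["Path"].lower())].add(r["Result"])
    return seen

def diverging(av_rows, clean_rows, process):
    """Operations present in both runs whose AV-run result never occurred without AV."""
    av = results_by_op(av_rows, process)
    clean = results_by_op(clean_rows, process)
    return sorted((op, path, sorted(av[(op, path)] - res))
                  for (op, path), res in clean.items()
                  if (op, path) in av and av[(op, path)] - res)

def other_touchers(rows, path, process):
    """Other processes that accessed the same path in one capture."""
    return sorted({r["Process Name"] for r in rows
                   if r["Path"].lower() == path.lower()
                   and r["Process Name"].lower() != process.lower()})

if __name__ == "__main__":
    av_rows, clean_rows = load(WITH_AV), load(WITHOUT_AV)
    for op, path, results in diverging(av_rows, clean_rows, "iControl.exe"):
        print(op, path, results, other_touchers(av_rows, path, "iControl.exe"))
```

A short list of diverging paths shows which exclusion, if any, is not taking effect, which is a narrower fix than leaving the antimalware service stopped.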