Forefront Client Security - KB915597

  • Question

  • I set up Forefront Client Security with WSUS 3.0 about 3 months ago and it was working perfectly. I have a total of 1700 computers and of those computers about 200 have Forefront Client installed. I am in the process of installing Forefront to replace our current AV. In WSUS, I have it set to automatically approve definition updates for Forefront. GPO Policy is set for all computers to point to WSUS Server. Also have the Forefront Policy setup and deployed.

    Just recently, computers WITHOUT Forefront Client installed are receiving a notification to install Definitions for Forefront Client Security - KB915597 through Automatic Updates. From what I can see, this didn't start happening until the release of Forefront Client Security - KB915597 (Definition 1.69.1007.0) and has been happening ever since.

    So I am looking to see why or what has changed to start causing computers to attempt to install this definition update when they DO NOT have Forefront Client installed on them?


    Currently running Forefront Client Security on a Windows 2003 server
    WSUS 3.0 Service Pack 2 on Windows Server 2003 x64
    Clients running XP Pro w/ Service pack 3

    Monday, November 23, 2009 8:02 PM

All replies

  • Are they getting this from the Automatic Updates client?

    Any chance these clients have Windows Defender installed on them? (Just wondering.)

    I know the product group made some changes recently with signatures with regards to a more efficient signature type but wasn't aware of changes to detection that would cause the issue you are seeing.  I would recommend you get a case going with us if you haven't so we can get detection logging from a client.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Tuesday, November 24, 2009 5:33 PM
  • Hello Dearmge,

    We have been researching this issue internally at Microsoft in response to your posting.  We believe that we have an understanding of what is happening, and it appears to be tied to FCS policy.  We would like to ensure that our understanding matches your configuration.  Can you answer the following questions:

    · You say “have it set to automatically approve definition updates for ForeFront” and “Also have the Forefront Policy setup and deployed”.  Is it accurate that the computers which are being offered FCS definitions, which do not have the client installed, have received the FCS policy published from the management console?
    Rephrased:  Is it accurate that you intended the affected clients to receive FCS policy but not definitions or the client deployment package?

    · You say “Just recently”; would you say that the problem started last week?  You may have also noticed a change in the FCS definition titles at this time.

    · Have you attempted to undeploy/block policy from being applied to the affected clients (with FCS)?  If so, does that stop the offering cycle?

    Thank you,

    Craig Wiand

    Forefront Client Security Support
    Wednesday, November 25, 2009 7:30 PM
  • Reply to your question:


    1.  Is it accurate that the computers which are being offered FCS definitions, which do not have the client installed, have received the FCS policy published from the management console?

    Yes this is true, I have the policy for FCS deployed to computers that DO NOT have the Forefront Client installed. This is because I have a team deploying new computers each day and each computer has the FCS Client installed. So in order for me to make sure that FCS policy is applied, I deployed it to all computers in Active Directory. I also have random users that have the FCS Client installed.

    2. Yes, the problem started last week. Yes, it was when I noticed the FCS Definition Title had changed. It now includes the KB915597 (Definition x.xx.xx.x) when before it would have (Antimalware x.xx.xxx.x) at the end.

    3. When you state "affected clients (with FCS)" Do you mean stop applying the FCS policy to computers that have FCS installed or stop applying the FCS policy to computers that DO NOT have FCS installed. Either way I have not tried that.

    Also, I will be out of the office until Dec. 3, so if you don't hear from me for a while this is why. I will, however, do some testing with the FCS policy and let you know the results.

    Thursday, November 26, 2009 2:09 AM
  • I have a similar infrastructure and have noticed the same behavior on machines that DO NOT have Forefront Client Security installed.  Yes, they are in an OU that has an FCS policy applied, but prior to a couple of weeks ago they did not ask for FCS update KB915597 to be installed. I would rather not have to change my OU structure and block FCS policy, because previously these machines would not ask for a definition update if they did not have the client installed.

    Monday, November 30, 2009 3:43 PM
  • I have the same issue on 600 servers which are still running Symantec; the FCS GPO has been applied to these machines. The definition updates keep filling up the system drive c:\windows\softwaredistribution\downloads. The GPO was applied in July 2009 and we have had this problem since November and not before, so there must be something that has been changed in the definition detection.

    • Edited by Arroun Monday, December 7, 2009 2:54 PM typo
    Monday, December 7, 2009 1:58 PM
  • Happy new year to all!!

    Got the same dilemma, so I am "reviving" this thread in this new year...

    Any solution yet how to get this update (aside from "hiding" it) to stop appearing...
    Monday, January 4, 2010 1:20 PM
  • Hi Dearmge,

    If I understand you well, you don't want those computers to have Forefront installed and Windows Update is like forcing you to? If so, I think all your computers are in an OU that your policy was applied to, right? So, to get this right (not receiving notification for install), you need to remove those computers from that OU so that the policy is never applicable to them. However, the "Definitions for Forefront Client Security - KB915597" or whatever, seems like an update but in the real sense it's the client agent itself, so it attempts to install to those computers without the agent and the simple reason is that they are in the same OU that has the policy deployed to. Hope this'll solve your problem, wish you the best and let me know if you need additional help.

    Nura
    • Proposed as answer by Nuratech Tuesday, January 5, 2010 4:48 PM
    Tuesday, January 5, 2010 4:47 PM
  • The detection logic for this is on track to be fixed within a couple of weeks by mid this month I believe.  Not sure of any dates or anything so don't hold me to it :)...
    The fix for now is to ensure that you are not pushing FCS policy to clients that are not actually systems with FCS installed.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    • Marked as answer by Nick Gu - MSFT Wednesday, January 6, 2010 7:22 AM
    Tuesday, January 5, 2010 6:46 PM
  • Kurt!

    Thank you for your answer...

    I'll try removing the server from the Group that has the GPO related to FCS and see if this makes the update go away...

    Regards!
    Serge
    Wednesday, January 6, 2010 12:13 PM
  • This fix is being combined with other improvements to the Client Security definition set.  We expect the change in the detection logic to prevent definitions from being offered to non-FCS clients by the end of this month.
    Forefront Client Security Support
    Tuesday, January 19, 2010 6:15 PM
  • The detection logic changes for this have been published.  Those computers affected which did not have the FCS client installed should no longer be offered definition updates. 

    Thank you for your patience while we corrected this issue.

    Best Regards,
    Craig Wiand
    Microsoft Forefront Escalation Engineer


    Forefront Client Security Support
    Monday, February 1, 2010 7:45 PM
  • We are currently experiencing the same issues, and have been since November. We have a call logged with Microsoft but they do not seem to have an answer as yet, but have just sent them this link. Can you inform me what update you have applied and where to fix this issue? We are currently running:

    Client version 1.5.1973.0
    engine version 1.1.5406.0
    def 1.75.1035.0
    wsus 3.1.6001.65 on 2008
    FCS Management console 1.0.1703.0

    For the time being we have stopped automatic approvals and are carrying out manual updates, which is very laborious.
    Tuesday, February 23, 2010 12:06 PM
  • The detection metadata should all be fixed.  Might be that possibly the older ones are not declined yet in your WSUS server which should happen automatically if you have not modified that setting.  If you have a case opened with us we should be able to figure it out.. you have the case# by any chance you can provide?
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Tuesday, February 23, 2010 3:06 PM
  • Thanks. In December we turned automatic updating off as our servers and WAN PCs were getting the updates as well, and shouldn't as FCS is not installed. Then on Jan 20th 2010 we tried it again with the same issues, so we have now turned this off again. Do you think that was enough time to purge the old files? Due to our current WAN bandwidth, or lack of, we do not want another update going out, especially the monthly update. The delta updates are OK, so is there any way of just doing delta updates only? Microsoft Support Incident SRZ100125000286.
    Tuesday, February 23, 2010 5:07 PM
  • So are your definitions up to date at the moment or not at all?
    What is the engine version currently on your clients? Click Help > About in the client.
    If you did not pick up last month's update I think we rebased around the 23rd or so and then had some issues that forced another rebase at beginning of Feb then you would probably see a "monthly" looking rebase happen.  Also we are looking at the Feb monthly rebase coming up relatively soon here as well, not sure on exact dates but it's usually around the mid 20's of the month.
    If you are that far out of date signature wise and WAN bandwidth is that much of a premium you may want to consider waiting a few days until the Feb rebase happens and then making sure that only the rebase package and later are approved and nothing else signature wise.

    Unfortunately I can't seem to find your case# :(  I'm guessing that's probably in our EMEA Clarify system which I don't have access to.


    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
    Tuesday, February 23, 2010 5:52 PM