Antimalware service stopped

  • Question

  • We are deploying Microsoft Forefront Endpoint 2010 to Windows XP SP3 clients. We have SCCM 2007 installed and configured. After deploying Forefront to 100 clients we got a number of clients reporting that the Microsoft Antimalware Service stops immediately after the installation. On the clients we can start the service manually and update the virus definition. But after we restart the clients the Antimalware service is stopped again. The service is set to Automatic start. The strange thing is that all clients have the same Windows image. 10 out of 100 clients report back with a stopped Antimalware service. After we reinstall Windows completely on a client the problem went away. But that’s not a solution for us because we have to install Forefront on about 20.000 clients.

    This is the MPDetection log file after the installation:
    2012-02-09T07:18:25.296Z Service started - Microsoft Forefront Endpoint Protection 2010 (1F383481-F70E-4E7A-8B69-C4B4A23928E3)
    2012-02-09T07:18:28.406Z Service stopped with exit code 0x80096001

    When we manually start the service and update the virus definition we get this log file:
    2012-02-13T07:30:17.221Z Service started - Microsoft Forefront Endpoint Protection 2010 (1F383481-F70E-4E7A-8B69-C4B4A23928E3)
    2012-02-13T07:30:36.589Z Version: Product 3.0.8107.0 Service 3.0.8107.0 Engine 0.0.0.0 AS 0.0.0.0 AV 0.0.0.0
    2012-02-13T07:39:08.375Z Version: Product 3.0.8107.0 Service 3.0.8107.0 Engine 1.1.8001.0 AS 1.119.1846.0 AV 1.119.1846.0

    Everything works correctly until we restart the client:
    2012-02-08T07:21:50.765Z Service started - Microsoft Forefront Endpoint Protection 2010 (1F383481-F70E-4E7A-8B69-C4B4A23928E3)
    2012-02-08T07:21:59.984Z Service stopped with exit code 0x80096001


    The event viewer displays:

    Event-id: 2004
    Microsoft Antimalware Microsoft Antimalware heeft een fout aangetroffen bij het laden van handtekeningen en probeert terug te keren naar een juiste set handtekeningen.
      Geprobeerde handtekeningen: Huidig
      Foutcode: 0x80096001
      Foutbeschrijving: Er is een systeemniveaufout opgetreden bij het controleren van vertrouwen.
      Handtekeningversie: 1.119.1942.0;1.119.1942.0
      Engineversie: 1.1.8001.0
    Gebeurtenis-id: 2004
    De Microsoft Antimalware Service-service is gestopt met de volgende foutcode:
    Er is een systeemniveaufout opgetreden bij het controleren van vertrouwen. .
    Zie Help en ondersteuning op http://go.microsoft.com/fwlink/events.asp voor meer informatie.

    Event-id: 7023
    De Microsoft Antimalware Service-service is gestopt met de volgende foutcode:
    Er is een systeemniveaufout opgetreden bij het controleren van vertrouwen. .
    Zie Help en ondersteuning op http://go.microsoft.com/fwlink/events.asp voor meer informatie.


    It's Dutch, translated to English :):

    Event-id: 2004
    Microsoft Antimalware Microsoft Antimalware has encountered an error trying to load signatures and return to a correct set of signatures.
      Signatures Attempted: Current
      Error Code: 0x80096001
      Error Description: There is a system-level error while checking trust.
      Signature Version: 1.119.1942.0; 1.119.1942.0
      Engine Version: 1.1.8001.0
    See Help and Support Center at http://go.microsoft.com/fwlink/events.asp


    Event-id: 7023
    The Microsoft Antimalware Service service terminated with the following error:
    There is a system-level error checking trust. .
    See Help and Support Center at http://go.microsoft.com/fwlink/events.asp for more information.

    I tried reinstalling Forefront on a client manually under the local administrator and domain administrator account. Also tried installing the newest version 2.1.1116.0. But no luck.

    Does anyone have a solution?


    • Edited by danielkel Monday, February 20, 2012 9:53 AM
    Wednesday, February 15, 2012 9:57 AM
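The start-then-stop pattern in the MPDetection log above, turned into a triage script (an added example, not code from the thread): it parses lines in the format quoted in the question, counts stops with exit code 0x80096001 (the HRESULT TRUST_E_SYSTEM_ERROR, which matches the "system-level error while checking trust" text in the event log) and flags clients where the service dies within seconds of starting. The client names and log lines are constructed for the example.

```python
"""Added example (not from the thread): triage MPDetection.log exports from
many clients and flag the pattern described in the question: the Antimalware
service starts and then stops within seconds with exit code 0x80096001."""
import re
from datetime import datetime, timedelta

# HRESULT from the question; Windows names it TRUST_E_SYSTEM_ERROR.
TRUST_E_SYSTEM_ERROR = 0x80096001

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})Z\s+(?P<msg>.*)$"
)
STOP_RE = re.compile(r"Service stopped with exit code 0x(?P<code>[0-9A-Fa-f]{8})")


def parse_line(line):
    """Return (timestamp, message) for an MPDetection record, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%f"), m.group("msg")


def classify(log_text, max_uptime=timedelta(seconds=30)):
    """Classify one client's MPDetection log.

    trust_failures: 'Service stopped' records carrying 0x80096001
    crash_on_start: a trust failure followed 'Service started' within max_uptime
    definitions:    AV signature version from the last 'Version:' record
    """
    result = {"trust_failures": 0, "crash_on_start": False, "definitions": None}
    last_start = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, msg = rec
        if msg.startswith("Service started"):
            last_start = ts
        elif (m := STOP_RE.search(msg)):
            if int(m.group("code"), 16) == TRUST_E_SYSTEM_ERROR:
                result["trust_failures"] += 1
                if last_start is not None and ts - last_start <= max_uptime:
                    result["crash_on_start"] = True
        elif msg.startswith("Version:"):
            av = re.search(r"\bAV\s+(\S+)", msg)  # "... AS x.y AV x.y"
            if av:
                result["definitions"] = av.group(1)
    return result


def triage(client_logs):
    """Names of clients showing the start-then-die trust failure, sorted."""
    return sorted(name for name, text in client_logs.items()
                  if classify(text)["crash_on_start"])


# Constructed sample logs modelled on the lines quoted in the question.
BROKEN_CLIENT_LOG = """\
2012-02-09T07:18:25.296Z Service started - Microsoft Forefront Endpoint Protection 2010 (1F383481-F70E-4E7A-8B69-C4B4A23928E3)
2012-02-09T07:18:28.406Z Service stopped with exit code 0x80096001
2012-02-13T07:30:17.221Z Service started - Microsoft Forefront Endpoint Protection 2010 (1F383481-F70E-4E7A-8B69-C4B4A23928E3)
2012-02-13T07:30:36.589Z Version: Product 3.0.8107.0 Service 3.0.8107.0 Engine 0.0.0.0 AS 0.0.0.0 AV 0.0.0.0
2012-02-13T07:39:08.375Z Version: Product 3.0.8107.0 Service 3.0.8107.0 Engine 1.1.8001.0 AS 1.119.1846.0 AV 1.119.1846.0
2012-02-14T07:21:50.765Z Service started - Microsoft Forefront Endpoint Protection 2010 (1F383481-F70E-4E7A-8B69-C4B4A23928E3)
2012-02-14T07:21:59.984Z Service stopped with exit code 0x80096001
"""
HEALTHY_CLIENT_LOG = """\
2012-02-15T07:02:10.000Z Service started - Microsoft Forefront Endpoint Protection 2010 (1F383481-F70E-4E7A-8B69-C4B4A23928E3)
2012-02-15T07:02:31.500Z Version: Product 3.0.8107.0 Service 3.0.8107.0 Engine 1.1.8001.0 AS 1.119.1998.0 AV 1.119.1998.0
2012-02-15T18:00:00.000Z Service stopped with exit code 0x00000000
"""
SAMPLE_CLIENTS = {"ws-0012": BROKEN_CLIENT_LOG, "ws-0013": HEALTHY_CLIENT_LOG}

if __name__ == "__main__":
    for name, text in SAMPLE_CLIENTS.items():
        print(name, classify(text))
    print("needs remediation:", triage(SAMPLE_CLIENTS))
```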

Answers

  • Unfortunately installing the latest definition manually didn’t work. We stopped deploying Forefront because we couldn’t find a solution… till now.

    It had indeed something to do with Windows Updates. Although Windows Updates were installed correctly, the Forefront definitions had the problems described in the first post. After running “fix it” from http://support.microsoft.com/kb/971058/en-us the problem was solved.

    On the clients where the Antimalware service stopped, Microsoft “fix it” reported there was an issue with the Windows Update paths. Since we had this problem on more than 300 clients we decided to script the steps described in the section “Let me fix it myself”. Unfortunately that didn’t work out, even when we walked through the steps manually.

    The only solution we could find was to run “fix it” silently on the clients. We made a script that logs the user off and automatically logs the client on as a local administrator. Then we called another script that took care of the installation. We had to do it this way because “fix it” didn’t run silently under the system account. It even did not allow us to start it with the “run as” command.

    After spending hours and hours it worked :)


    • Marked as answer by danielkel Friday, December 14, 2012 9:22 AM
    • Edited by danielkel Friday, December 14, 2012 9:23 AM
    Friday, December 14, 2012 9:22 AM

All replies

  • Hi,

    I think your problem is related to the Windows Update agent not being able to download and install the latest definition file during installation.

    If you look in the WindowsUpdate.log file, are there any error messages there? The problem could perhaps be resolved using this method for troubleshooting Windows Updates not installing:

    http://support.microsoft.com/kb/822798 

    Hope it helps

    regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec


    Wednesday, February 15, 2012 10:09 AM
  • Thx for the reply.

    Below is the WindowsUpdate.log after starting the Antimalware service and updating the virus definition. Can't find anything wrong. It looks like the updates are installed correctly and Forefront isn't displaying any errors, only after a restart.

    Already tried the fix it tool from kb822789 which covers methods 1-5. Perhaps I also have to try methods 6-11.

    WindowsUpdate.log:

    2012-02-15 12:02:49:738 2152 734 Misc ===========  Logging initialized (build: 7.4.7600.226, tz: +0100)  ===========
    2012-02-15 12:02:49:738 2152 734 Misc   = Process: c:\Program Files\Microsoft Security Client\Antimalware\MpCmdRun.exe
    2012-02-15 12:02:49:738 2152 734 Misc   = Module: C:\WINDOWS\system32\wuapi.dll
    2012-02-15 12:02:49:738 2152 734 COMAPI -------------
    2012-02-15 12:02:49:738 2152 734 COMAPI -- START --  COMAPI: Search [ClientId = Microsoft Forefront Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]
    2012-02-15 12:02:49:738 2152 734 COMAPI ---------
    2012-02-15 12:02:49:738 2152 734 COMAPI <<-- SUBMITTED -- COMAPI: Search [ClientId = Microsoft Forefront Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]
    2012-02-15 12:02:49:879 1108 f48 Agent *************
    2012-02-15 12:02:49:879 1108 f48 Agent ** START **  Agent: Finding updates [CallerId = Microsoft Forefront Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]
    2012-02-15 12:02:49:879 1108 f48 Agent *********
    2012-02-15 12:02:49:879 1108 f48 Agent   * Online = Yes; Ignore download priority = No
    2012-02-15 12:02:49:879 1108 f48 Agent   * Criteria = "(IsInstalled = 0 and IsHidden = 0 and CategoryIDs contains 'a38c835c-2950-4e87-86cc-6911a52c34a3' and CategoryIDs contains 'e0789628-ce08-4437-be74-2495b842f43b')"
    2012-02-15 12:02:49:879 1108 f48 Agent   * ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service
    2012-02-15 12:02:49:879 1108 f48 Agent   * Search Scope = {Machine}
    2012-02-15 12:02:49:894 1108 f48 Misc Validating signature for C:\WINDOWS\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
    2012-02-15 12:02:50:207 1108 f48 Misc  Microsoft signed: Yes
    2012-02-15 12:02:50:301 1108 f48 Misc Validating signature for C:\WINDOWS\SoftwareDistribution\WuRedir\9482F4B4-E343-43B6-B170-9A65BC822C77\muv4wuredir.cab:
    2012-02-15 12:02:50:316 1108 f48 Misc  Microsoft signed: Yes
    2012-02-15 12:02:50:394 1108 f48 Agent Checking for updated auth cab for service 7971f918-a847-4430-9279-4a52d1efe18d at http://download.windowsupdate.com/v9/microsoftupdate/redir/muauth.cab
    2012-02-15 12:02:50:394 1108 f48 Misc Validating signature for C:\WINDOWS\SoftwareDistribution\AuthCabs\authcab.cab:
    2012-02-15 12:02:50:426 1108 f48 Misc  Microsoft signed: Yes
    2012-02-15 12:02:50:441 1108 f48 Misc Validating signature for C:\WINDOWS\SoftwareDistribution\AuthCabs\authcab.cab:
    2012-02-15 12:02:50:472 1108 f48 Misc  Microsoft signed: Yes
    2012-02-15 12:02:50:988 1108 f48 Misc Validating signature for C:\WINDOWS\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:
    2012-02-15 12:02:51:035 1108 f48 Misc  Microsoft signed: Yes
    2012-02-15 12:02:51:051 1108 f48 Misc Validating signature for C:\WINDOWS\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:
    2012-02-15 12:02:51:082 1108 f48 Misc  Microsoft signed: Yes
    2012-02-15 12:02:51:082 1108 f48 PT +++++++++++  PT: Starting category scan  +++++++++++
    2012-02-15 12:02:51:082 1108 f48 PT   + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://www.update.microsoft.com/v6/ClientWebService/client.asmx
    2012-02-15 12:02:53:707 1108 f48 Misc Validating signature for C:\WINDOWS\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:
    2012-02-15 12:02:53:722 1108 f48 Misc  Microsoft signed: Yes
    2012-02-15 12:02:53:738 1108 f48 Misc Validating signature for C:\WINDOWS\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:
    2012-02-15 12:02:53:769 1108 f48 Misc  Microsoft signed: Yes
    2012-02-15 12:02:53:785 1108 f48 PT +++++++++++  PT: Synchronizing server updates  +++++++++++
    2012-02-15 12:02:53:785 1108 f48 PT   + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://www.update.microsoft.com/v6/ClientWebService/client.asmx
    2012-02-15 12:02:58:863 1108 f48 Misc Validating signature for C:\WINDOWS\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:
    2012-02-15 12:02:58:879 1108 f48 Misc  Microsoft signed: Yes
    2012-02-15 12:02:58:894 1108 f48 Misc Validating signature for C:\WINDOWS\SoftwareDistribution\WuRedir\7971F918-A847-4430-9279-4A52D1EFE18D\muv4muredir.cab:
    2012-02-15 12:02:58:910 1108 f48 Misc  Microsoft signed: Yes
    2012-02-15 12:02:58:926 1108 f48 PT +++++++++++  PT: Synchronizing extended update info  +++++++++++
    2012-02-15 12:02:58:926 1108 f48 PT   + ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}, Server URL = https://www.update.microsoft.com/v6/ClientWebService/client.asmx
    2012-02-15 12:02:59:410 1108 12c AU Triggering Offline detection (non-interactive)
    2012-02-15 12:02:59:410 1108 12c AU #############
    2012-02-15 12:02:59:410 1108 12c AU ## START ##  AU: Search for updates
    2012-02-15 12:02:59:410 1108 12c AU #########
    2012-02-15 12:02:59:410 1108 12c AU <<## SUBMITTED ## AU: Search for updates [CallId = {DA54643D-F055-42AE-A0A5-53F2E70E03F4}]
    2012-02-15 12:02:59:426 1108 f48 Agent Update {73083F0C-E3C9-4F21-97D3-2A3681125B3A}.100 is pruned out due to potential supersedence
    2012-02-15 12:02:59:426 1108 f48 Agent Update {137CFEB3-22AF-4B2C-B007-6FBE8F69C1D2}.100 is pruned out due to potential supersedence
    2012-02-15 12:02:59:426 1108 f48 Agent Update {8B6A4BC4-84C5-493A-9D6A-9C22C482C0A5}.100 is pruned out due to potential supersedence
    2012-02-15 12:02:59:426 1108 f48 Agent   * Added update {322993E9-580B-4E84-959E-DB2FAB8F62B3}.100 to search result
    2012-02-15 12:02:59:426 1108 f48 Agent   * Found 1 updates and 4 categories in search; evaluated appl. rules of 29 out of 36 deployed entities
    2012-02-15 12:02:59:988 1108 f48 Agent *********
    2012-02-15 12:02:59:988 1108 f48 Agent **  END  **  Agent: Finding updates [CallerId = Microsoft Forefront Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]
    2012-02-15 12:02:59:988 1108 f48 Agent *************
    2012-02-15 12:02:59:988 1108 f48 Agent *************
    2012-02-15 12:02:59:988 1108 f48 Agent ** START **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2012-02-15 12:02:59:988 1108 f48 Agent *********
    2012-02-15 12:02:59:988 1108 f48 Agent   * Online = No; Ignore download priority = No
    2012-02-15 12:02:59:988 1108 f48 Agent   * Criteria = "IsHidden=0 and IsInstalled=0 and DeploymentAction='Installation' and IsAssigned=1 or IsHidden=0 and IsPresent=1 and DeploymentAction='Uninstallation' and IsAssigned=1 or IsHidden=0 and IsInstalled=1 and DeploymentAction='Installation' and IsAssigned=1 and RebootRequired=1 or IsHidden=0 and IsInstalled=0 and DeploymentAction='Uninstallation' and IsAssigned=1 and RebootRequired=1"
    2012-02-15 12:02:59:988 1108 f48 Agent   * ServiceID = {9482F4B4-E343-43B6-B170-9A65BC822C77} Windows Update
    2012-02-15 12:02:59:988 1108 f48 Agent   * Search Scope = {Machine}
    2012-02-15 12:03:00:035 2152 640 COMAPI >>--  RESUMED  -- COMAPI: Search [ClientId = Microsoft Forefront Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]
    2012-02-15 12:03:00:066 2152 640 COMAPI   - Updates found = 1
    2012-02-15 12:03:00:066 2152 640 COMAPI ---------
    2012-02-15 12:03:00:066 2152 640 COMAPI --  END  --  COMAPI: Search [ClientId = Microsoft Forefront Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]
    2012-02-15 12:03:00:066 2152 640 COMAPI -------------
    2012-02-15 12:03:00:238 2152 42c COMAPI -------------
    2012-02-15 12:03:00:238 2152 42c COMAPI -- START --  COMAPI: Download [ClientId = Microsoft Forefront Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]
    2012-02-15 12:03:00:238 2152 42c COMAPI ---------
    2012-02-15 12:03:00:238 2152 42c COMAPI   - Forced: No; Download priority: 3
    2012-02-15 12:03:00:238 2152 42c COMAPI   - Updates in request: 1
    2012-02-15 12:03:00:238 2152 42c COMAPI   - ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service
    2012-02-15 12:03:00:269 2152 42c COMAPI <<-- SUBMITTED -- COMAPI: Download [ClientId = Microsoft Forefront Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]
    2012-02-15 12:03:19:379 1108 f48 Agent Update {846185A2-40DA-4909-91D1-064AE329A0FF}.100 is pruned out due to potential supersedence
    2012-02-15 12:03:19:379 1108 f48 Agent Update {CB8DEF72-11C8-4EAE-A231-93BD6A563B8B}.100 is pruned out due to potential supersedence
    2012-02-15 12:03:19:379 1108 f48 Agent Update {7476CEBA-FD46-4DCF-B952-EADE591691BC}.100 is pruned out due to potential supersedence
    2012-02-15 12:03:19:379 1108 f48 Agent   * Added update {037490F0-2291-4C45-A381-C90416AEC79E}.101 to search result
    2012-02-15 12:03:19:379 1108 f48 Agent   * Added update {F0B50507-6C86-41D6-9350-6A8AF21F76C7}.101 to search result
    2012-02-15 12:03:19:379 1108 f48 Agent   * Added update {CD3119A7-E717-4311-82C1-87C6D3AF0018}.101 to search result
    2012-02-15 12:03:19:379 1108 f48 Agent   * Added update {A36B97D6-1A1A-4564-9933-649CDD2D2914}.100 to search result
    2012-02-15 12:03:19:379 1108 f48 Agent   * Added update {BDEAFDB3-03F6-4333-BD33-F5492F9C6D87}.102 to search result
    2012-02-15 12:03:19:379 1108 f48 Agent   * Found 5 updates and 13 categories in search; evaluated appl. rules of 363 out of 1096 deployed entities
    2012-02-15 12:03:19:832 1108 f48 Agent *********
    2012-02-15 12:03:19:832 1108 f48 Agent **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
    2012-02-15 12:03:19:832 1108 f48 Agent *************
    2012-02-15 12:03:19:863 1108 9b0 AU >>##  RESUMED  ## AU: Search for updates [CallId = {DA54643D-F055-42AE-A0A5-53F2E70E03F4}]
    2012-02-15 12:03:19:863 1108 9b0 AU   # 5 updates detected
    2012-02-15 12:03:19:941 1108 9b0 AU #########
    2012-02-15 12:03:19:941 1108 9b0 AU ##  END  ##  AU: Search for updates [CallId = {DA54643D-F055-42AE-A0A5-53F2E70E03F4}]
    2012-02-15 12:03:19:941 1108 9b0 AU #############
    2012-02-15 12:03:19:941 1108 9b0 AU Featured notifications is disabled.
    2012-02-15 12:03:20:019 1108 f48 Agent WARNING: fail to get localized metadata for installed categories with error 0x80248007
    2012-02-15 12:03:20:019 1108 f48 DnldMgr *************
    2012-02-15 12:03:20:019 1108 f48 DnldMgr ** START **  DnldMgr: Downloading updates [CallerId = Microsoft Forefront Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]
    2012-02-15 12:03:20:019 1108 f48 DnldMgr *********
    2012-02-15 12:03:20:035 1108 f48 DnldMgr   * Call ID = {042EF910-1355-4620-B87D-D216FB06B89C}
    2012-02-15 12:03:20:035 1108 f48 DnldMgr   * Priority = 3, Interactive = 1, Owner is system = 1, Explicit proxy = 1, Proxy session id = -1, ServiceId = {7971F918-A847-4430-9279-4A52D1EFE18D}
    2012-02-15 12:03:20:035 1108 f48 DnldMgr   * Updates to download = 1
    2012-02-15 12:03:20:035 1108 f48 Agent   *   Title = Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.119.1998.0)
    2012-02-15 12:03:20:035 1108 f48 Agent   *   UpdateId = {322993E9-580B-4E84-959E-DB2FAB8F62B3}.100
    2012-02-15 12:03:20:035 1108 f48 Agent   *     Bundles 4 updates:
    2012-02-15 12:03:20:035 1108 f48 Agent   *       {A58D0A65-BF1F-411E-845C-3AB6AADE60CD}.100
    2012-02-15 12:03:20:035 1108 f48 Agent   *       {D3300218-3816-444B-92D2-FB1374F3E259}.100
    2012-02-15 12:03:20:035 1108 f48 Agent   *       {03EC26E1-0C41-43AF-9F6C-77AD0B52EF80}.100
    2012-02-15 12:03:20:035 1108 f48 Agent   *       {3694997D-B768-4024-B487-46CFA2EF67A7}.100
    2012-02-15 12:03:20:129 1108 f48 DnldMgr ***********  DnldMgr: New download job [UpdateId = {D3300218-3816-444B-92D2-FB1374F3E259}.100]  ***********
    2012-02-15 12:03:20:269 1108 f48 DnldMgr   * All files for update were already downloaded and are valid.
    2012-02-15 12:03:20:269 1108 f48 DnldMgr ***********  DnldMgr: New download job [UpdateId = {03EC26E1-0C41-43AF-9F6C-77AD0B52EF80}.100]  ***********
    2012-02-15 12:03:22:801 1108 f48 DnldMgr   * All files for update were already downloaded and are valid.
    2012-02-15 12:03:22:816 1108 f48 DnldMgr ***********  DnldMgr: New download job [UpdateId = {3694997D-B768-4024-B487-46CFA2EF67A7}.100]  ***********
    2012-02-15 12:03:23:676 1108 f48 DnldMgr   * BITS job initialized, JobId = {3704E167-D26D-4476-8DAE-050118BD4184}
    2012-02-15 12:03:24:332 1108 f48 DnldMgr   * Downloading from http://download.windowsupdate.com/msdownload/update/software/defu/2012/02/am_delta_c4213cc656cbdff07ee71d193c61a9ded81f34c9.exe to C:\WINDOWS\SoftwareDistribution\Download\08eae67b283343b9312fcc9612c37e78\c4213cc656cbdff07ee71d193c61a9ded81f34c9 (full file).
    2012-02-15 12:03:24:816 1108 f48 Agent *********
    2012-02-15 12:03:24:816 1108 f48 Agent **  END  **  Agent: Downloading updates [CallerId = Microsoft Forefront Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]
    2012-02-15 12:03:24:816 1108 f48 Agent *************
    2012-02-15 12:03:24:816 1108 f48 Report REPORT EVENT: {1798D74D-5953-4CA7-AFCC-A10C9B5F3767} 2012-02-15 12:02:59:988+0100 1 147 101 {00000000-0000-0000-0000-000000000000} 0 0 Microsoft Forefront Endpoint Pr Success Software Synchronization Windows Update Client successfully detected 1 updates.
    2012-02-15 12:03:31:488 1108 23c DnldMgr BITS job {3704E167-D26D-4476-8DAE-050118BD4184} completed successfully
    2012-02-15 12:03:32:332 1108 23c Misc Validating signature for C:\WINDOWS\SoftwareDistribution\Download\08eae67b283343b9312fcc9612c37e78\c4213cc656cbdff07ee71d193c61a9ded81f34c9:
    2012-02-15 12:03:32:410 1108 23c Misc  Microsoft signed: Yes
    2012-02-15 12:03:32:410 1108 23c DnldMgr   Download job bytes total = 4135616, bytes transferred = 4135616
    2012-02-15 12:03:32:410 1108 23c DnldMgr ***********  DnldMgr: New download job [UpdateId = {3694997D-B768-4024-B487-46CFA2EF67A7}.100]  ***********
    2012-02-15 12:03:32:457 1108 23c DnldMgr   * All files for update were already downloaded and are valid.
    2012-02-15 12:03:32:629 2152 640 COMAPI >>--  RESUMED  -- COMAPI: Download [ClientId = Microsoft Forefront Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]
    2012-02-15 12:03:32:629 2152 640 COMAPI   - Download call complete (succeeded = 1, succeeded with errors = 0, failed = 0, unaccounted = 0)
    2012-02-15 12:03:32:629 2152 640 COMAPI ---------
    2012-02-15 12:03:32:879 2152 640 COMAPI --  END  --  COMAPI: Download [ClientId = Microsoft Forefront Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]
    2012-02-15 12:03:32:879 2152 640 COMAPI -------------
    2012-02-15 12:03:33:019 2152 93c COMAPI -------------
    2012-02-15 12:03:33:019 2152 93c COMAPI -- START --  COMAPI: Install [ClientId = Microsoft Forefront Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]
    2012-02-15 12:03:33:019 2152 93c COMAPI ---------
    2012-02-15 12:03:33:019 2152 93c COMAPI   - Allow source prompts: Yes; Forced: No; Force quiet: Yes
    2012-02-15 12:03:33:019 2152 93c COMAPI   - Updates in request: 1
    2012-02-15 12:03:33:019 2152 93c COMAPI   - ServiceID = {7971F918-A847-4430-9279-4A52D1EFE18D} Third party service
    2012-02-15 12:03:33:035 2152 93c COMAPI   - Updates to install = 1
    2012-02-15 12:03:33:035 2152 93c COMAPI <<-- SUBMITTED -- COMAPI: Install [ClientId = Microsoft Forefront Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]
    2012-02-15 12:03:33:035 1108 994 Agent *************
    2012-02-15 12:03:33:035 1108 994 Agent ** START **  Agent: Installing updates [CallerId = Microsoft Forefront Endpoint Protection (1F383481-F70E-4E7A-8B69-C4B4A23928E3)]
    2012-02-15 12:03:33:035 1108 994 Agent *********
    2012-02-15 12:03:33:035 1108 994 Agent   * Updates to install = 1
    2012-02-15 12:03:33:176 1108 994 Agent WARNING: fail to get localized metadata for installed categories with error 0x80248007
    2012-02-15 12:03:33:176 1108 994 Agent   *   Title = Definition Update for Microsoft Endpoint Protection - KB2461484 (Definition 1.119.1998.0)
    2012-02-15 12:03:33:176 1108 994 Agent   *   UpdateId = {322993E9-580B-4E84-959E-DB2FAB8F62B3}.100
    2012-02-15 12:03:33:176 1108 994 Agent   *     Bundles 6 updates:
    2012-02-15 12:03:33:176 1108 994 Agent   *       {365FE498-CD95-4980-B097-64DBAA5322B2}.100
    2012-02-15 12:03:33:176 1108 994 Agent   *       {B983761E-CA44-47EB-9E0D-8F7B4597ABF1}.100
    2012-02-15 12:03:33:176 1108 994 Agent   *       {A58D0A65-BF1F-411E-845C-3AB6AADE60CD}.100
    2012-02-15 12:03:33:176 1108 994 Agent   *       {D3300218-3816-444B-92D2-FB1374F3E259}.100
    2012-02-15 12:03:33:176 1108 994 Agent   *       {03EC26E1-0C41-43AF-9F6C-77AD0B52EF80}.100
    2012-02-15 12:03:33:176 1108 994 Agent   *       {3694997D-B768-4024-B487-46CFA2EF67A7}.100
    2012-02-15 12:03:37:613 1108 f48 Report REPORT EVENT: {98E92936-3751-4A19-AF97-F38682E728D3} 2012-02-15 12:03:32:613+0100 1 162 101 {322993E9-580B-4E84-959E-DB2FAB8F62B3} 100 0 Microsoft Forefront Endpoint Pr Success Content Download Download succeeded.
    2012-02-15 12:04:07:488 1108 994 DnldMgr Preparing update for install, updateId = {D3300218-3816-444B-92D2-FB1374F3E259}.100.
    2012-02-15 12:04:09:457  428 a0c Misc ===========  Logging initialized (build: 7.4.7600.226, tz: +0100)  ===========
    2012-02-15 12:04:09:457  428 a0c Misc   = Process: C:\WINDOWS\system32\wuauclt.exe
    2012-02-15 12:04:09:457  428 a0c Misc   = Module: C:\WINDOWS\system32\wuaueng.dll
    2012-02-15 12:04:09:457  428 a0c Handler :::::::::::::
    2012-02-15 12:04:09:457  428 a0c Handler :: START ::  Handler: Command Line Install
    2012-02-15 12:04:09:457  428 a0c Handler :::::::::
    2012-02-15 12:04:09:457  428 a0c Handler   : Updates to install = 1
    2012-02-15 12:04:20:254  428 a0c Handler   : Command line install completed. Return code = 0x00000000, Result = Succeeded, Reboot required = false
    2012-02-15 12:04:20:254  428 a0c Handler :::::::::
    2012-02-15 12:04:20:254  428 a0c Handler ::  END  ::  Handler: Command Line Install
    2012-02-15 12:04:20:254  428 a0c Handler :::::::::::::
    2012-02-15 12:04:20:426 1108 994 DnldMgr Preparing update for install, updateId = {03EC26E1-0C41-43AF-9F6C-77AD0B52EF80}.100.
    2012-02-15 12:05:11:176  428 1e0 Handler :::::::::::::
    2012-02-15 12:05:11:176  428 1e0 Handler :: START ::  Handler: Command Line Install
    2012-02-15 12:05:11:176  428 1e0 Handler :::::::::
    2012-02-15 12:05:11:176  428 1e0 Handler   : Updates to install = 1
    2012-02-15 12:05:22:441  428 1e0 Handler   : Command line install completed. Return code = 0x00000000, Result = Succeeded, Reboot required = false
    2012-02-15 12:05:22:441  428 1e0 Handler :::::::::
    2012-02-15 12:05:22:441  428 1e0 Handler ::  END  ::  Handler: Command Line Install
    2012-02-15 12:05:22:441  428 1e0 Handler :::::::::::::
    2012-02-15 12:05:22:582 1108 994 DnldMgr Preparing update for install, updateId = {3694997D-B768-4024-B487-46CFA2EF67A7}.100.
    2012-02-15 12:05:22:691  428 a0c Handler :::::::::::::
    2012-02-15 12:05:22:691  428 a0c Handler :: START ::  Handler: Command Line Install
    2012-02-15 12:05:22:691  428 a0c Handler :::::::::
    2012-02-15 12:05:22:691  428 a0c Handler   : Updates to install = 1
    2012-02-15 12:05:46:238  428 a0c Handler   : Command line install completed. Return code = 0x00000000, Result = Succeeded, Reboot required = false
    2012-02-15 12:05:46:238  428 a0c Handler :::::::::
    2012-02-15 12:05:46:238  428 a0c Handler ::  END  ::  Handler: Command Line Install
    2012-02-15 12:05:46:238  428 a0c Handler :::::::::::::
    2012-02-15 12:05:46:894 1108 12c AU Triggering Offline detection (non-interactive)
    2012-02-15 12:05:46:894 1108 12c AU #############


    • Edited by danielkel Wednesday, February 15, 2012 11:40 AM
    Wednesday, February 15, 2012 11:30 AM
  • Hi,

    You could try downloading the latest definition manually and see if it works or what error it will show.

    http://www.microsoft.com/security/portal/Definitions/HowToForeFront.aspx

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    • Marked as answer by Rick TanModerator Wednesday, June 20, 2012 3:30 AM
    • Unmarked as answer by danielkel Friday, December 14, 2012 9:22 AM
    Wednesday, February 15, 2012 5:36 PM