Microsoft KB Archive/940060

= A hotfix is available that resolves several symptoms in Forefront Client Security Management Server =

Article ID: 940060

Article Last Modified on 12/18/2007


APPLIES TO


 * Microsoft Forefront Client Security




SYMPTOMS
When you use Microsoft Forefront Client Security (FCS) Management Server, you experience the following symptoms.

Symptom 1

When you enable SpyNet, FCS Management Server uses a blank proxy value as the default value.

Note See the "More Information" section for a description of the changes that have been made to the SpyNet setting.

Symptom 2

When you set the Ignore override policy setting, the client computer still receives notifications about potentially unwanted software. However, no alert is generated on the FCS management server based on the notification.

Note See the "More Information" section for a description of the changes that have been made to the way that FCS Management Server handles policies that include threat-level overrides.

Symptom 3

Updates and hotfixes cannot be uninstalled on the FCS management server.

Symptom 4

You cannot reinstall any FCS role after you install FCS server-side updates or hotfixes.



Hotfix information
Important This hotfix removes any threat-level override settings that have been set. Therefore, we recommend that you note any Forefront Client Security policy override settings that you currently use before you apply this hotfix.

A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

This hotfix is available from Microsoft Update or from Windows Server Update Services. If you want to obtain the file for deployment by using a different method, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Prerequisites
No prerequisites are required.

Restart requirement
If associated services cannot be stopped or files cannot be replaced dynamically, you may have to restart the computer.

Hotfix replacement information
This hotfix replaces hotfix 936729.

Update removal information
This hotfix cannot be removed.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



Changes that have been made to the SpyNet setting
When you enable SpyNet, FCS Management Server uses the current Internet Explorer proxy as the default proxy.

Changes that have been made to the way that FCS Management Server handles policies that include threat-level overrides
We have made significant changes to the way that FCS Management Server handles policies that include threat-level overrides.

After you install this hotfix, you may receive the following message when you try to edit an existing policy for the first time:

Because of the recent update to your installation of Client Security, this policy has been automatically updated. The following changes have been made:

On the Overrides tab, all threat-based overrides that remove or quarantine the threat have been removed.

To apply the updated policy to your client computers, you must redeploy the policy.

The options that allow for threat-level overrides such as Remove or Quarantine have been removed. Therefore, only previously created threat-level overrides that were set to Ignore appear in the policy after you click OK in this message. Additionally, the threat-level overrides that were set to Ignore are converted to Ignore Always overrides.

The Ignore override was designed to let the detected item run, to notify the user that potentially harmful software is running, and to create an event that is based on the detected item. The Ignore Always override lets the item run. However, the Ignore Always override does not notify the user. After you install the hotfix, threat-level overrides completely override the default response to the malicious software. Threat-level overrides let the malicious software run without notification to the user and without generating an alert on the FCS management server. After you view the policy, if the overrides are as you intend, you must save the policy and redeploy it. If only Ignore threat-level overrides were present, and you do not see this notification message when you edit the policy, you must still save the policy and redeploy it. You must do this because the default override response will be changed to Ignore Always without sending a notification to the client computer.

The Ignore Always override is also used in Severity and Category overrides. This is significant because before this update, Category overrides always take precedence over Severity overrides whether or not Ignore is selected. This means that if a malware threat occurs with a category whose override includes Remove while the severity is overridden to Ignore, the Remove action occurs. After you install this hotfix, Category overrides still typically take precedence over Severity overrides unless the Severity override is Ignore. In this case, even if a Category override of Remove is selected, the Severity override Ignore action is still taken because of the way that Ignore Always is enforced.
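The threat-level override migration and the Category/Severity precedence change described above can be modelled to see which detections end up with a different outcome after the hotfix. This is an added example, not Microsoft code: the dict-based policy layout, the function names, and every sample threat, category and severity name are assumptions made for illustration and do not reflect the FCS policy format.

```python
# Added example: a model of the override changes described in this article.
# The dict-based policy layout and all sample names are constructed for
# illustration; this is not the FCS policy format or API.
IGNORE, IGNORE_ALWAYS = "Ignore", "Ignore Always"

def migrate_threat_overrides(threat_overrides):
    """Return (kept, dropped): Ignore becomes Ignore Always, the rest is removed."""
    kept = {t: IGNORE_ALWAYS for t, a in threat_overrides.items() if a == IGNORE}
    dropped = {t: a for t, a in threat_overrides.items() if a != IGNORE}
    return kept, dropped

def effective_action(policy, category, severity, post_hotfix):
    """Resolve Category vs. Severity overrides; None means the default response."""
    cat = policy["category"].get(category)
    sev = policy["severity"].get(severity)
    if post_hotfix and sev in (IGNORE, IGNORE_ALWAYS):
        return IGNORE_ALWAYS          # Severity Ignore now wins over Category
    action = cat if cat is not None else sev
    if post_hotfix and action == IGNORE:
        return IGNORE_ALWAYS          # Ignore Always is also used for these overrides
    return action

def changed_by_hotfix(policy, detections):
    """List (category, severity, before, after) where the outcome differs."""
    out = []
    for category, severity in detections:
        before = effective_action(policy, category, severity, post_hotfix=False)
        after = effective_action(policy, category, severity, post_hotfix=True)
        if before != after:
            out.append((category, severity, before, after))
    return out

# Constructed sample policy and detections.
POLICY = {
    "threat": {"Sample.Adware.A": "Ignore", "Sample.Tool.B": "Quarantine",
               "Sample.Dialer.C": "Remove"},
    "category": {"CategoryX": "Remove"},
    "severity": {"Low": "Ignore", "High": "Quarantine"},
}
DETECTIONS = [("CategoryX", "Low"), ("CategoryX", "High"), ("CategoryY", "High")]

if __name__ == "__main__":
    kept, dropped = migrate_threat_overrides(POLICY["threat"])
    print("threat overrides kept:", kept)
    print("threat overrides to record before patching:", dropped)
    for row in changed_by_hotfix(POLICY, DETECTIONS):
        print("outcome changes:", row)
```

In the sample, the CategoryX/Low detection is the one to review: its Category override of Remove is superseded by the Severity override of Ignore once the hotfix is installed.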

To verify installation of this update, view the log file that is located in the following location:

\Microsoft Forefront\Client Security\Server\Logs\FCSMSPatch.log

is the location in which you installed FCS. The default location is Program Files.

Keywords: kbexpertiseinter kbexpertisebeginner kbqfe kbsecurity kbbug kbfix kbpubtypekc KB940060


© Microsoft Corporation. All rights reserved.