When you use Microsoft Forefront Client Security (FCS) Management Server, you experience the following symptoms.Symptom 1
When you enable SpyNet, FCS Management Server uses a blank proxy value as the default value.Note
See the "More Information" section for a description of the changes that have been made to the SpyNet setting.Symptom 2
When you set the Ignore
override policy setting, the client computer still receives notifications about potentially unwanted software. However, no alert is generated on the FCS management server based on the notification.Note
See the "More Information" section for a description of the changes that have been made to the way that FCS Management Server handles policies that include threat-level overrides.Symptom 3
Updates and hotfixes cannot be uninstalled on the FCS management server.
You cannot reinstall any FCS role after you install FCS server-side updates or hotfixes.
This hotfix removes any threat-level override settings that have been set. Therefore, we recommend that you note any Forefront Client Security policy override settings that you currently use before you apply this hotfix.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix. Note
If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note
The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
No prerequisites are required.
If associated services cannot be stopped or files cannot be replaced dynamically, you may have to restart the computer.
Hotfix replacement information
This hotfix replaces hotfix 936729.
Update removal information
This hotfix cannot be removed.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone
tab in the Date and Time
item in Control Panel.
Collapse this tableExpand this table
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Changes that have been made to the SpyNet setting
When you enable SpyNet, FCS Management Server uses the current Internet Explorer proxy as the default proxy.
Changes that have been made to the way that FCS Management Server handles policies that include threat-level overrides
We have made significant changes to the way that FCS Management Server handles policies that include threat-level overrides.
After you install this hotfix, you may receive the following message when you try to edit an existing policy for the first time:
The options that allow for threat-level overrides such as Remove
have been removed. Therefore, only previously created threat-level overrides that were set to Ignore
appear in the policy after you click OK
in this message. Additionally, the threat-level overrides that were set to Ignore
are converted to Ignore Always
override was designed to let the detected item run, to notify the user that potentially harmful software is running, and to create an event that is based on the detected item. The Ignore Always
override lets the item run. However, the Ignore Always
override does not notify the user. After you install the hotfix, threat-level overrides completely override the default response to the malicious software. Threat-level overrides let the malicious software run without notification to the user and without generating an alert on the FCS management server. After you view the policy, if the overrides are as you intend, you must save the policy and redeploy it. If only Ignore
threat-level overrides were present, and you not see this notification message when you edit the policy, you must still save the policy and redeploy it. You must do this because the default override response will be changed to Ignore Always
without sending a notification to the client computer.
The Ignore Always
override is also used in Severity
overrides. This is significant because before this update, Category
overrides always take precedence over Severity
overrides whether or not Ignore
is selected. This means that if a malware threat occurs with a category whose override includes Remove
while the severity is overridden to Ignore
, the Remove
action occurs. After you install this hotfix, Category
overrides still typically take precedence over Severity
overrides unless the Severity
override is Ignore
. In this case, even if a Category
override of Remove
is selected, the Severity
action is still taken because of the way that Ignore Always
To verify installation of this update, view the log file that is located in the following location:
<Install Path>\Microsoft Forefront\Client Security\Server\Logs\FCSMSPatch.log
is the location in which you installed FCS. The default location is Program Files.