Event IDs

Applies To: Forefront Client Security

This topic contains the following sections:

Data transfer job fails with event ID 81

Event ID 3002

Numerous 3004 events are logged with no corresponding action-taken events

3004 event is logged with no corresponding action event

Event ID 3006 incorrectly occurs

Event ID 5000 and 5001 occur periodically

Event ID 9029

Error 10002 occurs

Running a scan results in event ID 10004

Event ID 10016 occurs

On Demand scan produces 10096 and 10069 events on the MOM server

Agent installation fails with event ID 11724

Agent incoming queue data submission has been blocked with event IDs 21268 and 21269

Event ID 21711

Server outgoing data processing has been blocked with event ID 22061

Event ID 25100

Agents are rejected with event ID 26017

Data transfer job fails with event ID 81

If the collection database and the reporting database reside on different systems and the SQL Server Agent service is running as Local System on the server containing the reporting database, you may see the following error in the Application log:

Error message

Source: DataTransformationServices

ID: 81

Error Source: Microsoft Data Transformation Services (DTS) Package

Error Description: Package failed because Step 'DTSStep_DTSTransferObjectsTask_1' failed.

Error code: 80040428

Error Help File: sqldts80.hlp

Error Help Context ID: 700

Background

This error occurs when the account under which the SQL Server Agent service runs on the server that hosts the reporting database has no permissions on the collection database, which lives on the other server. This most frequently happens when the SQL Server Agent service is running as Local System, because that account has no identity on the remote computer.

Solution

It is recommended that the SQL Server Agent service account be a domain user account. If you are using an existing SQL Server computer for Client Security, you may not have the SQL Server Agent service using a domain user account.

For Client Security to work correctly, you must grant the account under which the SQL Server Agent service runs on the reporting server access to the collection database on the management, collection, and reporting servers. The DTS package that transfers data between the databases runs under that account, so this is what allows it to reach the collection database.

To grant permissions, do the following: on the management, collection, and reporting servers, add the domain user account that the SQL Server Agent service for the reporting database runs under to the SQLServer2005MSSQLUser$computername$MSSQLSERVER local group (where computername is the name of that server).

For more information about the recommended accounts for Client Security, see Installing and deploying Client Security (https://go.microsoft.com/fwlink/?LinkID=86650).

Event ID 3002

After installing the Client Security agent on computers running Windows XP Service Pack 2 (SP2), you may receive the following error in the System log of Event Viewer:

Error message

Event ID 3002: Microsoft Forefront Client Security Real-Time Protection agent has encountered an error and failed.

User: NT AUTHORITY\SYSTEM

Agent: OnAccessAgent

Error Code: 0x80070032

Error description: The request is not supported.

Background

When the Client Security agent is installed, a Windows XP hotfix (KB914882) is installed prior to the agent component. This is a required hotfix for Client Security to run on Windows XP SP2. However, clientsetup.exe does not restart the client system, which is required by the hotfix.

Solution

Restart the affected client computers.

Numerous 3004 events are logged with no corresponding action-taken events

You may receive a large number of detection events (3004) from the Real Time Protection component of the Client Security agent, with no corresponding action-taken events (3005 or 3006).

Background

This can occur if the Windows Indexing Service acts on a disk location that has malware on it and there is no user logged on to the computer. The auto-clean procedure of the Client Security agent requires interaction with the desktop, which is not possible if no one is logged on.

Solution

Have the user log on to the computer and run a quick scan.

3004 event is logged with no corresponding action event

You may see periodic instances of the Malware Detected event (3004) logged without a corresponding action succeeded (3005) or action failed (3006) event. Additionally, the status field in the 3004 events reports the threat as suspended.

Background

When a user attempts to access malware through Microsoft Internet Explorer®, the Client Security agent is called to evaluate the file. After the agent detects the malware (generating a 3004 event), Internet Explorer deletes the file before it can be cleaned by the agent, thereby skipping the 3005 event.

Solution

There is no action required on the part of the administrator, because the malware was removed.
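The two preceding sections describe 3004 events with no matching 3005 or 3006. The following PowerShell script is an added example, not code from the original page or from Client Security, that lists such orphaned detections so an administrator can decide which case applies (a logged-off user, who should log on and run a quick scan, or the Internet Explorer case, which needs no action). It assumes the agent writes these events to the System log, that the querying workstation runs PowerShell 3.0 or later, that remote event log access is enabled on the target, and that the correlation can be done by time alone, since the page does not document the message layout; the Status extraction at the end is an assumption about the message text and is informational only.

```powershell
# Added example (not from the original page). Finds Malware Detected (3004)
# events that were not followed by an action succeeded (3005) or failed (3006)
# event within a grace period. Assumptions: events are in the System log, the
# grace window is purely time based, and "Status:" in the message is optional.
function Get-OrphanDetections {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$GraceMinutes = 5,
        [int]$Days = 7
    )

    $filter = @{
        LogName   = 'System'
        Id        = 3004, 3005, 3006
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: Get-WinEvent throws when the filter matches nothing.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
              Sort-Object TimeCreated
    if (-not $events) { return }

    # Action events in time order; each may satisfy at most one detection.
    $actions  = [System.Collections.Generic.List[object]]::new()
    foreach ($e in $events) { if ($e.Id -ne 3004) { $actions.Add($e) } }
    $consumed = @{}

    foreach ($det in ($events | Where-Object Id -eq 3004)) {
        $deadline = $det.TimeCreated.AddMinutes($GraceMinutes)
        $matched  = $false
        for ($i = 0; $i -lt $actions.Count; $i++) {
            if ($consumed.ContainsKey($i)) { continue }
            $t = $actions[$i].TimeCreated
            if ($t -ge $det.TimeCreated -and $t -le $deadline) {
                $consumed[$i] = $true
                $matched = $true
                break
            }
        }
        if (-not $matched) {
            # Assumption: a "Status:" line exists in the message; empty if not.
            $status = if ($det.Message -match 'Status:\s*(.+)') { $Matches[1].Trim() } else { '' }
            [pscustomobject]@{
                Computer = $ComputerName
                Time     = $det.TimeCreated
                Status   = $status
                Summary  = ($det.Message -split "`n")[0].Trim()
            }
        }
    }
}

# Usage: list orphaned detections on the local computer for the last week.
Get-OrphanDetections | Format-Table -AutoSize
```

Run it against several agents by passing -ComputerName in a loop. A large batch of orphans timed while no one was logged on points at the Indexing Service case; isolated orphans whose status shows the threat as suspended match the Internet Explorer case the page describes.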

Event ID 3006 incorrectly occurs

In some instances, you may see event ID 3006 appear with the following information:

Error message

Microsoft Forefront Client Security Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software.

Error Code: 0x80508022

Error description: To finish removing spyware and other potentially unwanted software, restart the computer.

Solution

Restart the affected computers.

Event ID 5000 and 5001 occur periodically

You may see an error with event ID 5000 followed by an information event ID 5001.

Background

This pair of events is generated by the Antimalware Service when it reports statistics back to SpyNet. For more information about SpyNet, see Configuring SpyNet reporting in the Client Security Administration Guide (https://go.microsoft.com/fwlink/?LinkId=86670).

Note

The user is prompted for consent if there is any identifying personal data in the submission. If there is no identifying personal data and the user has selected the option to use SpyNet, there will be no prompt.

Solution

These messages can be ignored.

Event ID 9029

When opening either the MOM Administrator console or the MOM Operator console, you might receive the following error: "Error connecting to server: servername."

Additionally, event ID 9029 is logged in the Application log of Event Viewer.

Background

This error can occur when the password for the MOM action account has been changed.

Solution

Use the MOM tool SetActionAccount.exe to inform MOM of the new password. The SetActionAccount.exe tool can be found in the Client Security installation folder, in the following location:

Client Security\Server\Microsoft Operations Manager 2005

The tool uses the following command-line syntax:

SetActionAccount.exe <configname> <options>

Option                              Result

-query                              Returns the current action account settings.

-set domain username [password]     Changes the action account, setting it to the specified account. Use the computer name in place of the domain for local accounts.

Note

configname is the Management Group name and must be specified. Also, you must restart the MOM service for any changes to take effect.

Important

Event ID 9029 can also occur during the installation process, if insufficient permissions are granted to the accounts specified during setup. For more information, see Setup issues.

Error 10002 occurs

Immediately after completing installation of Client Security, but before you run the Configuration wizard, you may see the following error in the System log of Event Viewer:

Error message

Event Type:Error

Event Source:FcsMs

Event Category:None

Event ID:10002

Description:

The Management Server Service could not import the updated antimalware definition. The component reporting the error returned the following details:

Cannot open database "OnePoint" requested by the login. The login failed.

The details may also contain the following sentence: "Could not find stored procedure 'fcs_Get_AM_Version_Information'."

Background

Error 10002 occurs due to the installation of Client Security not being fully configured.

Solution

Run the Configuration wizard by launching the Client Security console for the first time.

Running a scan results in event ID 10004

When you attempt to run an SSA scan on a Client Security agent, the scan fails and logs event ID 10004, with the following text:

Error message

The Forefront Client Security State Assessment Service could not access the installation directory.

A scan will not be performed.

Background

This occurs when the Client Security State Assessment Service cannot read the install path in the registry.

Solution

In the registry, for the Security State Assessment Service, enter the correct installation folder.

To correct the registry information

  1. On the affected Client Security agent, find the location of the FcsSas.exe file.

  2. Click Start, click Run, type regedit, and click OK.

  3. Browse to the following location in the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Forefront\Client Security\1.0\SSA

  4. If InstallDir is missing, recreate it by clicking Edit, choose New, and choose String Value. Type InstallDir in the right pane and press Enter.

  5. In the right pane, double-click InstallDir.

  6. In the Edit String dialog box, in the Value data box, enter the path to the folder that contains FcsSas.exe (the folder, not the file name), including the trailing backslash (\), and then click OK.
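The same repair can be scripted for a fleet. The following PowerShell script is an added example, not code from the original page or from Client Security. It recovers the folder that holds FcsSas.exe from the service definition rather than guessing, and writes InstallDir with the trailing backslash the procedure above requires. It assumes FcsSas.exe is registered as a Windows service on the agent, that the registry key path is the one given above, and that the script runs in an elevated PowerShell session.

```powershell
# Added example (not from the original page). Repairs the InstallDir value read
# by the Security State Assessment Service. Assumptions: FcsSas.exe is the image
# of a registered service, and the session is elevated.
$SsaKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\SSA'

function Find-FcsSasFolder {
    # Prefer the service definition over a disk search: it is what Windows
    # actually launches, so it cannot point at a stale copy elsewhere on disk.
    $svc = Get-CimInstance Win32_Service -Filter "PathName LIKE '%FcsSas.exe%'" |
           Select-Object -First 1
    if ($null -eq $svc) {
        throw 'No service references FcsSas.exe; is the Client Security agent installed?'
    }
    # PathName may be quoted and may carry arguments, e.g. "C:\...\FcsSas.exe" -service
    $exe = $svc.PathName -replace '^"([^"]+)".*$', '$1'
    $exe = $exe -replace '\s+-.*$', ''
    if (-not (Test-Path -LiteralPath $exe)) {
        throw "Service points at '$exe' but that file does not exist."
    }
    return (Split-Path -Parent $exe)
}

function Repair-SsaInstallDir {
    param([string]$KeyPath = $SsaKey)

    $wanted = (Find-FcsSasFolder).TrimEnd('\') + '\'   # trailing backslash is required

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    $current = (Get-ItemProperty -LiteralPath $KeyPath -Name InstallDir -ErrorAction SilentlyContinue).InstallDir

    if ($current -eq $wanted) {
        Write-Host "InstallDir already correct: $current"
        return $current
    }
    Write-Host ("InstallDir was '{0}', setting to '{1}'" -f $current, $wanted)
    # New-ItemProperty with -Force creates the REG_SZ value or overwrites a wrong one.
    New-ItemProperty -LiteralPath $KeyPath -Name InstallDir -PropertyType String -Value $wanted -Force | Out-Null
    return $wanted
}

Repair-SsaInstallDir
```

After the value is corrected, re-run the SSA scan that failed; the script reports what it found and what it wrote so the change can be reviewed on each agent.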

Event ID 10016 occurs

In the System log of your reporting server, you may see event ID 10016 with information similar to the following:

Error message

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID

{BA126AD1-2166-11D1-B1D0-00805FC1270E}

to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.

Background

The "NETWORK SERVICE" account does not have Activate permissions in DCOM.

Solution

To resolve 10016 errors

  1. In Administrative Tools, open Component Services.

  2. In the tree, expand Component Services, expand Computers, expand My Computer, click DCOM Config.

  3. In the right pane, right-click the COM application labeled netman, and then click Properties.

  4. Click the Security tab, click Edit under Launch and Activation Permissions, and then in the Launch Permissions box, click Add.

  5. In the Select Users, Computers or Groups box, type network service and click OK.

  6. Under Permissions for NETWORK SERVICE, select the Allow check box for Remote Launch, Local Activation, and Remote Activation. Click OK to close the remaining dialog boxes.
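Before clicking through Component Services on many reporting servers, it helps to check which ones actually lack the permission. The following PowerShell script is an added example, not code from the original page or from Client Security. It resolves the AppID of the CLSID named in the 10016 event, reads the DCOM launch and activation descriptor through the Win32_DCOMApplicationSetting WMI class, and reports whether NT AUTHORITY\NETWORK SERVICE (S-1-5-20) holds Local Activation. It assumes the AppID is recorded under HKEY_CLASSES_ROOT\CLSID\{clsid}, that the COM_RIGHTS bit values in the script are the ones used in DCOM launch ACEs, and that it runs elevated.

```powershell
# Added example (not from the original page). Audits the DCOM launch and
# activation rights of NETWORK SERVICE on the netman COM server from the 10016
# event. Assumptions: AppID is stored under HKCR\CLSID\{clsid}; COM_RIGHTS bit
# values below; elevated session.
$Clsid             = '{BA126AD1-2166-11D1-B1D0-00805FC1270E}'
$NetworkServiceSid = 'S-1-5-20'

# COM_RIGHTS_* bits as they appear in the AccessMask of a DCOM launch ACE
$Rights = @{
    LocalLaunch      = 0x1
    RemoteLaunch     = 0x2
    LocalActivation  = 0x8
    RemoteActivation = 0x10
}

function Get-DcomLaunchRights {
    param([string]$Clsid, [string]$Sid)

    $appId = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid" -Name AppID -ErrorAction Stop).AppID
    $app   = Get-CimInstance -ClassName Win32_DCOMApplicationSetting -Filter "AppID='$appId'" -ErrorAction Stop
    if (-not $app) { throw "No DCOM application is registered for AppID $appId" }

    $sd = (Invoke-CimMethod -InputObject $app -MethodName GetLaunchSecurityDescriptor).Descriptor
    if (-not $sd -or -not $sd.DACL) {
        # No application-specific DACL: the machine-wide default applies instead.
        return [pscustomobject]@{ AppID = $appId; UsesDefault = $true; LocalActivation = $false }
    }

    $mask = 0
    foreach ($ace in $sd.DACL) {
        # AceType 0 is ACCESS_ALLOWED; only allow ACEs for the requested SID count.
        if ($ace.AceType -eq 0 -and $ace.Trustee.SIDString -eq $Sid) {
            $mask = $mask -bor $ace.AccessMask
        }
    }
    [pscustomobject]@{
        AppID            = $appId
        UsesDefault      = $false
        AccessMask       = ('0x{0:X}' -f $mask)
        LocalLaunch      = [bool]($mask -band $Rights.LocalLaunch)
        RemoteLaunch     = [bool]($mask -band $Rights.RemoteLaunch)
        LocalActivation  = [bool]($mask -band $Rights.LocalActivation)
        RemoteActivation = [bool]($mask -band $Rights.RemoteActivation)
    }
}

$result = Get-DcomLaunchRights -Clsid $Clsid -Sid $NetworkServiceSid
$result | Format-List
if ($result.UsesDefault -or -not $result.LocalActivation) {
    Write-Warning 'NETWORK SERVICE lacks Local Activation on this COM server; apply the Component Services steps above.'
}
```

The script only reads the descriptor; the change itself is still made through the Component Services steps above, which keeps the audit safe to run on every reporting server before anything is modified.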

On Demand scan produces 10096 and 10069 events on the MOM server

When Client Security is installed in a topology that separates the collection server from the Client Security console, running an On Demand scan causes two failed events to occur on the collection server. The first is event 10096, with the following error: "Create Process failed result = '9'". The second is event 10069, with the following error: "Error reading string from registry '2'".

Background

The Client Security agent is not automatically installed on the collection server. However, because the collection server runs MOM, it is considered to be a managed computer and is subject to any actions targeted to "all managed computers." The antimalware portion of the scan generates one set of these errors, and the security state assessment (SSA) scan generates a second set of these errors.

Solution

These errors can be ignored.

Agent installation fails with event ID 11724

Installation of the Client Security agent might fail with an error in the event log that contains the following text: "Product: Forefront Client Security -- Installation Operation Failed."

Solution

To determine the cause of the failure, on the client computer, in the Client Security installation folder, open the clientsetup.log file. If you did not specify a custom installation location when running clientsetup.exe, the log file is in the following location:

%ProgramFiles%\Microsoft Forefront\Client Security\Client\Logs

The clientsetup.log file lists the log file for the appropriate agent component that failed.

Agent incoming queue data submission has been blocked with event IDs 21268 and 21269

Periodically, the following events may be logged on the MOM agent (in the order listed):

Error message

Event ID 21268: The agent incoming queue data submission has been blocked. This may indicate that the queue does not have sufficient space or is unavailable to accept data.

Event ID 21269: The Agent incoming queue now has sufficient space or is available to process new data.

Background

This set of events can occur under heavy load or when the network connection to the MOM server is unavailable.

The MOM agent accumulates events and alerts to send to the MOM server in a queue. Normally, when the agent can communicate with the MOM server, the queue will not completely fill. However, when an agent is disconnected from its MOM server for an extended period of time or when there are a large number of events or alerts accumulating, the queue can become full. When that occurs, you will see the preceding events.

Note

It is important to note that if this situation continues for a long period of time, Client Security events and alerts (from the client) may be lost.

Solution

Investigate why the event is occurring. If the client computer has been disconnected from the network for a long period of time (such as when its user has been on vacation), there may be some alerts or events that are lost.

You can adjust the agent's queue-size parameters. This allows the agent to hold more temporary data should the agent be unable to communicate with the MOM server. You should set this value such that you no longer regularly get the agent queue full event. The default is 3,000 kilobytes (KB), so doubling that to 6,000 KB would allow twice the time to pass before the queue fills.

Before you can adjust the agent's queue size, you must first enable configuration changes.

To enable agent configuration changes

  1. On the management server, open the MOM Administrator console.

  2. In the tree, expand Administration and click Global Settings.

  3. In the details pane, double-click Management Servers and click the Heartbeat Checking tab.

  4. In the Interval to scan for agent heartbeats box, enter 602 and click OK.

To adjust the agent's queue size

  1. In the MOM Administrator console, in the tree, expand Administration and click Global Settings.

  2. In the details pane, double-click Agents and click the Temporary Storage tab.

  3. In the Maximum disk space box, enter the desired queue size and click OK.

After changing the agent queue size, resolve the alert in the MOM Operator console and monitor for future occurrences of the alert. Should the alert reappear, increase the queue size further.

Event ID 21711

After the second agent for Client Security is deployed, you might see event ID 21711 in the Application log:

Error message

There are x more managed computers in this management group than the number of specified MOM management licenses.

Where x is the number of clients you currently have deployed, minus one.

Background

The MOM server installation provided by Client Security is not configured for any specific number of client licenses.

Solution

To eliminate the error

  1. Open the MOM Administrator console. To do this, on the MOM server, click Start, point to All Programs, point to Microsoft Operations Manager 2005, and then click Administrator Console.

  2. Expand the Administration node and select Global Settings.

  3. In the right pane, double-click Licenses.

  4. On the Licenses tab, under Licenses Purchased, enter the number of client computers you are managing, and then click OK.

Server outgoing data processing has been blocked with event ID 22061

On the MOM server, you may see the following event:

Error message

Event ID 22061: The Server outgoing data processing has been blocked. This indicates problems with communication or database processing.

Background

This event occurs when the collection (OnePoint) database is unavailable or unable to handle the volume of data requests in its queue. This situation can occur with heavy data input or a large number of outstanding inserts into the database.

Data submitted to the Client Security database by client agents is first stored in a queue on the MOM server before being written to the database. If this queue becomes full, the server can no longer accept events and alerts from the agents.

Solution

If this is occurring as a normal operation scenario on the server, it may be advisable to move the SQL Server databases to faster disks or to augment the processing capabilities of the MOM server or the computer running SQL Server by adding additional processors.

Additionally, the MOM server's incoming queue size can be adjusted. You should size this queue such that you no longer receive this error. The default size is 30 megabytes (MB), and increasing the queue to 100 MB may help to reduce the queue issues.

To adjust the MOM server's incoming queue size

  1. On the management server, open the MOM Administrator console.

  2. In the tree, expand Administration and click Global Settings.

  3. In the details pane, double-click Management Servers and click the Temporary Storage tab.

  4. Enter a new value in the Maximum disk space field and click OK.

After changing the server queue size, resolve the alert in the MOM Operator console and monitor for future occurrences of the alert. Should the alert reappear, increase the queue size further.

For more information about MOM events, see Monitoring MOM (https://go.microsoft.com/fwlink/?LinkId=86549).

Event ID 25100

Event ID 25100 is logged from DCOM. The event contains the following error: "DCOM got error 'logon failure: unknown user name or bad password.'"

Background

This error indicates that the Data Access Server (DAS) account needs to be updated.

Solution

To change the DAS account information

  1. Click Start, point to Administrative Tools, and then click Component Services.

  2. In the tree, expand Component Services, expand Computers, expand My Computer, expand COM+ Applications, right-click Microsoft Operations Manager Data Access Server, and then click Properties.

  3. Click the Identity tab, enter the correct password, and then click OK.

For more information about updating Client Security service account passwords, see Updating service account passwords in the Client Security Administration Guide (https://go.microsoft.com/fwlink/?LinkId=86743).

Agents are rejected with event ID 26017

After installing the Client Security agent on client systems, you begin to see (in the Application log) agent rejection events with event ID 26017. Additionally, a MOM alert is raised and can be viewed in the MOM Operator console.

Solution

On the Agent Install tab of Management Servers properties, verify that the Reject new manual agent installations check box is cleared, and then restart the MOM service.