Client issues

Applies To: Forefront Client Security

This topic contains the following sections:

  • Windows Defender and Client Security are both running on Windows Vista

  • Client user not able to set the scan time

  • Client user can turn off scans

  • Excepted files do not remain excepted

  • Scheduled scans fail to run

  • Client Security UI will not open after installation

  • Update Now in the Windows Security Center does not work

  • Using fcslocalpolicytool.exe on localized Windows fails

  • Warnings are logged in client setup log during client installation

The Client Security agent consists of three components:

  • The Microsoft Forefront Client Security Antimalware Service (MsMpeng.exe)

  • The Microsoft Forefront Client Security State Assessment Service (FcsSas.exe)

  • The MOM agent (MOMHost.exe and MOMService.exe)

To begin determining the source of a problem on the client side, start Event Viewer and look in the logs for messages from the preceding services. The MOM agent logs errors, warnings, and informational data in the Application log. The Antimalware Service and the Security State Assessment Service log errors, warnings, and informational data in the System log.

Windows Defender and Client Security are both running on Windows Vista

Background

When you deploy the Client Security agent to a client computer running Windows Vista, Windows Defender is disabled. However, a Network Access Protection policy or similar technology may enable Defender again.

Additionally, when you upgrade a computer that already has Client Security installed from Windows XP to Windows Vista, Defender is still installed with Windows Vista. As a result, Defender and Client Security both run at the same time. This is an unsupported configuration, and Defender needs to be disabled via Group Policy.

Solution

Defender comes with an .adm file to use with Group Policy to control its behavior. Using this file, you can disable Defender.

To disable Defender via Group Policy

  1. On the client computer with Defender installed, browse to the Defender installation folder and copy the windowsdefender.adm file to a location accessible from the network.

  2. In Group Policy Object Editor, expand Computer Configuration, right-click Administrative Templates, and click Add/Remove Templates.

  3. In the Add/Remove Templates dialog box, click the Add button.

  4. In the Policy Templates dialog box, locate and select windowsdefender.adm, click Open, and then click Close in the Add/Remove Templates dialog box.

  5. In Group Policy Object Editor, expand Administrative Templates, expand Windows Components, and click Windows Defender.

  6. In the main pane, double-click Turn off Windows Defender, click Enabled, and then click OK.

    The Group Policy takes effect on the next Group Policy refresh interval.
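To confirm on a client that the policy has applied and that Defender is no longer running alongside Client Security, a check such as the following can be used. This is an added example, not part of the original topic; the registry key, the DisableAntiSpyware value name, and the WinDefend service name are not stated on this page and are assumptions about where the policy and the Defender service are found.

```powershell
# Added example (not from the original page). Run on the Windows Vista client
# after the next Group Policy refresh.
# Assumptions not stated on the page: the "Turn off Windows Defender" policy is
# stored as the DWORD value DisableAntiSpyware under the key below, and the
# Windows Defender service is named WinDefend.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Read the policy value; $null means the policy has not reached this computer.
$policy = Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
$policyValue = if ($policy) { $policy.DisableAntiSpyware } else { $null }

# Read the Defender service state; a missing service is reported as NotInstalled.
$service = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
$serviceStatus = if ($service) { $service.Status.ToString() } else { 'NotInstalled' }

$policyApplied   = ($policyValue -eq 1)
$defenderRunning = ($serviceStatus -eq 'Running')

# Classify the result so the unsupported "both running" case is easy to spot.
if ($policyApplied -and -not $defenderRunning) {
    $verdict = 'OK: policy applied and Defender is not running'
} elseif ($policyApplied) {
    $verdict = 'CHECK: policy applied but the Defender service is still running'
} elseif ($defenderRunning) {
    $verdict = 'FAIL: policy not applied and Defender is running'
} else {
    $verdict = 'CHECK: policy not applied; Defender is currently not running'
}

# Emit one object so the result can be collected from several clients.
New-Object PSObject -Property @{
    Computer        = $env:COMPUTERNAME
    PolicyValue     = $policyValue
    DefenderService = $serviceStatus
    Verdict         = $verdict
}
```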

Client user not able to set the scan time

Although you have allowed client users to schedule their own scans, users still might not be able to select a start time for the scans.

Background

To permit user-scheduled scans, you must change two start-time settings on the Protection tab of the New Policy or Edit Policy dialog boxes. If you set only the hour value to User controlled, client users will not be able to schedule scans.

Solution

In the relevant policy's Edit Policy dialog box, on the Protection tab, do one of the following:

  • For both Start time lists, select User controlled.

    Note

    This allows the user to turn off the Automatically scan my computer setting in the Client Security user interface (UI).

  • Select a day and time for scans.

Client user can turn off scans

Client users might be able to prevent their computers from being scanned.

Background

If client users are permitted to schedule scans, they are likewise permitted to turn them off.

Solution

In the relevant policy's Edit Policy dialog box, on the Protection tab, for both Start time lists, specify a day and time.

Excepted files do not remain excepted

When you select Always Allow to exempt a file or program from being detected and removed as malware, the exemption might not persist.

Background

There are various levels of user access and control that can be defined in the Client Security console. For users to be able to modify the list of exclusions, the administrator must select the Allow users to add exclusions and overrides option for the Client Security policy that applies to the clients.

Solution

In the relevant policy's Edit Policy dialog box, on the Protection tab, select the Allow users to add exclusions and overrides check box.

For more information about configuring policies, see Controlling the end-user experience in the Client Security Administration Guide (https://go.microsoft.com/fwlink/?LinkId=86661).

Scheduled scans fail to run

Scheduled scans might fail to start. No errors or events are logged by Client Security.

Background

Before you can deploy Client Security to the client computers, the Task Scheduler service must be running and properly configured to run tasks. If you stopped scheduled tasks manually from the Scheduled Tasks dialog box, the service stops and does not initialize the next time you start the computer. The service also might not start if it is not configured to log on as the local system account.

Solution

Verify that the Task Scheduler service is running.

To verify that the Task Scheduler service is running

  1. On the client computer, in the Computer Management snap-in, expand Services and Applications, and then click Services.

  2. Right-click the Task Scheduler service, and then click Properties.

  3. On the General tab, make sure that the startup type is set to Automatic and that the service status is Started. If the service is not running, click Start. Click OK.
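The same three conditions (service started, startup type Automatic, log on as the local system account) can be checked on several clients at once. This is an added example, not part of the original topic; it assumes Windows PowerShell with WMI access to the clients, and the service name Schedule and the function name Test-TaskSchedulerService are not taken from this page.

```powershell
# Added example (not from the original page).
# Assumptions: the Task Scheduler service is named 'Schedule', and the caller
# has rights to query WMI on each client. The function name is hypothetical.
function Test-TaskSchedulerService {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        $problems = @()
        try {
            $svc = Get-WmiObject -Class Win32_Service -Filter "Name='Schedule'" `
                -ComputerName $computer -ErrorAction Stop
        } catch {
            # Unreachable client or access denied: report it instead of stopping.
            $svc = $null
            $problems += "WMI query failed: $($_.Exception.Message)"
        }

        if ($svc) {
            # The three conditions described in the Background section.
            if ($svc.State -ne 'Running') {
                $problems += "service state is $($svc.State), expected Running"
            }
            if ($svc.StartMode -ne 'Auto') {
                $problems += "startup type is $($svc.StartMode), expected Auto"
            }
            if ($svc.StartName -ne 'LocalSystem') {
                $problems += "logs on as $($svc.StartName), expected LocalSystem"
            }
        } elseif ($problems.Count -eq 0) {
            $problems += 'Task Scheduler service not found'
        }

        # One result object per client; Ready is true only if nothing was flagged.
        New-Object PSObject -Property @{
            Computer = $computer
            Ready    = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }
}

# Check the local computer; pass -ComputerName with a list of client names
# to check several clients in one run.
Test-TaskSchedulerService
```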

Client Security UI will not open after installation

Immediately after installation, you might attempt to start the Client Security UI on a client computer running Windows Vista, but nothing happens.

Background

This occurs due to clientsetup.exe running in an elevated context on the Windows Vista operating system.

Solution

Do one of the following:

  • Log off and log back on.

  • Right-click the Client Security icon in the notification area, click Exit, and then from the Start menu, reopen Client Security.

Update Now in the Windows Security Center does not work

After installing the Client Security agent on Windows Vista, you are prompted by the Windows Security Center to update the antimalware definitions. Clicking the Update Now button should bring up the Client Security UI, but immediately after installation, it might do nothing.

Background

This occurs due to clientsetup.exe running as an elevated account.

Solution

Restart the client computer.

Using fcslocalpolicytool.exe on localized Windows fails

When deploying Client Security policies manually to computers running localized (non-English) Windows operating systems, fcslocalpolicytool.exe ignores the input of yes and repeatedly prompts for yes or no.

Solution

To work around this problem, run fcslocalpolicytool.exe with the /f option. The /f option suppresses the confirmation message, entering yes automatically.

Warnings are logged in client setup log during client installation

During client installation on certain versions of the Windows Vista operating system, the warning "Warning: This version of Vista is not supported" is logged during client setup.

As long as you are installing on a supported version of Windows Vista, you can disregard this message. For a list of supported versions, see Verifying your system requirements in the Client Security Deployment Guide.