Event issues
This topic contains the following sections:
Event ID 3002
Event ID 3006 incorrectly occurs
Event ID 5000 and 5001 occur periodically
Agent installation fails with event ID 11724
Running a scan results in event ID 10004
Event ID 3002
After installing the Client Security agent on computers running Windows XP Service Pack 2 (SP2), you may receive the following error in the System log of Event Viewer:
| Error message |
|---|
Event ID 3002: Microsoft Forefront Client Security Real-Time Protection agent has encountered an error and failed. User: NT AUTHORITY\SYSTEM Agent: OnAccessAgent Error Code: 0x80070032 Error description: The request is not supported. |
Background
When the Client Security agent is installed, a Windows XP hotfix (KB914882) is installed prior to the agent component. This is a required hotfix for Client Security to run on Windows XP SP2. However, clientsetup.exe does not restart the client system, which is required by the hotfix.
Solution
Restart the affected client computers.
Event ID 3006 incorrectly occurs
In some instances, you may see event ID 3006 appear with the following information:
| Error message |
|---|
Microsoft Forefront Client Security Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer. |
Solution
Restart the affected computers.
Event ID 5000 and 5001 occur periodically
You may see an error with event ID 5000 followed by an information event ID 5001.
Background
This pair of events is generated by the Antimalware Service when it reports statistics back to SpyNet. For more information about SpyNet, see Configuring SpyNet reporting in the Client Security Administrator's Guide (https://go.microsoft.com/fwlink/?LinkId=86670).
Note
The user is prompted for consent if there is any identifying personal data in the submission. If there is no identifying personal data and the user has selected the option to use SpyNet, there will be no prompt.
Solution
These messages can be ignored.
Agent installation fails with event ID 11724
Installation of the Client Security agent might fail with an error in the event log that contains the following text: "Product: Forefront Client Security -- Installation Operation Failed."
Solution
To determine the cause of the failure, on the client computer, in the Client Security installation folder, open the clientsetup.log file. If you did not specify a custom installation location when running clientsetup.exe, the log file is in the following location:
%Program Files%\Microsoft Forefront\Client Security\Client\Logs
The clientsetup.log file lists the log file for the appropriate agent component that failed.
Running a scan results in event ID 10004
When you attempt to run an SSA scan on a Client Security agent, the scan fails and logs event ID 10004, with the following text:
| Error message |
|---|
The Forefront Client Security State Assessment Service could not access the installation directory. A scan will not be performed. |
Background
This occurs when the Client Security State Assessment Service cannot read the install path in the registry.
Solution
In the registry, for the Security State Assessment Service, enter the correct installation folder.
To correct the registry information
On the affected Client Security agent, find the location of the FcsSas.exe file.
Click Start, click Run, type regedit, and click OK.
Browse to the following location in the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Forefront\Client Security\1.0\SSA
In the right pane, double-click InstallDir.
In the Edit String dialog box, in the Value Data box, enter the path to the FcsSas.exe file, and then click OK.