Event IDs
Applies To: Forefront Client Security
This topic contains the following sections:
Data transfer job fails with event ID 81
Event ID 3002
Numerous 3004 events are logged with no corresponding action-taken events
3004 event is logged with no corresponding action event
Event ID 3006 incorrectly occurs
Event ID 5000 and 5001 occur periodically
Event ID 9029
Error 10002 occurs
Running a scan results in event ID 10004
Event ID 10016 occurs
On Demand scan produces 10096 and 10069 events on the MOM server
Agent installation fails with event ID 11724
Agent incoming queue data submission has been blocked with event IDs 21268 and 21269
Event ID 21711
Server outgoing data processing has been blocked with event ID 22061
Event ID 25100
Agents are rejected with event ID 26017
Data transfer job fails with event ID 81
If the collection database and the reporting database reside on different systems and the SQL Server Agent service is running as Local System on the server containing the reporting database, you may see the following error in the Application log:
Error message |
---|
Source: DataTransformationServices ID: 81 Error Source: Microsoft Data Transformation Services (DTS) Package Error Description: Package failed because Step 'DTSStep_DTSTransferObjectsTask_1' failed. Error code: 80040428 Error Help File: sqldts80.hlp Error Help Context ID: 700 |
Background
This error occurs if the account that the SQL Server agent runs as on the server with the Reporting database does not have permissions to the collection database on the other server. This most frequently happens if the SQL Server agent is running as Local System.
Solution
It is recommended that the SQL Server Agent service account be a domain user account. If you are using an existing SQL Server computer for Client Security, you may not have the SQL Server Agent service using a domain user account.
For Client Security to work correctly, the account under which the SQL Server Agent service runs on the reporting server must have access to the collection database on each of the management, collection, and reporting servers. Granting that access is what allows the Client Security DTS package to read the collection database.
To grant permissions, do the following: on the management, collection, and reporting servers, add the domain user account that the SQL Server Agent service for the reporting database runs under to the local group SQLServer2005MSSQLUser$computername$MSSQLSERVER, where computername is the name of that server (the last component is MSSQLSERVER for a default instance).
For more information about the recommended accounts for Client Security, see Installing and deploying Client Security (https://go.microsoft.com/fwlink/?LinkID=86650).
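The following PowerShell function is an added example, not part of the original Client Security documentation. It checks the two conditions the background and solution above describe: which account the SQL Server Agent service runs as on each server (flagging Local System), and whether the reporting server's agent account is already a member of the SQLServer2005MSSQLUser$computername$MSSQLSERVER group on each of the management, collection, and reporting servers. It assumes a default (unnamed) SQL Server 2005 instance, so the service is SQLSERVERAGENT; the server and account names in the usage line are placeholders.

```powershell
# Added example (not from the Forefront Client Security documentation).
# Assumptions: default SQL Server 2005 instance (service SQLSERVERAGENT,
# group SQLServer2005MSSQLUser$<host>$MSSQLSERVER); WMI and ADSI reachable
# on each server; $AgentAccount is DOMAIN\user of the reporting server's
# SQL Server Agent service account.
function Test-FcsSqlAgentAccount {
    param(
        [Parameter(Mandatory)] [string] $AgentAccount,
        [string[]] $Servers = @($env:COMPUTERNAME)
    )
    foreach ($server in $Servers) {
        # Which identity does SQL Server Agent run as on this server?
        $svc    = Get-WmiObject Win32_Service -ComputerName $server -Filter "Name='SQLSERVERAGENT'"
        $runsAs = if ($svc) { $svc.StartName } else { '(SQLSERVERAGENT not found)' }

        # Local group that SQL Server 2005 setup creates for its service accounts.
        $groupName = 'SQLServer2005MSSQLUser${0}$MSSQLSERVER' -f $server
        $members   = @()
        try {
            $group   = [ADSI]"WinNT://$server/$groupName,group"
            $members = @($group.psbase.Invoke('Members') | ForEach-Object {
                # ADsPath is WinNT://DOMAIN/name; normalise to DOMAIN\name.
                $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
                ($path -replace '^WinNT://', '') -replace '/', '\'
            })
        } catch {
            Write-Warning "Could not read group $groupName on ${server}: $_"
        }

        [pscustomobject]@{
            Server            = $server
            AgentRunsAs       = $runsAs
            RunsAsLocalSystem = ($runsAs -eq 'LocalSystem')   # the misconfiguration behind event 81
            Group             = $groupName
            AccountIsMember   = ($members -contains $AgentAccount)
        }
    }
}

# Placeholder names; replace with the reporting server's agent account and your servers.
Test-FcsSqlAgentAccount -AgentAccount 'CONTOSO\svc-fcs-sqlagent' -Servers 'FCS-MGMT', 'FCS-COLL', 'FCS-RPT' |
    Format-Table -AutoSize
```

Run it from an account that can query WMI and read local group membership on each server. A row with RunsAsLocalSystem set to True on the reporting server, or AccountIsMember set to False on any server, identifies the condition that produces event ID 81.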
Event ID 3002
After installing the Client Security agent on computers running Windows XP Service Pack 2 (SP2), you may receive the following error in the System log of Event Viewer:
Error message |
---|
Event ID 3002: Microsoft Forefront Client Security Real-Time Protection agent has encountered an error and failed. User: NT AUTHORITY\SYSTEM Agent: OnAccessAgent Error Code: 0x80070032 Error description: The request is not supported. |
Background
When the Client Security agent is installed, a Windows XP hotfix (KB914882) is installed prior to the agent component. This is a required hotfix for Client Security to run on Windows XP SP2. However, clientsetup.exe does not restart the client system, which is required by the hotfix.
Solution
Restart the affected client computers.
Numerous 3004 events are logged with no corresponding action-taken events
You may receive a large number of detection events (3004) from the Real Time Protection component of the Client Security agent, with no corresponding action-taken events (3005 or 3006).
Background
This can occur if the Windows Indexing Service acts on a disk location that has malware on it and there is no user logged on to the computer. The auto-clean procedure of the Client Security agent requires interaction with the desktop, which is not possible if no one is logged on.
Solution
Have the user log on to the computer and run a quick scan.
3004 event is logged with no corresponding action event
You may see periodic instances of the Malware Detected event (3004) logged without a corresponding action succeeded (3005) or failed (3006). Additionally, the status field in the 3004 events indicates that the thread is suspended.
Background
When a user attempts to access malware through Microsoft Internet Explorer®, the Client Security agent is called to evaluate the file. After the agent detects the malware (generating a 3004 event), Internet Explorer deletes the file before it can be cleaned by the agent, thereby skipping the 3005 event.
Solution
There is no action required on the part of the administrator, because the malware was removed.
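The two cases above (detections logged while no user is logged on, and detections that Internet Explorer resolves before the agent can act) both show up as 3004 events with no following 3005 or 3006. The PowerShell function below is an added example, not from the original page or the product: it pairs each 3004 with a later 3005/3006 and reports the unpaired ones, using the "suspended" status text the second case describes to separate the benign browser case from the one that needs a user to log on and run a quick scan. The pairing window, the heuristic that an action event closes the most recent open detection, and the sample event text are assumptions of this example; the sample records are constructed and only stand in for what Get-WinEvent returns.

```powershell
# Added example (not part of the Client Security documentation).
# Assumptions: events are objects with Id, TimeCreated and Message
# (the shape Get-WinEvent returns); $WindowSeconds is an arbitrary
# pairing window, not a product setting; PowerShell 3.0 or later.
function Get-UnpairedDetections {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowSeconds = 300
    )
    $pending  = New-Object System.Collections.ArrayList   # open 3004s, oldest first
    $unpaired = New-Object System.Collections.ArrayList

    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        # Expire detections whose window passed without an action event.
        while ($pending.Count -gt 0 -and
               ($e.TimeCreated - $pending[0].TimeCreated).TotalSeconds -gt $WindowSeconds) {
            [void]$unpaired.Add($pending[0]); $pending.RemoveAt(0)
        }
        switch ($e.Id) {
            3004 { [void]$pending.Add($e) }
            { $_ -eq 3005 -or $_ -eq 3006 } {
                # Heuristic: an action event closes the most recent open detection.
                if ($pending.Count -gt 0) { $pending.RemoveAt($pending.Count - 1) }
            }
        }
    }
    foreach ($p in $pending) { [void]$unpaired.Add($p) }   # still open at end of log

    $unpaired | ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            LikelyCause = if ($_.Message -match 'suspended') {
                              'Browser removed the file before cleaning; no action needed'
                          } else {
                              'No action taken; check whether a user was logged on, then run a quick scan'
                          }
        }
    }
}

# Constructed sample records standing in for real events; the Message text is
# an approximation, not the product's exact wording. Against a live system use:
#   Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 3004, 3005, 3006 }
$t0 = Get-Date '2008-01-10 08:00:00'
$sample = @(
    [pscustomobject]@{ Id = 3004; TimeCreated = $t0;                 Message = 'Malware Detected ... Status: Suspended' }
    [pscustomobject]@{ Id = 3004; TimeCreated = $t0.AddMinutes(1);   Message = 'Malware Detected ... Status: Not Applicable' }
    [pscustomobject]@{ Id = 3005; TimeCreated = $t0.AddMinutes(1.5); Message = 'Action Taken ... Succeeded' }
    [pscustomobject]@{ Id = 3004; TimeCreated = $t0.AddMinutes(30);  Message = 'Malware Detected ... Status: Not Applicable' }
)
Get-UnpairedDetections -Events $sample | Format-Table -AutoSize
```

With the constructed input, the 3005 closes the second detection, so the report lists the suspended detection at 08:00 (browser case) and the detection at 08:30 that never received an action event. A steady stream of the second kind from one computer with no user logged on is the Indexing Service case described above.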
Event ID 3006 incorrectly occurs
In some instances, you may see event ID 3006 appear with the following information:
Error message |
---|
Microsoft Forefront Client Security Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. Error Code: 0x80508022 Error description: To finish removing spyware and other potentially unwanted software, restart the computer. |
Solution
Restart the affected computers.
Event ID 5000 and 5001 occur periodically
You may see an error with event ID 5000 followed by an information event ID 5001.
Background
This pair of events is generated by the Antimalware Service when it reports statistics back to SpyNet. For more information about SpyNet, see Configuring SpyNet reporting in the Client Security Administration Guide (https://go.microsoft.com/fwlink/?LinkId=86670).
Note
The user is prompted for consent if there is any identifying personal data in the submission. If there is no identifying personal data and the user has selected the option to use SpyNet, there will be no prompt.
Solution
These messages can be ignored.
Event ID 9029
When opening either the MOM Administrator console or the MOM Operator console, you might receive the following error: "Error connecting to server: servername."
Additionally, event ID 9029 is logged in the Application log of Event Viewer.
Background
This error can occur when the password for the MOM action account has been changed.
Solution
Use the MOM tool SetActionAccount.exe to inform MOM of the new password. The SetActionAccount.exe tool can be found in the Client Security installation folder, in the following location:
Client Security\Server\Microsoft Operations Manager 2005
The tool uses the following command-line syntax:
SetActionAccount.exe <configname> <options>
Option | Result
---|---
-query | Returns the current action account settings.
-set domain username [password] | Changes the action account, setting it to the specified account. Use the computer name in place of the domain for local accounts.
Note
configname is the Management Group name and must be specified. Also, you must restart the MOM service for any changes to take effect.
Important
Event ID 9029 can also occur during the installation process, if insufficient permissions are granted to the accounts specified during setup. For more information, see Setup issues.
Error 10002 occurs
Immediately after completing installation of Client Security, but before you run the Configuration wizard, you may see the following error in the System log of Event Viewer:
Error message |
---|
Event Type: Error Event Source: FcsMs Event Category: None Event ID: 10002 Description: The Management Server Service could not import the updated antimalware definition. The component reporting the error returned the following details: Cannot open database "OnePoint" requested by the login. The login failed. |
The details may also contain the following sentence: "Could not find stored procedure 'fcs_Get_AM_Version_Information'."
Background
Error 10002 occurs due to the installation of Client Security not being fully configured.
Solution
Run the Configuration wizard by launching the Client Security console for the first time.
Running a scan results in event ID 10004
When you attempt to run an SSA scan on a Client Security agent, the scan fails and logs event ID 10004, with the following text:
Error message |
---|
The Forefront Client Security State Assessment Service could not access the installation directory. A scan will not be performed. |
Background
This occurs when the Client Security State Assessment Service cannot read the install path in the registry.
Solution
In the registry, set the InstallDir value for the Security State Assessment Service to the correct installation folder.
To correct the registry information
On the affected Client Security agent, find the location of the FcsSas.exe file.
Click Start, click Run, type regedit, and click OK.
Browse to the following location in the registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Forefront\Client Security\1.0\SSA
If InstallDir is missing, recreate it: on the Edit menu, point to New, click String Value, type InstallDir as the value name, and press Enter.
In the right pane, double-click InstallDir.
In the Edit String dialog box, in the Value data box, enter the path of the folder that contains FcsSas.exe, including the trailing backslash (\), and then click OK.
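The same repair, scripted, as an added example that is not part of the original page. The function locates FcsSas.exe under the client installation folder, recreates the SSA key if it is absent, and writes InstallDir with the trailing backslash the service expects. The default search root is an assumption for a default installation; pass the custom path if clientsetup.exe was run with a different location, and run it elevated because it writes under HKLM.

```powershell
# Added example (not from the Client Security documentation).
# Assumptions: default installation root under %ProgramFiles%; the
# registry path is the one given in the procedure above; run elevated.
function Repair-SsaInstallDir {
    param(
        [string] $SearchRoot = "$env:ProgramFiles\Microsoft Forefront\Client Security",
        [string] $KeyPath    = 'HKLM:\SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\SSA'
    )
    # Find the State Assessment Service binary; its folder is the value we need.
    $exe = Get-ChildItem -Path $SearchRoot -Filter FcsSas.exe -Recurse -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if (-not $exe) { throw "FcsSas.exe not found under $SearchRoot" }

    # The service reads the folder with a trailing backslash; normalise to exactly one.
    $installDir = $exe.DirectoryName.TrimEnd('\') + '\'

    # Recreate the key (and any missing parents) if it does not exist.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }

    $current = (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue).InstallDir
    if ($current -ne $installDir) {
        # REG_SZ value, matching what the manual procedure creates.
        Set-ItemProperty -Path $KeyPath -Name InstallDir -Value $installDir -Type String
        Write-Verbose "InstallDir set to '$installDir' (was '$current')"
    }
    return $installDir
}

Repair-SsaInstallDir -Verbose
```

The function returns the path it wrote, so a second run on the same computer makes no change and returns the same value, which is a convenient way to confirm the fix before re-running the SSA scan.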
Event ID 10016 occurs
In the System log of your reporting server, you may see event ID 10016 with information similar to the following:
Error message |
---|
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {BA126AD1-2166-11D1-B1D0-00805FC1270E} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool. |
Background
The NETWORK SERVICE account does not have Local Activation permission on the netman DCOM application (CLSID {BA126AD1-2166-11D1-B1D0-00805FC1270E}), so the COM server cannot be activated on its behalf.
Solution
To resolve 10016 errors
In Administrative Tools, open Component Services.
In the tree, expand Component Services, expand Computers, expand My Computer, click DCOM Config.
In the right pane, right-click the COM application labeled netman, and then click Properties.
Click the Security tab, click Edit under Launch and Activation Permissions, and then in the Launch Permissions box, click Add.
In the Select Users, Computers or Groups box, type network service and click OK.
Under Permissions for NETWORK SERVICE, select the Allow check box for Remote Launch, Local Activation, and Remote Activation. Click OK to close the remaining dialog boxes.
Note that Local Activation is the only permission the event reports as missing; the two Remote permissions are not needed to clear this event and widen the remote DCOM exposure of the netman application, so grant only Local Activation unless you have another reason to allow remote launch or activation.
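To verify the DCOM permissions before and after the change without clicking through Component Services, the following PowerShell function is an added example (not part of the original page). It follows the CLSID named in the event to its AppID, reads the LaunchPermission security descriptor (falling back to the machine-wide default when the application has none), and reports which launch and activation rights NETWORK SERVICE (S-1-5-20) actually holds. The bit values are the COM_RIGHTS_* constants from the Windows SDK; the legacy interpretation of a bare COM_RIGHTS_EXECUTE is stated as that interpretation in the code.

```powershell
# Added example (not from the Client Security documentation).
# Assumptions: the CLSID from event 10016 and SID S-1-5-20 (NETWORK SERVICE);
# requires only read access to HKCR and HKLM.
function Get-DcomLaunchRights {
    param(
        [string] $Clsid = '{BA126AD1-2166-11D1-B1D0-00805FC1270E}',
        [string] $Sid   = 'S-1-5-20'
    )
    # Launch/activation access-mask bits (COM_RIGHTS_* from the SDK).
    $rights = [ordered]@{
        LocalLaunch      = 0x2    # COM_RIGHTS_EXECUTE_LOCAL
        RemoteLaunch     = 0x4    # COM_RIGHTS_EXECUTE_REMOTE
        LocalActivation  = 0x8    # COM_RIGHTS_ACTIVATE_LOCAL
        RemoteActivation = 0x10   # COM_RIGHTS_ACTIVATE_REMOTE
    }

    # The CLSID key names the AppID that carries the DCOM ACLs.
    $appId = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid" -ErrorAction Stop).AppID
    if (-not $appId) { throw "CLSID $Clsid has no AppID value" }

    $raw = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\AppID\$appId" -ErrorAction SilentlyContinue).LaunchPermission
    if ($raw) {
        $source = "AppID $appId LaunchPermission"
    } else {
        # No per-application ACL: the machine-wide default applies.
        $raw    = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole').DefaultLaunchPermission
        $source = 'machine default (HKLM\SOFTWARE\Microsoft\Ole\DefaultLaunchPermission)'
    }

    # REG_BINARY holds a self-relative security descriptor.
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $raw, 0
    $mask = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $ace.SecurityIdentifier.Value -eq $Sid) {
            $mask = $mask -bor $ace.AccessMask
        }
    }
    # Legacy ACE: COM_RIGHTS_EXECUTE (0x1) alone is interpreted as all four rights.
    if (($mask -band 0x1) -and -not ($mask -band 0x1E)) { $mask = 0x1F }

    $result = [ordered]@{ Source = $source; Dacl = $sd.GetSddlForm('Dacl') }
    foreach ($name in $rights.Keys) { $result[$name] = (($mask -band $rights[$name]) -ne 0) }
    [pscustomobject]$result
}

Get-DcomLaunchRights | Format-List
```

On an affected reporting server the output shows LocalActivation as False for S-1-5-20; after the Component Services change it reads True, and the DACL string shows the new ACE. Running it before making the change also tells you whether the application has its own LaunchPermission or is inheriting the machine default, which determines where your edit will land.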
On Demand scan produces 10096 and 10069 events on the MOM server
When Client Security is installed in a topology that separates the collection server from the Client Security console, running an On Demand scan causes two failed events to occur on the collection server. The first is event 10096, with the following error: "Create Process failed result = '9'". The second is event 10069, with the following error: "Error reading string from registry '2'".
Background
The Client Security agent is not automatically installed on the collection server. However, because the collection server runs MOM, it is considered to be a managed computer and is subject to any actions targeted to "all managed computers." The antimalware portion of the scan generates one set of these errors, and the security state assessment (SSA) scan generates a second set of these errors.
Solution
These errors can be ignored.
Agent installation fails with event ID 11724
Installation of the Client Security agent might fail with an error in the event log that contains the following text: "Product: Forefront Client Security -- Installation Operation Failed."
Solution
To determine the cause of the failure, on the client computer, in the Client Security installation folder, open the clientsetup.log file. If you did not specify a custom installation location when running clientsetup.exe, the log file is in the following location:
%ProgramFiles%\Microsoft Forefront\Client Security\Client\Logs
The clientsetup.log file lists the log file for the appropriate agent component that failed.
Agent incoming queue data submission has been blocked with event IDs 21268 and 21269
Periodically, the following events may be logged on the MOM agent (in the order listed):
Error message |
---|
Event ID 21268: The agent incoming queue data submission has been blocked. This may indicate that the queue does not have sufficient space or is unavailable to accept data. Event ID 21269: The Agent incoming queue now has sufficient space or is available to process new data. |
Background
This set of events can occur under heavy load or when the network connection to the MOM server is unavailable.
The MOM agent accumulates events and alerts to send to the MOM server in a queue. Normally, when the agent can communicate with the MOM server, the queue will not completely fill. However, when an agent is disconnected from its MOM server for an extended period of time or when there are a large number of events or alerts accumulating, the queue can become full. When that occurs, you will see the preceding events.
Note
It is important to note that if this situation continues for a long period of time, Client Security events and alerts (from the client) may be lost.
Solution
Investigate why the event is occurring. If the client computer has been disconnected from the network for a long period of time (such as when its user has been on vacation), there may be some alerts or events that are lost.
You can adjust the agent's queue-size parameters. This allows the agent to hold more temporary data should the agent be unable to communicate with the MOM server. You should set this value such that you no longer regularly get the agent queue full event. The default is 3,000 kilobytes (KB), so doubling that to 6,000 KB would allow twice the time to pass before the queue fills.
Before you can adjust the agent's queue size, you must first enable configuration changes.
To enable agent configuration changes
On the management server, open the MOM Administrator console.
In the tree, expand Administration and click Global Settings.
In the details pane, double-click Management Servers and click the Heartbeat Checking tab.
In the Interval to scan for agent heartbeats box, enter 602 and click OK.
To adjust the agent's queue size
In the MOM Administrator console, in the tree, expand Administration and click Global Settings.
In the details pane, double-click Agents and click the Temporary Storage tab.
In the Maximum disk space box, enter the desired queue size and click OK.
After changing the agent queue size, resolve the alert in the MOM Operator console and monitor for future occurrences of the alert. Should the alert reappear, increase the queue size further.
Event ID 21711
After the second agent for Client Security is deployed, you might see event ID 21711 in the Application log:
Error message |
---|
There are x more managed computers in this management group than the number of specified MOM management licenses. |
Where x is the number of clients you currently have deployed, minus one.
Background
The MOM server installation provided by Client Security is not configured for any specific number of client licenses.
Solution
To eliminate the error
Open the MOM Administrator console. To do this, on the MOM server, click Start, point to All Programs, point to Microsoft Operations Manager 2005, and then click Administrator Console.
Expand the Administration node and select Global Settings.
In the right pane, double-click Licenses.
On the Licenses tab, under Licenses Purchased, enter the number of client computers you are managing, and then click OK.
Server outgoing data processing has been blocked with event ID 22061
On the MOM server, you may see the following event:
Error message |
---|
Event ID 22061: The Server outgoing data processing has been blocked. This indicates problems with communication or database processing. |
Background
This event occurs when the collection (OnePoint) database is unavailable or unable to handle the volume of data requests in its queue. This situation can occur with heavy data input or a large number of outstanding inserts into the database.
Data submitted to the Client Security database by client agents is first stored in a queue on the MOM server before being written to the database. If this queue becomes full, the server can no longer accept events and alerts from the agents.
Solution
If this occurs during normal operation of the server, consider moving the SQL Server databases to faster disks, or adding processors to the MOM server or the computer running SQL Server.
Additionally, the MOM server's incoming queue size can be adjusted. You should size this queue such that you no longer receive this error. The default size is 30 megabytes (MB), and increasing the queue to 100 MB may help to reduce the queue issues.
To adjust the MOM server's incoming queue size
On the management server, open the MOM Administrator console.
In the tree, expand Administration and click Global Settings.
In the details pane, double-click Management Servers and click the Temporary Storage tab.
Enter a new value in the Maximum disk space field and click OK.
After changing the server queue size, resolve the alert in the MOM Operator console and monitor for future occurrences of the alert. Should the alert reappear, increase the queue size further.
For more information about MOM events, see Monitoring MOM (https://go.microsoft.com/fwlink/?LinkId=86549).
Event ID 25100
Event ID 25100 is logged from DCOM. The event contains the following error: "DCOM got error 'logon failure: unknown user name or bad password.'"
Background
This error indicates that the Data Access Server (DAS) account needs to be updated.
Solution
To change the DAS account information
Click Start, point to Administrative Tools, and then click Component Services.
In the tree, expand Component Services, expand Computers, expand My Computer, expand COM+ Applications, right-click Microsoft Operations Manager Data Access Server, and then click Properties.
Click the Identity tab, enter the correct password, and then click OK.
For more information about updating Client Security service account passwords, see Updating service account passwords in the Client Security Administration Guide (https://go.microsoft.com/fwlink/?LinkId=86743).
Agents are rejected with event ID 26017
After installing the Client Security agent on client systems, you begin to see (in the Application log) agent rejection events with event ID 26017. Additionally, a MOM alert is raised and can be viewed in the MOM Operator console.
Solution
On the Agent Install tab of Management Servers properties, verify that the Reject new manual agent installations check box is cleared, and then restart the MOM service.