Various information on antivirus related products

Forefront Client Security – problems updating

I have just had a few servers that have somehow failed to update their Forefront Client Security client software 🙁 The problem seems to be that Forefront cannot stop the FCSAM service while updating: the service is stuck on “Stopping”, and neither taskkill nor any other utility seems able to kill it.

The errors in the event log go something along these lines:

Microsoft Forefront Client Security Antimalware Service
Error 1921. Service  'Microsoft Forefront Client Security
Antimalware Service' (FCSAM) could not be  stopped.

I have tried uninstalling, rebooting and reinstalling, but this did not help.

The suggested workaround is to set the FCSAM service to Manual, reboot, upgrade, and then set the service back to Automatic. However, this only works for now and thus only postpones the problem.

I have found this article on a similar problem, which I will try tomorrow; it includes some additional cleanup steps,
e.g. issuing the command: sc delete fcsam

I will also try to slipstream the installation of Forefront Client Security before I retry the re-installation; a description of how to do this is here (mind you, use the latest update and not the one the article refers to).
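The workaround above (set the service to Manual, reboot, update, set it back to Automatic) is easy to get half-done and then forget about, leaving a server without its antimalware service autostarting. The following script is an added example, not code from the original post or from Microsoft: it reports whether FCSAM is in the stuck “Stop Pending” state and applies the two start-type changes as separate phases. The service short name FCSAM is taken from the event-log error text; that it is the name to use with Set-Service is an assumption. It needs an elevated Windows PowerShell 3.0 or later prompt.

```powershell
# Added example, not from the original post: inspect the FCSAM service and
# apply the "Manual -> reboot -> update -> Automatic" workaround described above.
# Assumption: the service short name is FCSAM, as in the event-log error text.
param(
    [Parameter(Mandatory=$true)]
    [ValidateSet('Status', 'PrepareForUpdate', 'RestoreAutomatic')]
    [string]$Phase,
    [string]$ServiceName = 'FCSAM'
)

function Get-FcsServiceInfo {
    param([string]$Name)
    # Win32_Service exposes StartMode, State and ProcessId together, which a
    # plain Get-Service call does not on the Windows versions of that era.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found on this machine." }
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State       # Running, Stopped, Stop Pending, ...
        StartMode = $svc.StartMode   # Auto, Manual, Disabled
        ProcessId = $svc.ProcessId
    }
}

switch ($Phase) {
    'Status' {
        $info = Get-FcsServiceInfo -Name $ServiceName
        $info | Format-List
        if ($info.State -eq 'Stop Pending') {
            # The stuck state from the post: the service control manager has
            # asked the service to stop, but the process never completes it.
            Write-Warning ("$ServiceName is stuck in Stop Pending (PID $($info.ProcessId)); " +
                           "the client update will fail with error 1921 until the machine is rebooted.")
        }
    }
    'PrepareForUpdate' {
        # Step 1 of the workaround: keep the service from starting at the next
        # boot, so the update does not have to stop it.
        Set-Service -Name $ServiceName -StartupType Manual
        Write-Host ("$ServiceName start type set to Manual. Reboot, run the client update, " +
                    "then run this script again with -Phase RestoreAutomatic.")
    }
    'RestoreAutomatic' {
        # Final step: put the service back to Automatic and start it, so the
        # server is not left without real-time protection after the update.
        Set-Service -Name $ServiceName -StartupType Automatic
        Start-Service -Name $ServiceName
        $info = Get-FcsServiceInfo -Name $ServiceName
        Write-Host "$ServiceName is now $($info.State) with start mode $($info.StartMode)."
    }
}
```

Run it as `.\fcs-update-workaround.ps1 -Phase Status` first; the Status phase is read-only, and the warning it prints is the cheapest way to tell, across many servers, which ones are going to hit error 1921 before you start an update round.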

AV slowdown comparison

AV-Comparatives, www.av-comparatives.org, has made a rather interesting comparison of how much different AV products slow down your machine; besides the technical comparison they also offer some general advice on how to optimize your experience with AV products in general. Interesting reading; get their PDF here.

A summary of their findings (higher is better):

  • AVIRA AntiVir Premium 9.0 – 199 points
  • Kingsoft Antivirus 9 Plus – 196 points
  • F-Secure Anti-Virus 2010 – 195 points
  • Kaspersky Anti-Virus 2010 – 193 points
  • Sophos Anti-Virus 9.0.1 – 193 points
  • Microsoft Security Essentials 1.0 – 190 points
  • avast! Free 5.0 – 188 points
  • Symantec Norton AntiVirus 2010 – 188 points
  • ESET NOD32 Antivirus 4.0 – 183 points
  • McAfee VirusScan Plus 2010 – 174 points
  • Norman Antivirus & AntiSpyware 7.30 – 169 points
  • AVG Anti-Virus 9.0 – 164 points
  • BitDefender Antivirus 2010 – 154 points
  • G DATA AntiVirus 2010 – 152 points
  • eScan AntiVirus 10.0 – 137 points
  • Trustport Antivirus 2010 – 125 points

Avast amok

The popular Avast antivirus went amok yesterday after a bug in a definition file: it started detecting hundreds of files as infected with Win32:Delf-MZG.

For cleanup instructions and an explanation, go here:
http://forum.avast.com/index.php?topic=51647

F-Secure antivirus boot CD 3.11

When trying to get rid of a virus it is often a good idea to scan using a boot CD, as some viruses/rootkits bury themselves so deep that even the best antivirus can't detect them. Sadly very few CDs are commercially available, and most of them require regular updates to always have the latest definitions.

A friend of mine, Torben Grøn, pointed out that he had just stumbled across:

http://www.f-secure.com/linux-weblog/2009/09/22/rescue-cd-311/

Now this is interesting: F-Secure is an old player on the AV market and usually makes good stuff, and it would appear this is no exception. It is a Linux boot CD that can scan NTFS partitions, and the clever part is that it actually downloads the latest definition files before it begins scanning. One minor “issue” though: it will rename file extensions to .virus if a file is infected, and this is also true for system files; thus you can ‘damage’ your Windows installation and make it non-bootable, which can be a problem for novice users.

Other than that it offers some extra recovery utilities for pictures etc. Absolutely worth a look.

Update:
You may also want to give this a spin; I just learned about it:
http://trinityhome.org/Home/index.php?wpid=1&front_id=12

Panda Cloud Antivirus. Version 1.0 is finally here!

From Panda’s Cloud Antivirus blog:

First of many thanks to the millions of beta testers and specifically to those who have given us feedback and helped improve the product. We think we have fixed all the issues you have reported.

If you have any of the previous versions installed (Beta1, Beta2 or Beta3) do the following:
1- Uninstall your current version.
2- Reboot your computer.
3- Download version 1.0 from http://www.cloudantivirus.com and install.
4- If you already have an account from Beta3, you can use the same one. Otherwise the installer will prompt you to create a Cloud Antivirus account.

As a reminder, don’t forget to use the Panda Cloud Antivirus Technical Support Forum for posting any issues you might experience.

Thanks again for helping us create this great free antivirus !!!

Microsoft Security Essentials – LMHost file

Just a quick update on my previous posting regarding “Microsoft Security Essentials”. It has been brought to my attention that there is a minor issue during the installation process: during the “Microsoft Security Essentials” installation the LMHost file is replaced with a new one. Most users will never notice this, but if you made additions to your LMHost file (for security or anti-commercial reasons) you might find this annoying, and you might have spent some time debugging before you found this (your original lmhost.ini is renamed to lmhost.bak, by the way).

Nothing major, just something to think about.
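Since the installer leaves the old file behind as a .bak, the custom entries are recoverable rather than lost. The script below is an added example, not code from the original post or from Microsoft: it parses both files, lists the mappings that exist only in the backup, and on request appends them to the new file under a marker comment. The file names and the `drivers\etc` location are assumptions (the post itself refers to the files as lmhost.ini and lmhost.bak); adjust the paths to whatever the installer left on your machine. Requires Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the original post: after an installer has replaced
# the LMHOSTS file, find the mappings that only exist in the backup copy and
# append them to the new file. Paths and file names below are assumptions.
function Get-LmhostsEntries {
    param([Parameter(Mandatory=$true)][string]$Path)
    # Emits one object per effective entry. Pure comment lines are skipped,
    # but the LMHOSTS keywords that start with '#' (#INCLUDE, #BEGIN_ALTERNATE,
    # #END_ALTERNATE) are real directives and are kept.
    $directives = '#INCLUDE', '#BEGIN_ALTERNATE', '#END_ALTERNATE'
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        $tokens = $line -split '\s+'
        if ($line.StartsWith('#')) {
            if ($directives -notcontains $tokens[0].ToUpper()) { continue }
            # Key a directive by its full text so duplicates are recognised.
            [pscustomobject]@{ Key = $line.ToUpper(); Line = $line }
            continue
        }
        if ($tokens.Count -lt 2) { continue }   # malformed: IP without a name
        # NetBIOS names are case-insensitive, so normalise the key; keep the
        # original line (including #PRE / #DOM: options) for re-insertion.
        [pscustomobject]@{ Key = "$($tokens[0]) $($tokens[1].ToUpper())"; Line = $line }
    }
}

function Merge-LmhostsBackup {
    param(
        [Parameter(Mandatory=$true)][string]$Backup,
        [Parameter(Mandatory=$true)][string]$Current,
        [switch]$Apply   # without -Apply, only report what would be added
    )
    $currentKeys = @(Get-LmhostsEntries -Path $Current | ForEach-Object { $_.Key })
    $missing = @(Get-LmhostsEntries -Path $Backup |
        Where-Object { $currentKeys -notcontains $_.Key })
    if ($missing.Count -eq 0) {
        Write-Host "No entries from $Backup are missing in $Current."
        return $missing
    }
    Write-Host "Entries present in $Backup but not in $Current:"
    $missing | ForEach-Object { Write-Host "  $($_.Line)" }
    if ($Apply) {
        # Append under a marker so the merge is visible and easy to revert.
        $block = @("# --- restored from $Backup on $(Get-Date -Format s) ---") +
                 ($missing | ForEach-Object { $_.Line })
        Add-Content -Path $Current -Value $block
        # #PRE entries are only loaded into the NetBIOS name cache on a reload.
        & nbtstat -R | Out-Null
    }
    return $missing
}

# Usage: report only. Add -Apply to write the missing entries back.
# The location is the standard one for LMHOSTS; where the installer put the
# .bak copy is an assumption, so check the directory first.
$etc = Join-Path $env:SystemRoot 'System32\drivers\etc'
Merge-LmhostsBackup -Backup (Join-Path $etc 'lmhosts.bak') -Current (Join-Path $etc 'lmhosts')
```

The dry run is deliberate: an LMHOSTS entry with #PRE and #DOM: decides which machine a client treats as its domain controller, so you want to read the list of entries the backup would reintroduce before you let the script write them back.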

Microsoft Security Essentials – Final version released

The long awaited “Microsoft Security Essentials” is released 🙂 and as the beta looked promising, and the company I work for has been using “Forefront Client Security” (the corporate version) for a year now, I was looking forward to trying this out…

I fired up my browser and went to “http://www.microsoft.com/security_essentials/”; however, as I live in Denmark I was met by this message:

Not available in your country or region
You appear to be in a country or region where
Microsoft Security Essentials is not available.
Thank you for your interest in Microsoft Security Essentials.

Shown in 9 languages (of course not in Danish); well, bummer… However, as I have access to a US proxy I just changed the proxy settings and things brightened up 🙂 So I am now the happy ‘owner’ of “Microsoft Security Essentials”, and the thing about this is that it’s free 😀

Should you want to check this product out, just direct your browser to: http://www.microsoft.com/security_essentials/

And should you get the same annoying message stating that it is ‘Not available in your country’, then you might want to take a look at www.torproject.org. TorProject is mostly an anonymity solution that allows you to browse without being tracked by IP etc.; however, they also offer the possibility to select which breakout/proxy you wish to use, and here you can select a US breakout and fool the MS server into letting you download all the same. You may also need to modify your IE settings to show a US regional code etc., but it should all be possible.

Want more details and maybe a review?
Visit here: http://www.winsupersite.com/win7/mse.asp

Enjoy.

Update!
You may be able to download MSE from here even if you are not in the US 🙂

FCS Tamper Protection ++

If you are using Forefront Client Security you know that it is not big in the corporate configuration department; much can however be done using GPOs and general AD management. Yes, I also prefer having these options in a management console, but at least it is still possible.

Read this article to get the low-down:
Every Anti-Virus has a mechanism called tamper protection that helps administrators keep users from mishandling their antivirus settings and services. Forefront Client Security only offers basic control over what the user can or cannot do with the FCS Client Console on his client machine. What the FCS System doesn’t provide is a built-in mechanism to protect FCS services from being stopped or prevent FCS from being removed by the user.

It’s true that some of these are possible to prevent by not giving administrative privileges on the client workstation, but some of us don’t have that luxury.

Windows Group Policy has built-in settings that allow you to both protect your services and disable removal by unauthorized users. This is how it’s done.

Protecting Forefront Client Security Services

http://blogs.microsoft.co.il/blogs/yanivf/archive/2009/01/09/temper-protection-in-forefront-client-security.aspx

Forefront Client Security & Windows Defender debugging

If you experience problems with Forefront Client Security (or Windows Defender), and likely also the new free Microsoft antivirus, here are some tips for debugging it:

Look for the file called:

MpCmdRun.exe

On Forefront Client Security this is found in:

C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware

If you go to a command prompt and run this command with -? you will get a bunch of debugging commands; among others there are restore commands that will reset the configuration of the client, etc.

One command likely to be useful for debugging performance issues is:

MpCmdRun.exe -trace

However, I have been unable to determine how to decode the .bin file created! So if you have any suggestions, please let me know. If you look in the .log file in the same directory, though, you will get some historic information which may prove useful. Also, there are still the good old utilities from Sysinternals (e.g. Filemon) to assist you.

All very useful.

Here are the switches for Forefront Client Security:

   -Scan [-ScanType]
        0  Default, according to your configuration
        1  Quick scan
        2  Full system scan
   -Trace [-Grouping] [-Level]
        Begins tracing Microsoft Forefront Client Security's actions.
        You can specify the components for which tracing is enabled and
        how much information is recorded.
        If no component is specified, all the components will be logged.
        If no level is specified, the Error, Warning and Informational levels
        will be logged. The data will be stored in the support directory
        as a file having the current timestamp in its name and bearing
        the extension BIN.
        [-Grouping]
        0x1    Service
        0x2    Malware Protection Engine
        0x4    User Interface
        0x8    Real-Time Protection
        0x10   Scheduled actions
        [-Level]
        0x1    Errors
        0x2    Warnings
        0x4    Informational messages
        0x8    Function calls
        0x10   Assertions
   -GetFiles
        Gathers the following log files and packages them together in a
        compressed file in the support directory
        - Any trace files from Microsoft Forefront Client Security
        - The Windows Update history log
        - All FCSAM or FCSAMRtp events from the
          System and Application event log
        - All relevant Microsoft Forefront Client Security registry locations
        - All software information from Software Explorer
   -RemoveDefinitions
        Restores the last set of signature definitions
   -RemoveDefinitions -All
        Rolls the signature definitions back to the default signature set
        and removes any installed signature and engine files.Use this
        option if you have difficulties trying to update signatures.
   -RestoreDefaults
        Resets all configuration options to their default values; this is the
        equivalent of running Microsoft Forefront Client Security setup
        unattended.
   -GetSWE
        Exports the contents of Software Explorer into a file named MPSWE.txt
        in the support directory
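The -Grouping and -Level values in the listing are bit flags, so tracing just two components at two levels means OR-ing hex values together by hand, which is where mistakes creep in. The script below is an added example, not code from the original post or from Microsoft: it builds the two masks from readable names and runs the trace, optionally followed by -GetFiles to package the result. The component and level values come from the listing above; that the switches are spelled `-Grouping <hex>` and `-Level <hex>` on the command line is an assumption drawn from that listing, and the install path is the one given in the post.

```powershell
# Added example, not from the original post: build the -Grouping and -Level
# bitmasks for MpCmdRun.exe -Trace from readable names (values from the switch
# listing above) and run the trace. Assumptions: the switch spellings
# "-Grouping <hex>" / "-Level <hex>" and the install path given in the post.
$MpCmdRun = 'C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe'

$GroupingFlags = @{
    Service   = 0x1
    Engine    = 0x2   # Malware Protection Engine
    UI        = 0x4   # User Interface
    RealTime  = 0x8   # Real-Time Protection
    Scheduled = 0x10  # Scheduled actions
}
$LevelFlags = @{
    Errors        = 0x1
    Warnings      = 0x2
    Informational = 0x4
    FunctionCalls = 0x8
    Assertions    = 0x10
}

function ConvertTo-FlagMask {
    # OR the named flags together; reject unknown names rather than silently
    # tracing less than intended.
    param([hashtable]$Table, [string[]]$Names)
    $mask = 0
    foreach ($n in $Names) {
        if (-not $Table.ContainsKey($n)) {
            throw "Unknown flag '$n'. Valid names: $($Table.Keys -join ', ')"
        }
        $mask = $mask -bor $Table[$n]
    }
    return $mask
}

function Get-FcsTraceArguments {
    # Argument list for a trace limited to the given components and levels.
    # Omitting either list keeps the tool's default for it (all components,
    # or Error/Warning/Informational), as the switch listing describes.
    param([string[]]$Components, [string[]]$Levels)
    $argList = @('-Trace')
    if ($Components) {
        $argList += '-Grouping', ('0x{0:X}' -f (ConvertTo-FlagMask $GroupingFlags $Components))
    }
    if ($Levels) {
        $argList += '-Level', ('0x{0:X}' -f (ConvertTo-FlagMask $LevelFlags $Levels))
    }
    return $argList
}

function Start-FcsTrace {
    param([string[]]$Components, [string[]]$Levels, [switch]$CollectLogs)
    $traceArgs = Get-FcsTraceArguments -Components $Components -Levels $Levels
    Write-Host "Running: `"$MpCmdRun`" $($traceArgs -join ' ')"
    & $MpCmdRun @traceArgs
    if ($CollectLogs) {
        # -GetFiles packages the trace files, update history and FCSAM events
        # into one archive in the support directory for later analysis.
        & $MpCmdRun -GetFiles
    }
}

# Trace only the engine and real-time protection at error and warning level
# (-Grouping 0xA -Level 0x3), which keeps the .bin small when chasing a
# performance problem, then collect everything with -GetFiles.
Start-FcsTrace -Components Engine, RealTime -Levels Errors, Warnings -CollectLogs
```

Because Get-FcsTraceArguments only returns the argument list, you can call it on its own to see the exact command before anything runs; for the example call it yields `-Trace -Grouping 0xA -Level 0x3`.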

VistaPE a replacement for BartPE?

I just stumbled across a blog post from Claus Valca referring to VistaPE; as far as I can judge this is more or less a replacement for BartPE, which has been dead in the water since 2006.

VistaPE should allow you to create a bootable CD/DVD with the Vista kernel (much as BartPE did with the XP kernel); this is useful as a recovery tool/image tool/repair tool/virus cleanup tool etc. I have previously created antivirus cleanup CDs using BartPE, but maybe VistaPE could offer better compatibility with the later hardware models.

I will add this to my “I have to look into this” list (which sadly has become quite long).