No new definitions or updates are available for Forefront Client Security? Try Microsoft Update

I’ve seen this problem before on my Windows 7 machines but I thought it was a Windows 7 issue… now I’ve experienced it in a Windows XP virtual machine and so I thought I’d blog it here.

After installing Forefront Client Security (FCS) (the next version of which will be known as Forefront Endpoint Protection 2010), Windows complains that its antivirus protection is out of date (and it is – the definitions date back to 2006) but Forefront says there are no updates.

No new definitions or updates are available for Microsoft Forefront Client Security

To resolve this, visit Windows Update and elect to use Microsoft Update instead. After the update settings are changed, FCS works out that there are some downloads available (and directs you to the Microsoft Update Catalog) but if you ignore that and let Microsoft Update run its course, FCS is updated automatically and no further intervention is required.
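The scripted equivalent of that fix, as an added example rather than anything from the original post: it opts the machine into Microsoft Update through the Windows Update Agent COM API (the documented Microsoft Update service ID is used), confirms the registration took, and then lists any pending Forefront Client Security updates that service now offers. It assumes an elevated session on a machine that can reach Microsoft Update.

```powershell
# Added example: opt into Microsoft Update via the Windows Update Agent COM API.
# Service ID below is the documented Microsoft Update service identifier.
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

function Get-MicrosoftUpdateRegistration {
    # Services is a collection of IUpdateService objects; return MU if registered
    $manager = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    foreach ($service in $manager.Services) {
        if ($service.ServiceID -eq $MicrosoftUpdateServiceId) { return $service }
    }
    return $null
}

function Enable-MicrosoftUpdate {
    $manager = New-Object -ComObject 'Microsoft.Update.ServiceManager'
    # 7 = asfAllowPendingRegistration (1) + asfAllowOnlineRegistration (2)
    #   + asfRegisterServiceWithAU (4): register MU and make it the Automatic Updates default
    $null = $manager.AddService2($MicrosoftUpdateServiceId, 7, '')
}

function Find-PendingForefrontUpdates {
    # Search the Microsoft Update service specifically (ServerSelection 3 = ssOthers)
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 3
    $searcher.ServiceID = $MicrosoftUpdateServiceId
    $result = $searcher.Search("IsInstalled=0 and Type='Software'")
    # Only surface the Forefront items; the search itself can take a few minutes
    foreach ($update in $result.Updates) {
        if ($update.Title -like '*Forefront*') { $update.Title }
    }
}

if (-not (Get-MicrosoftUpdateRegistration)) {
    Write-Host 'Microsoft Update is not registered on this machine; opting in.'
    Enable-MicrosoftUpdate
}
$registration = Get-MicrosoftUpdateRegistration
Write-Host ('Microsoft Update registered: {0}; default for Automatic Updates: {1}' -f `
    ($registration -ne $null), $registration.IsDefaultAUService)
Write-Host 'Pending Forefront updates offered by Microsoft Update:'
Find-PendingForefrontUpdates
```

Once Microsoft Update is the default Automatic Updates service, the definition updates arrive through the normal update cycle, so the pending list above should empty itself without further intervention.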

Identity and security developments at Microsoft

In amongst all the exciting new product announcements for new Windows releases and cloud computing platforms it’s all too easy to miss out on some of the core infrastructure enhancements that Microsoft is making. Last week I got the chance to catch up with Joel Sider from Microsoft’s Identity and Security group – a new organisation at Microsoft formed to address the issues of identity and security (which are really two sides of the same coin) and which, until recently have been treated as individual point solutions.

Joel explained to me that, with a single business group and a single engineering group, Microsoft is able to focus on the complete product stack, from System Center and Identity Lifecycle Manager (ILM – formerly MIIS), through Forefront security to the Windows platform, including Active Directory, Rights Management Services (RMS) and Network Access Protection (NAP).

Two of the products under the umbrella of the identity and security group have been in the news recently:

  • A release candidate of Identity Lifecycle Manager “2” is available now. Due for final release in the first half of 2009, ILM “2” provides self-service for employees, enhanced administration and automation for IT professionals, and extensibility for developers. In developing this product, Microsoft’s focus was on allowing IT departments to set policies for access, empowering end users and knowledge workers to perform actions and tasks (e.g. reset passwords, manage group membership, etc.). Until the release of this product, such actions would have required the use of third party products (e.g. Quest Active Roles Server) and, unlike MIIS, which was powerful but had a limited user interface, the focus with ILM is on providing an intuitive management interface and self-service capabilities whilst still allowing extensibility (e.g. for audit and compliance purposes). ILM uses a concept of sets to group objects (e.g. “All people”) and then a workflow (authentication, authorisation, or action) may be applied to complete a number of steps (e.g. in a password reset scenario to answer a number of security questions; or approving membership of a group and sending out a notification in a group membership scenario).
  • Intelligent Application Gateway (IAG) service pack 2 is also due for release shortly. Originally available only in hardware appliance form, the former Whale Communications product can now be run as a Hyper-V virtual machine to reduce costs and increase flexibility in the infrastructure. In addition, IAG supports access from non-Microsoft browsers (e.g. Firefox) and platforms (i.e. users running Linux and Mac OS X) and has additional optimisers for recently released applications. (For those who are unaware of IAG’s capabilities, it provides granular access to specific applications via an SSL VPN with support for almost any application but optimisations for those which it has an awareness of – that’s the “intelligent” part of IAG).

Other significant developments taking place within the identity and security group include: the Windows Azure .NET Identity Framework (codenamed Geneva) which provides a Microsoft .NET identity access control service; Windows CardSpace; and the Forefront integrated security product (codenamed Stirling) which will combine the various disparate Forefront components.

From my perspective, I’m really encouraged to see Microsoft working to provide a more focused approach. As I’ve written before, many of Microsoft’s identity and security products are the result of acquisitions and, whilst it’s important not to lose the features and functionality that made these products successful in the first place, they also need to be tightly integrated to avoid the inevitable confusion caused by feature overlap and conflicting goals. It seems to me that Microsoft is working towards providing a sensible and logical identity and security portfolio for customers and partners.

Microsoft Licensing: Part 6 (Forefront security products)

Continuing the series on licensing Microsoft software, in this post I look at the various security products that Microsoft offers. Many of these products are the result of acquisitions, so it may help to look at the old and new product names:

  • Sybari Antigen is now integrated into Forefront Server Security and Forefront Client Security.
  • FrontBridge services are now sold as Exchange Hosted Services (EHS).
  • The Whale Communications product is now offered as Intelligent Application Gateway (IAG).
  • Sybari Antigen Enterprise Manager has become the Forefront Server Security Management Console.

The Forefront security products make use of multiple anti-virus engines, with five engines included in the base cost (CA InoculateIT, CA VET, Microsoft Antivirus, Norman DataDefense and Sophos) and four more optional engines available (AhnLab, Authentium, Kaspersky and VirusBuster). Included within the Forefront Security Suite are:

  • Forefront Client Security.
  • Forefront Client Security Management Console.
  • Forefront Security for Exchange Server.
  • Forefront Security for SharePoint.
  • Forefront Server Security Management Console.

All products are offered on a subscription basis although the Enterprise CAL (ECAL) suite includes the Forefront Security Suite with no extra licensing requirements.

The Exchange Enterprise CAL is also available to Select and Enterprise customers with services included, adding Forefront for Exchange Server and Exchange Hosted Filtering to the Exchange Enterprise CAL. This option is not available with retail licensing or to Open License customers, and must be taken up on a company-wide basis.

In the next part of this series, I’ll finally move on to take a look at the various methods that are available in order to buy Microsoft software.

Forefront Security overview

A few weeks back, I spent some time learning about the Microsoft Forefront security products.  I’ve written before about Forefront Client Security and intend to write some more posts that go into some detail on the other Forefront products, but I thought I’d start by taking a look at the suite as a whole.

The Forefront suite of applications currently includes a number of products:

Looking first at the client, Forefront Client Security provides virus and spyware protection in a single product for client and server operating systems with updates received using Microsoft Update.  That all sounds OK but, for some critics, the natural question to ask is "what does Microsoft know about client security?".  Well, it seems that they know quite a lot:

  1. First, Microsoft purchased GeCAD Software – a respected Romanian anti-virus vendor.
  2. Next, Microsoft purchased GIANT Software – a respected anti-malware provider.
  3. The Microsoft Malicious Software Removal Tool provides more than just the ability to remove malware from PCs, as the reporting information helps indicate how widespread a particular issue is.
  4. Microsoft also purchased FrontBridge Technologies, whose scanning technology protects many organisations from viruses and spam.
  5. Another Windows Live service that provides Microsoft with reconnaissance information is the Windows Live OneCare Safety Scanner (indeed the entire OneCare product range – although these consumer products have little in common with Forefront Client Security).
  6. Oh yes, and the fact that they run one of the world’s largest free e-mail services won’t hurt their ability to gather diagnostic information.

So that’s the client – what about the server products?  Based on the former Antigen products gained with Microsoft’s acquisition of Sybari Software there are currently two products carrying the Forefront brand name – plus Microsoft Antigen for Instant Messaging (to be replaced with an OCS-compatible product under the Forefront banner).  Making use of multiple anti-virus engines, the Forefront Server Security products provide real-time and manual scanning for messaging and collaboration products.

Finally, at the edge, ISA Server has been with us since 2000 (we had Proxy Server before then) and has become a well-respected application-level firewall and proxy server that is available in both software-only and appliance formats.  Intelligent Application Gateway (IAG) is a newer product, built around ISA Server by another company that Microsoft recently acquired – Whale Communications.  IAG provides SSL VPN capabilities, combined with a detailed understanding of how applications work (positive logic) in order to ensure that only valid traffic is allowed to cross the network boundary.  Whilst IAG is currently only available in appliance format, with Microsoft being a software company I can’t help feeling that a version of IAG will be released in software form at some point in the future.

Unfortunately, this mix of products from different backgrounds means that Forefront doesn’t feel as tightly integrated as some other product suites (e.g. Microsoft Office) but that is changing as the components are updated.  In addition, Microsoft has announced a product (codenamed Stirling) which they are touting as:

"[…] a single product that delivers unified security management and reporting with comprehensive, coordinated protection across clients, server applications, and the network edge. Through its deep integration with the existing infrastructure, such as Microsoft Active Directory and Microsoft System Center, customers can reduce complexity, making it easier to achieve a more secure and well-managed infrastructure."

For anyone looking at purchasing Forefront products, Software Assurance (SA) might not be a bad choice as there are new versions of IAG planned based on the forthcoming ISA Server codename Nitrogen and ISA Server codename Oxygen products (don’t quote me on this as information is a little sketchy on these!) and further updates planned across the Forefront suite.

IT security is no longer an afterthought and has become an integral part of any organisation’s IT infrastructure. I’m impressed by the range of options that Microsoft can provide in the Forefront suite and, if they can convince critics that they have a credible range of products (they are currently suffering from "the Škoda badge problem"), then over time I expect to see Microsoft take a dominant position in Windows Server security.

Microsoft security suffers from “the Škoda badge problem”

I’m attending a Microsoft Forefront Security course and it was interesting to hear the analogy that the instructor used to describe how people perceive Microsoft and security when used in the same sentence… he referred to it as the Škoda badge problem – i.e. that everyone knows a modern Škoda is a well engineered car built on a trusted Volkswagen platform but Škoda is still struggling to discard its image as a producer of cheap eastern-European cars. Similarly, Microsoft has some excellent security products (e.g. ISA Server) but the perception is that they are from Microsoft so they can’t be secure.

Forefront Client Security

A couple of years back, Microsoft bought a load of security companies and since then we’ve seen them continue to offer FrontBridge services as Microsoft Exchange Hosted Services; Windows Defender was born out of the previous Giant Company anti-spyware product, and a couple of months back they released Forefront Client Security (FCS) – which I believe is based on the technology gained from the purchase of Sybari.

Yesterday, I spent some time working through a hands-on lab for Forefront Client Security and it seems pretty good. What follows is not a full product review (a demo is available on the Microsoft web site), but some of the highlights I picked out from the lab.

  • In line with most anti-virus clients, Forefront Client Security displays a taskbar icon to indicate status. Depending on the policies applied (from an FCS management console), this will allow a user to launch the client software.
  • Quick scans check for viruses and spyware in:
    • Processes loaded in memory.
    • User profile, Desktop, system folders and Program Files folder.
    • Common malware infection points (auto start registry entries, etc.)
  • FCS does not scan removable or network disks
  • Periodic quick scans should be scheduled in order to make use of the latest definitions to detect any malware that may have infected a computer between the previous scan and the application of new definitions.
  • Real time protection detects and prevents malware attacks immediately
  • Quarantined files are stored as encrypted files inside a .CAB in a subfolder under C:\Documents and Settings\All Users
  • Event log messages may include the acronym MCPAVAS (Microsoft Client Protection Anti-Virus Anti-Spyware)
  • Definition updates are stored at C:\Users\All Users\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\{GUID}
  • To reduce the size of definition file transfers, FCS uses a system of base and delta definition files. Key files are:
    • mpengine.dll – malware scanning engine
    • mpasbase.vdm – antivirus base definition file
    • mpasdlta.vdm – antivirus delta definition file
    • mpavbase.vdm – antivirus base definition file
    • mpavdlta.vdm – antivirus delta definition file
  • Definition updates are available from Microsoft Update (or WSUS for internal deployments). Because WSUS uses a daily synchronisation schedule, FCS installs a service (the Microsoft Forefront Client Security Update Assistant service) that automatically connects WSUS to Microsoft Update every hour to retrieve definition updates. This service also automatically approves updates for distribution and installation so that updates are always available within one hour of release (although it should be noted that there may be a further delay before updates are retrieved depending on the frequency of client update checks).
  • FCS policies (e.g. to control the level of user interaction and reporting, or to specify allowed applications) are managed using the Microsoft Forefront Client Security Console.
    • FCS policies can be deployed to organizational units (OUs), security groups, or manually (using a registry file). Group policy objects (GPOs) may also be created manually.
    • Upon deployment via OU or security group, FCS uses the group policy management console (GPMC) API to create a new GPO (named fcspolicyname-{guid}) which is applied to the appropriate OU or filtered based on security group membership. This policy is unlinked and deleted when the FCS policy is undeployed. Group policy updates may need to be forced using the gpupdate /force command and Kerberos ticket renewal may delay group-based policy application.
    • For local policy file deployment (e.g. using a registry file), a tool is provided on the FCS product CD-ROM (fcslocalpolicytool.exe).
    • As with other group policies, settings deployed via FCS policies are unavailable to users (greyed out).
  • FCS also includes a report viewer for management purposes, e.g. for security state analysis.
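A small check that follows from the definition file layout and update cadence described above, added here as an example and not part of the original post or the product: it looks in the newest {GUID} definition set, reports the version and age of the engine and each base/delta file, and flags anything missing or older than a threshold. It assumes the folder path quoted above (with {GUID} matched by wildcard); the seven-day threshold is an arbitrary choice for this example and the 'Role' labels merely follow the file names.

```powershell
# Added example: report the age of the FCS definition files listed in the post.
# Path is the one quoted in the post; adjust for the platform's All Users profile location.
$DefinitionRoot = 'C:\Users\All Users\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates'
$MaxAgeDays = 7   # assumption for this example, not a product setting

# File names from the post; labels follow the mpengine/mpas/mpav prefixes
$KnownFiles = @{
    'mpengine.dll' = 'scanning engine'
    'mpasbase.vdm' = 'base definitions (mpas)'
    'mpasdlta.vdm' = 'delta definitions (mpas)'
    'mpavbase.vdm' = 'base definitions (mpav)'
    'mpavdlta.vdm' = 'delta definitions (mpav)'
}

function Get-DefinitionFileStatus {
    param([string]$Root = $DefinitionRoot, [int]$MaxAge = $MaxAgeDays)
    $now = Get-Date
    # One {GUID} subfolder per definition set; treat the most recently written one as current
    # (PSIsContainer filter rather than -Directory so this also runs on PowerShell 2.0)
    $sets = Get-ChildItem -Path $Root -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } |
            Sort-Object LastWriteTime -Descending
    if (-not $sets) {
        return New-Object PSObject -Property @{ File = $Root; Role = 'definition folder'; Status = 'Missing' }
    }
    $latest = @($sets)[0]
    foreach ($name in $KnownFiles.Keys) {
        $item = Get-Item -Path (Join-Path $latest.FullName $name) -ErrorAction SilentlyContinue
        $version = $null; $age = $null; $status = 'Missing'
        if ($item) {
            # .dll/.vdm files carry a version resource where one is present
            $version = $item.VersionInfo.FileVersion
            $age = ($now - $item.LastWriteTime).Days
            $status = if ($age -gt $MaxAge) { 'Stale' } else { 'OK' }
        }
        New-Object PSObject -Property @{
            File = $name; Role = $KnownFiles[$name]; Version = $version; AgeDays = $age; Status = $status
        }
    }
}

Get-DefinitionFileStatus | Format-Table File, Role, Version, AgeDays, Status -AutoSize
```

A 'Stale' delta file on a machine that is otherwise checking in is the pattern to look for when Microsoft Update has not been selected, since the base files can be current while the hourly deltas never arrive.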

It may be useful to note that the European expert group for IT security (EICAR) produces an anti-virus test file that can be useful for fine-tuning anti-virus processes and procedures. The Microsoft Malware Protection Center includes threat research and response information (similar to the services offered by other anti-virus vendors) as well as details of the latest definition updates.

Links

Forefront Client Security team blog.

Microsoft acquires FrontBridge

Back in March, I wrote about some new e-mail message continuity services from FrontBridge. Well, according to a press release just received from Microsoft, FrontBridge is about to become Microsoft’s latest acquisition as it steps up its systems management and security capabilities. With the purchase of Giant Company (anti-spyware), Sybari (anti-virus) and now FrontBridge (anti-spam and message continuity), Microsoft’s security arsenal is starting to look good. It will be interesting to see how these purchases shape up and whether they are integrated into Windows, retained on an application service provider (ASP) basis, or developed into one or more new products, perhaps as part of the System Center family, or (in the case of FrontBridge) maybe we will see some of the new technology integrated into Exchange 12?

Microsoft buys into the anti-virus market

Following Microsoft’s recent foray into the anti-spyware market and ending months of speculation, Microsoft announced today that it is to attack another form of malware through its purchase of Sybari Software.

Whether anti-virus technologies will be included within Windows (alongside the Windows Firewall), or made available as a separate download (as for Microsoft Windows AntiSpyware) is yet to be seen but with the US Department of Justice and the European Union already investigating the bundling of middleware within Windows it will be interesting to see how Microsoft positions its new acquisition.