Understanding Forefront Client Security SP1 and getting “up-to-date”

The Forefront Client Security team announced the release of Service Pack 1(SP1) last month. As described in the announcement SP1 is a server-only update. As this is a departure from what many folks are used to it causes a little confusion about which updates apply to which machines and how to be “up-to-date”. In the below I have links to KB articles to learn more information about the updates, however all of the FCS updates referenced below are available from either Microsoft Update or deployment through WSUS.


It is important to understand that SP1 is essentially:

· an aggregation of the existing FCS server component fixes into a single deployment package that received more testing and is easier to deploy than would be the individual fixes;

· changes required to allow FCS server components to operate properly on Windows 2008 server;

· a correction to a policy deployment issue not significant enough to warrant a released fix.

(note: FCS SP1 does not contain any additional MOM 2005 fixes)

If you are deploying FCS server components to a Windows 2008 server then you will need to follow the instructions in the deployment guide for installing the release binaries and then applying SP1. If you are deploying to a new Windows 2003 server we recommend that you deploy using SP1 bits. If you have an existing Windows 2003 server deployment we recommend that you test SP1 in your lab and deploy it upon the successful completion of that testing. Since this testing may not complete immediately, the FCS team has allowed the Sp0 fixes to remain available on the Microsoft Update website in case they are needed in the interim.

I specifically used the words FCS server components in conjunction with SP1; but what about all your FCS clients, what about an update for them? The FCS client consists of three components: antimalware agent, security state assessment agent, and the MOM agent. Taking each of these individually:


The MOM agent that FCS installs is the MOM 2005 SP1 agent. Any fixes for the MOM agent would come from the MOM product team here at Microsoft. To date, support has not seen many FCS-related problems with the MOM agent. Occasionally a customer will run into the hibernation issue, but the problems caused by them are usually transient and have not warranted discussion of a broader release.

Security State Assessment

There have been both feature additions and problems found affect the SSA client which was shipped with FCS RTM. However, those changes were all made to the object processor and manifest which are both included in the SSA definitions. Therefore, if you have the latest SSA definition set your SSA client is up-to-date with Microsoft’s releases.


There have been several updates to the FCS antimalware client. These antimalware releases have been published to the Microsoft Update website and a knowledge base article has been written detailing the nature of the changes in each revision. Each of these releases are full (all binaries redistributed) and cumulative. Therefore, if you move to the latest update you will have all of the current fixes. The released versions are listed below:





Update KB938054


Update KB952265


Update KB956280


Update KB971026



In an effort to make finding the latest build easier we have created an FWLink (currently points to KB956280) which we will keep pointed to the latest build. This FWLink was also added to the FCS SP1 article to make it more discoverable.

It is important to understand that these fixes update components of the antimalware agent, which are the vehicles that the antimalware engine uses for protection (the antimalware service, the UI, and the kernel mode mini-filter). These packages do not contain definition or engine updates. Each version of the FCS v1 antimalware client should be able to consume the engine and definitions created by the Microsoft Malware Protection Center(MMPC). For optimal malware protection we recommend installing the latest antimalware client update and definition updates.


Craig Wiand
Forefront Client Security Escalation Engineer