What Does CSS Need to Help Troubleshoot an FCS Issue?
Do you suspect an infection in your network?
If you suspect an infection in your network and can find the infected file, please upload the sample at https://www.microsoft.com/security/portal/submit.aspx
Only one file can be submitted at one time and the size of that file is limited to 10 megabytes. Compress the file and password protect the file with the password "infected" (without quotes).
If you want to submit more than one file for analysis, please compress the files into a single archive and password protect the files with the password "infected" (without quotes).
In the comments field, please provide any information you have about the infection.
Microsoft Malware Protection Center will send you the results of the analysis on the submission.
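One way to prepare such a submission, as an added example that is not part of the original post: a PowerShell script that records a SHA-256 for each sample, builds one archive with the password "infected", and checks it against the 10 MB limit. It assumes 7-Zip is installed at the path shown and PowerShell 4.0 or later (for Get-FileHash); the parameter names and the default output path are hypothetical.

```powershell
# Added example: package suspected samples for submission.
# Assumptions: 7-Zip at the default install path; PowerShell 4.0+ for Get-FileHash.
param(
    [Parameter(Mandatory = $true)][string[]]$SamplePath,
    [string]$ArchivePath = "$env:TEMP\fcs-sample.zip",    # hypothetical output location
    [string]$SevenZip = "$env:ProgramFiles\7-Zip\7z.exe"  # assumed install location
)

$ErrorActionPreference = 'Stop'
$MaxBytes = 10MB   # submission size limit stated above

if (-not (Test-Path -LiteralPath $SevenZip)) { throw "7-Zip not found at $SevenZip" }

# Record a SHA-256 per sample so the analysis results can be matched to the file later.
$manifest = foreach ($p in $SamplePath) {
    $item = Get-Item -LiteralPath $p -Force   # -Force also finds hidden/system files
    [pscustomobject]@{
        Name   = $item.Name
        Bytes  = $item.Length
        SHA256 = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
    }
}

# Build a single archive protected with the password the submission page expects.
if (Test-Path -LiteralPath $ArchivePath) { Remove-Item -LiteralPath $ArchivePath }
& $SevenZip a -tzip '-pinfected' $ArchivePath $SamplePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }

# Refuse to hand over an archive the portal would reject for size.
$size = (Get-Item -LiteralPath $ArchivePath).Length
if ($size -gt $MaxBytes) {
    Remove-Item -LiteralPath $ArchivePath
    throw "Archive is $size bytes, over the 10 MB limit; submit fewer files per archive."
}

$manifest | Format-Table -AutoSize
"Archive ready: $ArchivePath ($size bytes)"
```

Keep the printed hash list with the incident notes so the results sent back can be tied to the exact files submitted.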
FCS customers: please contact Microsoft Customer Service and Support to raise an incident, and follow the steps below.
You can also try these steps:
· Run a Full Scan on the infected machine with recent signature updates.
· Try to isolate the machine from the network to avoid spreading the infection.
Are you facing an issue while installing Forefront Client Security?
Check the Prerequisites
· https://technet.microsoft.com/en-us/library/bb404270.aspx
If you still experience issues after reviewing the prerequisites, please contact Microsoft Customer Service and Support to raise an incident, and follow the steps below.
Server installation issues: gather and provide the engineer with the topology you are attempting to install, along with computer and account information (see the deployment guides).
Example:
| Item | Description | Your Notes |
|---|---|---|
| Management server | Server name | |
| Collection server | Server name | |
| Collection database | Server name and SQL Server instance name (if it's not the default) | |
| Reporting server | Server name | |
| Reporting Database | Server name and SQL Server instance name | |
| Distribution Server | Server name | |
| DAS Account | Domain user account required | |
| DTS Account | Domain user account required (Recommendation: re-use DAS account) | |
| Reporting Account | Domain user account required (Recommendation: re-use DAS account) | |
| Action Account | Domain user account required (Recommendation: re-use DAS account) | |
| Management Group Name | Defined during Client Security setup | |
| Reporting Server URL | Defined during SQL Server 2005 setup (Default: https://reportingservername/ReportServer) | |
| Report Manager URL | Defined during SQL Server 2005 setup (Default: https://reportingservername/Reports) | |
| Size of Collection Database | Defined during Client Security setup | |
| Size of Reporting Database | Defined during Client Security setup | |
| WSUS Management URL | Created when installing WSUS | |
| WSUS Client Configuration URL | Created when installing WSUS | |
Collect the failed setup log from the location below and share it with the engineer who contacts you.
For Server role installation:
<Install drive>\Program files\Microsoft Forefront\Client Security\Server\Logs\Server_date.log
For Client installation:
%Program Files%\Microsoft Forefront\Client Security\Client\Logs
If your Forefront clients are not getting signature updates
Please run the CSS Sec MPS report on the distribution server, using the tool from this link: https://www.codeplex.com/SECTools/Release/ProjectReleases.aspx?ReleaseId=15744
(If it's a single-server topology, run it on the FCS server.)
Also run the CSS Sec MPS report on a client machine, using the same link: https://www.codeplex.com/SECTools/Release/ProjectReleases.aspx?ReleaseId=15744
When a Microsoft engineer has contacted you, ask him/her for the workspace to upload the output of the MPS report.
For other issues with Forefront Client Security
Run the CSS Sec MPS report from the link
https://www.codeplex.com/SECTools/Release/ProjectReleases.aspx?ReleaseId=15744
· Run this on all the Forefront Client Security server roles.
· If it's a single-server topology, run it on the FCS server.
· To run this script you need to log in with an administrator ID.
· This script will not take more than 5 to 15 minutes.
· This script is transparent and uses little processor time and memory.
· Gather and provide the engineer with the topology you are attempting to install, along with computer and account information (see the deployment guides).
When a Microsoft engineer has contacted you, ask him/her for the workspace to upload the output of the MPS report.
What does the CSSSEC MPS report collect from your machine?
Information on IIS:
· IIS Anonymous (IUSR) user information
· IIS metadata and module information (MBSchema.xml, MetaBase.xml, sysinfo xml)
· IIS configurations and logs
Windows Update related information:
· WinHTTP proxy settings
· BITS (service and queued job status)
· Missing security update information
FCS information:
· FCS antimalware support logs
· FCS Security State Assessment information
· FCS account information
· FCS client setup files
· FCS database information
· Profile settings of the FCS console
· Status of the Forefront client dependency services
MOM and Reporting Services information:
· MOM Management Pack information
· MOM *.mc8 log files
· MOM configuration (Onepoint database size and permissions, System Center Reporting database size and permissions)
· SQL Reporting Services information and logs
Other information:
· DCOM information
· Event logs (Application, System and Security event logs)
· Scheduled task information
· Version of Windows OS
· Version and symbol information of executables
· NTFS information
· Group Policy information
· Disk quota information
· MS Office information
· Hardware information of the local machine
· ISA Server information
· Security Center configuration (Anti Virus, Firewall, Automatic Updates)
For more information, please read the readme file at the link: https://www.codeplex.com/SECTools/Release/ProjectReleases.aspx?ReleaseId=15744
Thanks
Swami
CSS Security Team