FCS KB2394433 (QFE 9) Introduces a Real-Time Protection Error 0x8007007f on Windows 2000

Issue:

There is an issue with the changes made in QFE9 (KB2394433 or KB2394439) that prevents the Antimalware minifilter mpfilter.sys from loading properly on Windows 2000. This causes a failure to provide On Access Real-Time Protection.

Customers experiencing this issue should revert to QFE8 (KB979536) by uninstalling the antimalware client, installing the RTM client, and then upgrading to QFE8.

The command line to uninstall:

msiexec.exe /x {A22989EE-AE7A-42F8-A0C0-9C99CFB644FB} /qn

Symptoms:

After deploying KB2394433 (or KB2394439) to Windows 2000 computers, you will see two FCSAM 3002 errors in the System log with the following information:

10/19/2010 01:24:53 PM                FCSAM Error                      3002       Win2k

Microsoft Forefront Client Security Real-Time Protection agent has encountered an error and failed.

User: NT AUTHORITY\SYSTEM

Agent: On Access

Error Code: 0x8007007f

Error description: The specified procedure could not be found.

From a command prompt, the fltmc command does not list the mpfilter minifilter driver as loaded, as shown in the sample output below:

C:\Windows\system32>fltmc

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
No filters loaded
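
To check many machines for the two symptoms above, the following Python script (an added example, not part of the original article or of any Microsoft tooling) classifies a host from its saved fltmc output and System log event text. It assumes both have been collected as plain text and is run on an analyst workstation; the function names, result labels and the healthy sample are constructed for illustration.

```python
import re

TARGET_FILTER = "mpfilter"   # minifilter named in the article
TARGET_ERROR = "0x8007007f"  # error code from the FCSAM 3002 event
# fltmc output and event text from the article (whitespace condensed)
PAGE_FLTMC = r"""C:\Windows\system32>fltmc
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
No filters loaded
"""
PAGE_EVENT = """10/19/2010 01:24:53 PM  FCSAM Error  3002  Win2k
Agent: On Access
Error Code: 0x8007007f
"""
# Constructed healthy sample; instance count and altitude are placeholders
HEALTHY_FLTMC = """Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
MpFilter                                1         000000        0
"""

def loaded_filters(fltmc_text):
    """Return lower-cased filter names listed in fltmc output."""
    names, in_table = set(), False
    for line in fltmc_text.splitlines():
        row = line.strip()
        if row.startswith("---"):
            in_table = True          # table rows follow the dashed rule
        elif in_table and row and row.lower() != "no filters loaded":
            names.add(row.split()[0].lower())
    return names

def has_rtp_failure(event_text):
    """True for an FCSAM 3002 On Access event carrying 0x8007007f."""
    text = event_text.lower()
    return all(re.search(p, text) for p in (
        r"\bfcsam\b.*\b3002\b",          # source and event ID on one line
        r"agent:\s*on access",
        r"error code:\s*" + TARGET_ERROR,
    ))

def triage(fltmc_text, event_text):
    """Classify one host from its saved fltmc output and event text."""
    filter_loaded = TARGET_FILTER in loaded_filters(fltmc_text)
    event_hit = has_rtp_failure(event_text)
    if not filter_loaded:
        return "affected" if event_hit else "filter-missing"
    return "event-only" if event_hit else "ok"

if __name__ == "__main__":
    print(triage(PAGE_FLTMC, PAGE_EVENT))
```

A host reported as "filter-missing" has no mpfilter loaded but no matching event in the supplied text, so its System log should be reviewed separately.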

It's worth mentioning that there was an installation issue with the "1725" client package available in WSUS that resulted in the Antimalware service being removed. Customers using WSUS to deploy the FCS client to Windows 2000 machines should use the RTM "1703" client package to avoid both this issue with the "1725" client package and the Real-Time Protection error described in this article.