On this month's Patch Tuesday, February 2015, a new version of the System Center Endpoint Protection client was released, replacing the one released in October. Like the previous versions of the Endpoint Protection client, it is released on Microsoft Update / WSUS and can be deployed as an update to your clients. The scepinstall.exe file on the Configuration Manager 2012 servers is updated with the Cumulative Updates, as before, so when you deploy a new System Center Endpoint Protection client it will require this update as well.
Update 20150220: the update has now been pulled back from Windows Update and expired in WSUS. If you are experiencing the issue with downloads being blocked with a message that they contain a virus, you should downgrade the affected systems. More details can be found here: Team Blog
Update 20150302: a new version, 4.7.209.0, has been released with the issue resolved: http://blogs.technet.com/b/configmgrteam/archive/2015/02/19/known-issue-endpoint-protection-blocks-internet-explorer-downloads.aspx
“The revised update to address the Internet Explorer download issue is now available on Microsoft Update and Windows Software Update Services as KB3041687. This release is version 4.7.209.0”.
New in this release, from the KB article http://support.microsoft.com/kb/3036437 (the KB article was updated 13/2 with this new content):
- Improvements to registry and file system protection to counter tampering from malware.
- Sub-mount points can be automatically excluded, and volumes can be fully excluded in Real time protection (RTP).
- This update also includes the deprecation of the DisableGenericReports subkey in the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\Reporting
Note: Unless this key is edited directly in the registry, this update should not have any effect on telemetry behavior. After you apply this update, to disable telemetry that is sent by Endpoint Protection through Microsoft Active Protection Service (MAPS), open the Endpoint Protection UI, click the Settings tab, select the MAPS section, and then click I don’t want to join MAPS.
Notes
- Administrators can manage the MAPS configuration options through Windows Management Infrastructure (WMI), Windows PowerShell, and Group Policy.
- Endpoint Protection may request file samples to be sent to Microsoft for further analysis. By default, Endpoint Protection will always prompt before it sends such samples. There is an option available to send samples automatically. To opt in to automatic sample submission, open the Endpoint Protection UI, click the Settings tab, select the Advanced section, and then click Send file samples automatically when further analysis is required.
- Administrators can manage automatic sample submission with additional configuration options through WMI, PowerShell, and Group Policy by using the following registry subkeys:
- MAPS Configuration Registry location: HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\Reporting
  DWORD name: SpyNetReporting
  DWORD values:
  - 0 – Off
  - 1 – Basic Membership
  - 2 – Advanced Membership
- Sample Submission Registry location: HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\Reporting
  DWORD name: SubmitSamplesConsent
  DWORD values:
  - 0 (default) – Automatic sample submission disabled. End users will always be prompted for samples.
  - 1 – Most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
  - 2 – All sample submission disabled. Samples will never be sent and end users will never be prompted.
  - 3 – All samples will be sent automatically. All files determined to require further analysis will be sent automatically without prompting.
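As an added example (not from the KB article or this post), the following PowerShell reads and sets the two DWORDs the KB describes, decoding them to the membership and sample-submission levels listed above. It assumes an elevated session on a client where the Reporting key exists; the function names are my own.

```powershell
# Added example: audit and configure the MAPS DWORDs documented in KB3036437.
# Run elevated. Group Policy or WMI are the alternatives the KB lists.
$ReportingKey = 'HKLM:\Software\Microsoft\Microsoft Antimalware\Reporting'

# Meanings taken from the KB article's value tables.
$SpyNetLevels = @{ 0 = 'Off'; 1 = 'Basic Membership'; 2 = 'Advanced Membership' }
$SampleLevels = @{
    0 = 'Automatic submission disabled, user is always prompted (default)'
    1 = 'Most samples sent automatically, prompt for files likely to hold personal data'
    2 = 'All sample submission disabled, user is never prompted'
    3 = 'All samples sent automatically without prompting'
}

function Get-ScepMapsConfig {
    # Returns the raw DWORDs plus their KB meaning; 'not set' when the value is absent,
    # which is the state in which the consent dialog keeps appearing.
    $props = Get-ItemProperty -Path $ReportingKey -ErrorAction SilentlyContinue
    $spy   = $props.SpyNetReporting
    $cons  = $props.SubmitSamplesConsent
    $spyText  = if ($null -ne $spy)  { $SpyNetLevels[[int]$spy] } else { 'not set' }
    $consText = if ($null -ne $cons) { $SampleLevels[[int]$cons] } else { 'not set' }
    [pscustomobject]@{
        SpyNetReporting      = $spy
        SpyNetMeaning        = $spyText
        SubmitSamplesConsent = $cons
        SubmitSamplesMeaning = $consText
    }
}

function Set-ScepMapsConfig {
    param(
        [Parameter(Mandatory)] [ValidateSet(0, 1, 2)]    [int]$SpyNetReporting,
        [Parameter(Mandatory)] [ValidateSet(0, 1, 2, 3)] [int]$SubmitSamplesConsent
    )
    if (-not (Test-Path $ReportingKey)) { New-Item -Path $ReportingKey -Force | Out-Null }
    # -Force creates the value or overwrites it, keeping the REG_DWORD type.
    New-ItemProperty -Path $ReportingKey -Name 'SpyNetReporting' -PropertyType DWord `
        -Value $SpyNetReporting -Force | Out-Null
    New-ItemProperty -Path $ReportingKey -Name 'SubmitSamplesConsent' -PropertyType DWord `
        -Value $SubmitSamplesConsent -Force | Out-Null
    Get-ScepMapsConfig   # echo the resulting state for the change log
}

# Audit first; then, for example, basic membership and no sample prompts:
Get-ScepMapsConfig
# Set-ScepMapsConfig -SpyNetReporting 1 -SubmitSamplesConsent 2
```

Run the audit across a collection before deciding on values, since a client that reports 'not set' for SubmitSamplesConsent is one that will keep prompting users.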
The new version is 4.7.205.0, which can be seen in the UI under Help.
I have seen some issues being reported on the forums and from customers.
- WMI-related errors in the event logs, and SCCM Client Health reports a faulty WMI; a reboot solves this issue.
- The next issue with the update is that the registry keys need to be configured as the KB article states above, both to stop the Submit Sample Consent dialog from being displayed and to be able to configure MAPS membership.
- There have also been reports of all downloads in IE being blocked because they supposedly contain a virus; no real solution to that one yet.
We auto-deployed this yesterday. If you have reboots suppressed, it will cause the event viewer to fill with errors registering in WMI until reboot. Not really an issue for workstations, but for servers it can leave you with SCOM reporting backlogs on monitoring. If you cannot reboot the server immediately, a repair of the SCCM client also seems to clear it.
Most of my clients started logging an error in Windows event viewer after the update to v4.7.205.0 – “There was an error 0x800106f7 in creating the Antimalware Health State WMI instance”. Not sure what is causing this, and a reboot does not appear to solve the issue.
The update was deployed automatically through an SCCM 2012 R2 automatic deployment rule, and I’m wondering what I need to do to fix or remove the update?
I’m going to try and reboot servers and workstations again to see if they clear. I will post an update to let you know if this resolves the issue. Thanks for the update.
Will try the client repair for servers that I cannot reboot right now (most are Windows 2008 R2).
After upgrading SCEP to 4.7 my workstation could not download files using IE. A reboot fixed this for me. Not so much of an issue for Servers admittedly.
Using the SCCM 2012 Administration console to push an installation of the client to existing clients (uninstall option left unchecked) appears to have cleared it up on most servers. Rebooted workstations and the error appears to have corrected itself. The domain controller did not correct the issue, so I am issuing a reboot (I have other domain controllers that permit me to reboot the PDC).
Forgot to check the “All client to be installed on domain controllers” option when redeploying the client for the domain controller that did not update.
Since upgrading to the new 4.7 client, some (not all) downloads are being blocked by Endpoint because it thinks they are a virus. We have run this test many times with .doc, .xls and .ppt files we know are not infected. Uninstalling Endpoint and going to an earlier version seems to fix the issue. Anyone else had this?
All downloads in IE are now reporting that they contain a virus and are being deleted, and there is also a DLL error I get when downloading files from within an application – “The procedure entry point MpAmsiScan could not be located in the dynamic link library c:\Program Files (x86)\Microsoft Security Client\MpOAv.dll”
These started occurring after this update was installed. Rebooting does NOT resolve it.
Ok. So we have found a common factor so far…
Devices that ran the Windows 8 to 8.1 upgrade are showing the fault. Any exceptions for file types etc. do not work! Going back to client 4.6 solves this issue but means we are behind on the client version.
Any machine that has been built from 8.1 from scratch does not have this fault, as far as we have seen so far.
We also upgraded to SCCM 2012 R2 CU4 in a vain effort in case the policy XMLs changed, but this did not solve anything. We have stopped rolling out 4.7 for now.
Interesting, that is exactly the same as I am seeing: on my machine upgraded from 8 to 8.1 it doesn’t work, but on a newly installed one it works fine. Great! I will forward that information.
The update for the .xml file is not in the CU4 update… so you will have to either wait for a new update or set the registry keys as described in the KB article.
/Jörgen
Re: the IE/Chrome downloads are being blocked and reported as being infected. The workaround so far has been to rename the Program Files\Windows Defender folder. Once you do that, and close and reopen any IE/Chrome sessions downloads start working again.
Not sure if this only affects Windows 8/8.1 machines that have had their clients upgraded (rather than new, clean installs), as I haven’t heard reports of the same issue on Windows 7.
Hi,
The update has been pulled back and will be re-released when the issue is fixed; until then I would recommend downgrading affected systems.
http://blogs.technet.com/b/configmgrteam/archive/2015/02/19/known-issue-endpoint-protection-blocks-internet-explorer-downloads.aspx
/Jörgen
New update version 4.7.209.0 available.
http://blogs.technet.com/b/configmgrteam/archive/2015/02/19/known-issue-endpoint-protection-blocks-internet-explorer-downloads.aspx